FIDO2 based Passwordless technology allows users to use a USB key sign in to Azure AD without using passwords. Once enabled, the users will be able to sign in to their accounts and log onto their Windows 10 machines (Azure AD or Hybrid AD joined) using FIDO2 Security keys. The access is still protected by two factors in this case: 1) having physical access to the security key and 2) PIN or Fingerprint (on devices with biometrics support) configured on the FIDO2 Security keys
FIDO2 keys as a security method is available with Microsoft Azure AD for already a couple of years now. Being the most secure access method available for Office 365 user access, enrolling FIDO2 security keys had a requirement of MFA to be configured for the users, which made it useless for use cases where users do not have (or do not want) to use multiple devices to log in. This has finally changed!
During the MS Ignite 2021 conference (which was held virtually this year as well), in addition to GA of Passwordless, Microsoft also announced a new feature, Temporary Access Pass in Azure AD (Preview), which will allow your end users to use only a FIDO2 Security key to access their account (this eliminates the requirement of having the MFA configured prior to that, which was the case before).
This guide will describe how the administrator can set Temporary Access Pass for a user, and how that user can subsequently enroll his/her FIDO2 security key:
Enable the Temporary Access Pass (TAP)
As this is a preview feature, it has to be enabled first. Global administrator and Authentication Method Policy administrator role holders can update the TAP authentication method policy. To configure the TAP authentication method policy:
- Sign in to the Azure portal as a Global admin and click Azure Active Directory > Security > Authentication methods > Temporary Access Pass.
- Click Yes to enable the policy, select which users have the policy applied, and any General settings
Note: make sure FIDO2 Security Key method is also enabled (it is on the same page).
- You can keep the default TAP values for the time being. A full description of possible options is available here
Create Temporary Access Pass for a user
Now, lets create a temporary access pass for a user. The user should be allowed to use TAP (configured in the previous step). To add a TAP for a user, follow the steps below:
Sign in to the portal as either a Global administrator, Privileged Authentication administrator, or Authentication administrator.
- Click Azure Active Directory, browse to Users, select a user, then choose Authentication methods.
- If needed, select the option to Try the new user authentication methods experience.
- Select the option to Add authentication methods.
- Below Choose method, click Temporary Access Pass (Preview).
- Define a custom activation time or duration and click Add
- Once added, the details of the TAP are shown. Make a note of the actual TAP value. You provide this value to the user. You can't view this value after you click Ok.
Adding a FIDO2 Key using TAP Login
The steps below will allow a user to add a FIDO2 security key as the only authentication method for his/her account.
Please note that only TAP method allows this, if the user logs in using a regular password this security method will not be enabled (it will show an error similar to "To set up a security key, you need to sign in with two-factor authentication" )
- User needs to log out of all existing session or launch a web browser in Private (Incognito) mode
- Navigate to https://aka.ms/mysecurityinfo
- Enter the UPN of the account (the TAP was created for), such as [email protected]
- If the TAP is valid, instead of the regular password and MFA prompt, the login form will ask for a temporary access pass
- After logging in with the TAP, the browser will redirect to the Security Methods page, where a FIDO2 key can be added
Add a FIDO2 Security key by clicking Add method and choosing Security key
Choose USB device
Have your key ready and choose Next
A box will appear and ask you to create/enter a PIN for your security key, then touch the shield or lock icon on the key (the LED indicator is usually blinking at this moment). If the PIN code for your FIDO2 key has already been set, it will ask to enter it. Please note that for biometric-enabled keys, PIN can be replaced by a fingerprint authentication.
You will be returned to the combined registration experience and asked to provide a meaningful name for your token so you can identify which one if you have multiple. Click Next.
Click Done to complete the process
As you can see from this guide, after logging in using TAP, enrolling a FIDO2 Security key does not require having another MFA configured prior to that. This means that it is possible to set up access for a user that does not require knowing the password. Moreover, with TAP created, the whole process can be done by the admin on behalf of the user (the only additional complexity here is when biometric protection is used - in this case, user presence is required).
Where to buy FIDO2 Security keys to use with this method?
All of our FIDO2 keys are compatible with Azure AD. You can place an order online or contact us for a quote. We ship worldwide* both with regular post and express services such as FedEx, UPS and DHL.
* - with the exception of Iran, India, Russia and a couple of other locations due to very complex customs clearance procedures