A short introduction into FIDO2 Security Keys

FIDO2 is an evolution of the Universal 2^nd Factor open authentication standard based on public key cryptography using hardware devices. This standard is intended to solve multiple user scenarios including strong first factor (password-less) and multi-factor authentication. With these new capabilities, a security key can entirely replace weak static username/password credentials with strong hardware-backed public/private-key credentials.

These credentials cannot be reused, replayed, or shared across services. Devices and tokens that adhere to FIDO2, WebAuthN, and CTAP (Client to Authentication Protocol) protocols bring about a cross-platform solution of strong authentication without using passwords. Microsoft partners are working on a variety of security key form factors, such as USB security keys and NFC-enabled smart cards.

Use cases for using FIDO2 Security Keys

As described in my previous blog posts, you can work password-less via phone sign-in & Windows Hello for Business (Hybrid). So I can imagine you would think why should I use security keys in my environment?

There are several scenarios for which FIDO2 Keys are a perfect fit within the enterprise business, these are:

• Using FIDO2 Security Keys on shared devices;
  Shared devices only support up to a maximum of 10 Windows Hello for Business enrollments and therefore Windows Hello for Business shouldn’t be enabled on these types of devices as the 11^th users wouldn’t be prompted for a WHfB enrollment.
• Using FIDO2 Security Keys on devices which don’t have a TPM;
  In my previous blog post I’ve used the WHfB key-trust scenario for several reasons. This results in a hard requirement of a TPM Chip within the device. Devices who don’t have a TPM chip installed therefore aren’t prompted for a WHfB enrollment. FIDO2 Security keys can give these devices and therefore users a password-less experience.
• Using FIDO2 Security Keys for users who have more than one device;
  If users have three personal business devices it’s not helpful to have three different PINs on all these devices. For those reasons you can give these users the opportunity to use a FIDO2 Security Key instead to make sure they only have one single PIN which can be used across all devices.
• Using FIDO2 Security Keys for users who don’t have a corporate mobile phone and / or want to use the Security Key for multi factor purposes;
  There are users who don’t have a business phone and don’t want to use their personal phone for business activities (for all the right reasons). These users can use FIDO2 Security keys to provide them a password-less experience instead of the phone sign in option. Besides the phone sign in option they can also use the security key as a hardware MFA token, which they can use during for example their WHfB enrollment which requires MFA. In the above mentioned cases you only need to buy those users a FIDO2 security key instead of a mobile phone which is obviously a big cost saving.
• Using FIDO2 Security keys for users which are not allowed to use a phone at work, i.e. in high-secure environments;
  I personally don’t see this scenario very often but I know it’s there. People which are working in a factory, lab, etc. aren’t allowed to use phones at work. So the only way they can logon securely with password-less on a web-based session or via Windows 10 is with a FIDO2 Security key. This also gives the users the option to use this FIDO2 key as a hardware MFA token.
• Using FIDO2 Security keys for users who have more than one account;
  Admins and maybe even some of your users can have more than one account which they use for cloud purposes (also think of personal Microsoft accounts). Each account obviously has a password and from a security perspective should be secured with MFA. In some cases this brings in challenges like forgotten passwords or ‘lost’ MFA methods. For these reasons security keys can also be a solution as Security keys can contain multiple identities (this differs per key).
• Using FIDO2 Security keys for your VIP users;
  Your VIP users are the users which (in most cases) are the most important for your company. Think of your CEO, COO, CTO, etc. These users really don’t like password and if you would ask me they forget them quite often. Besides that you definitely don’t want those accounts to be hacked by hackers. On the other hand you see that your VIP users, in some cases, are using multiple devices to do their work on. These device also include the MacOS operating system, which don’t support Windows Hello for Business. Security keys brings in a solution for all of these issues as you will give them an easy way to logon password-less on Windows 10 or work password-less via web-based tools.

Different FIDO2 Security key form factors and best fit scenario

If you’re searching the internet you will find several FIDO2 Security key suppliers. You can think of Yubico, Feitian, Nitrokey, Thetis, Titan, eWBM etc.

Each key and each supplier has different form factors suitable for different scenario’s. I’ve listed a few different form factors which I’ve tested below with my personal opinion.

---

YubiKey 5 Nano

The YubiKey 5 Nano is a small security key which you would rather not take in and out of your laptop each day. So in my opinion this is a key which you would leave into your device for as long as needed. When you switch a lot between devices this key is definitely not the one you’re looking for. As the key is small it’s not NFC enabled and therefore can’t be used for other purposes.

---

YubiKey 5 NFC

The YubiKey 5 NFC is the form factor which is very common on the market and which is quite easy to plug in and out of your computer as the size is a bit bigger compared to the Yubikey 5 Nano. You can easily connect it to your keychain which you’re carrying with you all day. A nice addition with this key is that it’s NFC enabled, meaning you can use it for access to your office building, but also use that on mobile devices which do have NFC support.

---

Yubikey 5Ci

The YubiKey 5Ci is built specifically for iOS devices and devices who do have a USB-C port built-in to the system. This requires that your hardware is up-to-date as not all hardware devices have a USB-C port these days. This key also isn’t NFC enabled and therefore cannot be used for other purposes.

---

NitroKey FIDO2

The NitroKey FIDO2 key is a regular simple key which can only be used for FIDO2 purposes. It’s not expensive and doesn’t have other options besides U2F but does the trick. The biggest difference between this key and other regular keys is that you need to touch the plastic top of the key instead of a ‘better’ visible touch point.

---

Feitian K27

The Feitian K27 bring in more security and is based on USB-A. An advantage this key brings is that it can rely on your fingerprint (which is of course more than a PIN as that something you know and a fingerprint is something you have). This key on the other hand doesn’t support NFC. A small note in relation to the fingerprint is that the enrollment of your fingerprint requires separate steps, besides the regular ones, and therefore separate instructions for your end users.

---

Feitian K33

The Feitian K33 is a key which differs from all the previous versions as this key is mainly based on a Bluetooth connection with on the other hand a fingerprint sensor. Besides the Bluetooth connection it also supports NFC. It’s a key which you can carry with you on your keychain without the need of putting it into a device. It basically becomes the ‘carkey’ to access your laptop and/or desktop and other the other hand this key can also be used to access the office building. The key needs to be charged every once in a while and like the Feitian K27 also the fingerprint sensor requires separate steps, besides the regular ones, and therefore separate instructions for your end users.

Summary

Now I’ve summarized all keys which I’ve been testing you maybe wonder what key I do prefer the most… Now first of all I don’t like small keys (nano format) as I don’t want my Security Key ending up in my device, this as users can set simple pins and there is no way the enforce complex pins. This has to do with the fact that FIDO2 is an open standard and the standard is no complex pins so 111111 is an allowed PIN, same goes for 123456. Besides the above nano keys are quite hard to get out of your system, this as they’re quite small.

Secondly I don’t want to type in my PIN each time as that simply feels a bit like working non password-less. For those reasons you would end up with a Security key which has a fingerprint sensor installed. The only Keys which I’ve tested are the Feitian K27 and the Feitian K33 which have a fingerprint sensor available. Yubico will also bring a key on the market soon with Fingerprint recognition called YubiKey Bio so I’ve only been able to test with Feitian keys currently

Biggest advantage of the Feitian K33 key in this case from what I’ve tested is that it supports other functionalities as well via NFC, i.e access to the office building and it has Bluetooth on it, meaning I don’t need to plug it into my device each time. On the other hand it requires more end user adoption as not each user is familiar with Bluetooth.

Please do keep in mind that security keys which have a fingerprint sensor require extra enrollment steps to active the fingerprint sensor on the device. This can easily be done via the ‘Sign-in options’ within the ‘Account settings’ in Windows 10 where the security key is plugged in.

This results in my personal top #3

#1 Biometric Security Keys with NFC support
I simply love these keys, these give you a real password-less experience by using your fingerprint instead of your PIN. And in case your fingerprint doesn’t work there is a fallback possibility to your PIN. If your key has NFC support this would bring in other use cases for Security Keys as described above besides just using them to go password-less and beyond. On the other hand these keys can be quite expensive and the fingerprint does require separate enrollment steps which requires a bit more user adoption.

Pro’s: No daily pin hassle, NFC Support.
Con’s: High in cost, separate enrollment steps required for fingerprint.

#2 NFC Security Keys
As biometric keys are quite expensive I can imagine you don’t want to pay that much for only the fingerprint sensor. In that case I would recommend you to buy keys which at least have NFC support. This way you can still use your security key to go password-less and beyond while not paying to much for your key.

Pro’s: Lower in costs, NFC Support, no extra enrollment steps required by end users.
Con’s: Daily pin hassle.

#3 Regular size Security Keys
Regular size keys can simply be used to go password-less and not beyond as these don’t support NFC. This lowers the adoption rate for your end users as they will get another option and device (security key) which they need to work with. Compare this to your home, you also want one key which works on all of your locks and don’t want a separate key for each lock you have.

Pro’s: You can go password-less.
Con’s: Daily pin hassle, no password-less and beyond (no biometric, no NFC).

Now you know the use cases, the form factors and my personal #3 of the Security Keys I hope you can make a decision in what kind of security key fits your organizations needs and what would be the security key(s) you can use. If you have doubts I would strongly recommend to order the different keys and test them separately before providing them to your end users.

Distribution of keys

The last step in the whole process is to distribute these keys to end users. This can be done in several ways. The challenge however is that you cannot pre-enroll keys easily today or require them to be used by your end users. To overcome these challenges I’ve described a few ways which you can think of to distribute these keys.

In the last 6 months I’ve seen several options which are used in practice, each which it’s own pro’s and cons:

• Big bang; Plan the handover of keys on a company event which most of your employees are attending to and give this way of working password-less a lovely introduction by the CEO or IT Director. For the employees which aren’t attending this company event an envelop can be send over to their home addresses contain instructions and the Security Key. Advantage in this case is that you tell everyone in person the advantage of working password-less and encourage them. On the other hand will people really use the functionality without a good and solid explanation and instruction or will they just forget they even have a key which they can use to work password-less? Besides that you can’t give users the opportunity to shop or try out a security key form factor which they do like (small size, normal size or maybe even Bluetooth).
• Staged implementation; Or as I would call it ‘the simple method’, just provide a security key together with a new desktop/laptop or a new mobile phone. The best thing you can do is let users try out their new key and let them decide which security key form factor they want to use out of the security keys which are pre-selected by IT. This way it feels as if the security key has been chosen by the end user itself and that they actually did have options (small size, normal size or with Bluetooth as example). On the other hand the time frame which you got for providing users with a new laptop is also an opportunity to enroll the key together with the end user and explain what other things they can do with their key (think of personal accounts which they also can with password-less). The biggest disadvantage of this option of providing security keys is that it would take a very long time to provide each employee with a new key as you need to wait for the hardware refresh to happen and it would take more effort.
• Use Motivators; Adopt new or renewed company processes, think of access to office buildings, use the coffee machine with your security key to grab a coffee or explore other NFC possibilities which can enable your company to get more out of their processes by using Security Keys. Work together with your Marketing department for communications to end users and either plan days where IT Support hands over the security keys or ship the security keys with a nice introduction card to the home addresses of your employees. In both scenario’s you give the employee the option to come by to retrieve or activate their security key for access to office as an example but also ask users to enroll their keys to go password-less.

The best experience I had in the above described scenarios was the scenario where motivators were used. This scenario had the highest adoption rate with end users, everyone needed to have a security key for access to an office building. For that each employee was given a security key which they could use to access the office building, without a key no access to the office. On the other hand instructions were posted online (in this case on SharePoint) to enable the security key to logon to Windows 10 and therefore Azure AD. In this particular scenario I did see everyone walking around with their own security key, which some people even already use for other (personal) accounts as well.

---

I hope you have enjoyed reading Part 1 of my blog post about security keys and hope you didn’t had to wait to long for it to appear online. Reason why it took a bit longer than expected is that a brand new Identity has been born (Stenn Jacobs). Parent life consumed a bit more of my time lately then my non parent life did before. But don’t worry, I don’t expect that my next blog will take two months again ;-).

Now it’s time to go techie :-). However due to the size of this blog I’ve decided that the technical part will be written in Part 2, therefore keep following my blog for more very soon!

In part 2 of this security key blog of this series I will go techie :-). This into full technical detail how you can implement security keys within your environment to sign-on to Windows 10 and Office 365 services.

• Introduction to a password-less era
• Password-less 1 of 5: Going password-less with phone sign-in
• Password-less 2 of 5: Going password-less with Windows Hello for Business
• Password-less 3 of 5: Going password-less with Windows Hello for Business Hybrid
• Password-less 4 of 5: Going password-less with FIDO2 Security Keys Part 1
• Password-less 4 of 5: Going password-less with FIDO2 Security Keys Part 2
• Password-less 5 of 5: Expanding password-less to Azure AD Applications Part 1
• Password-less 5 of 5: Expanding password-less to Azure AD Applications Part 2
• Password-less 5 of 5: Expanding password-less to Azure AD Applications Part 3
• Password-less continued: Upgrading your password-less experience with Windows Hello for Business Hybrid cloud-trust.
• Password-less continued: Using the Passwordless Phone Sign-in experience for multiple accounts on iOS!
• Password-less continued: Using a Temporary Access Pass for Bootstrapping your Passwordless Journey