DocsForumUser-1609 asked:
Passwordless authentication - Azure AD joined shared workstations

Hello,

I've read and watched a few videos on passwordless Azure AD authentication using FIDO2 keys and am wondering if I can leverage this technology in my environment. I have several hundred shared workstations, and our users might use any one of them at any time. Can I purchase supported FIDO2 keys for each of my users, then have them register their assigned key on the combined registration experience site and choose a PIN, and then they'll have access to log into any one of the shared workstations at any time using that key and the PIN they chose?

Thank you

azure-active-directory

SaurabhSharma-msft answered:

Yes, you can enable your users to sign in to Azure AD using FIDO2 security keys (like YubiKeys and Feitian); however, FIDO2 security keys are a public preview feature for Azure Active Directory (not recommended for production use until the feature goes GA) and currently support Azure AD joined PCs only. Please refer to the documentation for details. Refer to document - Enable passwordless security key sign-in (preview)


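The answer above makes two prerequisites concrete: the workstation must be Azure AD joined (not hybrid joined), and security key sign-in must be enabled on it by policy. With several hundred shared workstations, an admin will want to verify both before handing out keys. The script below is an added example written for this page; it is not code from the thread, from Microsoft, or from any key vendor. It parses `dsregcmd /status` for the join state and reads the `UseSecurityKeyForSignin` value under the `PassportForWork\SecurityKey` policy key; that registry location is an assumption based on the Intune/provisioning-package policy of the same name and should be checked against the documentation for your Windows build. The script file name and host list in the usage note are hypothetical.

```powershell
# Added example (not from the thread, Microsoft, or a key vendor).
# Checks the prerequisites named in the answer above for FIDO2 security key
# sign-in on one workstation. Run in an elevated PowerShell session.

function Get-DsregStatus {
    # dsregcmd /status prints "Name : Value" lines grouped under section
    # headers. Collect every such line into a hashtable keyed by name.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-SecurityKeySignInPrerequisites {
    $status        = Get-DsregStatus
    $azureAdJoined = $status['AzureAdJoined'] -eq 'YES'
    $domainJoined  = $status['DomainJoined']  -eq 'YES'   # YES + AzureAdJoined YES = hybrid joined

    # Policy that enables the security key credential provider on the sign-in
    # screen (PassportForWork/SecurityKey/UseSecurityKeyForSignin).
    # Assumed registry location; confirm against the documentation.
    $policyKey   = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'
    $policyValue = Get-ItemProperty -Path $policyKey -Name UseSecurityKeyForSignin -ErrorAction SilentlyContinue
    $signInEnabled = ($null -ne $policyValue) -and ($policyValue.UseSecurityKeyForSignin -eq 1)

    $problems = @()
    if (-not $azureAdJoined) {
        $problems += 'Device is not Azure AD joined'
    }
    if ($azureAdJoined -and $domainJoined) {
        $problems += 'Device is hybrid joined; the preview supports Azure AD joined PCs only'
    }
    if (-not $signInEnabled) {
        $problems += 'UseSecurityKeyForSignin policy is not set to 1'
    }

    # "Ready" means only that the prerequisites named in the answer are met;
    # it says nothing about whether a password sign-in can still be used.
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        AzureAdJoined           = $azureAdJoined
        DomainJoined            = $domainJoined
        SecurityKeySignInPolicy = $signInEnabled
        Ready                   = ($problems.Count -eq 0)
        Problems                = ($problems -join '; ')
    }
}

# Local check; when the script is run remotely with -FilePath, this line is
# what returns the result object to the caller.
Test-SecurityKeySignInPrerequisites
```

To sweep the fleet, save the block as a file (say `Test-SecurityKeySignIn.ps1`, a hypothetical name) and run it on every host with `Invoke-Command -ComputerName (Get-Content .\shared-workstations.txt) -FilePath .\Test-SecurityKeySignIn.ps1 | Where-Object { -not $_.Ready } | Format-Table ComputerName, Problems -AutoSize`. Using `-FilePath` rather than passing one function's body keeps both functions defined on the remote side.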

DocsForumUser-1609 answered:

Oh fantastic, thank you for your reply. One more question: will I be able to make it mandatory that the users must use their FIDO2 key + PIN (MFA) at the Windows login screen on all our computers, and have no option to just use their Azure AD account password (no MFA) instead?


If you are talking about device PIN as a second factor then after inserting key into the device you need to provide a second gesture (PIN/Biometric) which is stored in your key. You need to contact the device manufacturer to discuss how their devices can be enabled with a PIN or Biometric as a second factor. Please refer to FIDO2 security keys for details on the different available security keys.


Please let me know if you find above reply useful. If yes, do click on 'Mark as answer' link in above reply. This will help other community members facing similar query to refer to this solution. Thanks.


Hello, thank you for your reply. I understand what you explained, so thanks for that; however, my question really centers around whether I can set up the computer so it does not allow the user to log in without their FIDO2 security key. I want to make sure that use of the FIDO2 key at the login screen is mandatory and not optional, and by optional I mean the operating system letting the user just skip the use of their FIDO2 key and use a password instead.

Thanks!


Unfortunately, that's not possible as of now. You can do multifactor unlock with Windows Hello for Business, but a FIDO key isn't an option at this time (the same applies to phone sign-in through the Authenticator app). More info here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock
