Passwordless authentication - Azure AD joined shared workstations

Docs Forum User 6

Hello,

I've read and watched a few videos on passwordless Azure AD authentication using FIDO2 keys and am wondering if can leverage this technology in my environment. I have several hundred shared workstations, and our users might use any one of them at any time. Can I purchase supported FIDO2 keys for each of my users, then have them register their assigned key on the combined registration experience site and choose a PIN, and then they'll have access to log into any one of the shared workstations at any time using that key and the PIN they chose?

Thank you

2 answers

Saurabh Sharma 23,816 Reputation points Microsoft Employee

2020-02-21T21:12:16.967+00:00

Yes, you can enable your users to be able to sign in to Azure AD using FIDO2 security keys (like YubiKeys and Feitan) however, FIDO2 security keys is a public preview feature for Azure Active Directory (not recommended for production use until the feature goes GA) and currently supports Azure AD Joined PC's only. Please refer to the documentation for details. Refer to document - Enable passwordless security key sign-in (preview)
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Docs Forum User 6 Reputation points

2020-02-21T21:20:59.427+00:00

oh fantastic, thank you for your reply. One more question, will I be able to make it mandatory that the users must use their FIDO2 key + PIN (MFA) at the Windows login screen on all our computers, and have no option to just use their Azure AD account password (no MFA) instead?
Please sign in to rate this answer.
Saurabh Sharma 23,816 Reputation points Microsoft Employee

2020-02-21T22:51:35.167+00:00

If you are talking about device PIN as a second factor then after inserting key into the device you need to provide a second gesture (PIN/Biometric) which is stored in your key. You need to contact the device manufacturer to discuss how their devices can be enabled with a PIN or Biometric as a second factor. Please refer to FIDO2 security keys for details on the different available security keys.

Please let me know if you find above reply useful. If yes, do click on 'Mark as answer' link in above reply. This will help other community members facing similar query to refer to this solution. Thanks.

Docs Forum User 6 Reputation points

2020-02-21T23:31:46.827+00:00

Hello, thank you for your reply. I understand what you explained so thanks for that, however my question really centers around, can I setup the computer so it does not allow the user to login without their FIDO2 security key. I want to make sure that use of the FIDO2 key at the login screen is mandatory and not optional, and by optional I mean the operating system letting the user just skip the use of their FIDO2 key and just using a password instead.

Thanks!

Pavel Otych 1 Reputation point

2020-02-23T18:38:12.847+00:00

Unfortunately, that's not possible as of now. Yo can do multifactor unlock with Windows Hello for Business but FIDO key isn't an option at time (the same applies to phone sign-in through authentication app). More info here: https://video2.skills-academy.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Passwordless authentication - Azure AD joined shared workstations

2 answers

Your answer