FIDO keys (Token2)

Introduction

FIDO (Fast Identity Online) keys are a type of physical security key used to authenticate users on online platforms. They are part of the FIDO Alliance’s standards for passwordless authentication, which aim to improve online security and reduce reliance on passwords.

A FIDO key can be a USB device, a wireless device, or a biometric device. When you need to log in to a service, you insert the key (or connect it wirelessly via NFC or Bluetooth), and it authenticates you. This provides a higher level of security because even if someone knows your password, they can’t access your account without the physical key.

A more detailed deep dive about FIDO keys will follow soon.
In the following chapter, I will briefly explain some of the “words and names” in the world of FIDO keys.

What’s FIDO, FIDO2, U2F, PIN+, PIN+ Release2, etc.? Is that something to eat?

Around the topic of FIDO keys, you hear a lot of abbreviations and acronyms. Here is a short explanation of some of those abbreviations and their meanings:

FIDO (Fast Identity Online): FIDO is a set of security specifications for strong authentication. It includes U2F and UAF protocols and is developed by the FIDO Alliance, a consortium that aims to standardize authentication at the client and protocol layers.

U2F (Universal 2nd Factor): U2F is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices. It’s part of the FIDO specifications.

UAF (Universal Authentication Framework): A FIDO Alliance standard for passwordless and multifactor authentication using local authentication mechanisms like fingerprints, facial recognition, or PINs.

FIDO2: FIDO2 is the latest set of specifications from the FIDO Alliance. It includes WebAuthn and CTAP, and it’s designed to help move the world away from passwords, offering instead more secure passwordless login options.

CTAP (Client to Authenticator Protocol): Part of FIDO2, this standard allows external devices like mobile phones or security keys to act as authenticators over USB, NFC, or Bluetooth.

WebAuthn (Web Authentication): A web standard for passwordless authentication. It allows users to register and authenticate on websites using an authenticator like a security key, mobile phone, or biometric device.

PIN+ (Token2 standard): The PIN+ keys enforce specific complexity rules for numeric and alphanumeric PINs. Numeric PINs must be at least 6 digits long, cannot be sequential or repeated numbers, and cannot be “mirror” or palindrome numbers. Alphanumeric PINs must be at least 10 characters long and contain characters from at least two of the four categories: uppercase, lowercase, digits, and special characters.
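To make the PIN+ rules above concrete, here is an added example (not Token2’s own checker and not code from the original post) that implements them locally in PowerShell, so a candidate PIN can be tested before it is set on the key. Exact edge cases the page does not define (whether a wrap-around such as 890123 counts as sequential, and what counts as a special character) are assumptions made here; the sample PINs at the end are constructed for illustration and are not real credentials.

```powershell
# Added example, not Token2's tool: local check of the PIN+ complexity rules as
# described in the glossary entry above. Edge-case interpretations are assumptions.

function Test-NumericPinPlus {
    param([Parameter(Mandatory)][string]$Pin)

    # at least 6 digits, digits only
    if ($Pin -notmatch '^\d{6,}$') { return $false }

    $digits = foreach ($c in $Pin.ToCharArray()) { [int][string]$c }

    # repeated: the same digit all the way through (e.g. 111111)
    if (@($digits | Select-Object -Unique).Count -eq 1) { return $false }

    # sequential: every digit is the previous one +1, or every digit is the previous one -1
    # (assumption: 123456 and 654321 both fail; wrap-around like 890123 is not treated as sequential)
    $ascending = $true; $descending = $true
    for ($i = 1; $i -lt $digits.Count; $i++) {
        if ($digits[$i] -ne $digits[$i - 1] + 1) { $ascending = $false }
        if ($digits[$i] -ne $digits[$i - 1] - 1) { $descending = $false }
    }
    if ($ascending -or $descending) { return $false }

    # mirror / palindrome: reads the same backwards (e.g. 123321)
    $chars = $Pin.ToCharArray()
    [array]::Reverse($chars)
    if ((-join $chars) -eq $Pin) { return $false }

    return $true
}

function Test-AlphanumericPinPlus {
    param([Parameter(Mandatory)][string]$Pin)

    # at least 10 characters
    if ($Pin.Length -lt 10) { return $false }

    # characters from at least two of the four categories
    # (-cmatch is case-sensitive; plain -match would not distinguish upper from lower case)
    $categories = 0
    if ($Pin -cmatch '[A-Z]')       { $categories++ }   # uppercase
    if ($Pin -cmatch '[a-z]')       { $categories++ }   # lowercase
    if ($Pin -match '\d')           { $categories++ }   # digits
    if ($Pin -match '[^A-Za-z0-9]') { $categories++ }   # special characters (assumption: anything non-alphanumeric)
    return ($categories -ge 2)
}

function Test-PinPlus {
    param([Parameter(Mandatory)][string]$Pin)
    # all-digit PINs get the numeric rules, everything else the alphanumeric rules
    if ($Pin -match '^\d+$') { return Test-NumericPinPlus -Pin $Pin }
    return Test-AlphanumericPinPlus -Pin $Pin
}

# Constructed sample PINs (not real credentials) with the verdict each should get
$samples = [ordered]@{
    '123456'        = $false   # sequential
    '654321'        = $false   # sequential, descending
    '777777'        = $false   # repeated
    '123321'        = $false   # mirror / palindrome
    '12345'         = $false   # too short
    '284619'        = $true
    'abcdefghij'    = $false   # 10 characters but only one category
    'Abcdefghi'     = $false   # two categories but only 9 characters
    'correct-horse' = $true    # lowercase + special
    'T2-FIDO2-demo' = $true    # uppercase + lowercase + digits + special
}
foreach ($entry in $samples.GetEnumerator()) {
    $verdict = Test-PinPlus -Pin $entry.Key
    "{0,-15} {1,-6} expected {2}" -f $entry.Key, $verdict, $entry.Value
}
```

Run the script as-is to see the verdict table, or dot-source it and call Test-PinPlus on your own candidate; the key’s firmware remains the authority, this only saves you a rejected attempt in the management tool.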

PIN+ Release2 (Token2 standard): A new FIDO2 Key with the unique feature of storing up to 300 passkeys. The FIDO2 PIN+ provides top-level authentication with advanced features and firmware-level PIN complexity enforcement. Compared to the initial release which could only store 50 passkeys, Release 2 offers significantly enhanced capacity.

Why Token2 FIDO2 keys?

Here is my answer:
Token2 is a cybersecurity company founded in 2014, specializing in multifactor authentication. Based in Versoix, Switzerland, the company has developed various hardware and software solutions for secure authentication. As a member of the FIDO Alliance, Token2 has been providing FIDO security keys for over 5 years and earned its initial FIDO certificate in 2019. The company recently introduced the PIN+ series, a line of FIDO2 Security keys with advanced PIN complexity rules, available in three form factors – USB-A, USB-Type-C, and a Dual-port design. The PIN+ series keys implement stringent complexity rules for both numeric and alphanumeric PINs, enhancing security measures. The PIN+ series is FIDO Alliance certified, setting new standards for FIDO2 Security keys.

Technical

Prerequisites for Token2 FIDO2 keys

  • Entra ID Free/Basic licence (not recommended)
  • Entra ID Premium P1 or P2 licence for more flexibility and usability

How to choose the right Token2 FIDO2 keys?

The FIDO2 Key Selection Assistant of Token2 is a tool that helps users decide the right FIDO2 key model based on their specific needs and preferences. It guides users in selecting features such as USB-A, USB-Type C, NFC, fingerprint recognition, or a specific PIN type. All keys recommended by this assistant are FIDO Certified, verified by Microsoft, and compatible with Microsoft Entra ID Passwordless.

You can easily compare them on this page too: Product Comparison

Manage your passkeys and FIDO keys

The native FIDO2 functionality of security keys can be managed using various tools. The FIDO2.1 Security Key Management Tool allows users to view information, manage relying parties, and perform operations on FIDO2.1 devices. It’s compatible with any FIDO2.1 security key, not just Token2 keys (that’s really neat). The standard Windows control panel tool can also be used for key management for those running Windows 10 build 1903 or later, but it has some limitations. For macOS or Linux users, FIDO2 keys can be managed using the tool integrated into the latest Chromium-based browsers, such as Google Chrome (version 80 and later).

Configure FIDO key for MFA via Entra ID

In this scenario, I’m using a T2F2-PIN+/Dual key (provided by Token2) with Entra ID P2 licences. I’m using the USB-A and USB-C connection to connect the key to my devices. Follow these steps to configure the Token2 FIDO2 key for a scenario like this:

  1. Purchase the key(s) via https://www.token2.com/
  2. Create an account on Token2.
  3. If you are an Administrator, use the FIDO2.1 Security Key Management Tool.
    1. Install the FIDO2.1 Security Key Management Tool (unzip and run it)
    2. Choose your token and type in a random PIN. Afterwards, you will be prompted to create a new PIN (if you haven’t set one yet). A command line will open, and you have to type in the PIN twice. Check the complexity of your PIN with that tool from Token2.

  4. If you are an “ordinary” user and can’t install the tool, configure your PIN via the integrated Windows control panel tool.
  5. Afterwards, sign in to the Entra ID Portal or the Azure Portal and navigate to Entra ID (Activate your PIM roles)
  6. Navigate to Protection -> Authentication methods -> FIDO2 security key.
    1. Enable the setting and target the FIDO2 security keys to a specific group or all users.
    2. Configure the following settings:
      1. “Allow self-service set up” should remain set to “Yes” so users can register a FIDO key through MySecurityInfo.
      2. Setting “Enforce attestation” to “Yes” requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also to pass Microsoft’s additional set of validation testing.
      3. “Enforce key restrictions” should be set to “Yes” only if your organization wants to allow or disallow only specific FIDO security keys, which are identified by their Authenticator Attestation GUID (AAGUID).
  7. After you have configured the authentication method, sign in with the accounts that will use the FIDO keys and register the key as an authentication method for each of them.
  8. Afterwards, create a conditional access policy that forces the users (in this example one break-glass administrator account and the default global administrator) to use strong MFA methods to sign in to all cloud apps.
  9. Here is an example of a conditional access policy that I would use for this use case (setting: value):
    • Policy Name: CA102-Admins-IdentityProtection-AllApps-AnyPlatform-StrongMFA
    • Assignments (Users and Groups), Include users: Specific users included, CSGA-PRD-IAM-CAP-CA102-Include
    • Assignments (Users and Groups), Exclude users: Specific users excluded, CSGA-PRD-IAM-CAP-CA102-Exclude (second SOS Admin)
    • Cloud apps or actions, Include Cloud apps: All cloud apps
    • Cloud apps or actions, Exclude Cloud apps: None
    • Conditions (Sign-in risk, Device platform, Locations, Client apps): Device platform: Any; Locations: Any location
    • Access controls, Grant: Require authentication strength, Phishing-resistant MFA
    • Access controls, Session: Sign-in frequency, Every time
  10. After you have created the conditional access policy, you can test the sign-in via a browser with your default global administrator and the break-glass-administrator account. Either use the FIDO key as a 2FA method or use the passwordless authentication method. Both methods work just fine.
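The Entra ID part of the procedure above (the FIDO2 authentication method settings, the CA102 policy, and the final sign-in check) can also be done from the Microsoft Graph PowerShell SDK instead of the portal. The following is an added example, not code from the original post and not a Microsoft or Token2 sample. It assumes you have the Microsoft.Graph modules installed and enough rights to consent to the listed scopes; the group object IDs and the test user’s UPN are placeholders you must replace, the include/exclude assignments are modelled as groups rather than individual users, and the policy is created in report-only state first (both are my assumptions, the post itself creates an enforced policy in the portal).

```powershell
# Added example (not from the original post): steps 6, 9 and 10 of the procedure
# above via the Microsoft Graph PowerShell SDK. Placeholders are marked as such.

Import-Module Microsoft.Graph.Identity.SignIns   # authentication method + Conditional Access cmdlets
Import-Module Microsoft.Graph.Reports            # sign-in log cmdlets

Connect-MgGraph -Scopes @(
    "Policy.ReadWrite.AuthenticationMethod",   # step 6: FIDO2 method policy
    "Policy.Read.All",
    "Policy.ReadWrite.ConditionalAccess",      # step 9: Conditional Access policy
    "AuditLog.Read.All"                        # step 10: sign-in log check
)

# --- Step 6: FIDO2 security key authentication method ------------------------------
$fido2Group = "<object id of the group allowed to use FIDO2 keys>"   # placeholder; the id "all_users" targets everyone

$fido2Config = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true    # "Allow self-service set up" = Yes
    isAttestationEnforced            = $true    # "Enforce attestation" = Yes
    keyRestrictions = @{
        isEnforced      = $false                # "Enforce key restrictions" = No; set $true and fill aaGuids to allow-list models
        enforcementType = "allow"
        aaGuids         = @()
    }
    includeTargets = @(
        @{ targetType = "group"; id = $fido2Group; isRegistrationRequired = $false }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "fido2" -BodyParameter $fido2Config

# Read back what the tenant stored; the FIDO2-specific fields come back in AdditionalProperties
$stored = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "fido2"
"FIDO2 method state: $($stored.State), attestation enforced: $($stored.AdditionalProperties['isAttestationEnforced'])"

# --- Step 9: Conditional Access policy CA102 ---------------------------------------
$includeGroup = "<object id of CSGA-PRD-IAM-CAP-CA102-Include>"   # placeholder
$excludeGroup = "<object id of CSGA-PRD-IAM-CAP-CA102-Exclude>"   # placeholder: the second SOS admin stays excluded

$caPolicy = @{
    displayName = "CA102-Admins-IdentityProtection-AllApps-AnyPlatform-StrongMFA"
    state       = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" once the test sign-ins look right
    conditions  = @{
        users        = @{ includeGroups = @($includeGroup); excludeGroups = @($excludeGroup) }
        applications = @{ includeApplications = @("All"); excludeApplications = @() }   # All cloud apps, no exclusions
        platforms    = @{ includePlatforms = @("all") }                                 # Device platform: Any
        locations    = @{ includeLocations = @("All") }                                 # Locations: Any location
    }
    grantControls = @{
        operator               = "OR"
        builtInControls        = @()
        # built-in authentication strength "Phishing-resistant MFA"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"                          # Sign-in frequency: Every time
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
"Created policy $($created.Id) in state $($created.State)"

# --- Step 10: confirm the test sign-in was evaluated by CA and used the key --------
$testUser = "breakglass@contoso.example"   # placeholder UPN of the account you test with
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$testUser'" -Top 5 |
    Select-Object CreatedDateTime, ConditionalAccessStatus,
        @{ n = "Methods"; e = { ($_.AuthenticationDetails.AuthenticationMethod | Select-Object -Unique) -join ", " } }
```

Run the three sections separately if you prefer; the read-back after step 6 and the sign-in query after step 10 are the parts worth keeping in a runbook, because they show what the tenant actually enforces rather than what you intended to click.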
