FIDO2 device-bound passkeys with Microsoft Entra ID

Date: 2024-05-02
Author: Versasec


Do you want to achieve the highest level of authentication for your organization’s Entra ID joined devices? Have you considered FIDO2 device-bound passkeys? 

Logging in to an Entra ID joined computer is as easy as a breeze, as demonstrated in the following video, whether you prefer a smart card or a security key as your FIDO2 device, with PIN or fingerprint authentication.

Watch a short presentation:


Prerequisites

There are some requirements to consider:

  • Windows 10 version 1903 or later, for the best experience on devices joined to Microsoft Entra ID.
  • A FIDO2 device for authentication.

While a credential management system is not required for FIDO2 device-bound passkeys, a credential management system (CMS) can bring valuable financial and security benefits. A CMS tightens the security posture of your Identity and Access Management (IAM) infrastructure and processes and reduces the effort of setup and implementation for your organization, especially for your IT department and your users. Manual issuance is burdensome, slow, prone to human error and costly. Deploying with a CMS eliminates these factors and saves vast amounts of time compared to the default issuance process in Microsoft Entra ID.

Versasec’s credential management provides the orchestration needed to automate and manage multiple IAM systems, giving organizations a secure hub for their IAM solution providers: certificate authorities, user directories, HSMs, credentials, and more. Versasec’s credential management system, vSEC:CMS, is available on-prem and as a managed service through vSEC:CLOUD with premium support. Versasec supports the broadest range of credentials on the market, covering the latest modern authenticators and technologies for PIV/PKI, FIDO, virtual and physical credentials, as well as RFID for secure access control.

Getting started with FIDO2 device-bound passkeys in Entra ID

Enable the passwordless authentication method in Entra ID

Tip: Steps in this article could vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
  2. Browse to Protection > Authentication methods > Authentication method policy.
  3. Under the method FIDO2 Security Key, click All users, or click Add groups to select specific groups. Only security groups are supported.
  4. Save the configuration.

Note: If you see an error when you try to save, the cause might be the number of users or groups being added. As a workaround, replace the users and groups you are trying to add with a single group, in the same operation, and then click Save again.

Source: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2 
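The same configuration can be applied programmatically. This added example (not from the Versasec article or its product) performs steps 2-4 above through Microsoft Graph PowerShell and reads the policy back to confirm the result; the group object ID is a placeholder, and the endpoint, scope name and request body shape are taken from the Microsoft Graph authentication methods policy API.

```powershell
# Added example, not from the Versasec article: enable the FIDO2 security key
# method via Microsoft Graph instead of the Entra admin center.
# Assumes the Microsoft.Graph.Authentication module is installed and the
# signed-in account is at least an Authentication Policy Administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy" +
       "/authenticationMethodConfigurations/Fido2"

# Placeholder group object IDs; only security groups are supported.
# Use a single target with id "all_users" to enable the method for all users.
$groupIds = @("00000000-0000-0000-0000-000000000001")

$includeTargets = foreach ($id in $groupIds) {
    @{ targetType = "group"; id = $id; isRegistrationRequired = $false }
}

$body = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationAllowed = $true
    includeTargets                   = @($includeTargets)
} | ConvertTo-Json -Depth 5

# Equivalent of "Under FIDO2 Security Key, add groups, then Save".
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType "application/json"

# Read the policy back and confirm the method is enabled and scoped as intended.
$cfg = Invoke-MgGraphRequest -Method GET -Uri $uri
if ($cfg.state -ne "enabled") { throw "FIDO2 security key method is not enabled" }
foreach ($t in $cfg.includeTargets) {
    if ($t.targetType -ne "group") { throw "Unexpected target type: $($t.targetType)" }
    Write-Host "FIDO2 security key method enabled for group $($t.id)"
}
```

The read-back check is worth keeping in a scheduled audit script, since a later portal edit that disables the method or drops a group would otherwise go unnoticed.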

Getting started with enterprise management of FIDO2 device-bound passkeys

Learn about our FIDO2 management offering: Versasec’s FIDO Management solution for the enterprise.

Register for a free evaluation of vSEC:CMS here: https://versasec.com/products/product-registration/

Check out our extensive step-by-step guides at: https://support.versasec.com/hc/en-us/sections/115000094514-vSEC-CMS-Documentation

Or reach out to us for a demo or assistance with getting you started: https://download.versasec.com/products/demo-registration
