Passwordless with Windows Hello and FIDO2

Introduction

The traditional username and password authentication method, while ubiquitous, has become the weakest link in an organization's security posture. Phishing, credential stuffing, and brute-force attacks target passwords daily, leading to widespread data breaches and significant financial and reputational damage. The industry's push towards a passwordless future is not merely a trend but a critical security imperative.

This article delves into the implementation of passwordless authentication using a powerful combination of Windows Hello for Business and FIDO2 security keys within a Microsoft Entra ID (formerly Azure Active Directory) environment. We will explore the "why" and "how" of this transformative shift, providing a practical guide for IT professionals, security architects, and system administrators looking to enhance their organization's security while improving user experience.

Why this matters

The adoption of passwordless authentication offers compelling benefits across several crucial areas. From a security perspective, eliminating passwords drastically reduces the attack surface for common credential-based attacks. FIDO2 and Windows Hello for Business leverage strong, cryptographically bound credentials that are phishing-resistant, significantly enhancing an organization's Zero Trust security framework. This directly addresses compliance requirements from frameworks like NIST, ISO 27001, and CMMC, which increasingly emphasize strong, multi-factor authentication and phishing-resistant credentials.

Beyond security, there are tangible business advantages. Reduced helpdesk calls for password resets translate into significant cost savings and improved IT operational efficiency. End-users benefit from a more streamlined and productive experience, no longer needing to remember complex passwords or frequently reset them. This improved user satisfaction can lead to greater adoption of secure authentication methods and a more secure, productive workforce.

Key concepts

• Microsoft Entra ID (formerly Azure AD): Microsoft's cloud-based identity and access management service, providing authentication, authorization, and user management for cloud and on-premises applications.
• Windows Hello for Business (WHfB): A strong two-factor authentication method for Windows devices. It replaces passwords with strong user credentials tied to a device, using biometrics (fingerprint, facial recognition) or a PIN. The credentials are encrypted with the Trusted Platform Module (TPM) chip on the device.
• FIDO2 (Fast IDentity Online): An open authentication standard that enables users to authenticate to online services using an external security key or an authenticating device. FIDO2 security keys are phishing-resistant and include a hardware component that stores cryptographic keys.
• WebAuthn (Web Authentication): The web-facing API component of FIDO2, developed by the W3C and the FIDO Alliance. It allows web applications to interface with FIDO2 authenticators.
• Trusted Platform Module (TPM): A secure cryptoprocessor designed to secure hardware by integrating cryptographic keys into devices. Both Windows Hello for Business and many FIDO2 keys leverage TPM for enhanced security.
• Passwordless Authentication: An authentication method where users verify their identity without entering a traditional password. This typically involves biometrics, hardware keys, or authenticator apps.

Step-by-step implementation

Implementing passwordless authentication with Windows Hello for Business and FIDO2 involves several key steps within your Microsoft 365/Entra ecosystem.

1. Enable FIDO2 Security Key Authentication in Microsoft Entra ID:

Navigate to the Entra admin center. Go to Protection > Authentication methods > Authentication methods policies. Click on FIDO2 Security Key. Set Enable to Yes. Choose All users or specific groups to include. Optionally, configure Configure basic settings* such as enforcing attestation and restricting specific security key vendors (highly recommended for production environments).

1. Configure Windows Hello for Business (WHfB) using Intune (MDM):

This ensures WHfB is provisioned for your managed Windows devices. Navigate to the [Microsoft Intune admin center](https://intune.microsoft.com). Go to Devices > Enroll devices > Windows enrollment > Windows Hello for Business. Set Configure Windows Hello for Business to Enabled. Configure settings such as Use a Trusted Platform Module (TPM) to Required, Minimum PIN length, Maximum PIN length, and Require lower/upper/special characters according to your security policy. * Assign this policy to your user or device groups.

1. User Registration for FIDO2 Security Keys:

Users will need to register their FIDO2 keys. They can do this by: Navigating to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). Clicking Add method and choosing Security key. * Following the prompts to register their FIDO2 key. This typically involves inserting the key, touching it, and setting a PIN for the key itself.

```powershell # Assign a FIDO2 Security Key authentication method policy to a specific group # Ensure you have the Microsoft.Graph module installed and authenticated with appropriate permissions (e.g., Policy.ReadWrite.AuthenticationMethod)

# Get the Object ID of your FIDO2 Security Key policy (usually only one) $fido2Policy = Get-MgPolicyAuthenticationMethodPolicy -Filter "Fido2SecurityKey" | Select-Object -First 1

# Get the Group ID of the Entra ID group you want to target $groupId = (Get-MgGroup -Filter "DisplayName eq 'FIDO2 Pilot Users'" | Select-Object -First 1).Id

# Create the targets array $newTargets = @( @{ "id" = $groupId "targetType" = "group" "is " = $true "authenticationMode" = "any" # "any" allows both passwordless and second factor } )

# Update the FIDO2 policy to include the new target group # Note: This will overwrite existing targets, so retrieve, modify, then update or use a more specific PATCH if available for targets # For a simple addition, you'd typically get the current targets and append. This example shows a full replacement. $fido2Policy.AllowedTarget = @{ "targets" = $newTargets }

Update-MgPolicyAuthenticationMethodPolicy -AuthenticationMethodPolicyId $fido2Policy.Id -Body $fido2Policy Write-Host "Updated FIDO2 Security Key policy to target group with ID: $groupId" ```

Example configuration

Below is an example JSON snippet representing a FIDO2 Security Key authentication method policy in Microsoft Entra ID. This configuration enables FIDO2 for a specific group, requires attestation, and restricts usage to only AAGUIDs (Authenticator Attestation GUIDs) from specific vendors, enhancing security by ensuring keys come from trusted manufacturers.

{
  "id": "Fido2SecurityKey",
  "state": "enabled",
  "displayInternalName": "FIDO2 Security Key",
  "description": "FIDO2 Security Key policy for passwordless authentication.",
  "fido2Configuration": {
    "keyRestrictions": {
      "is  ": true,
      "enforceAttestation": true,
      "attestationLevels": [
        "basic",
        "strict"
      ],
      "aaguidRestrictions": [
        "1d720516-24a6-455b-8012-70b1542f567b",             // YubiKey Bio FIDO2
        "8ac0c8b3-3da3-4318-9774-854747385d38",             // Microsoft Security Key by Feitian
        "615fbd84-a15d-425f-bb54-1b32d2e1c313"              // Google Titan Security Key
      ]
    },
    "allowedTarget": {
        "targets": [
            {
                "id": "a1b2c3d4-e5f6-7890-1234-567890abcdef", // Example Group ID for 'Passwordless Users'
                "targetType": "group",
                "is       ": true,
                "authenticationMode": "passwordless"          // Users in this group can only use FIDO2 for primary auth
            }
        ]
    }
  }
}

Common pitfalls

• Lack of User Education: Users may be unfamiliar with FIDO2 keys or the concept of WHfB. Proper communication and training are crucial for adoption.
• Incomplete Policy Assignment: Forgetting to assign necessary Intune policies for WHfB or Entra ID authentication method policies to the correct user or device groups.
• Device Readiness: Not all devices are created equal. Older devices may lack TPM 2.0 or compatible biometric sensors required for optimal WHfB functionality.
• FIDO2 Key Inventory Management: Organizations need a strategy for provisioning, managing, and revoking FIDO2 keys, including handling lost or stolen keys.
• Excluding Emergency Access Accounts: Always maintain a separate, highly secure break-glass account that does not rely on passwordless methods, in case of a service outage or misconfiguration.
• Browser/Application Compatibility: While widely supported, some legacy applications or browsers might not fully support WebAuthn/FIDO2, requiring a fallback authentication method.

Best practices

• Phased Rollout: Implement passwordless in phases, starting with a pilot group, then expanding to departmental or role-based groups before a wider rollout. This allows for feedback and refinement.
• Strong Documentation and Support: Provide clear, concise documentation for users on how to register and use their passwordless credentials. Ensure helpdesk staff are trained to support passwordless scenarios.
• Enforce Strong Policy Settings: For FIDO2, enforce attestation and restrict AAGUIDs to known, trusted vendors. For WHfB, require TPM and set strong PIN policies. This aligns with the Zero Trust principle of "assume breach" and "verify explicitly."
• Combine WHfB and FIDO2: Encourage users to enroll in both. WHfB provides a seamless experience for device login, while FIDO2 keys offer an excellent portable, phishing-resistant option for shared devices or as a backup.
• Monitor Authentication Reports: Regularly review Entra ID sign-in logs and authentication method reports to track adoption, identify issues, and monitor for suspicious activity.
• Conditional Access Integration: Leverage Entra ID Conditional Access policies to enforce specific requirements (e.g., requiring FIDO2 for access to critical applications) in conjunction with your passwordless strategy, adhering to the Microsoft Cloud Adoption Framework's governance principles.

Further reading

• Plan a passwordless authentication deployment in Azure Active Directory
• Windows Hello for Business documentation
• FIDO2 authentication with Azure Active Directory
• Zero Trust guidance center