Can I use a Fido2 Key for 2FA with EOP1?

HCHTech

I suspect the answer is "no", but in the meantime, I'll wipe the blood from my forehead and ask here to see if I'm missing something. Basically, when you go into the account security settings after logging in with a browser, and click the "Add sign-in method", a choice for 'USB Key' is not on the list of available choices:


I searched for a place in the tenant to enable USB Keys, but came up empty. It appears you need to be on AzureAD for this, correct?
 
It's probably only for higher-level licenses. I just checked mine, which is E3 via MAPS, and I only have the 4 options you have.
 
I was afraid of that. We have an employee at that client that only uses pay-as-you-go phones, and is standing firm at not wanting to use their personal phone for business purposes. We'll have to resort to telephone, I guess. Ugh.
 
Of course you can. What brand of USB is it?

This video is for YubiKey, but the process is much the same for any key. You use the Authenticator App option and then do it manually.

 
Yeah, I saw that Yubikey video. I'm using a Feitian epass FIDO. The Yubikey uses software running on the local computer, but Feitian's incomprehensible website organization hid their version of that software pretty well. I finally found it this morning (I think), so I'll give it another shot later today.
 
All the keys have to have something. I've seen some key fobs or credit-card keys where you go to the company website and put in the serial number, the username, and the secret code from Microsoft to get the return codes that link up.
 
I don't recall installing any software when I got a few demos of the FIDO keys. They may still have the free demos available.
You have to install something in order for your PC to communicate with the key. A FIDO key is no different than an app. It has a 6-digit key that has to be sent to Microsoft. It just does it internally instead of displaying it on your phone or the LCD of a fob.
 

Tried to scratch up my memory more this morning while I'm pounding coffee, getting ready to drive to Tampa to drop my daughter off at the airport. Looked in my laptop's APPWIZ.CPL and I see no software related to it that was installed. Looked in my downloads folder...couldn't find anything. I believe it's natively supported in recent versions of Windows, and the Hello component of Windows knows how to drive it.

Much like in the old days when I'd set up point-of-sale systems, the "keyboard wedge" connection for a scanner required zero software/drivers installed; you could test those just by opening Notepad and scanning a bar code.

I played with the FIDO key for a week or so, but really don't use it anymore. I have a teeny tiny one and a larger one. I don't see it as practical to recommend to clients, because...if you misplace it, well, it's so easily replaceable. And I see clients just leaving it on their desk or in their computer 24x7...thus bypassing the security. Much prefer the MS Authenticator app's "passwordless" login with the location map enabled.
 
In my case, we're just looking for an alternative to the Authenticator app because the employee doesn't want to use their personal cell phone for this purpose and you cannot force them to do that. So we need another way, that's all. I don't really like it either. Maybe that forces them to upgrade to a higher license for that one person...
 
Yes, it functions as the keyboard, but you still have to configure it once. Just like you have to configure your app. How does M$ know THAT YubiKey is the correct one? So all keys have an app, or you go to their website to get that first-time code, and the key has to be programmed or Microsoft told what the key's UUID (or whatever they call it) is.

As for the end user losing it, that is the client's HR problem, not yours. Lose the key and you get your pay docked to buy a new one. Just like you'd have to pay for a new key to be cut if you lost the keys to the building. You get the first one free, but destroy/lose company property and you get to buy a new one or get fired. I would use YubiKeys that have the button on them you have to push. There are also models that have fingerprint readers.

The other option for @HCHTech's clients is a key fob/credit card that generates the proper 6-digit code.
 

Ahh yes...there's the key. There's a difference between "configuring something" and "downloading/installing something" (refer to your earlier reply to do so). Pairing something to your unique user account is different than installing software. I didn't go to the Microsoft Store to install anything.
 
Then how did you do it? The only way I have been able to pair any hardware device has been with its app or website.
 
Not sure if @HCHTech has a FIDO2 key but if so it requires prep in the Azure portal. See my link.
...which would then only be available if your machine is joined to AzureAD, yes? Almost none of my SMB clients do that, unfortunately, certainly not the ones with EOP1. My handful of bigger clients still use an on-prem DC.
 
Not sure. Everything has some limited Azure AD functions. You could not have ANY multi-factor authentication without it. They used to call it Azure AD Free, but I think they have dropped that name. And I don't think you need the machine joined to AAD for that even on the bigger plans. There is a difference between authentication of the Windows user and the Exchange or full M365 apps.
 
I very tentatively logged into portal.azure.com and enabled the FIDO2 Security Key option for all users using @nlinecomputers' link. I was hoping for the ability to enable it only for the user we need it for, but the only choices are 'all users' and 'specific groups'. I didn't stick around to try and find out where you would define these groups, probably in AzureAD, but I'm not really sure. Since we can't / don't want to use AzureAD, I'm worried about poking this bear, frankly. :-)

Anyway, I see that after that was done, a normal login to portal.office.com and then going to account security shows the Security Key option on the list for 'Add a new method', so that, combined with my locating the Windows software to initialize the key, will probably end in a favorable result. I'm going back onsite tomorrow to try again for the user in question.

I don't think I'm too worried about the user inevitably ending up leaving the key inserted 24/7 - that is still going to protect the account from everything BUT physical access to the machine.
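The 'specific groups' choice mentioned in the post above refers to ordinary Azure AD (now Entra ID) groups, which exist in every M365 tenant whether or not any machine is joined to Azure AD. The script below is an added example, not code from the thread or from Microsoft: it scopes the FIDO2 security-key authentication method to one such group through the Microsoft Graph authentication methods policy instead of enabling it for all users. It assumes the Microsoft.Graph PowerShell module is installed, that the caller can consent to the Policy.ReadWrite.AuthenticationMethod and Group.Read.All scopes, and that a group named 'FIDO2 Key Users' (a placeholder name) has already been created and contains the one employee who needs the key.

```powershell
# Added example: limit FIDO2 security keys to one group rather than 'all users'.
# Assumptions: Microsoft.Graph module installed; an admin account that can grant the scopes
# below; a group named 'FIDO2 Key Users' (placeholder, rename as needed) already exists.

$GroupName = 'FIDO2 Key Users'
$PolicyUri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2'

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'Group.Read.All' -NoWelcome

# Resolve the group and insist on exactly one match, so a typo cannot silently
# leave the method enabled for nobody (or, worse, for the wrong people).
$group = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName'; found $($group.Count). Aborting."
}
$groupId = $group[0].Id

# Read the current configuration first so the change is reviewable before it is made.
$before = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri
$beforeTargets = @($before.includeTargets | ForEach-Object { "$($_.targetType):$($_.id)" }) -join ', '
"Before: state=$($before.state); targets=[$beforeTargets]"

# Replace the include targets with our single group. isRegistrationRequired=$false keeps
# registration optional for the group members; other members of the tenant are unaffected.
$body = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationAllowed = $true
    includeTargets                   = @(
        @{
            targetType             = 'group'
            id                     = $groupId
            isRegistrationRequired = $false
        }
    )
}
Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri -Body $body

# Re-read and verify that the only target is the intended group.
$after = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri
$afterTargets = @($after.includeTargets)
if ($after.state -ne 'enabled' -or $afterTargets.Count -ne 1 -or $afterTargets[0].id -ne $groupId) {
    throw 'FIDO2 policy is not scoped to the expected group; review it in the Entra admin center.'
}
"After: FIDO2 security keys enabled for group '$GroupName' ($groupId) only."
```

Once this has run, only members of that group see 'Security key' under 'Add sign-in method' at portal.office.com; everyone else's list stays as it was. The same policy object also carries the attestation-enforcement and key-restriction settings (allow/block lists by authenticator model), which are left at their tenant defaults here; tightening those is a separate decision, since enforcing attestation can reject a key whose model is not on Microsoft's list.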
 