FIDO 2 security key authentication

testuser7 286 Reputation points
2023-12-14T13:16:31.5733333+00:00

@Rudy Ooms

Has anybody tried to unlock a Windows 10 Azure AD-joined device with a FIDO security key (YubiKey or any other that is inserted into a USB port)?

The condition is that the security key must be a biometric key, the end user must do biometric authentication, and there have to be at least 2 AAD accounts in the security key.

Would like to know how was your experience.

Thanks.


3 answers

  1. testuser7 286 Reputation points
    2023-12-15T14:10:52+00:00

    Thanks @Marilee Turscak-MSFT but you totally missed the point.

    I do not need to know how to set up FIDO2 key authentication. The condition is that there have to be at least 2 AAD accounts in the security key.

    Anyways, I figured it out. You cannot do this authentication properly because the Windows login shell is NOT ready with an account picker. If you have multiple creds in the key for the same tenant, then the Windows login screen will only use the last enrolled credential. I do not know what Microsoft's personal interest is being served by not providing an account picker on the login screen.

    Thanks.


  2. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-12-15T18:57:54.0033333+00:00

    @testuser7 ,

    Thanks for clarifying, and apologies. I did totally miss that part of your question, and Windows does pick the last enrolled account, so this will not work for interactive login.

    Setting up a Windows 10 or Windows 11 Autopilot PC and using the FIDO2 token with multiple identities works. It allows you to choose which identity to use from the FIDO2 key. However, if you take the same token and use it to log on to a Windows 10/11 Azure AD-joined PC, it does not give you an option of which identity to use. It will automatically use the last registered FIDO2 identity on the token.

    This feature change has been requested a few times, though, and I agree with you that it is important. I've resurfaced the feedback with the product team, but there is no ETA for a fix yet. You can also leave feedback in the feedback forum here, where the product team can reply directly: https://feedback.azure.com/


  3. testuser7 286 Reputation points
    2023-12-16T13:47:58.9266667+00:00

    Ok thanks. Let's see when MS blinks.
