How to "clean up" the authentication options with FIDO2 as MFA

Vladyslav Bondarchuk 100 Reputation points
2024-03-19T17:15:59.5333333+00:00

When testing FIDO2 as MFA to sign in, I am seeing all these options that I'd like to simplify as much as possible. I have a security PIN set up for the FIDO2 key, but other than that I want to disable as much as possible and simply be able to enter email / password and authenticate with the security key.


Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2024-03-27T04:43:39.7766667+00:00

    @Vladyslav Bondarchuk

    As you may know, starting from Windows 11 23H2 and 22H2, this is listed as a known issue in the public doc https://learn.microsoft.com/en-us/entra/identity/authentication/fido2-compatibility#known-issues
    The change was introduced via KB5032190: November 14, 2023—KB5032190 (OS Builds 22621.2715 and 22631.2715)
    End users see this unavoidable prompt with passkey in front and have to choose security key below.

    Then, talking about prompts: you mentioned two kinds.

    1. windows security prompt
    2. Browser prompt

    1. For Windows security prompt

    Removing WHFB from the Windows Security prompt

    Disabling the WHFB policy will not remove credentials that are already provisioned. You can remove the credentials for the user via "certutil -deleteHelloContainer".

    Caution: removing WHFB credentials is a destructive operation and there is no way to reverse it. The user needs to provision the WHFB credentials again.

    Removing the security key option from the Windows Security prompt

    There is a registry key in Windows that will remove the security key option at the Windows level, including the lock screen. These are the keys; add either one. You can remove it for testing. This registry change is reversible; it won't destroy credentials stored on FIDO2 keys.

    The commonly used one:

    REG ADD "HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey" /v UseSecurityKeyForSignin /t REG_DWORD /d 1 /f

    I have heard of the one below as an alternative, but never tested it.

    REG ADD "HKLM\SOFTWARE\policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 1 /f

    2. For browser prompt

    Both the WHFB key and the FIDO2 key are treated as WebAuthn redirect-based authentication; that's why it combines both as a single choice there. So at the browser level there is no way to remove just one of the two.

    The good news is that there is an improvement in the pipeline for Chromium-based browsers not to show credential prompts that are not available in the top list, by calling "WebAuthNAuthenticatorGetAssertion" to learn the available credentials.

    I saw a GitHub commit about that call:
    https://github.com/chromium/chromium/commit/6b3db1afad5684c2e186320f1743982a7e38eb04

    Not sure what exact browser version includes those calls; the browser support team might know better than me.
    If you happen to see this corrected in a newer browser version, this would be the reason.

    If this helps, please mark this as an answer.

    Feel free to let me know if you have any queries.

    Thanks
    -Nagappan V
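The accepted answer above hands out two raw REG ADD lines plus an irreversible certutil command. The script below is an added example and is not part of the answer or of any Microsoft tooling: it wraps the same two registry values and the Hello container removal so that a test is recorded, reversible, and cannot delete the Hello container without an explicit confirmation. The registry paths and value names come from the answer; everything else (function names, the backup file, the choice to pass the DWORD in as a parameter rather than hard-code it) is my own assumption. Run the registry functions from an elevated PowerShell session; run the container removal as the affected user.

```powershell
# Added example (not the answer's own code). Backs up, sets and restores the two
# policy values named in the accepted answer so that a sign-in prompt test on a
# Windows client is reversible. The DWORD to write is supplied by the caller.

$SecurityKeyPolicies = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'; Name = 'UseSecurityKeyForSignin' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FIDO';                        Name = 'EnableFIDODeviceLogon' }
)

function Get-SecurityKeyPolicyState {
    # One object per policy value: registry path, value name and the current
    # DWORD, or $null when the key or value does not exist yet.
    foreach ($p in $SecurityKeyPolicies) {
        $current = $null
        if (Test-Path $p.Path) {
            $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.($p.Name) }
        }
        [pscustomobject]@{ Path = $p.Path; Name = $p.Name; Value = $current }
    }
}

function Backup-SecurityKeyPolicy {
    # Record the pre-test state so Restore-SecurityKeyPolicy can undo the change.
    param([Parameter(Mandatory)][string]$BackupFile)
    Get-SecurityKeyPolicyState | ConvertTo-Json | Set-Content -Path $BackupFile -Encoding UTF8
}

function Set-SecurityKeyPolicy {
    # Write the same DWORD to both policy values (the answer says either one
    # can be used; writing both keeps the test unambiguous). Refuses to run
    # without a backup file, which it creates if missing.
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value,
        [Parameter(Mandatory)][string]$BackupFile
    )
    if (-not (Test-Path $BackupFile)) { Backup-SecurityKeyPolicy -BackupFile $BackupFile }
    foreach ($p in $SecurityKeyPolicies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

function Restore-SecurityKeyPolicy {
    # Put every value back exactly as recorded; a value that did not exist
    # before the test is deleted rather than left behind as 0 or 1.
    param([Parameter(Mandatory)][string]$BackupFile)
    $saved = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    foreach ($s in $saved) {
        if ($null -eq $s.Value) {
            if (Test-Path $s.Path) {
                Remove-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
            }
        }
        else {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value ([int]$s.Value) -Force | Out-Null
        }
    }
}

function Remove-HelloContainer {
    # Wraps the destructive command from the answer. ConfirmImpact=High makes
    # PowerShell prompt before running it unless the caller passes -Confirm:$false.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    if ($PSCmdlet.ShouldProcess($env:USERNAME, 'Delete the Windows Hello container (cannot be undone)')) {
        certutil.exe -deleteHelloContainer
    }
}

# Typical test cycle on a lab machine (elevated session):
#   Set-SecurityKeyPolicy -Value 0 -BackupFile 'C:\Temp\securitykey-policy.json'
#   ... sign out, inspect the lock screen and sign-in prompt ...
#   Restore-SecurityKeyPolicy -BackupFile 'C:\Temp\securitykey-policy.json'
# Before changing anything, Get-SecurityKeyPolicyState shows what is set today.
```

Keep the backup file somewhere that survives a sign-out; the restore path is the only record of whether a value existed before the test, which matters when Intune or Group Policy is also writing to these keys and you need to tell your change apart from theirs.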


2 additional answers

  1. Givary-MSFT 32,591 Reputation points Microsoft Employee
    2024-03-20T11:13:20.33+00:00

    @Vladyslav Bondarchuk Thank you for reaching out to us. As I understand it, you would like to have only email / password & FIDO2 as MFA; you don't want any other options to be seen.

    The Authentication methods policy is the recommended way to manage authentication methods, including modern methods like passwordless authentication - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods-manage

    I would recommend reviewing the configuration within Entra for the authentication methods policy, which you can configure (only those options would be available to the end user).

    Enable FIDO2 security key method - https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

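The answer above points at the Authentication methods policy as the place that decides which methods Entra offers. As an added example that is not part of the answer, the script below reads that policy through the Microsoft Graph PowerShell SDK and reports every method that is still enabled besides FIDO2, which is the check to run before blaming the client prompt. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in account can consent to Policy.Read.All, and that the method ids follow the Graph casing (Fido2, MicrosoftAuthenticator, and so on); the function names and the default allow-list are mine.

```powershell
# Added example (not the answer's own code). Audits the tenant-wide
# Authentication methods policy and flags methods enabled beyond an allow-list.
# Requires: Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns.

function Get-EnabledAuthenticationMethods {
    # Returns the configuration id of every method whose State is 'enabled'
    # in the tenant's Authentication methods policy.
    $policy = Get-MgPolicyAuthenticationMethodPolicy
    $policy.AuthenticationMethodConfigurations |
        Where-Object { $_.State -eq 'enabled' } |
        Select-Object -ExpandProperty Id
}

function Test-AllowedAuthenticationMethods {
    # Compares the enabled methods against an allow-list (FIDO2 only by default,
    # matching the goal of the question). -in is case-insensitive in PowerShell,
    # so 'fido2' and 'Fido2' both match.
    param([string[]]$Allowed = @('Fido2'))
    $enabled    = @(Get-EnabledAuthenticationMethods)
    $unexpected = @($enabled | Where-Object { $_ -notin $Allowed })
    [pscustomobject]@{
        Enabled      = $enabled
        Unexpected   = $unexpected
        Fido2Enabled = ('Fido2' -in $enabled)
        Compliant    = ($unexpected.Count -eq 0 -and 'Fido2' -in $enabled)
    }
}

# Read-only scope is enough for the audit; nothing here writes to the policy.
Connect-MgGraph -Scopes 'Policy.Read.All'

$report = Test-AllowedAuthenticationMethods
$report | Format-List

if (-not $report.Compliant) {
    Write-Warning ("Methods enabled beyond the allow-list: " + ($report.Unexpected -join ', '))
}
```

This only tells you what the tenant offers. Per-user targeting (the asker enabled FIDO2 and disabled Authenticator for one account) lives in each method's include and exclude targets, so a tenant-level "enabled" still needs the user to be in scope; and whether the Windows sign-in screen or the browser shows an extra chooser is a client-side question that this report does not answer.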

  2. Vladyslav Bondarchuk 100 Reputation points
    2024-03-21T14:15:22.62+00:00

    Hello @Givary-MSFT ,

    I should have given more details on this.

    At the time the screenshots were made I had the following settings in place:

    1. Under Authentication methods - I disabled Microsoft Authenticator for myself, and enabled FIDO2 security key for myself.
    2. I added my FIDO2 key as a sign-in method in https://mysignins.microsoft.com/security-info

    As you can see in the screenshots, I am given the passkey choice between "Windows Hello or external security key" and "Use a phone, tablet, or security key". I don't want to have options; I want to only have "Windows Hello or external security key" or if possible - automatically bypass it.

    On the next slide, after I choose "Windows Hello or external security key", I have an option of PIN or security key. I'd like to only have an option of the security key. I disabled WHFB through Intune Endpoint Security - Account protection configuration, but it didn't help.

    I hope that gives clarity to what I'm wanting to accomplish.

    Thanks.

