Windows Hello for Business

testuser7 286 Reputation points
2021-03-11T13:50:47.57+00:00

Hello,

With respect to Password-less initiative, we know that we have 3 OPTIONS when talking about Azure-AD

  • FIDO
  • WHfB
  • Phone-signin

I have one basic architectural question.
When we say WHfB, we are talking about a platform authenticator, i.e., built into the Windows 10 box.

Is this WHfB platform authenticator FIDO 2.0 compliant?

Thanks.


5 answers

  1. AliceYang-MSFT 2,106 Reputation points
    2021-03-12T03:37:10.873+00:00

    Hi,

    WHfB is FIDO2 certified following the Windows 10 May 2019 update. Please see Microsoft Achieves FIDO2 Certification for Windows Hello.

    As to the difference between certified/validated and compliant, please refer to these links
    What is the difference between “FIPS 140 Validated” and “FIPS 140 compliant”?
    FIPS Validated vs FIPS Compliant, What's The Difference?
    FIPS 140-2 Compliance vs Validation & Products vs. Modules vs. Ciphers

    Compliant means that the vendor believes they have followed the FIPS encryption requirements and their product meets the specification.
    Certified means that the product has actually been tested by NIST and issued a certificate number.

    Certified is better than compliant.

    Please note: Information posted in the given links is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. testuser7 286 Reputation points
    2021-03-15T12:15:46.673+00:00

    Thanks @AliceYang-MSFT Appreciate your response.

    Though your response was very helpful with valuable info, I am focusing more on the technical aspect.

    As you clarified that WHfB is a FIDO2 compliant authenticator, is it possible to use this platform authenticator for web sign-in?

    And the second generic point I want to ask is:

    As we know, architecturally FIDO2 creates and stores SCOPED CREDENTIALS
    Meaning if I have a FIDO2 security-key, it can create distinct credentials for different relying parties.
    This scoping is enforced jointly by User Agents (browsers) and authenticators.
    In the context of the WebAuthn API, a relying party identifier is a valid domain string identifying the WebAuthn Relying Party on whose behalf a given registration ceremony is being performed.

    Azure-AD is one relying-party.
    So are the credentials created in the security key separated by every tenant?
    If so, what is the Relying-party-ID (RP-ID) string made up of?
    I believe it cannot be just "login.microsoftonline.com/".

    Thanks.


  3. VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee
    2021-03-16T06:50:41.177+00:00

    @testuser7 Yes, you can use FIDO with web sign-in as well, wherever the web platform supports FIDO keys.
    In general, a credential is data that proves a person’s identity or qualification. This credential is used to authenticate to an online service, also known as a Relying Party (RP).

    FIDO2 uses public-key cryptography to authenticate users. An RP-specific credential key pair, i.e., a private key and a public key, is generated on the authenticator.
    The public key is sent to the RP at registration time. The private key never leaves the authenticator.

    When the user makes the request to log in, the authenticator sends an assertion that proves the user possesses the private key. The RP uses the public key to validate the assertion before allowing the user to log in.
    While adding the keys, the user has the option to name them whatever they want.

    May I know what the business requirement is for knowing "what is the Relying-party-ID (RP-ID) string made up of?"
    The RP ID gets stored in the secure store and is managed by the device itself, but it has the capability to distinguish all the RPs.


  4. testuser7 286 Reputation points
    2021-03-16T12:49:04.89+00:00

    Thanks @VipulSparsh-MSFT

    My ask is as simple as following.

    If I purchase one FIDO2 key (YubiKey) from Amazon to use with my 5 tenants, can I do that?
    More than likely, the answer is YES

    As we are technical people,
    Are the credentials created in the security key separated by every tenant?
    If so, what is the Relying-party-ID (RP-ID) string made up of?
    I believe it cannot be just "login.microsoftonline.com".

    Thanks.


  5. Vinh Dinh 0 Reputation points
    2023-09-28T02:09:52.2733333+00:00

    Hi @testuser7

    This is a bit late, but when registering FIDO2 keys, the Relying Party is just login.microsoft.com
