
FIDO2 Magic: Using the Offpad with Microsoft 365

Discover the Offpad: Your Keycard to Password-Free Cybersecurity! This blog post will dive into the revolutionary Offpad – a device that eliminates the need for passwords, two-factor authentication, face scans, or verification codes. Compatible with Microsoft 365 and other platforms supporting FIDO2 security keys, the Offpad offers a seamless login experience with just a touch of your finger. Join me as I unbox and explore how to set up, pair, and jump into using the Offpad with Microsoft 365.


The Background

Last year, I came across an article in the Norwegian magazine Teknisk Ukeblad (4/2023), where they presented the Offpad, a device that aims to eliminate passwords and traditional multi-factor authentication methods using biometric fingerprint recognition and asymmetric cryptography. This caught my interest, so I contacted the company for more information. I got an inspiring product presentation from Trond Hagen. After the call, he was kind enough to send me a device for testing. Join me as I unbox and test using the Offpad with Microsoft 365.

The Offpad Device

Offpad is a thin card that fits in a wallet or cardholder. It has a fingerprint reader from IDEX, a glass-free electrophoretic display from Plastic Logic, a rechargeable Li-ion battery, a secure element from Infineon, and a processor. The screen and processor make this product stand out from other FIDO2 passkey devices in the FIDO alliance.

The battery is charged through a standard wireless charger and is expected to last for three weeks. It communicates with other devices via Bluetooth or NFC. The Offpad follows the FIDO2 standard and generates a private and public key pair for each service the user registers with. The private key is securely stored on the Offpad. The user can authenticate themselves by placing their finger on the card and confirming the service on the screen. Today, there is support for three fingers managed through a device management app for Windows.

Offpad, designed and manufactured in Scandinavia, offers higher security and convenience than traditional passwords and multi-factor authentication methods, as it does not require the user to remember or enter any codes. It protects the user from phishing and replay attacks, as the private key never leaves the card. When not in use, the card goes to deep protective sleep. Offpad can also be used as an access card with NFC.
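
To illustrate the per-service key pair and the phishing and replay protection described above, here is an added example (not from the original post and not Pone Biometrics code): a simplified JavaScript model of FIDO2 registration and sign-in. The class names, the `login.example.test` domain and the flat message layout are assumptions; real WebAuthn/CTAP2 messages carry more fields.

```javascript
// Simplified model of FIDO2 registration and sign-in (added example, not Offpad code).
// Assumption: flat message layout; real WebAuthn/CTAP2 adds CBOR, counters, attestation.
const nodeCrypto = require('crypto');
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest();
// Hypothetical device-bound authenticator: one key pair per relying party (rpId).
class Authenticator {
  constructor() { this.keys = new Map(); }  // private keys never leave this object
  register(rpId) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
    this.keys.set(rpId, privateKey);
    return publicKey;                        // only the public key is handed out
  }
  // The browser derives rpId from the page's origin; the page cannot pick it freely.
  sign(rpId, challenge) {
    const key = this.keys.get(rpId);
    if (!key) return null;                   // no credential scoped to this site
    return nodeCrypto.sign('sha256', Buffer.concat([sha256(rpId), challenge]), key);
  }
}
// Hypothetical relying party: keeps the public key and issues one-time challenges.
class RelyingParty {
  constructor(rpId) { this.rpId = rpId; this.publicKey = null; this.pending = new Set(); }
  newChallenge() {
    const c = nodeCrypto.randomBytes(32);
    this.pending.add(c.toString('hex'));
    return c;
  }
  verify(challenge, signature) {
    // Each challenge is accepted once, so a captured response cannot be replayed.
    if (!signature || !this.pending.delete(challenge.toString('hex'))) return false;
    const data = Buffer.concat([sha256(this.rpId), challenge]);
    return nodeCrypto.verify('sha256', data, this.publicKey, signature);
  }
}

function demo() {
  const card = new Authenticator();
  const rp = new RelyingParty('login.example.test');  // constructed domain
  rp.publicKey = card.register(rp.rpId);
  const c1 = rp.newChallenge();
  const sig = card.sign(rp.rpId, c1);
  const firstUse = rp.verify(c1, sig);   // genuine sign-in
  const replayed = rp.verify(c1, sig);   // same response presented again
  const c2 = rp.newChallenge();          // challenge relayed through a look-alike origin
  const phished = rp.verify(c2, card.sign('login.example-test.invalid', c2));
  return { firstUse, replayed, phished };
}
console.log(demo());
```

Only the first verification succeeds: the replayed response fails because its challenge has already been consumed, and the look-alike origin gets no usable signature because no credential is scoped to it.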

Device-Bound Passkey

Offpad is classed as a device-bound passkey, the same as the keys from Yubico and Feitian, meaning the key never leaves the device. There is always a tension between security and user-friendliness, and this applies here as well. My friend Jan Bakker articulates the concerns between device-bound and synced passkeys well in the following tweet/X:

The trade-offs here can be like a double-edged sword.

Credit Card Form VS USB Key Form

Offpad adopts an exciting form factor to enhance security compared to other device-bound passkeys. While traditional keys are typically designed to be attached to keychains, Offpad’s credit-card-sized form factor stands out. Nowadays, carrying physical keys is becoming less common in our society.

People don’t tend to carry a bunch of traditional keys anymore – we need a FIDO device for our wallet.

Offpad’s slim design fits well in a wallet alongside credit cards or even alongside a work access card. According to Trond Peder, efforts are underway to integrate Offpad as a combined access card for such systems.

How many of you have been locked out from work
because your FIDO key or keycard was left at home?

I often see access cards combined with identity cards. 💡Could it be a great idea to provide skins for the Offpad to give it company branding? That way, we could get a combined FIDO2 device, a building access card, and a company ID card.

Unboxing

Let’s unbox and take a closer look at the Offpad. The Offpad came in a pleasant and minimalistic packaging:

The inside of the box holds the Offpad device and a QR code pointing to the starting instructions found at https://ponebiometrics.com/offpad/start

Besides the Offpad, I also got a wireless fast charger and a retractable lanyard with a cardholder.

The following picture shows how thin the Offpad is compared to a traditional credit card to the right and a FIDO2 bio-key from Feitian to the left.

The Offpad compared to three other FIDO2 keys from Feitian and Yubico.

Connecting the charger plate to the power grid and placing the Offpad on it initiates wireless charging.

I find the form factor exciting, as it will fit in my wallet, on a cardholder on my phone, or next to my keycard using the necklace.

We have unboxed the product. Let’s move on and get the Offpad onboard!

Onboarding The Offpad

The official guide for getting started is simple and well-written, just as the device seems to be.

Power On The Offpad

The Offpad device remains off and inactive until activated for authentication. This minimizes potential attack points and optimizes power usage for efficiency. I’m starting by powering on the Offpad. There is a small power button next to the fingerprint reader.

The Offpad boots, and the display is now lit up.

Add The First Fingerprint

The Offpad prompts me to add the first fingerprint. The screen guides me through presenting my chosen finger five times.

When the process is completed, the Offpad shuts down automatically.

Offpad Device Manager

I was now guided through installing the Offpad Device Manager from the Microsoft Store on Windows.

The download came as an EXE file. Installing it therefore requires local admin access on your device, or you should package the application and distribute it through Microsoft Intune.

Once installed, I could start the app and scan for Offpads.

The application gives instructions for the pairing process.

By holding the power button for 3 seconds, my Offpad goes to pairing mode.

Offpad Device Manager now discovers the Offpad, and I can select to pair them.

My Offpad displays a PIN, which I confirm in the Device Manager.

This results in a successful pairing.

The device is now listed within the Device Manager, and the display of the device says Connected.

Let’s see how the Device Manager can manage my Offpad.

Offpad Management

When clicking Manage on my Offpad, I must create a PIN code for the device.

I now get to a page showing technical details about my Offpad, such as the Firmware version, model, build number, FIDO versions, etc.

I can add, manage, and rename up to three fingerprints through the menu on the left side. Please note that the device will get slower with each finger added.

The Credentials menu requires me to present one of the registered fingers before accessing the content.

Once authenticated, the Device Manager gives info on which credentials are stored on the device for this finger.

I have onboarded myself to my Offpad, and now I am ready for the real deal – to use it for authentication!

Using the Offpad with Microsoft 365

The Offpad can be used to log in to any service that supports FIDO2. As a Microsoft 365 consultant, I am eager to have my Offpad included in my strong authentication strategies.

Register Offpad As FIDO2

To start using Offpad for authentication, I must register it as a FIDO2 security key for my Microsoft work account. This is just as simple as adding any other FIDO2 key but with some variations related to the fact this is using wireless protocols.

I begin by navigating to aka.ms/mfasetup where I select to add a Security key as a sign-in method.

In previous blog posts covering FIDO2 keys, I have used USB devices. The Offpad device can utilize Bluetooth Low Energy (BLE), but Microsoft 365 hasn’t included BLE as a selectable option for Security Keys. Therefore, I will opt for the NFC option. I power on the Offpad before clicking Next.

Select to use a Security key and click Ok in the following two windows displayed.

Ensure the Offpad is still turned on. You will see the name of the service being authenticated while the application asks you to touch the fingerprint sensor on the security key (the Offpad).

The final step is to give the Offpad a familiar name to be seen among your sign-in methods.

The routine finishes by sending you to the Security Info page.

The Offpad is now listed as a security key; you can identify it by name.

Check Credentials Onboarded Using Offpad Device Manager

Looking at the Credentials blade in the Offpad Device Manager, I can list the newly added relying party. I can get more information about the account by clicking the Edit button.

In the Edit view, I can rename or remove the credential set from the key.

I love this kind of insight, which I miss from other FIDO2 brands❤️

Sign-In Using the Offpad with Microsoft 365 Portal

By navigating to portal.office.com on my Windows device, I can now sign in using the Offpad device.

As seen above, I could sign in with a security key by selecting the Sign-in option. The key was detected when powering on the Offpad, and I could touch the fingerprint sensor to sign in.

This is now a strong authentication method without providing a username or password.

Sign-In To Windows Using the Offpad

Intune Configuration for Security Key Signin

Windows devices managed through Microsoft Intune can be prepared to let users sign in to Windows with FIDO keys. The following configuration in a device configuration profile based on the Settings Catalog will allow a security key like the Offpad to sign in to Windows.

Use Security Key For Signin: Enabled

This is a practical way of using the Offpad with Microsoft 365! You can read more details about this in my previous blog, Five Approaches For Local Admin Access.

Sign In To Windows Using Offpad

At the login screen for Windows, I can now select the FIDO Security Option in Windows. Since I already have Windows Hello for Business configured with facial recognition, I needed to cover my camera to pilot the option to sign in with Offpad or any other FIDO2 key.

Now I must turn on my Offpad and let it connect to my computer.

Next, I am asked to touch the fingerprint sensor on the Offpad to sign in to Windows. The display on the Offpad informs about the sign-in to login.microsoft.com.


This way, I signed in to Windows using strong authentication from my Offpad device. No password provided!

Using Offpad on macOS

At present, Apple does not enable the use of FIDO2 to log into the macOS computer itself. This means users cannot employ FIDO2 for authentication directly on their Mac systems, regardless of whether it is an Offpad or another brand.

Furthermore, there are specific limitations regarding the compatibility of FIDO2 features when combined with BLE (Bluetooth Low Energy) and NFC (Near Field Communication) on Mac browsers. Currently, BLE functionality is not supported, while NFC is supported exclusively on Safari. Since my MacBook is managed with SSO enabled, I didn’t manage to test this feature.

However, USB FIDO authentication is universally supported across all browsers. Offpad will introduce USB compatibility in its upcoming version by introducing a new type of cardholder. I have received the following preview picture of such a cardholder.

With the introduction of USB support, I suppose the device will have the same compatibility as other USB-based FIDO2 keys. Mixing this with the announced Microsoft Platform SSO for macOS might be a relief for using the Offpad to sign in to macOS computers.

Wrapping It All Up

The Offpad is a recent addition to the FIDO2 strong authentication device market. It stands out from competitors due to its unique and exciting technical choices. Let’s compare its strengths and weaknesses using the Offpad with Microsoft 365.

Pros and Cons

The following table summarizes the advantages and disadvantages I observed when I tested using the Offpad with Microsoft 365.

| Pros | Cons |
| --- | --- |
| The form factor is appealing | The battery needs charging for the device to be operative |
| Display informing of the service being authenticated | NFC and BLE might not be supported on all devices and operating systems |
| Device Manager to administer the device | Build quality |
| Biometrics adding extra security | Working temperature from 0ºC |
| Bringing biometrics to all devices supported by the Offpad | Price compared to FIDO2 competitors |
| CPU power onboard opens for new functionality in the future | IP grade protecting for water and dust |
| Can be combined as an access card with biometrics for physical doors | It can take some time from powering on to the connection established with Windows. |
| NFC and BLE | |
| Deep sleep protected when not in use | |
| | Offpad Device Manager needs admin privileges to run |
| Complies with the highest security standards | |
| Strong unphishable authentication! | |

A Product Future-Proofing Authentication and Security?

Pone Biometrics is a member of the FIDO Alliance, and they are collaborating with Oxford-based PQShield, experts in quantum-safe cryptography, to fortify their Offpad against the power of quantum computers. They are currently developing a demo to test against future quantum threats, with plans to upgrade their code for quantum-safe authentication services. Recognizing the looming threat quantum computing poses, Pone Biometrics aims to bolster its encryption against potential breaches. While current quantum computers can’t crack encrypted data in transit, the risk of future decryption looms, prompting the development of new cryptographic applications with PQShield to safeguard against impending quantum capabilities.

Conclusion

In conclusion, the demand for phishing-resistant authentication methods will surge as quantum computers advance. Traditional MFA approaches will become vulnerable, emphasizing the need for solutions like FIDO keys such as the Offpad. These keys will be crucial in ensuring robust security in the face of evolving technological threats and safeguarding sensitive information in the digital age.

If you are into the keycard/credit-card/id-card design, you should examine using the Offpad with Microsoft 365. When I first contacted them, their product wasn’t on the market. But now, you can grab it straight from their website. I’m excited to see where this Scandinavian gem goes next!
