
The Secret Weapon for Strong Authentication: FIDO Keys with Biometrics

Today I want to share a secret weapon that makes your online accounts far harder to break into: FIDO keys with biometrics. Sounds fancy, right? Well, it is. It’s also easy and convenient to use!

Background

I recently covered how to Hack Your Security with One Trick: Strong Authentication. That post introduced the FIDO key and how it can be used for strong authentication in Microsoft Azure.

Now I want to up the game even more by adding biometrics. If you’re looking for a way to protect your online accounts from hackers, phishing, and identity theft, you might want to consider using a FIDO key with biometrics. This device provides strong authentication for your online services without typing passwords or one-time codes. In this blog post, I’ll explain what a FIDO key is, how it works, and why it’s a secret weapon for security and convenience.

The Key To The Highway

A FIDO key is a small device that plugs into your computer or smartphone via USB, or talks to it over NFC or Bluetooth. Signing in requires the key itself (something you have) plus a local user verification on the key: either a PIN code (something you know) or your biometrics (something you are). With FIDO2 passwordless sign-in the key is therefore a complete multifactor credential on its own, not just a second factor next to a password.

The fingerprint is bound to you and never leaves the key, and the same goes for the private key the device signs with. Each signature is also tied to the website’s origin, so even if someone steals your password or tricks you into entering it on a fake website, they cannot log in without your FIDO key and your finger, and a phishing page cannot reuse what the key signs. Nor can a thief use a stolen key on its own, since they lack the PIN or fingerprint needed to unlock it. The key to the highway is as safe as it gets: sweet music for security!

Biometrics To The Rescue

Biometrics are physical or behavioral characteristics unique to you, such as your fingerprint, face, voice, or iris. They are used to verify your identity and prevent unauthorized access. A FIDO key with biometrics has a built-in sensor that scans your fingerprint and matches it against the template stored on the device. This adds an extra layer of security and convenience, as you don’t need to remember or type any username or password. Your biometric data is stored only on your FIDO key and never leaves it; the website only ever sees a signature. This adds another level to the strong authentication described earlier.

⚙️FIDO stands for Fast IDentity Online, a set of standards that enable secure and interoperable authentication across different platforms and services.
⚙️FIDO keys are compatible with hundreds of websites and apps supporting FIDO authentication, such as Microsoft Azure, Google, Facebook, Twitter, Dropbox, and more.
⚙️You can use the same FIDO key for multiple accounts and don’t need to create or manage any passwords.

FIDO keys with biometrics are a secret weapon for strong authentication because they offer several benefits over other methods:

  • They are easy to use.
    • You plug in your FIDO key, scan your fingerprint, and you’re done.
    • No need to enter any usernames, codes, or passwords.
  • They are secure.
    • They protect you from phishing and man-in-the-middle attacks, because each signature is bound to the genuine site’s origin, and the private key cannot be copied off the device by malware.
    • They use public-key cryptography and store your biometric data locally on the device.
    • They don’t share any personal information with the websites or apps you use.
  • They are convenient.
    • You don’t need to carry around multiple devices or remember multiple passwords.
    • You can use the same FIDO key for different accounts and services.
  • They are future-proof.
    • They support the latest FIDO standards and protocols.
    • They can work with new devices and technologies that may emerge.

The Variety of FIDO Keys With Biometrics

If you want to experience the benefits of FIDO keys with biometrics, you can get one from various vendors and manufacturers. Some of the best known are the YubiKey Bio, the SoloKey V2, and the Feitian BioPass; I will use the Feitian BioPass in this post.

I have a Feitian BioPass K49, which lets me take my sign-in security another step up. This key uses biometric technology to enable passwordless and multifactor authentication.

Comparison of two Feitian keys. Left to right: K49 and K40 front, K49 and K40 back.

The K49 has a fingerprint module that stops a stolen key from being used, and a security chip that stores the fingerprint template encrypted on the key itself. The key supports the FIDO U2F and FIDO2 standards and is listed among Microsoft’s compatible FIDO2 security keys. That makes it a perfect FIDO2 key for the use cases I target.

Implement The Strongest Authentication

My previous post covered several ways to secure different workloads using FIDO keys. Start there to get FIDO2 security keys enabled as an authentication method in your tenant. It also shows how to move your regular users to secure MFA methods such as Microsoft Authenticator and Windows Hello for Business, while privileged roles and accounts are forced to use strong authentication methods like FIDO2 security keys. With biometrics, that last tier can now be raised one level further.

Onboard FIDO Keys with Biometrics

To add the biometric key as a sign-in method for a user, I start at mysignins.microsoft.com and add a security key as a new sign-in method.

This follows the routine described in my earlier blog post and gives me a security key protected by a PIN code.

Add Fingerprint To The Feitian Key

To set fingerprint protection on the FIDO2 key, I use the BioPass FIDO2 Manager downloaded from the FEITIAN Resources webpage.

Starting the FIDO2 Manager discovers my FEITIAN K49 key and lets me add a fingerprint. I first have to enter the key’s PIN before I can scan my finger; the PIN unlocks the key’s management functions, so fingerprint enrollment is never possible without it.

It is possible to add multiple fingers to the key.

Test Login Using FIDO Keys With Biometrics

I am now able to use this key to sign in to portal.azure.com without typing any user credentials or PIN codes.

If I present the wrong finger, the key shows a red light. When I present the correct finger, the key shows a green light, and I get signed in. If I fail to give the correct fingerprint, the key falls back to the PIN code prompt.

In a twist of fate, my trusty PIN code proved to be the lifesaver, granting me access when my injured finger couldn’t unlock my biometric key 🤕.

Force Strong Authentication With Biometrics

My previous blog post dove deep into the possibilities for forcing strong authentication for sensitive operations. I will now explore whether I can force the use of biometrics for some workloads.

New Authentication Strength for FIDO keys with Biometrics

I will start by creating a new authentication strength.

Unfortunately, I cannot select biometrics directly as a multifactor authentication method: an authentication strength can restrict which FIDO2 key models are accepted, but not how the user is verified on the key. As described in my previous post, the way to restrict key models is to add the AAGUIDs of the allowed FIDO2 keys. I will add the AAGUID for the FEITIAN K49 type, so that only this biometric-capable model is accepted.

By requiring the new authentication strength in a conditional access policy, I enforce the use of a FIDO2 key model that has the biometric capability. Keep in mind that the AAGUID is a model identifier the key reports when it is registered, so the restriction is only as trustworthy as the key’s attestation; keep attestation enforcement turned on in the FIDO2 authentication method settings.

Please ensure your break glass account is excluded from the policy, and that you can still sign in with it, when testing changes like these!
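The same three portal steps can be driven through the Microsoft Graph API. The block below is an added example, not code from the original post or from Microsoft: it builds the request bodies for an authentication strength that allows only the fido2 combination, the fido2CombinationConfiguration that restricts it to a list of AAGUIDs, and a conditional access policy that requires that strength for a privileged group while excluding a break glass group. The AAGUID and the group ids are placeholders (take the real AAGUID from the vendor or the FIDO Metadata Service), the bearer token is assumed to have been obtained separately with the Policy.ReadWrite.ConditionalAccess permission, and the policy is created in report-only mode so nothing is enforced until you change its state.

```python
# Added example, not the post's own code: drive the Entra portal steps above
# through Microsoft Graph v1.0. Placeholders are marked; nothing is sent at import time.
import json
import os
import re
import urllib.request
from typing import Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"

# An AAGUID is a 128-bit identifier written as a lowercase UUID.
AAGUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# PLACEHOLDERS (assumptions, not values from the post). Use the real K49 AAGUID
# from Feitian or the FIDO Metadata Service, and your own group object ids.
K49_AAGUID_PLACEHOLDER = "12345678-1234-5678-1234-567812345678"
PRIVILEGED_GROUP_PLACEHOLDER = "11111111-1111-1111-1111-111111111111"
BREAK_GLASS_GROUP_PLACEHOLDER = "22222222-2222-2222-2222-222222222222"


def authentication_strength_body(name: str) -> Dict:
    """Custom authentication strength that accepts only FIDO2 security keys."""
    return {
        "displayName": name,
        "description": "FIDO2 security keys restricted to biometric models",
        "allowedCombinations": ["fido2"],
    }


def fido2_combination_body(aaguids: List[str]) -> Dict:
    """Restrict the fido2 combination to specific key models.

    A malformed AAGUID raises here, so a typo fails before it can lock anyone out.
    """
    normalised = []
    for aaguid in aaguids:
        aaguid = aaguid.strip().lower()
        if not AAGUID_RE.match(aaguid):
            raise ValueError(f"not an AAGUID: {aaguid!r}")
        normalised.append(aaguid)
    if not normalised:
        raise ValueError("at least one AAGUID is required")
    return {
        "@odata.type": "#microsoft.graph.fido2CombinationConfiguration",
        "appliesToCombinations": ["fido2"],
        "allowedAAGUIDs": normalised,
    }


def conditional_access_body(name: str, strength_id: str, include_group: str,
                            exclude_group: Optional[str] = None) -> Dict:
    """CA policy requiring the strength for one group, created in report-only mode.
    The break glass group is excluded so it can never be locked out by this policy."""
    users: Dict = {"includeGroups": [include_group]}
    if exclude_group:
        users["excludeGroups"] = [exclude_group]
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": users,
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": strength_id}},
    }


def graph_post(token: str, path: str, body: Dict) -> Dict:
    """POST a JSON body to Graph and return the parsed response."""
    req = urllib.request.Request(
        GRAPH + path,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def deploy(token: str, aaguids: List[str], include_group: str, exclude_group: str) -> str:
    """Create strength, attach the AAGUID restriction, then the CA policy; returns the policy id."""
    strength = graph_post(token, "/policies/authenticationStrengthPolicies",
                          authentication_strength_body("FIDO2 biometric keys"))
    graph_post(token, f"/policies/authenticationStrengthPolicies/{strength['id']}/combinationConfigurations",
               fido2_combination_body(aaguids))
    policy = graph_post(token, "/identity/conditionalAccess/policies",
                        conditional_access_body("Require biometric FIDO2 key for privileged roles",
                                                strength["id"], include_group, exclude_group))
    return policy["id"]


if __name__ == "__main__":
    # Token acquisition is out of scope; GRAPH_TOKEN is assumed to hold a bearer token.
    print(deploy(os.environ["GRAPH_TOKEN"], [K49_AAGUID_PLACEHOLDER],
                 PRIVILEGED_GROUP_PLACEHOLDER, BREAK_GLASS_GROUP_PLACEHOLDER))
```

Review the sign-in logs in report-only mode, confirm the K40 would be denied and the K49 accepted, and only then switch the policy state to enabled.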

Testing Authentication Strength With Biometrics

When signing in to the Azure Portal, I select a security key, and I can sign in using my FEITIAN K49 key and my fingerprint. I do not provide any username, password, or PIN code, just the FEITIAN key and my fingerprint.

I get denied access if I use my other FEITIAN K40 key without the biometric options.

To make sure the security measures are top-notch, I’m not accepting this FIDO2 key with biometrics at face value. I’m running additional tests to make sure nobody can waltz in and grab the whole enchilada without putting in the effort the policy is supposed to demand.

The PIN Code Fallback

I’ve noticed that when I’m not using my FEITIAN K49 FIDO2 key properly, it prompts me to enter the PIN code. This occurs when I fail to use my fingerprint or take too long to authenticate, resulting in a timeout.

After entering my PIN code, the FIDO2 key works with any finger touching the key: it only checks for user presence, not for my registered fingerprint. The fallback is still strong authentication, the same as with any other FIDO2 key (PIN plus a touch of the key). This time, though, it is a drawback, because it prevents me from locking the feature exclusively to biometric authentication as intended. The service cannot tell the difference either: the assertion the key returns carries a single user-verified flag that is set the same way whether the verification was a fingerprint match or the PIN, so Entra has nothing to check against.
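To see why the PIN fallback is invisible to Entra, here is an added example (not from the original post) that parses the authenticatorData structure a FIDO2 key returns. At registration it carries the AAGUID that the authentication strength filters on; at sign-in it carries only a flags byte whose user-verified bit is set identically for a fingerprint match and for a PIN entry. The byte strings are constructed for the example, the RP ID is assumed, and the AAGUID in them is a placeholder, not the K49’s.

```python
# Added example, not the post's own code: decode WebAuthn authenticatorData.
# Layout (WebAuthn "Authenticator Data"):
#   rpIdHash (32) | flags (1) | signCount (4, big-endian)
#   [attested credential data: aaguid (16) | credentialIdLength (2) | credentialId | COSE key]
import hashlib
import struct
import uuid
from typing import Dict, Optional, Set

FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN *or* on-key fingerprint; no bit says which
FLAG_AT = 0x40  # attested credential data follows (registration only)

# Constructed for this example; a real AAGUID comes from the vendor or FIDO MDS,
# and the RP ID hash is whatever relying party the key was registered with.
AAGUID_PLACEHOLDER = uuid.UUID("12345678-1234-5678-1234-567812345678")
RP_ID_HASH = hashlib.sha256(b"login.microsoft.com").digest()
COSE_KEY_PLACEHOLDER = b"\xa0"  # empty CBOR map standing in for the public key


def parse_authenticator_data(auth_data: bytes) -> Dict:
    """Return the header fields and, for registrations, the AAGUID and credential id."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    flags = auth_data[32]
    parsed: Dict = {
        "rp_id_hash": auth_data[:32].hex(),
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credentialId truncated")
        parsed["credential_id"] = cred_id.hex()
        # The COSE public key follows the credential id; not needed here.
    return parsed


def registration_passes_aaguid_filter(auth_data: bytes, allowed_aaguids: Set[str]) -> bool:
    """What an AAGUID restriction can check: the model reported at registration.
    Only meaningful when the attestation signature over this data is verified."""
    parsed = parse_authenticator_data(auth_data)
    return parsed["aaguid"] is not None and parsed["aaguid"] in allowed_aaguids


def same_verification_evidence(a: bytes, b: bytes) -> bool:
    """True when two assertions give the relying party identical UP/UV evidence."""
    pa, pb = parse_authenticator_data(a), parse_authenticator_data(b)
    return (pa["user_present"], pa["user_verified"]) == (pb["user_present"], pb["user_verified"])


def build_auth_data(flags: int, sign_count: int, aaguid: Optional[uuid.UUID] = None,
                    cred_id: bytes = b"") -> bytes:
    """Assemble authenticatorData for the constructed samples below."""
    if aaguid is not None:
        flags |= FLAG_AT
    data = RP_ID_HASH + bytes([flags]) + struct.pack(">I", sign_count)
    if aaguid is not None:
        data += aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + COSE_KEY_PLACEHOLDER
    return data


# Constructed samples: one registration and three sign-in assertions.
REGISTRATION = build_auth_data(FLAG_UP | FLAG_UV, 0, AAGUID_PLACEHOLDER, bytes(range(16)))
ASSERTION_FINGERPRINT = build_auth_data(FLAG_UP | FLAG_UV, 41)   # finger matched on the key
ASSERTION_PIN_FALLBACK = build_auth_data(FLAG_UP | FLAG_UV, 42)  # PIN entered, then any touch
ASSERTION_TOUCH_ONLY = build_auth_data(FLAG_UP, 43)              # no user verification at all
```

The AAGUID only ever appears in the registration data, which is why the restriction is evaluated against the model recorded when the key was enrolled. The two verified assertions are byte-for-byte identical in their flags; only the touch-only assertion differs, and that is the one case a relying party can reject.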

Wrapping Up

I hoped to find ways to force biometric authentication in Microsoft Entra or with the Feitian FIDO key. However, there is still room for improvement in this area. It would be great if Microsoft could add options to the Entra platform to force biometric authentication. Additionally, it would be helpful if Feitian could provide an opportunity to remove the PIN code from the FIDO2 key, similar to the option to remove the fingerprint.

FIDO keys with biometrics are the secret weapon for ensuring super-strong authentication, helping to keep your online accounts secure and easy to access. Try them out today and see the difference for yourself!

Published in Azure, Endpoint, Microsoft 365, Security
