Microsoft announced the public preview of Azure AD support for FIDO2-based passwordless sign-in. With this preview, you can go passwordless using FIDO2 security keys with Azure Active Directory (Azure AD). This release provides seamless, secure, passwordless access to all your Azure AD-connected apps and services.
In addition, Microsoft turned on a new set of admin capabilities in the Azure AD portal that let you manage authentication factors for users and groups in your organization. In this first release, you can use them to manage a staged rollout of passwordless authentication using FIDO2 security keys and/or the Microsoft Authenticator app. Microsoft states that going forward it will add the ability to manage all the traditional authentication factors (Multi-Factor Authentication (MFA), OATH tokens, phone number sign-in, etc.); the goal is a single tool for managing all your authentication factors.
Microsoft states that every day more of its customers move to cloud services and applications, but passwords are no longer an effective security mechanism: according to industry analysts cited by Microsoft, 81 percent of successful cyberattacks begin with a compromised username and password. Additionally, traditional MFA, while very effective, can be hard to use and has a very low adoption rate. Microsoft says it is clear that customers need authentication options that are both secure and easy to use, so they can access information without worrying about attackers taking over their accounts. This is where passwordless authentication comes in.
Microsoft believes it will help to significantly and permanently reduce the risk of account compromise.
With this public preview, all Azure AD users can sign in password-free using a FIDO2 security key, the Microsoft Authenticator app, or Windows Hello. These strong authentication factors are built on the same public key/private key cryptography standards and protocols, and are protected by a biometric factor (fingerprint or facial recognition) or a PIN. The user applies the biometric factor or PIN to unlock the private key stored securely on the device; that key is then used to prove the identity of the user and the device to the service.
YubiKeys compatible with FIDO2:
OTP + U2F + CCID
USB-A Small Form