Educause Security Discussion mailing list archives

Re: FIDO2 keys and MFA


From: Blake M Bourgeois <bbour53 () LSU EDU>
Date: Tue, 12 May 2020 16:32:27 +0000

Just wanted to note, my current understanding is that FIDO2 keys do not work like a traditional MFA method for Azure AD 
at this time and may not be a fully suitable compromise. (If I'm incorrect, please let me know; this would be something 
great to be incorrect about!)

If you're using the enhanced security info portal (combined registration for MFA and SSPR) you can provide self-service 
FIDO2 enrollment by adding it as an authentication method. A FIDO2 key will provide certificate-based passwordless 
authentication for users and will satisfy MFA requirements, but is not available as a verification method at sign-in, 
per se.

Depending on how you're configuring MFA enrollment, it is worth noting that the first time a user goes to the security 
info registration page, a FIDO2 key cannot be configured. Users must configure an app or phone call, depending on what 
you have enabled in your environment.

Also, right now, in my experience, the FIDO2 key is only available for passwordless authentication in very limited, 
browser-based contexts. It's not available for desktop applications (Outlook, Teams) and it's not available on mobile.

I only have experience with a Yubikey, but it is possible to use the Yubico Authenticator and the Yubikey to enroll as 
an app that generates the 6-digit OTP verification code. The code can be pulled up on any device with the Yubico 
Authenticator (for example, I can plug in my key to my desktop and open the app to view any enrolled OTP codes, then 
tap the key to my NFC-enabled phone and view the codes there, as well). You can use this method to allow security 
tokens to fulfill MFA login requirements in all contexts, desktop and mobile, and it may be the only way to enroll in 
traditional MFA before the user can access the full-featured registration portal after initial enrollment.

Blake Bourgeois, GCED, CISSP
Security Analyst 3, IT Security and Policy
Information Technology Services
Louisiana State University
Office 225-578-1218
bbour53 () lsu edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Beth Albertson
Sent: Monday, May 11, 2020 8:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FIDO2 keys and MFA

We are in the process of implementing Azure MFA for our staff and students. We have a small percentage of students 
without smart phones, and would like to offer them the option of using a FIDO2 key. I was wondering if other 
universities are using FIDO2 keys, and if so, who is picking up the cost? Are students expected to buy their own 
device? Also, we, like most universities, are all online during the Covid crisis, so it seems we would have to mail the 
FIDO2 keys to users if we pick up the cost. Thank you in advance for any information you can provide.

Sincerely,

Beth Albertson, CISSP®, PMP®
Director of Information Security
Western Washington University
beth.albertson () wwu edu


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
