Educause Security Discussion mailing list archives
Re: FIDO2 keys and MFA
From: Blake M Bourgeois <bbour53 () LSU EDU>
Date: Tue, 12 May 2020 16:32:27 +0000
Just wanted to note, my current understanding is that FIDO2 keys do not work like a traditional MFA method for Azure AD at this time and may not be a fully suitable compromise. (If I'm incorrect, please let me know - this would be something great to be incorrect about!)

If you're using the enhanced security info portal (combined registration for MFA and SSPR) you can provide self-service FIDO2 enrollment by adding it as an authentication method. A FIDO2 key will provide certificate-based passwordless authentication for users and will satisfy MFA requirements, but is not available as a verification method at sign-in, per se.

Depending on how you're configuring MFA enrollment, it is worth noting that the first time a user goes to the security info registration page, a FIDO2 key cannot be configured. Users must configure an app or phone call, depending on what you have enabled in your environment.

Also, right now in my experience, the FIDO2 key is only available for passwordless authentication in very limited, browser-based contexts. It's not available for desktop applications (Outlook, Teams) and it's not available on mobile.

I only have experience with a Yubikey, but it is possible to use the Yubico Authenticator and the Yubikey to enroll as an app that generates the 6-digit OTP verification code. The code can be pulled up on any device with the Yubico Authenticator (for example, I can plug in my key to my desktop and open the app to view any enrolled OTP codes, then tap the key to my NFC-enabled phone and view the codes there, as well). You can use this method to allow security tokens to fulfill MFA login requirements in all contexts, desktop and mobile, and it may be the only way to enroll in traditional MFA before the user can access the full-featured registration portal after initial enrollment.
Blake Bourgeois, GCED, CISSP
Security Analyst 3, IT Security and Policy
Information Technology Services
Louisiana State University
Office 225-578-1218
bbour53 () lsu edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Beth Albertson
Sent: Monday, May 11, 2020 8:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FIDO2 keys and MFA

We are in the process of implementing Azure MFA for our staff and students. We have a small percentage of students without smartphones, and would like to offer them the option of using a FIDO2 key. I was wondering if other universities are using FIDO2 keys, and if so, who is picking up the cost? Are students expected to buy their own device? Also, we, like most universities, are all online during the Covid crisis, so it seems we would have to mail the FIDO2 keys to users if we pick up the cost.

Thank you in advance for any information you can provide.

Sincerely,
Beth Albertson, CISSP(r), PMP(r)
Director of Information Security
Western Washington University
beth.albertson () wwu edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- FIDO2 keys and MFA Beth Albertson (May 11)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Ravi Kotecha (May 12)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Tomassetti, Tina (May 12)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Telfer, Will (May 12)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Garrett McManaway (May 12)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Beth Albertson (May 12)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Sabo, Eric (May 18)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Tim Cappalli (May 18)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Ravi Kotecha (May 12)