Slowly, but surely, the world is moving authentication away from passwords and even from 2FA/MFA. I’ve been meaning to write something about this for a while, and recently the perfect opportunity arose: FEITIAN reached out to me, asking me to review one of their keys, and I thought: “why not now?”
I’m using this opportunity to write a little about MFA interception, and how you can easily protect your Azure AD with FIDO2 keys. Let’s all go passwordless!
Also, I went completely down the rabbit hole trying to figure out why FEITIAN must be SHOUTED in all caps. I tried, but I couldn’t find any reasoning behind it 😊.
Let’s do a quick history lesson, just for fun.
In the beginning there were passwords. We soon discovered they weren’t such a good idea, but hey, it was better than just allowing anonymous access.
Next, we simply added something-you-have to the something-you-know, in the form of a physical device which showed a dynamic (either time- or hash-based) one-time password (OTP). Sure, an OTP fob could be stolen as well, but the risk of both credentials being compromised at the same time was a lot smaller than that of just leaking a password.
All the while, things like phishing attacks were becoming more common (and easier to pull off). The adoption of this MFA-thing really took flight because of it. The industry (like Microsoft, and Google) began musing on just getting rid of passwords as a whole.
Most organizations are still at this point, although passwordless authentication is on the rise.
So why should we use a FIDO2 key?
Well, even though MFA has made us resilient to brute-force attacks, it’s still vulnerable to phishing. Granted, it’s harder to phish an MFA-protected session, but adversary-in-the-middle (AitM) attacks are on the rise and becoming easier to pull off (evilginx2, I’m glaring at you).
In a nutshell, this kind of attack points the user to the expected sign-in screen but tricks them into accessing it via a reverse proxy. As this proxy simply fetches and serves the original pages, they are identical and (besides the URL) there are no red flags for end-users. All traffic to and from the identity provider (IdP) is, however, captured by the attacker, so they have access to usernames, passwords (including OTPs), session cookies, et cetera.
To counter this kind of attack, you can use so-called “phishing resistant authentication methods”. All of them are passwordless solutions, and one of them is a FIDO2 key. The key aspect here is that the stored credential ‘knows’ which hostname(s) can use it. It simply won’t offer it as an authentication option to an unknown hostname, which eliminates this attack vector.
Well, unless the attacker also hijacks your FQDN, in which case you probably should’ve implemented FIDO2 earlier.
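To make the “knows which hostname can use it” part concrete, here is an added example (not code from the original post or from FEITIAN) that models the two WebAuthn checks behind it. The browser only lets a page request credentials for an RP ID that matches the origin it was loaded from, and the relying party checks the origin recorded in the signed clientDataJSON and the SHA-256 of the RP ID at the start of authenticatorData. The hostnames, challenge bytes and the helper function names are constructed for the demo; the public-key signature check of a real assertion is left out so the binding logic stays visible.

```python
"""Added example: why a FIDO2/WebAuthn credential is bound to a hostname.

Two checks defeat the reverse-proxy (AitM) scenario:
  1. Browser side: the RP ID a page asks for must match the origin the page
     was actually loaded from, so a proxy on another hostname cannot ask the
     key for the real site's credential.
  2. Relying-party side: the signed clientDataJSON carries the origin the
     browser saw, and authenticatorData starts with SHA-256(rpId); both must
     match what the RP expects.
All hostnames, challenges and byte strings below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rp_id_allowed(origin: str, rp_id: str) -> bool:
    """Browser-side rule: rp_id must equal the origin's host or be a parent
    domain of it. Simplification: real browsers also consult the Public Suffix
    List so a page cannot claim e.g. 'com'; here we only demand a dot in rp_id."""
    host = urlsplit(origin).hostname or ""
    if host == rp_id:
        return True
    return "." in rp_id and host.endswith("." + rp_id)


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser hands the authenticator to hash and sign over."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> bytes:
    """rpIdHash (32) || flags (1) || signCount (4); flags bit 0 = user present."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_binding(client_data_json: bytes, authenticator_data: bytes,
                   expected_origin: str, expected_rp_id: str,
                   expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks on an assertion. The signature check over
    authenticatorData || SHA-256(clientDataJSON) with the registered public key
    is deliberately left out; it is what makes these fields trustworthy."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay?)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"


def demo() -> dict[str, object]:
    challenge = b"\x42" * 32                             # constructed server nonce
    real_origin, rp_id = "https://login.example.com", "example.com"
    proxy_origin = "https://login.example-proxy.test"   # constructed AitM host

    results: dict[str, object] = {}
    # Legitimate sign-in: page origin and RP ID agree with what the RP expects.
    results["legit"] = verify_binding(make_client_data(real_origin, challenge),
                                      make_authenticator_data(rp_id),
                                      real_origin, rp_id, challenge)
    # A proxy page asking for the real site's RP ID is refused by the browser.
    results["proxy_asks_real_rpid"] = rp_id_allowed(proxy_origin, rp_id)
    # Even if some assertion were relayed, the RP sees the wrong origin.
    results["proxy_forwarded"] = verify_binding(make_client_data(proxy_origin, challenge),
                                                make_authenticator_data("example-proxy.test"),
                                                real_origin, rp_id, challenge)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run it and the legitimate case passes while both proxy cases fail: the browser never lets the proxied page ask the key for the real RP ID, and the relying party rejects anything that was signed for a different origin. This is the property the post relies on, and it is why the hostname check happens in the browser and key rather than being left to the user’s eyes.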
Using a separate key also means that your credentials aren’t tied to a specific device (see: What about PIN-less?), allowing you to use it on other endpoints as well. That property also improves your physical security: you can store (and transport) them separately.
I’m betting that if your device is stolen but your key is still in your pocket, you’re going to sleep a little easier that night.
Introducing the FEITIAN BioPass K49
For this post, I’m using FEITIAN’s new BioPass K49 key, successor to the BioPass K26.
Just to be transparent: although FEITIAN provided this key for free, I’m not being paid for this review and it reflects my personal opinion.
The hardware is (very) good
Both the K26 and K49 are USB-C keys. If you really need something with USB-A, you can consider the K50 or its K45 predecessor. Personally, I just use a USB-C to A adapter, which I carry along anyway.
It seems to be a very durable key. Time will tell, and I will update this post if anything breaks within a year. Its form-factor is nice, and I’m liking the size of it: my house key is actually bigger.
The round fingerprint sensor has a nice feel to it and reminds me of the smooth surface of a FidgetCube, if you happen to know it. Best of all: the fingerprint scanner responds extremely quickly and has a very good hit/miss ratio.
Somehow, my fingers always tend to pose a challenge to fingerprint scanners, so this is something I always test, and I’m impressed 😊.
The key supports FIDO2 and FIDO U2F (Universal 2nd Factor). That’s all I need right now, so no complaints in this department. If I ever have some additional requirements (like NFC or something), I’m sure I’ll find another match in the wide range of products offered.
Addressing the elephant in the room: when Google released their Titan Keys, people weren’t happy they used FEITIAN tech. Being a Chinese manufacturer with less-than-transparent production pipelines, FEITIAN was considered ‘risky’. Since the initial concerns in 2018, however, I haven’t seen any news, warnings or negative advisories about the use of their keys.
The software… well, exists
FEITIAN provides its own configuration software (FEITIAN SK Manager). As is often the case with software made by hardware shops, it’s not quite a masterpiece of user-friendliness. It simply does what it’s designed to do. Luckily, you don’t need to install it at all, as FIDO2 is available and integrated in most OSs.
“OSs” looks weird. Is that even how you pluralize an abbreviation? Obviously English is not my native language 😊.
In Windows, using a FIDO2 key simply spawns a flow in the “Windows Hello” configuration tool (found under Settings > Accounts > Sign-in options > Security key), making it an effortless experience. So, unless you’ve got some advanced configuration to do (which the K49 basic feature set doesn’t need), I suggest you just stick to that.
Don’t forget to register your fingerprint, though.
The price… is right
Pricewise, we’ll have to see. This key hasn’t been released yet, so official price information isn’t available, but FEITIAN expects it to be a little more (~ 30%) expensive than their current K26 offering. That would put it around the $85 mark; a lot cheaper than most alternatives.
Enabling FIDO2 in Azure AD
Before you can use any FIDO2 keys in Azure AD, you need to allow it. That’s as easy as ABC:
- Access your Azure AD portal.
- Browse to Security > Authentication methods.
- Click on FIDO2 Security Key and enable it.
Now that’s out of the way, let’s get going.
Adding your Azure AD credential
Adding the key as a sign-in method
Your users then need to register the key as a sign-in method. It’s a very easy process, and you can safely let this happen in self-service. Just point them to https://aka.ms/mysecurityinfo.
Of course, authentication is required for this page. Users that still have a password can use that and any MFA required. However, at some point, your users will no longer have passwords (duh). No worries, as they can use Azure AD’s temporary access pass (TAP).
I’ll write a full post on how to onboard new users some other time. For now, let’s just continue.
- Click on Add sign-in method.
- Select Security key in the drop-down menu.
- Click on the Add button.
There may be some authentication stuff going on in between if you’ve left it sitting idle for too long. Just go with the flow.
- The K49 is USB-C, so we click on the USB device button.
- Click on the Next button.
I already had my key plugged in at this point. If you haven’t, you will be prompted to do so.
Your browser will now send a request to the key. This triggers the Windows Hello configuration tool you can also find under Settings > Accounts > Sign-in options > Security key, which will handle this process.
- We’re shown which credential is being created and which app requested it. Click the OK button.
- We’re warned that some hardware info is shared. Click the OK button.
I hadn’t set up this key at this point. As such, the tool requires me to perform the minimally required configuration, which is configuring a PIN.
- Enter your PIN, twice. This can be any combination of 4 to 63 characters.
- Click the OK button.
- Touch your key.
Some of you may wonder how a PIN is different from a password. I’ll get to that. Let’s finish up, first.
Enabling biometric authentication
If you read the last dialog (which I’m sure you did 😊), you will notice it states: “perform any additional setup tasks such as registering your fingerprint”. Microsoft should make this suggestion much more prominent (or even an optional part of the process) in my humble opinion. Users will forget to do this.
Yes, you read that correctly. Touching your key doesn’t do anything yet besides confirming you have physical access. It doesn’t identify you in any way.
In fact, you can touch your key with anything that registers as human. I’m sure a hot dog will work just fine.
We still have a little more configuration to do:
- Open Settings.
- Navigate to Accounts > Sign-in options.
- Click on Security key blade.
- Click on the Manage button next to Sign in to […] security key.
- Touch your key.
- Click on the Set up button below Security Key Fingerprint.
- Enter your PIN and press ENTER.
- Touch the sensor until it’s satisfied.
- Click the Done button.
- Click the Close button.
What about PIN-less?
Okay, we need to address this PIN-thing. I can already hear people asking “how is this any different from a password?”
I’ve had to explain this to people over and over again for TPM PINs as well, so from now on I’m going to refer them to this section 😊.
Yes, on the surface this PIN looks like a password. And if your organization requires numeric PINs, it even looks less secure. However, the real magic happens beneath the surface.
Your PIN is stored inside a heavily protected part of the hardware only and it isn’t allowed to go outside. Ever. All authentication is performed locally, inside the device’s security perimeter, and only the resulting verdict is sent back to the outside world.
In this case, this secure part is inside your FEITIAN key (and that fact has some additional benefits, we’ll get to that). This complete and utter isolation (and dedicated protection) is what makes a PIN way more secure.
Most modern devices also have their own, built-in, protected area. Your Windows laptop probably has a Trusted Platform Module (TPM) chip. Your iPhone stores this kind of stuff inside its Secure Enclave (which is basically Apple’s version of a TPM).
But… you’ve still got a password
To get the whole passwordless experience (at least regarding Azure AD), I would have to eliminate the Azure AD password completely. That’s a story for another time, though.