Secure Windows Sign-in beyond password! It’s time we do it!

Would you secure your house with a fingerprint door lock? Or facial recognition?

In this article I will look at securing Windows Sign-In on Windows, Windows 365, Azure Virtual Desktop and even Azure Virtual Machines. I will explore the world of FIDO security keys available and supported today, to discuss which persona they are suited for and how they work in real life. They are not all equal, but each has its strengths, be it security or user friendliness, depending on your persona.

To start, let's talk a little history. The password has been around since the beginning, and security keys have also been around for some years. They were not that widely useful, but in recent years we have seen standards being developed and services adding support for security keys.

Passwords are too weak to be secure these days

So that begs the question: why isn't everyone running around with a security key, now that we know it would elevate our weakest protection, a single password?

Most customers are on a path to better protect their identities and credentials, and have implemented multifactor authentication (MFA), such as a mobile application or an SMS code. Soon they will even be forced to use number matching with Microsoft's Authenticator.

But we don't use MFA much during sign-in to Windows. Perhaps you have enabled Windows Hello for Business (WHfB) with a 4-6 digit PIN code. It might seem weaker, but it has the protection of only working on one specific device, and you don't have to write it down to remember it. Maybe you have even played with facial recognition or tested fingerprint scanning on your device? We did have built-in fingerprint scanners in a lot of laptops, but we haven't embraced them much. Keep in mind that you need to deactivate the weaker options, or anyone can switch to the weakest one available.

Facial recognition or fingerprint scanning

I once used a MacBook for testing, while also wearing my Apple Watch. Together I could use proximity authentication, meaning the MacBook unlocked the sign-in when my watch came within Bluetooth range. I liked it a lot, and even used Microsoft Authenticator on the watch to approve web authentication. Unfortunately that app for Apple Watch will cease to work now that Microsoft enforces number matching.

Today I will explore the following enhanced security add-ons: WHfB, FIDO USB with fingerprint, FIDO card with fingerprint and FIDO USB with NFC.

WHfB – The magic in Windows and the PIN code for Windows Sign-In

WHfB is the feature in Windows 10/11 which integrates with Azure AD to enhance sign-in security to Windows. WHfB uses the TPM 2.0 chip and BitLocker to protect your credentials. They are only accessible using the methods you have configured on this specific device. The most used method is a PIN code of 4-6 digits; it seems weak, but you don't have to write it down to remember it. And it doesn't work from any other device, rendering the code completely useless without stealing your device.

Fingerprint scanning for Windows Sign-In

The next familiar method is fingerprint scanning, which has been around for a decade or more. Previously it was the hardware vendor's software taking control of Windows Sign-In, and we could swipe a finger instead of typing a password. It required some effort from the end user to have their fingers of choice scanned, but it wasn't that difficult. But it was without Windows Hello's security, and the swipe feature was not that good. Laptops mostly started losing the fingerprint reader, because customers opted it away. It was only increasing the cost and not being used, leaving all laptops with a mark where it used to be.

Today we can use fingerprint scanning with Windows Hello for Business, and we enroll multiple fingerprints in case you cut yourself in the kitchen. Even mobile phones started using fingerprints to unlock your phone, but it did not work in gloves or when you're freezing at the bus stop. Facial recognition has mostly taken over on mobile devices for the last couple of years.

I have personally used facial recognition with a Logitech Brio camera, but during this article I did find the HP EliteBook 840 G8's fingerprint scanner to make for a faster and better sign-in experience than using the built-in camera or Logitech Brio for facial recognition. My laptop's fingerprint scanner is improved since the previous one seen in earlier models.

The old fingerprint scanner

Summary: affordable, biometrically secure, faster and more precise than facial recognition.

Remember to disable the weaker options, because you are not any more secure than the least secure option enabled.

Facial recognition for Windows Sign-In

Which brings me over to facial recognition using an infrared (IR) camera. It's kind of difficult to steal your face. No, a picture is not enough, hence the IR requirement to measure heat in your face, combined with eye movement registration. But it's not widely adopted, mostly due to the hardware requirement: the IR camera. Today most customers around the world buy laptops without IR in their camera. So it is a big cost to change all laptops, or if you do it organically it could take upwards of three years.

Also, I find it a bit quirky to use, as I have to stare into the camera lens for too long. However, it is more disability friendly, because it doesn't require any movement beyond looking into the camera.

Summary: convenient, biometrically secure and disability friendly.

Remember to disable the weaker options, because you are not any more secure than the least secure option enabled.

Backstory to this article

I was dealing with a Kerberos issue after having SSO enabled for Azure Virtual Desktop; the solution seemed to be configuring a Kerberos Server Object. It is described by Microsoft as a requirement for enabling WHfB or security key sign-in to AVD. According to my theory it's not because of those features, but because when the device doesn't have your credentials it fails to fetch a Kerberos ticket from your domain controllers. It only has an access token and a Cloud Kerberos ticket from AAD. Without the additional information from the Kerberos server object it can't trade them in for a regular Kerberos ticket. I will dive deeper into this in another blog post.

So it got me thinking about security keys again, and it's been a while since I last played around with a FIDO standard security key.

Security key personas

We can divide users into those with a shared device and those with a private device. Using a shared device, you would detach your security key when leaving the office or when a colleague is to use the device. The security key could be attached to your keychain or access card lanyard, although for that last use-case I would recommend looking at security cards with a fingerprint reader built in. It holds the same security technology, but can double as your access card to the physical doors in your office. This is a bit tricky, as we also commonly see in secure print solutions: access cards from the security company aren't always compatible with the card reader on printers, and a security card might not be compatible with your physical security system.

When using a private device, a device we don't share with others, we would probably just leave the security key connected to the device. It would be the user-friendly way, rather than remembering to bring your security key around. Unless you switch between multiple devices, in which case detaching the security key when switching would probably become routine.

I have previously written about Cloud PCs for consultants, and this is also a use-case for security keys. Provide consultants with a security key to elevate security when they access your services or a Cloud PC.

Security key standard

FIDO is not a type of dog; it's a standard architecture for security keys developed by some of the largest vendors out there. It makes sure the security keys follow a secure and common architecture, making it much easier for services to integrate support.

It is also a certification issued to vendors committed to adhering to the high standard of FIDO.

Security keys used in this article

In this post we will look at one biometric key and one non-biometric key with NFC/BLE support.

Biometric means using something from your body, such as a fingerprint or facial recognition; I have been using facial recognition for about two years. I will revisit fingerprint authentication, and try to understand the different benefits of a security key with an NFC/BLE feature.

Feitian K49 and K40

USB Fingerprint Security Key

We attempted to use fingerprint scanning before, usually built into your laptop. But a security key (USB-C/A) makes it movable between devices, and it works with any PC or Mac. You don't need a device with a built-in fingerprint scanner. So it's much easier to adopt a security key with fingerprint, as opposed to facial recognition.

Fingerprint scanning is more secure than a PIN code, so we can recommend using only fingerprint on sign-in. Using both a PIN code and a fingerprint is usually unnecessary; I didn't like it, and neither will a regular user.

Fingerprint is more secure than facial recognition, due to the precision of today's fingerprint-reading technology. That is why facial recognition also uses an IR camera to measure heat from your face, with the option to require your eyes to blink or move; these are two additional features that secure authentication with facial recognition.

USB NFC/BLE Security Key

Much like the USB fingerprint key, but instead of using your fingers to authenticate, the NFC or Bluetooth key can be nearby wirelessly and still be used for authentication when you push a button on it. It is very much like what we use with Multi-Factor Authentication (MFA), where the factor is stored or available on a mobile device. But mobile MFA will work on any device associated with your organization (tenant), as opposed to a security key, which will be configured to only work with a specific device.

They come with a biometric factor as well, but this example is without biometric support. I could recommend pairing it with a PIN code, but it only works for those devices you configure the security key for. Your device and security key both need to be stolen in order to use this authentication method. It is still difficult to steal, but not as difficult as biometrics. So keep your security key safe, or stored away from your device. Most will probably keep it on a keychain or somewhere it moves around with you.

I mentioned earlier an experience using proximity authentication with an Apple Watch and a MacBook with Apple ID authentication into macOS. This would also be possible using an NFC/BLE security key, but it is not supported by Windows Hello for Business and would require third-party software at least.

Sign-In Use-Cases and recommendations

Let's discuss the different use-cases where I have used and run sign-in with these security keys.

Windows 10/11 – Supports sign-in with a variety of methods, but I recommend using a security key with either fingerprint or NFC+PIN code. Facial recognition is cool, and it's what I had been using up until I rediscovered security keys.

Windows 10 / 11 with security key

Websites – Depending on your device OS, it would use the access token you already obtained, but through Windows Hello we can also have websites rely on Windows Hello for Business and use your security key to authenticate, perhaps if you only use security keys for privileged access or applications with sensitive information.

Windows 365 – There are multiple ways to open your Windows 365 Cloud PC, and usually they follow the sign-in already used on your device, especially on a Windows device located in the same domain/tenant. This is what Single Sign-On is about: unless you're elevating to higher privileges, you shouldn't need to authenticate more than once, at the time you enter your device. If you're like me, a consultant, the Cloud PC will belong to a customer's domain and won't have the same credentials/access token as my local device. In that case using the Windows 365 remote application will require you to sign in, and you have SSO from that application into the Cloud PC. If you're using the web browser to enter your Cloud PC, it will require the same sign-in before you see all your Cloud PCs, and you will have SSO further into them. For a consultant we can require stronger authentication (security keys) upon sign-in to the remote app or web portal for Windows 365.

Sign-in from the Windows 365 App

Azure Virtual Desktop – AVD uses an application called Remote Desktop. You can be authenticated to multiple tenants/customers in this application, but otherwise it works very much the same as Windows 365; in fact the backend of Windows 365 is a large installation of AVD. Let's discuss that in a future article. AVD also supports a web browser, and again it works very much the same as Windows 365.

Guide: How to enable security key sign-in for cloud customers

Besides having a device and a security key that fits the device, we need some minor configuration before we can add our security key and use it for Windows sign-in. If you attempt to add the security key before proper setup, it will be allowed, but you will not have the option to do Windows sign-in with the key.

This quick guide is meant for customers running Windows 10/11, Azure AD Join and Intune management.

  1. Create a new Authentication Strength, besides the built-in ones, to enable approved keys (AAGUID). The GUID can be found online, or obtained by asking the vendor. It makes sure users can only use security keys you have approved, and not something they got for free, which potentially can carry harmful software or hardware.
    • Feitian K40 (ePass FIDO NFC: ee041bce-25e5-4cdb-8f86-897fd6418464)
    • Feitian K49 (BioPass FIDO2: 77010bd7-212a-4fc9-b236-d2ca5e9d4084)
    • Vendors usually publish a list of these AAGUIDs, and Feitian's is here.
  2. Create a Conditional Access Policy for the app "Security Info Registration" to secure access to key administration, and grant access only with MFA or a compliant device required. We do this to prevent attackers from adding their own security keys after brute-forcing or social engineering.
  3. Create a Conditional Access Policy for the apps you require a security key to access, and choose the new authentication strength made in the first step.
  4. Enable Windows Sign-In with keys on the client. This can be done from Intune's Windows Hello configuration, or by targeting a group using a configuration profile (Windows Hello for Business – Use Security Key For Sign-in: Enabled). It can take some time before it is configured on your device, just in case you're quick to try it out after configuration.
  5. Navigate to aka.ms/mysecurityinfo and add an authentication method; choose security key from the drop-down menu.
  6. If you're using biometrics, go to Settings\Accounts\Sign-in options and under Security key, choose Manage to add your fingerprint.
  7. When everything is applied, you should now be able to sign in only by touching the fingerprint reader on the security key when you're at the Windows sign-in screen.
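To make steps 1 and 3 concrete, here is an added Python example (my code, not the blog's) that builds the Microsoft Graph payloads for a FIDO2-only authentication strength restricted to the two Feitian AAGUIDs above, plus the allowlist check such a policy enforces when a key presents its AAGUID. The Graph endpoint paths and property names are assumptions from the authenticationStrengthPolicy and fido2CombinationConfiguration schema as I know it; verify them against current documentation before use.

```python
"""Added example (not the blog's own code): Graph payloads for the AAGUID-restricted
FIDO2 authentication strength in step 1. Paths/property names are assumptions."""
import uuid

# AAGUIDs quoted in the article for the two Feitian keys.
APPROVED_KEYS = {
    "Feitian K40 (ePass FIDO NFC)": "ee041bce-25e5-4cdb-8f86-897fd6418464",
    "Feitian K49 (BioPass FIDO2)": "77010bd7-212a-4fc9-b236-d2ca5e9d4084",
}
# Assumed Graph v1.0 paths; {policy_id} comes from the first POST's response.
STRENGTH_POLICIES_PATH = "/identity/conditionalAccess/authenticationStrength/policies"
COMBINATION_CONFIG_PATH = STRENGTH_POLICIES_PATH + "/{policy_id}/combinationConfigurations"

def normalize_aaguid(value: str) -> str:
    """Canonical lower-case AAGUID; ValueError for anything that is not a GUID,
    so a typo in the allowlist fails loudly instead of silently admitting nothing."""
    return str(uuid.UUID(value.strip()))

def build_strength_policy(display_name: str) -> dict:
    """Body for POST STRENGTH_POLICIES_PATH. Only 'fido2' is allowed, so a
    password or SMS code can never satisfy this strength."""
    return {
        "displayName": display_name,
        "description": "FIDO2 security keys from the approved AAGUID list only",
        "allowedCombinations": ["fido2"],
    }

def build_fido2_config(aaguids) -> dict:
    """Body for POST COMBINATION_CONFIG_PATH: pins the fido2 combination to
    the approved authenticator models, rejecting free or unknown keys."""
    return {
        "@odata.type": "#microsoft.graph.fido2CombinationConfiguration",
        "appliesToCombinations": ["fido2"],
        "allowedAAGUIDs": sorted({normalize_aaguid(a) for a in aaguids}),
    }

def key_is_approved(presented_aaguid: str, allowed) -> bool:
    """The check the policy enforces: the AAGUID the key reports at
    registration/sign-in must be on the list. Malformed values are refused."""
    try:
        wanted = normalize_aaguid(presented_aaguid)
    except ValueError:
        return False
    return wanted in {normalize_aaguid(a) for a in allowed}

def build_grant_controls(strength_policy_id: str) -> dict:
    """grantControls for the step 3 Conditional Access policy: reference the
    new strength instead of the generic 'mfa' control."""
    return {"operator": "OR", "authenticationStrength": {"id": strength_policy_id}}
```

Post the first body, take the `id` from the response, then post the second body to the combinationConfigurations path and reference the same `id` in the Conditional Access policy's grant controls.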

Thank you!

I would like to thank Della Han at Feitian Technologies for reaching out to the community on LinkedIn and providing me with these security keys.

Feitian's security keys are certified by the FIDO Alliance and have been added to Azure Active Directory through Microsoft's list of approved security keys.

Ehlo!

I am Roy Apalnes, a Microsoft Cloud Evangelist working at Sopra Steria. My main focus is Microsoft Security and Endpoint Management, with the bigger picture in mind.