FEITIAN BioPass FIDO2 Security key for personal identity protection

Personal identity protection

In this blog post, we will use a FEITIAN BioPass FIDO2 Security key for personal identity protection. I already discussed using a FIDO2 security key for MFA in FEITIAN FIDO2 security keys – Working Hard In IT. After that, we looked at configuring the biometric security key out of the box or after a reset in Configure a FEITIAN FIDO2 BioPass security key – Working Hard In IT.

Your online credentials do not only deserve but need adequate protection against abuse. Unfortunately, the most widely used way of protecting them, the username and password combination, has been insufficient for a truckload of reasons for a long time. I will not address those here, but you can read about them all day long online.

Multifactor authentication comes to the rescue, and there are two prevalent and secure forms of this. First of all, we have the software-based solution in the form of an “authenticator” app that lives on a (hopefully) secured smartphone. The second is hardware-based security keys that protect your credentials in a secure, tamper-proof vault. These come in many interface forms, but USB-A or USB-C is very popular, and the most future-proof ones are FIDO2 security keys. I prefer FIDO2 keys with biometric capabilities. These allow us to go fully passwordless in use cases that support this.

Lab setup with the FEITIAN BioPass K26 security key

We set up a FEITIAN BioPass FIDO2 Security key for personal identity protection in our earlier blog post. Now we will use that security key to protect some of our online credentials for personal use.


Microsoft personal account

Many of us have a Microsoft personal account. Think Outlook, OneDrive, Teams, etc. These are not just for O365 personal or business subscriptions but also work with Microsoft’s free offerings.

What I will do now is configure an account to leverage a security key. In this case, this is the FEITIAN BioPass FIDO2 K26 USB-C model I configured with my fingerprint in

First of all, log in to your account via Microsoft account | Sign In or Create Your Account Today – Microsoft.

If you already have MFA set up, you might need to approve the challenge as I do below. In that case, your security key will become the second option for MFA.

Once you log in, click on the security panel.

There you will find the “Advanced security options” panel, which you click.

Now you can “Add a new way to sign in,” which is what we want.

Select “Use a security key.”

Next, you find the instructions on what you will need to do to onboard your security key, both in writing and via images.

Windows Security notifies you that you are setting up your security key and tells you what application makes this request. In our example, it is the Chrome web browser.

Click “OK” and follow the instructions.

Windows Security informs you that a credential will be stored on your security key so you can log in without having to type a username. Click “OK” to continue.

Touch the security key when requested. Remember, we already stored your fingerprint on the security key, but you need to provide your PIN to verify that this key belongs to you.

Enter your PIN and click “OK.”

Touch your security key again, and this time it verifies one of your fingerprints. When that is successful, you will see that you need to name your security key so you can quickly identify which one it is. Do so and click “Next.”

You have now successfully onboarded the security key and are ready to use it instead of a password.

That is it. Tell me now, that wasn’t too hard, right? You can see the security key you added to your sign-in options.


Now that you have added the FEITIAN BioPass FIDO2 security key to your personal Microsoft account, you can use it to log in to Outlook, OneDrive, and Teams. Of course, Teams can be a bit picky when dealing with a security key if your account belongs to multiple tenants as a guest user and you do not always use the tenant in which your account lives. But you can work through that.

Try it out!

Open a private or incognito browser window, so you are not already authenticated. Then, navigate to Microsoft account | Sign In or Create Your Account Today – Microsoft. Click on “Sign In” to continue.

This time you select “Sign In with Windows Hello or a security key” or use the “Sign in options” button.

The security key is the option that you are after, so select that.

The form prompts you to touch your security key, which, as it is a FEITIAN BioPass FIDO2 device, will read your fingerprint and validate that.

That will log you on. The following prompt asks if you want to stay signed in or not.

Realize that you no longer need to type in your username or password. Having the key is one factor. Knowing the PIN or presenting the fingerprint while touching the key provides a secure second factor. Note that for maximum security you might opt not to stay signed in, so that authentication is always required.

Also, note that if you navigate to onedrive.com versus login.live.com, the experience is similar but different. When writing this article, on onedrive.com you need to enter your account name before continuing and selecting another option for authentication than a password. With login.live.com, you get that option directly.

Finally, don’t forget that you can go genuinely passwordless and remove your password when you are ready to take that step.

Google account

Adding an MFA option to your Google account is pretty straightforward. You have the option to add a security key next to push notifications to an authenticator app, a voice or SMS message, or a Google prompt to a phone where you signed in with your Google account. Note that I gave the security key a sensible name for identification. See Use a security key for 2-Step Verification – Computer – Google Account Help for more information and guidance.


The above screenshot is of the FEITIAN BioPass FIDO2 security key added to a Google account. Note that for now, Google does not let you go completely passwordless. The fingerprint on your security key is the second factor after entering your password. We’ll see how this evolves in the future.

Twitter

Recently Twitter also announced support for a security key in Stronger security for your Twitter account. Once you have done that, you will have a login process as described below.

First, navigate to twitter.com and select Sign in, where you opt for username, e-mail, or phone.

Fill out your username when requested. Click “Next” to continue.

Enter your password and click “Log in” to carry on.

Now MFA kicks in, and you will need to touch your security key to respond to the MFA challenge. Note that you still have to enter your password here. You cannot (yet) go passwordless here.

The security key will read and verify (one of) your registered fingerprints and, if that matches, allow your login. That’s it, and I am now reading my Twitter stream!

Call to action

First of all, start using MFA for your personal computing needs. Authenticator apps on smartphones are the usual first choice. Secondly, give FIDO2 security keys a go, either as a secondary or primary MFA device. While not all applications support a FIDO2 security key, many do, and I encourage anyone to try it out and see where it fits in. On that note, you can even use it for access to your Windows laptop or PC and even servers with the right (free) MFA provider and software. That means you have the best possible protection even when Windows Hello is unavailable to you due to a non-compatible camera on your client or because it does not work for your use case.

When and where supported, you are now ready to go passwordless, and you have at least two forms of MFA set up. Last but not least, you have your recovery keys and know the recovery process for your services when you lose access to a service. Well done!

Configure a FEITIAN FIDO2 BioPass security key

Introduction

In this blog post, we will configure a FEITIAN FIDO2 BioPass security key. As you might know from a previous blog post, FEITIAN FIDO2 security keys – Working Hard In IT, I have a FEITIAN FIDO2 BioPass security key. That’s the one I use to test scenarios in the lab. What I write here will work with any biometric security key when using the native tools. Only the vendor-specific tools will differ.

Figure 1: The FEITIAN BioPass FIDO2 security key

Before you can use your FEITIAN security key, we need to set it up. That is a pretty straightforward process. You can use the native Windows 10 or Windows 11 tools or download the tool the FIDO2 vendor provides. Both work perfectly well, but the vendor tool often offers more capabilities.

Initial configuration

Below I will show you how to use the Windows 10 native built-in tool to configure a FEITIAN FIDO2 BioPass security key. That tool is available on Windows 10 19H1 and onwards and in Windows 11. After that, I will peek at the FEITIAN tool (see the product page on ftsafe.com). You can download the FEITIAN tool from the Microsoft Store.

You can also use the built-in Chrome tools to do this, which is not only applicable on an Apple or Linux device but also on a Windows Server 2019 OS with the desktop experience where the built-in tool is not available.

Figure 2: Chrome can manage security keys

In Windows Server 2022, however, you do have built-in tools available. You can find it in Settings under Accounts, Sign-in options, Security Key.

Figure 3: Windows Server 2022 allows you to manage security keys with a built-in tool

Windows 10 built-in tool

But let’s run over how to do this with the built-in tool in Windows 10 or Windows 11.

Type “Windows Security” in the search bar and click on “Windows Security.”

In the left pane, click on “Account Protection.”

Figure 4: Under Account Protection, Windows Hello, you can manage your sign-in options

Under “Windows Hello,” click on “Manage sign-in options.”

Figure 5: Manage your security keys

Depending on what type of client you have and if you have Windows Hello capable devices (camera, fingerprint reader, and such) and a supported environment for it, specific options will be available or not. For our use case, a FIDO2 security key, we are interested in the bottom one, “Security Key.” Select it and click on the “Manage” button.

If you have not yet inserted your security key, the tool will ask you to do so. That screen will go away once you have inserted your security key. If you have already inserted it, you will not see this screen.

Figure 6: You really do have to plug in your security key

It will ask you to touch your security key. Don’t worry; this does not require your fingerprints yet, which is logical, as they are not stored on the key yet.

Figure 7: Touch your security key when asked

First of all, we now need to add the Security Key PIN to your security key when it is a new one or one that you have reset. That PIN helps secure your key from undesired use and can be anything between 4 and 64 characters.

Figure 8: An unconfigured security key requires you to add a PIN first

A note about your PIN

Note that a PIN does not have to be limited to 4 digits; it can be longer. You can use numbers, letters, special characters, etc. That means that “My1stPIN!” is acceptable. But please do not use “1111”. You get the idea. Use something sensible and reasonably secure. It is worth noting that the key will be locked out if you type in your PIN incorrectly too many times. You’ll then need to reset your security key, which causes a bit of a hassle, as you can imagine. So choose wisely and make it something you can remember and type in correctly quickly. Also, it is wise to have a backup MFA device (smartphone, 2nd security key).

Figure 9: Enter a sensible PIN

After you have set the PIN, you can enroll one or more fingerprints. For example, I usually register two fingerprints, from both hands. That makes sure I can log in when my thumb is in a band-aid and makes it easy to touch the security key whether I plug it into the right or left side of my client device.

Figure 10: It takes 4 recordings to store your fingerprint.

Figure 11: Tap that security key gently 4 times

Figure 12: Success, your fingerprint is registered.

You can register different fingerprints now or come back and add them later.

Figure 13: Done! Close the setup tool.

That’s it. The FEITIAN FIDO2 security key is now ready for use with any service that supports it.

FEITIAN BioPass FIDO2 Manager

If you have downloaded the FEITIAN BioPass FIDO2 Manager tool from the Microsoft store, you will find it works similarly but with some extra advantages.

Figure 14: BioPass FIDO2 Manager from the Microsoft Store

For one, you can easily list the fingerprints and test them. That way, you can figure out which ones to delete or replace. Quite handy, but it gets even better!

Figure 15: Give your fingerprints a more straightforward name

The cool thing is that you can double-click the fingerprint entries and rename them. That comes in very handy! However, I want to see this capability natively in the Windows built-in tool as well.

I will show you how to use it with your personal Microsoft account and Twitter in a subsequent blog post. With Microsoft, you have the option of going 100% passwordless, and you can delete your password. With other services, this is not always possible yet. But don’t worry, having MFA already helps you avoid 99.9% of unauthorized access to your accounts. Why? Because most “hacks” of your identity are not real hacks or break-ins at the service, but people logging into your account via stolen, derived, or guessed passwords. MFA blocks that.

FEITIAN FIDO2 security keys


I requested a lab trial sample of some FEITIAN FIDO2 security keys, as they offered them to interested and qualifying parties for testing purposes. I was interested in their biometric security keys. So I reached out to see if I qualified, and they sent me two security keys for testing in the lab. One is the K26 BioPass FIDO2® with a USB-C interface, which has, you guessed it, biometrics, meaning fingerprints. The other one is the iePass FIDO® with both a USB-C and a Lightning interface. This one has no biometrics but works with touch and makes a good choice for Apple devices. Now, the focus for these security keys is most often professional use cases. Still, I also wanted to point out that you can leverage a security key for your personal online accounts.

Figure 1: FEITIAN security keys

Yes, you as an individual should also be serious about protecting your online presence. For many of us, if not most, our smartphone is the primary MFA device we use. But I am also interested in an alternative.

FEITIAN

FEITIAN has a wide range of FIDO2 security keys for the many different needs and budgets out there. For me, biometrics is a must for the best possible security. However, they also offer other models, including versatile FEITIAN FIDO2 security keys that offer multiple interfaces like USB, NFC, and Bluetooth. That makes them more widely employable, but as said, I am focusing my efforts on biometric capable ones.

When it comes to biometrics, FEITIAN is the first to offer me that capability. Hence they caught my interest. In addition, as far as I know, FEITIAN was the first vendor to achieve the FIDO Biometric Component Certification on April 29, 2021. That is a requirement to qualify for FIDO Level 3 and higher Certification. Next to that, they are very responsive to my communications and feedback. So far, so good! I know of one other vendor that has biometric FIDO2 keys available, and that’s TrustKey. I know YubiKey has had them coming, but so far they are not available.

Why a FIDO2 security key?

I usually use a smartphone as my primary MFA tool. A smartphone offers push notification MFA challenges that are easy to approve, generates TOTP codes to access services, and can receive single-use passcodes via SMS or e-mail. On top of that, a good smartphone is fingerprint protected. That is a lot of flexibility on a single device most of us carry around daily anyway.

Redundancy for your smartphone

You can use a second smartphone for redundancy, but I use a FIDO2 security dongle where possible. I hang it on my key chain, and even when I merely forgot my phone that day, I have the security keys as a second option handy. That is far more likely to work than counting on having that second phone in my pocket.

So why use a FIDO2 security key? Well, firstly, when using MFA, and most certainly when going fully passwordless, you need a second way of accessing your account. I don’t just mean your emergency recovery key or such, but a backup device to answer your MFA challenges. I do this just in case I forget, lose, or damage my smartphone or FIDO2 security key and can’t wait for all that to be fixed, replaced, and otherwise handled.

FIDO2 keys as primary and backup MFA solution

Secondly, sometimes FIDO2 security keys are the primary choice, depending on the variety of organizations’ needs, processes, and approaches to dealing with MFA.

Biometrics

I prefer security keys with biometrics. Together with their PIN code, the registered fingerprints provide a device that remains very secure, even when lost. It is also still secure when you leave the security key on your device. Merely touching it is not enough. The fingerprint needs to match even when your device or service does not prompt for your PIN. That keeps your kids or colleagues out of your accounts when you are not around. Secondly, you can register the fingerprints of another person you trust. That comes in handy if access is needed and you are incapacitated. A use case for this is for break glass accounts to Azure, for example.

Where to use FIDO2 security keys?

People use FIDO2 security keys most often to secure applications and services in professional settings (Azure AD, O365, websites of various professional services, etc.). That said, I use them for my personal security needs as well, wherever I can. They are my second MFA device next to my smartphone. I like them, and I promote them to friends and family as I explain to them about MFA and the passwordless future. Yes, I do that. It is a requirement. That requirement materializes as mandatory security training when they dare ask me to help them select a new laptop or computer.

So in a few upcoming blog posts, I will discuss how to set them up and use them with various personal and professional services. Think about Microsoft’s Outlook, Teams, OneDrive, and services like Twitter, my WordPress blog, and my personally hosted IAAS VM for RDP or console access.

Figure 2: That’s me logging in to Twitter with my FEITIAN BioPass security key.

You can also use them with your client device or on a server with the right MFA provider or security vendor’s software and protect access when services like Windows Hello are not available to you for whatever reason.

I have found the FEITIAN FIDO2 security keys easy to use and to work reliably. In addition, they appear to be of high quality and solid enough to survive on my keychain.

Mind you, you cannot use a FIDO2 security key everywhere yet, which I find a pity. It shows security still has some work to do. But where I can, I use a FIDO2 security key in combination with a smartphone authenticator app.

No matter what, use MFA wherever you can

Remember that with MFA, you are far less likely to become a victim of unauthorized access to your clients and services. It makes so much sense that it should be the default for everyone today. It is an essential step on the road to an actual passwordless world in a zero-trust environment. We are getting closer to that world, as Microsoft recently started allowing you to remove the password from your personal Microsoft account when you have MFA in place.

Disclaimer

FEITIAN did not sponsor me or otherwise reward me for writing this blog post. However, they did provide me with the two FIDO2 security keys, which I appreciate as it helps me test and show scenarios in the lab and at presentations.  For that, I would like to thank them.

LDAP_ALTERNATE_LOGINID_ATTRIBUTE is a gem

Introduction

The registry value LDAP_ALTERNATE_LOGINID_ATTRIBUTE is a gem. It is found under the HKLM\SOFTWARE hive in the key \Microsoft\AzureMfa. It plays a critical part in getting the NPS extension for Azure MFA to work in real-life scenarios.


For the NPS extension for Azure MFA to work, we need a match between the User Principal Name (UPN) in the on-premises Active Directory and in Azure Active Directory (Azure AD). The mapping between those two values is not always one-to-one. You can have Azure AD Connect use a different attribute to populate the Azure Active Directory UPN than the on-premises UPN.

There are many reasons you may need to do so, and it happens a lot in real-world environments. Changing a UPN is possible but not always in the manner one wants. Sometimes these reasons are technical, political, or process-driven. In the end, you don’t want to break other processes, confuse your users, or upset the powers that be. No matter what the reason, what can you do when you cannot change the UPN to make them match up?


When you have installed the NPS extension for Azure MFA, you will find part of its configuration in the registry. In there, you can add values or leverage existing ones. One of those is LDAP_ALTERNATE_LOGINID_ATTRIBUTE. It allows using the NPS extension for Azure MFA despite the fact that the UPN for users does not match between on-premises Active Directory and Azure Active Directory.

What it does is, instead of sending the on-premises UPN to Azure AD, use an alternate attribute value. The trick is to select the attribute that was used to populate the Azure AD UPN in scenarios where these do not match. In our example, that is the mail attribute.

AD connect uses the mail attribute to populate the Azure AD UPN for our users. So we have [email protected] there.

AD DS mail attribute set to a different value than the UPN.

In our example here, we assume that we cannot add an alternate UPN suffix to our Active Directory and change the users to that. Even if we could, the dots in the user name would require a change there. That could get messy, confuse people, break stuff, etc. So that remains at [email protected].

Our AD DS UPN is set to the domain name suffix and the account name has no dots.

When we have the NPS extension for Azure MFA set up correctly and functioning, we can set LDAP_ALTERNATE_LOGINID_ATTRIBUTE to “mail”, and it will use that attribute’s value to validate the user in Azure and send an MFA challenge.
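The procedure above can be scripted and, more importantly, checked before you flip the switch. The PowerShell below is an added example and not code from the original post: it first audits which enabled users have an on-premises UPN that differs from the attribute Azure AD Connect maps to the cloud UPN (mail, as in the post) and flags users where that attribute is empty, because the extension cannot look those users up in Azure AD and their MFA will fail. It then sets LDAP_ALTERNATE_LOGINID_ATTRIBUTE under the registry key named in the post and restarts the NPS service so the extension reads the new value. The OU in $SearchBase, the domain names and the account names are placeholders; the script assumes it runs elevated on the NPS server with the RSAT ActiveDirectory module installed.

```powershell
# Added example, not part of the original post.
# Assumptions: run elevated on the NPS server that has the NPS extension for
# Azure MFA installed; RSAT ActiveDirectory module present; $SearchBase is a
# placeholder OU. The registry key and value name come from the post.
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory

$RegPath            = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$ValueName          = 'LDAP_ALTERNATE_LOGINID_ATTRIBUTE'
$AlternateAttribute = 'mail'                          # attribute Azure AD Connect maps to the cloud UPN
$SearchBase         = 'OU=Users,DC=example,DC=local'  # placeholder OU to audit

# 1. Audit: compare each enabled user's on-premises UPN with the alternate attribute.
#    MISMATCH is the case the registry value exists for; MISSING-ALTERNATE means
#    the extension would have nothing to send to Azure AD for that user.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                    -Properties UserPrincipalName, $AlternateAttribute

$report = foreach ($u in $users) {
    $alt = $u.$AlternateAttribute
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OnPremUPN      = $u.UserPrincipalName
        CloudLoginId   = $alt
        Status         = if ([string]::IsNullOrEmpty($alt)) { 'MISSING-ALTERNATE' }
                         elseif ($alt -ieq $u.UserPrincipalName) { 'MATCH' }
                         else { 'MISMATCH' }
    }
}
$report | Sort-Object Status, SamAccountName | Format-Table -AutoSize

if ($report.Status -contains 'MISSING-ALTERNATE') {
    Write-Warning "Some users have no '$AlternateAttribute' value; populate it before relying on the alternate login ID."
}

# 2. Show the current value (absent on a fresh install) and set it to the attribute name.
$current = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
Write-Host ("Current {0}: {1}" -f $ValueName, ($(if ($current) { $current.$ValueName } else { '<not set>' })))
Set-ItemProperty -Path $RegPath -Name $ValueName -Value $AlternateAttribute -Type String

# 3. Restart the Network Policy Server service (service name IAS) so the extension
#    picks up the changed registry value on its next authentication.
Restart-Service -Name IAS
Get-ItemProperty -Path $RegPath -Name $ValueName | Select-Object -ExpandProperty $ValueName
```

Run the audit part first on its own and only set the value once the report shows no MISSING-ALTERNATE rows; a MATCH row is harmless, since for those users the alternate attribute and the UPN are the same string.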

LDAP_ALTERNATE_LOGINID_ATTRIBUTE to the rescue

Need help configuring the NPS extension for Azure MFA?

By the way, if you need help configuring the NPS extension for Azure MFA, you can read these two articles for inspiration.

Conclusion

There are a lot of moving parts to get an RD Gateway deployment with the NPS extension for Azure MFA to work. It would be a pity to come to the conclusion that a potentially disruptive change to a UPN, whether on-premises and/or in Azure, is required for it to work. Luckily, there is some flexibility in how you configure the NPS extension for Azure MFA via its registry keys. In that respect, LDAP_ALTERNATE_LOGINID_ATTRIBUTE is a gem!