Edge Browser Can Now Sign Into Microsoft Accounts With FIDO2 Security Keys

In April, Microsoft announced support for the WebAuthn standard, which brings password-less web authentication to Microsoft Edge using FIDO2 security keys. Today Microsoft enabled the feature: Windows 10 users can now use Edge to sign in to their Microsoft account without a password using a FIDO2-compatible security key.

“This combination of ease of use, security and broad industry support is going to be transformational,” stated Microsoft in an announcement. “Every month, more than 800 million people use a Microsoft account to create, connect, and share from anywhere to Outlook, Office, OneDrive, Bing, Skype and Xbox Live for work and play. And now they can all benefit from this simple user experience and greatly improved security.”

Using security keys such as a YubiKey or Feitian BioPass, users can sign in to the Microsoft services tied to their Microsoft account, including Outlook.com, Cortana, Skype, OneDrive, Office, the Microsoft Store, and Xbox Live on the PC. Google's Titan Security Key, as shipped at the time of writing, is a U2F device rather than a FIDO2 one and so will not work with this feature.

To use this new feature, users need to be running Windows 10 version 1809, otherwise known as the October 2018 Update. Microsoft also plans to bring the feature to enterprise and education customers by integrating it with Azure Active Directory in the future.

Under the hood

FIDO2 security keys protect your account with a public/private key pair that is generated on the key itself when you register it.

The private key is stored on, and never leaves, the device that created it. The key will only use it after you prove you are present by touching the button, and, where the service requires user verification, after you unlock it with a PIN known to you or a biometric such as a fingerprint. The public key, which can verify signatures made with the private key but cannot produce them, is sent to Microsoft and stored as part of your Microsoft account. Note that this is a digital signature scheme, not encryption: nothing is encrypted or decrypted during sign-in.

When you sign in, Microsoft sends a fresh, random, single-use challenge, called a nonce. The browser passes it to the security key together with the identity of the site requesting the login; the key signs the challenge and that site identity with its private key and returns the signature. Microsoft then verifies the signature with the stored public key, checks that the challenge is the one it just issued and has not been used before, and checks that the site identity covered by the signature is its own.

If all of those checks pass, Microsoft knows the holder of the registered key is present and allows the sign-in to proceed. Because the signature is bound to the genuine site, a phishing page cannot obtain a usable one, and because each challenge is single-use, a captured signature cannot be replayed.

Configuring a security key on your Microsoft account

As noted above, to use this feature in Microsoft Edge you need to be running version 1809 of Windows 10. If you are on that version or later, you can set up security key authentication on your Microsoft account by performing the following steps:

  1. Open the Microsoft account page.
  2. Sign in and click on Security. When the Security page opens, at the very bottom you will see a link titled More security options, which you should click on. You will then be prompted to enter your password again; this is expected.
  3. At the Additional Security Options page, scroll down and under the section “Windows Hello and security keys” click on the Set up a security key link.
  4. You will now be at a page asking what type of security key you wish to use. If you are using a YubiKey, Feitian, or other FIDO2 compatible key, select USB device and click Next.
  5. Microsoft will now prompt you to insert your key.
  6. Once the key is inserted, follow the remaining on-screen instructions to generate the key pair on the device and finish the setup.

If you are not using a FIDO2 compatible key, Microsoft will display a message stating that the key is not compatible.

Once your security key is configured, when you sign in to a Microsoft service you will be prompted to insert the key and touch its button, which authenticates you and signs you in.
