How Do You Deploy FIDO2 Security Keys in a Cloud-Only Deployment?

15 Oct 2023

Starting Your FIDO2 Cloud-Only Deployment

Congratulations on taking the courageous step to go passwordless! Embracing a passwordless approach is not just a nod to the future of digital security, but a giant leap towards it. As organizations increasingly shift to cloud-only infrastructure, FIDO2 security keys have become a popular choice for protecting digital assets; however, FIDO2 alone might not be enough to let you go fully passwordless…

If you’re utilizing Azure, you might gravitate towards FIDO2 due to its popularity as a passwordless authentication approach. That said, as discussed in our piece about FIDO2 for on-premises AD, it doesn’t work with every legacy system. We suggest acquiring a hardware token like the YubiKey 5 series, which supports both FIDO2 and smartcard authentication. This allows you to use FIDO2 in most cases and fall back to smartcard authentication where FIDO2 isn’t an option. We’ve crafted a detailed guide on how to enable smartcard authentication in Azure. This enables seamless onboarding of both FIDO2 credentials and smartcards for users via an Azure-centric passwordless CMS, delivering strong passwordless authentication without additional infrastructure.

This post takes a look at the high-level steps associated with the process of deploying FIDO2 keys efficiently in a cloud-only environment. Additionally, we’ll guide you through the maze of choices, pointing you towards the most credible vendors and solutions available in the market.

How To Deploy FIDO2 Security Keys (Cloud-Only)

Implementing FIDO2 security keys in a cloud-only deployment significantly bolsters security by moving away from easily compromised passwords. The TL;DR here is simple. Buying, shipping, and onboarding these things isn’t a nightmare, it’s a night terror! Any time you get the end-user involved, things become increasingly complex, and as our fellow developers know, FRUSTRATING. The adoption process requires careful planning, user education, and continuous monitoring to ensure the most effective and secure utilization. The following provides an exceptionally high-level overview of how to go about deploying FIDO2 keys in a cloud-only environment.

Evaluate and Choose a FIDO2 Security Key

There are multiple vendors offering FIDO2 security keys, such as Yubico (with their YubiKey series), Feitian, SoloKeys, and more. Choose a key that meets your security, form factor (USB-A, USB-C, NFC, etc.), and budget requirements. Wondering what’s the right solution for your business? Take our short quiz HERE to learn what’s best for your organization!

Select a Cloud Identity Provider (IdP) that Supports FIDO2

Ensure your cloud identity provider or service supports FIDO2/WebAuthn authentication. Providers like Microsoft Entra ID (formerly Azure Active Directory), Google Cloud Identity, and Okta support FIDO2 authentication.

Configure Cloud Identity Provider for FIDO2 Authentication

Access the admin console/dashboard of your cloud IdP.

Navigate to the authentication or security section.

Enable FIDO2/WebAuthn as an authentication method.

User Enrollment

Direct users to register their FIDO2 security keys with the cloud IdP.

Users log into their accounts.

In the security or profile settings, there should be an option to “Add Security Key” (or something similar).

Users follow the on-screen instructions, which will typically involve inserting the FIDO2 key and tapping it to register.

It’s a good idea to encourage users to enroll multiple keys, just in case one is lost.

Policy Implementation

Enforce the use of FIDO2 security keys for specific apps, user groups, or certain conditions (like accessing sensitive data).

Set up recovery methods in case a user loses their key — this could be backup codes, mobile authentication apps, or backup FIDO2 keys.

Ongoing Education of Users

Conduct training sessions or provide documentation explaining how to use FIDO2 keys.

Highlight the benefits, such as enhanced security and the convenience of passwordless authentication.

The Best FIDO2 and Smartcard CMS for Azure

While the process is relatively straightforward, it’s also evident that there are a huge number of moving parts. You could absolutely take on this task by yourself, and we support your decision to do so… Or, hear me out, you could simply choose EZCMS from Keytos, and we’ll take care of everything for you!

The increasing emphasis on zero-trust has forced organizations to completely rethink their user onboarding processes. We are proud to showcase EZCMS, the best FIDO2 and Smartcard CMS for Azure and the answer to all your passwordless onboarding problems. Take the leap and alleviate your FIDO2 onboarding pains with a solution specifically designed for cloud-only deployments.

