At Keytos, we are passionate advocates and experienced users of YubiKeys, and we’re excited to share our enthusiasm for FIDO2 authentication. Our team deeply appreciates the robust security that YubiKeys provide, and we are always eager to explore and promote cutting-edge passwordless solutions. Over the years, we’ve crafted numerous detailed guides filled with step-by-step tutorials and helpful screenshots to help you seamlessly integrate YubiKeys into your security setup. Whether you’re a seasoned expert or a newcomer, our content has something for everyone. Our mission with this blog is simple: to make the powerful benefits of YubiKey accessible to the everyday security practitioner looking to implement secure login methods within Azure. We know that transitioning to hardware-based multifactor authentication can seem daunting, so we’ve tailored this guide to help you understand and execute the setup process with ease. So, if you’re ready to enhance your security framework and step into the world of passwordless authentication, let’s get started!
YubiKeys are compact, powerful devices designed to fortify your digital accounts against unauthorized access and phishing attacks. These devices offer a physical layer of security for authentication processes, making them more resistant to online threats than traditional password-only systems. Ideal for use across various platforms, including some legacy systems not yet supporting FIDO2, YubiKeys provide a versatile and cost-effective solution to secure your data. This guide focuses on deploying YubiKeys in Azure using the most secure methods: FIDO2 and Smartcard PIV.
When looking at phishing resistant authentication methods, you have two primary options: FIDO2 and Smartcard (PIV). Each has its strengths, and the choice depends on your specific needs and environment.
FIDO2: This modern authentication method provides excellent phishing resistance but isn’t universally compatible yet—for example, native apps on iOS devices don’t support FIDO2.
Smartcard (PIV): A great alternative for systems where FIDO2 isn’t available. Smartcard authentication has been used by governments for 30 years, so it is supported by most devices that you will use solving the compatibility gap of FIDO2. Before you go and by an additional smartcard, your YubiKey can function as a smartcard, storing certificates and enabling authentication across diverse environments.
TL;DR: Set up your YubiKey to accommodate both methods, and you’ll never have to think about how you’re authenticating! Just plug in your key and log right in!
Log into the Azure portal as an administrator.
Navigate to Entra ID -> Security -> Authentication methods.
Activate “Passkey (FIDO2)” support and specify which users can employ this method.
Users can register their YubiKey at myprofile.microsoft.com, selecting FIDO2 as their preferred sign-in method. Verification through a pre-established multifactor authentication method is required if they haven’t already done so. While this sound great for testing, we recommend using EZCMS for streamlined management of YubiKeys and certificates (think of each a new user and the chicken and egg problem of setting up passwordless authentication).
In addition to Passkeys (FIDO2) we recommend setting up as a smartcard as a reliable alternative. This requires setting up a Certificate Authority (CA), either hosted in Azure or on-premises, and integrating the CA certificates within Azure for secure authentication.
Incorporating YubiKeys into your Microsoft 365 setup enhances security significantly. By adhering to the outlined steps, you can shield your organization’s data against a multitude of security threats without a complex deployment process. Using EZCMS simplifies the management of YubiKeys, facilitating the distribution and administration of certificates seamlessly.
After configuring the authentication methods, it’s wise to conduct a trial run by registering a YubiKey for personal use and attempting to log in. Tweak Azure settings as needed to balance stringent security measures with user accessibility. Ensure that the setup meets all organizational security standards while remaining user-friendly.
By following these steps, you can effectively secure your Azure environment with YubiKeys, leveraging our EZCMS platform for streamlined management and operational efficiency. Ready to start? Visit our documentation / setup guide for more detailed instructions or schedule a consultation to speak with one of our experts.
