Contact Us

On-Premises Active Directory using FIDO2 – Passwordless Authentication – Am I Doing This Right?

On-Premises Active Directory using FIDO2 – Passwordless Authentication – Am I Doing This Right?
13 Oct 2023

The growing demand amongst businesses of all shapes and sizes for passwordless authentication has brought FIDO2 to the forefront of the cybersecurity community. As businesses continue to adopt hybrid work environments, there is an increasing need to find solutions that integrate well with both on-premises and cloud-based systems. In the following post, we’ll discuss how FIDO2 can be implemented for on-premises Active Directory (AD) and how you can use PIV certificates to complement FIDO2 for legacy systems.

On-Premises Active Directory – Going Passwordless with FIDO2

FIDO2’s security and ease of use have made it a popular choice for many organizations. In fact, estimates indicate that 60% of organizations will be starting their passwordless journey in 2023. This has made Microsoft create connectors for FIDO2 to work on premise. How it works? User SSOs into Azure AD. Azure AD issues a Kerberos token for legacy applications to accept. To set up Azure AD as a Kerberos server follow this guide.

Note: You must use Azure AD Connect since Azure AD Connect Cloud Sync does not synchronize device objects.

FIDO2 On premise with Azure AD

Using PIV to Complement FIDO2

As discussed earlier, FIDO2 was created for the cloud. While you can use Azure AD as a Kerberos server and breach the gap to FIDO2 on premises, it is not native behavior for AD authentication. while also adding an external dependency (Azure AD) for on-premises operations. PIV/Smartcard authentication has been a part of AD authentication since the beginning of this century and best of all, they work very similar to FIDO2. The only difference between the two is the infrastructure behind the issuance of the cards. However, thanks to modern tools, this infrastructure is offered as SaaS offering. Watch our webinar below on the difference between FIDO2 and Certificate Based Authentication.

On-Prem Authentication with Smartcards

Government Compliance requirements still require smartcards for government agencies and their contractors, to solve this issue Microsoft also created a connector that allows you to use smart cards in Azure without the need to deploy all the on-premises AD services such as: Domain Controllers, ADFS servers, Certificate Authorities, CRL (Certificate Revocation List) Servers, etc. This solution is Azure CBA, learn how to deploy Azure CBA.

Working in Harmony

As you can see, Microsoft has “built” bridges for Smartcard authentication to be used in the cloud and for FIDO2 to be used on premises, but they are just that, bridges that will not give you the best experience in the other environment. To have the best user experience and compatibility for legacy and modern authentication the answer is to have both FIDO2 and Smartcard authentication enabled in your organization, while this might sound like a lot of work, thanks to the work that Microsoft, Yubico, and Keytos have done together achieving this is seamless for the user and the IT administrator, since when a YubiKey is registered using EZCMS, the same key will hold both a FIDO2 key and a Smartcard certificate, giving the user the best user experience for both scenarios without the user knowing if they are using a smartcard certificate or a FIDO2 key, all the user needs to know is that their YubiKey is the tool they use for passwordless authentication.

You Might Also Want to Read