How To Manage YubiKey and Smart Card Inventory for Entra ID
Overview - How To Manage Key Inventory and Prevent Supply Chain Attacks for Hardware Tokens
EZCMS best practices recommend that your organization pre-register every hardware token it issues (YubiKeys, FIDO2 keys, and smart cards). Pre-registration lets you keep track of your inventory and helps prevent supply chain attacks in which a key you send to a user is swapped for a compromised key.
What Keys are Supported for Entra ID Passwordless Authentication with EZCMS?
Key Type | Certificate Authentication Support | FIDO2 Support | Hardware Attestation Support |
---|---|---|---|
YubiKey 5C NFC | yes | yes | yes |
YubiKey 5 NFC | yes | yes | yes |
YubiKey 5C | yes | yes | yes |
YubiKey 5 Nano | yes | yes | yes |
YubiKey 5C Nano | yes | yes | yes |
Feitian K9-PIV | yes | yes | yes |
Feitian K40-PIV | yes | yes | yes |
Feitian Mifare Card (Keytos Edition) | yes | yes | yes |
Feitian 125 kHz Prox Card (Keytos Edition) | yes | yes | yes |
HID Crescendo C2300 | yes (please contact us for custom programming of cards) | no | no |
How To Register a Hardware Token for Entra ID Bootstrapping
- Open your EZCMS client application.
- Log in as an administrator.
- Select “Admin Manage Security Tokens”.
- Select the “Register Security Tokens” tab.
- Connect the smart card you want to register.
- Click “Refresh”.
- Select the hardware token you want to register.
- If you are using a different administration key, enter the key. Most people use the default; this option is for organizations that have custom keys created for them.
- Click “Next” to register the hardware token.
- This key is now registered in your inventory and can be assigned to a user.