Microsoft's Implementation Roadmap for FIDO2

This presentation on Microsoft's implementation of FIDO2 was given at the FIDO Authentication Seminar in Austin, Texas on January 28, 2019.

Published in: Technology

Slide transcript:

  1. FIDO2 & Microsoft. Anthony Nadalin, Microsoft.
  2. https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/windows-integration/web-authentication
  3. Windows Hello
  4. Windows Hello: password-less authentication, user-friendly experience, enterprise-grade security.
     - 47M active Windows Hello users
     - 6.5K enterprises have deployed Windows Hello for Business
     - 350% growth in biometric-capable computers
  5. FIDO2 timeline so far:
     - Spring 2018: FIDO2 private preview began
     - July 2018: WebAuthn support available to Windows 10 Insiders
     - October 2018: self-provisioned keys for MSA (Windows 10 October 2018 Update)
  6. Same timeline, extended:
     - Spring 2018: FIDO2 private preview began
     - July 2018: WebAuthn support available to Windows 10 Insiders
     - October 2018: self-provisioned keys for MSA (Windows 10 October 2018 Update)
     - January 2019: FIDO2 for Azure AD accounts, public preview begins (admin controls, end-user self-provisioning)
  7. Azure AD portal screenshot, Wingtiptoys tenant: Azure AD Security > Authentication methods > Authentication methods. Blade navigation: Getting started; Manage (Authentication methods, Password protection (Preview)); Registration settings; Usage and insights; Activity (Audit logs); Troubleshooting + Support (Troubleshoot, New support request). Allowed methods (= Recommended), with Save / Discard:

     METHOD                                  TARGET      ENABLED
     Password                                All users   Yes
     Phone call                              All users   Yes
     Text message                            1 group     Yes
     Microsoft Authenticator app                         No
     Verification code – authenticator app               No
     Verification code – hardware token                  No
     Windows Hello                                       No
     FIDO                                                No
     PIN                                                 No
     Email address                                       No
     Security questions                      5 groups    Yes

  8. to 14. Same blade with the FIDO2 Security Keys configuration pane open. Settings shown across these slides:
     - Enable: Yes / No
     - Target users: All users / Select users (+ add users and group)
     - Configure registration / Require registration: Required, All users / Select users
     - Allow self-service set-up for groups: Yes / No
     - Enforce attestation: Yes / No
     - Key restriction policy: Enforce key restrictions Yes / No; Restrict specific keys: Allow / Block; + add AAGUID
     - Manage security keys: Manual set-up
     Slides 10 and 11 start from "No users selected"; slides 11 to 13 walk through the "Add users and groups" picker (search by name or email address), which lists Pilot group (Pilotgroup@wingtiptoys.com), Pilot group corp (pilotgrpcorp@wingtiptoys.com) and Pilot group NYC (pilotgrpmkt@wingtiptoys.com); Pilot group is selected and confirmed with OK. Slide 14 shows Pilot group as the target for the pilot.
  15. to 23. Wingtip Toys (image-only demo slides; no transcript text)
  24. Sign-in with a FIDO2 security key on a Windows 10 device against Azure AD (diagram, steps 1 to 9):
     1. User plugs FIDO2 security key into computer
     2. Windows detects FIDO2 security key
     3. Windows device sends auth request
     4. Azure AD sends back nonce
     5. User completes gesture to unlock private key stored in security key's secure enclave
     6. FIDO2 security key signs nonce with private key
     7. PRT token request with signed nonce is sent to Azure AD
     8. Azure AD verifies FIDO key
     9. Azure AD returns PRT and TGT to enable access to on-premises resources
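The nonce exchange on slide 24 and the key restriction policy (AAGUID allow/block list) on slides 8 to 14, as an added Go example. This is not code from the deck and not Microsoft's implementation: it simulates the security key with a P-256 key pair, Azure AD with an in-memory relying party, and applies the AAGUID policy at registration, where a real relying party learns the AAGUID from the attestation. Simplifications and assumptions: the key signs the bare nonce rather than authenticatorData || SHA-256(clientDataJSON), attestation-statement validation and the PRT/TGT issuance are not modeled, and the AAGUID values and the alice/bob users in the deck's wingtiptoys.com demo tenant are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed AAGUIDs for this example; they do not identify real key models.
const (
	AAGUIDAllowed = "11111111-1111-1111-1111-111111111111"
	AAGUIDBlocked = "22222222-2222-2222-2222-222222222222"
)

// KeyRestrictionPolicy models "Enforce key restrictions" with an Allow or Block list of
// AAGUIDs: AllowList=true passes only the listed keys, false blocks the listed keys.
type KeyRestrictionPolicy struct {
	Enforce, AllowList bool
	AAGUIDs            map[string]bool
}

func (p KeyRestrictionPolicy) Permits(aaguid string) bool {
	return !p.Enforce || p.AAGUIDs[aaguid] == p.AllowList
}

// SecurityKey stands in for the FIDO2 authenticator; its private key never leaves it.
type SecurityKey struct {
	AAGUID string
	priv   *ecdsa.PrivateKey
}

func NewSecurityKey(aaguid string) *SecurityKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: nothing sensible to do in a demo
	}
	return &SecurityKey{AAGUID: aaguid, priv: priv}
}

// Sign models steps 5-6: the gesture unlocks the key and the key signs the nonce.
// Real WebAuthn signs authenticatorData || SHA-256(clientDataJSON), with the nonce
// carried as the challenge inside clientDataJSON; the bare nonce is a simplification.
func (k *SecurityKey) Sign(nonce []byte) []byte {
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// RelyingParty stands in for Azure AD: registered public keys and outstanding nonces.
type RelyingParty struct {
	Policy KeyRestrictionPolicy
	creds  map[string]*ecdsa.PublicKey // user -> registered public key
	nonces map[string]string           // hex(nonce) -> user it was issued to
}

// Register is where the key restriction policy bites: the AAGUID comes from the
// registration attestation (validating the attestation statement is not modeled).
func (rp *RelyingParty) Register(user string, k *SecurityKey) error {
	if !rp.Policy.Permits(k.AAGUID) {
		return errors.New("key restriction policy: AAGUID not permitted")
	}
	rp.creds[user] = &k.priv.PublicKey
	return nil
}

// Challenge models step 4: a fresh 32-byte random nonce bound to the user.
func (rp *RelyingParty) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	rp.nonces[hex.EncodeToString(nonce)] = user
	return nonce
}

// Verify models step 8: the nonce must be one issued to this user and still unused,
// and the signature must verify under the user's registered public key.
func (rp *RelyingParty) Verify(user string, nonce, sig []byte) error {
	id := hex.EncodeToString(nonce)
	if rp.nonces[id] != user {
		return errors.New("nonce unknown, already used, or issued to another user")
	}
	delete(rp.nonces, id) // single use: a replayed signed nonce fails here
	pub, ok := rp.creds[user]
	digest := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under the registered key")
	}
	return nil
}

type FlowResult struct{ RegisterOK, LoginOK, ReplayRejected, ForgedSigRejected, BlockedKeyRejected bool }

// RunFlow walks the flow for a permitted key, then replays the signed nonce, answers a
// challenge with a key that is not the registered one, and tries to register a blocked key.
func RunFlow() (r FlowResult) {
	const alice, bob = "alice@wingtiptoys.com", "bob@wingtiptoys.com" // constructed demo users
	policy := KeyRestrictionPolicy{Enforce: true, AAGUIDs: map[string]bool{AAGUIDBlocked: true}} // block list
	rp := &RelyingParty{Policy: policy, creds: map[string]*ecdsa.PublicKey{}, nonces: map[string]string{}}
	key := NewSecurityKey(AAGUIDAllowed)
	r.RegisterOK = rp.Register(alice, key) == nil
	nonce := rp.Challenge(alice)
	sig := key.Sign(nonce)
	r.LoginOK = rp.Verify(alice, nonce, sig) == nil       // steps 7-9 succeed
	r.ReplayRejected = rp.Verify(alice, nonce, sig) != nil // captured assertion replayed
	nonce2 := rp.Challenge(alice)
	sig2 := NewSecurityKey(AAGUIDAllowed).Sign(nonce2) // fresh nonce, permitted model, wrong key
	r.ForgedSigRejected = rp.Verify(alice, nonce2, sig2) != nil
	r.BlockedKeyRejected = rp.Register(bob, NewSecurityKey(AAGUIDBlocked)) != nil
	return r
}

func main() {
	fmt.Printf("%+v\n", RunFlow())
}
```

Two design points worth noting. The nonce is consumed before the signature is checked, so a captured signed response cannot be replayed even if the signature is valid; and the forged-signature case deliberately uses a fresh challenge so that it is the signature check, not the nonce bookkeeping, that rejects it. The policy check sits on Register rather than Verify because an assertion carries no AAGUID; if the "Enforce key restrictions" switch is turned on after users have already registered, previously enrolled keys are not retroactively rejected by this logic.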
