Just a quick post on what it looks like when you enroll a security key, in this case a YubiKey from Yubico. I have a YubiKey 5 with support for USB-A and NFC. There are multiple other key options depending on your needs; you should try their quiz to find the right key for you: https://www.yubico.com/quiz
To get everything here to work, you need to enable the authentication options in your tenant. There is a nice how-to guide for security keys, so I will not cover the prerequisites here, just the end-user experience.
Enrollment/registration experience
When this is done, browse to https://myprofile.microsoft.com and click Security info.
You should get to a page looking like this. If you don’t, make sure you meet all the requirements in your tenant and that the method is assigned to the right users.
Click + Add method above the first sign-in method Phone
Press the security key that you have, USB or NFC device
I’m using the new, excellent Chromium-based Edge browser, and it will ask me for some permission.
Sorry for the Swedish here, but the important text is in English (a strange mix of languages here, but it is still in preview 🙂 ).
So after inserting the key, it will ask me for a PIN, and then it will ask me to touch the key to check for physical presence.
Again it will ask for some permissions in Edge
And now you are back at My Profile and Security info. It will ask you to name the security key and inform you that everything was good!
So far so good. Now the key is enrolled, but does it work? Let's try!
Sign-in experience
First I will log out from all sessions, close the browser, open a fresh new window and browse to my favorite site, https://devicemanagement.microsoft.com
The sign-in page shows up, and now you have to press the option at the bottom, “Sign in with a security key”.
You will be redirected to a prompt from Windows, telling you to insert the security key
When the key is inserted, enter your PIN code and press OK.
And now it is time to touch the key again, to verify you are in front of the computer.
In my case, I get an option to select which account to sign in with. My key was previously enrolled with a personal MSA account and now a business account. So my key secures both the private and the business account now, really nice. So in this case I select my business account, and then I’m redirected to my Device management Dashboard!
This is a really nice feature. Just keep in mind to have a backup authentication method if you lose your YubiKey 🙂
What about you? Have you tried it out yet or are you testing?