Secure your personal email accounts with a FIDO security key | Peter Klapwijk - In The Cloud 24-7 (2024)


A couple of weeks ago I wrote some articles about passwordless authentication to Windows 10 and SaaS apps (like Office 365) with FIDO2 security keys from Feitian and Yubico. I briefly described how passwordless authentication works with these FIDO2 security keys. The focus was on using these FIDO security keys in a corporate environment, but the keys can also be used to secure the authentication process for personal use, like securing your personal email accounts.

These security keys are designed primarily for passwordless authentication with the FIDO2 protocol. Unfortunately, support for FIDO2 is (at this moment) limited to a handful of personal websites, like Outlook.com.

But besides FIDO2 support, most security keys also support the FIDO U2F protocol. U2F stands for Universal Second Factor. This means you can use the key to secure the authentication process with a second factor (multi-factor authentication). You first authenticate with your (username and) password, and then with a second factor, in this case the security key. This secures your account, as it is impossible to sign in without both factors.

Fortunately, many more websites already support FIDO U2F at this moment. Among these websites are Gmail, Facebook, Twitter and YouTube. But for this article, let's focus on securing Outlook and Gmail. With these two examples we get a comparison of the authentication process between FIDO2 and FIDO U2F.

Content of this article

  • Configure the FIDO2 security key
  • Configure Outlook for passwordless authentication (FIDO2)
  • Configure Gmail for two factor authentication (FIDO U2F)

Configure the FIDO2 security key

There are several types of FIDO2 security keys from several vendors. The standard key is used with a PIN code, but some vendors have bio versions of the security key, with fingerprint support. In my setup I used a bio security key, the Feitian K27. Whether it's a standard or a bio key, you always have to configure the key with a PIN code.

For the best user experience I recommend using Windows 10 1903 or later for setting up the key, as support for configuring a security key is built into these Windows versions. When using an older Windows version, you need to use third-party tooling to configure the key.

To get started, insert the security key into your Windows 10 device via USB, open Settings and browse to Accounts. On the Sign-in options tab click Security Key and click Manage.

Touch your security key.


As you can see, the option to configure my fingerprint is greyed out. You always need to create a PIN for your security key first.
Click Add under Security Key PIN.


Enter your PIN twice and click OK.


When using a standard security key, setup of the key is finished. Click Close.

When using a bio security key, you are now able to configure one or more fingerprints. Click Set up.

Provide your PIN code and click OK.


Touch the fingerprint sensor.


When finished, add another finger or click Done.

The security key is set up; let's configure it for our personal email accounts.

Configure Outlook for passwordless authentication

Outlook.com (Hotmail/Live) supports FIDO2 security keys, like Office 365 does. Because of this you only use your security key to sign in to your webmail and don't have to provide your username and password. This is the most secure way of authentication, as your username and password aren't sent over the internet.

Let's first have a look at how to register the security key with our Outlook.com account. Sign in to your account via account.microsoft.com. Browse to Security via the top menu.

Choose More security Options.


Scroll down to the section Windows Hello and security Keys. Click Setup a security key.


You might be asked to confirm your password.
You are provided with information about setting up a security key. Choose USB Device and click Next to start the setup.

Choose Continue.


Insert the security key into the USB port.


Touch the security key.


Enter your security key PIN and click OK.


The website asks to see your security key, click Allow.


On the next page, give the security key a name and click Next.


You're all set! Click Got it.

The registration is finished; let's see what the end-user experience is like when we sign in to Outlook.com.

On the Sign in page from Outlook, choose Sign in with Windows Hello or a security key.


Insert the security key.


When using a standard FIDO2 security key, you're asked to enter the PIN.

Touch your security key.
When using a bio security key, you're not asked for a PIN, only to touch the key.

And you're signed in, without providing a username and password!

Configure Gmail for two factor authentication

Unlike Outlook, Gmail doesn't support the FIDO2 protocol (yet), but you're still able to secure Gmail with the security key, as Gmail does support FIDO U2F. We can use the security key as a second factor during the authentication process.

To register the key as second factor, sign in to myaccount.google.com. On the Security tab, under Signing in to Google, choose 2-step Verification.

You are provided with some information about protecting your account with 2-step verification.

You might be asked to verify your password.
Click Choose another option and select Security key from the drop-down list.

Click Next.


Insert the security key into the USB port.


As I'm using a bio security key, I only have to touch the key; otherwise you're also asked for a PIN.

The website asks to see info of the security key, click Allow.


Give your security key a name and click Done.


The security key is registered for 2-step verification (two-factor authentication). Let's see what the authentication process looks like now.

Browse to Gmail.com and enter your password.


Insert the security key into the USB port and touch the security key.
With a standard key, you're asked to enter your PIN.

And you're signed in to Gmail using a second factor!

As Microsoft's Outlook is (at this moment) the only (free) email provider that supports FIDO2, Outlook gives you the best user experience when using a FIDO2 security key. But as Google is also a member of the FIDO Alliance, I assume that Gmail will receive FIDO2 support in the near future.
For now you're able to secure your Gmail account with the key as a second factor.
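
The difference between the two sign-in flows compared above, seen from the website's side, as an added example that is not part of the original article or any provider's code. It builds the WebAuthn request a site could send for each flow and checks the flags the key returns; the function names, the two mode names and the policy choices are assumptions.

```javascript
// Added example, not from the article; names and policy are assumptions.
const FLAG_UP = 0x01; // user present: the key was touched
const FLAG_UV = 0x04; // user verified: the key checked a PIN or fingerprint

// Options a site would pass to navigator.credentials.get() for each flow.
function requestOptions(mode, challenge, knownCredentialIds = []) {
  const passwordless = mode === "passwordless";
  return {
    challenge,
    // Passwordless: empty list, the key itself supplies the account.
    // Second factor: the password step already identified the account.
    allowCredentials: passwordless ? []
      : knownCredentialIds.map((id) => ({ type: "public-key", id })),
    userVerification: passwordless ? "required" : "preferred",
  };
}

// authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian)
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = view.getUint8(32);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Server-side decision, made after the signature itself has been verified.
function checkAssertion(mode, bytes, storedSignCount) {
  const d = parseAuthenticatorData(bytes);
  if (!d.userPresent) return "reject: key was not touched";
  if (mode === "passwordless" && !d.userVerified)
    return "reject: passwordless sign-in needs PIN or fingerprint";
  // A counter that does not increase can indicate a cloned key.
  if ((d.signCount !== 0 || storedSignCount !== 0) && d.signCount <= storedSignCount)
    return "reject: signature counter did not increase";
  return "accept";
}

// Constructed sample input: zeroed rpIdHash, the given flags and counter.
function sampleAuthData(flags, count) {
  const b = new Uint8Array(37);
  b[32] = flags;
  new DataView(b.buffer).setUint32(33, count, false);
  return b;
}
```

A touch-only response (flags `0x01`) is accepted as a second factor after the password, but rejected for passwordless sign-in, where the key is the only thing proving who you are.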

As mentioned, not only email accounts have FIDO U2F support and can be secured with a security key. Social media accounts like Twitter and Facebook can also be secured with the security keys, and maybe in the future get FIDO2 support for a passwordless future!

That's it for now!


