Disclaimer
This blog is my personal platform. The opinions shared here are solely mine and do not reflect the views of any individuals, institutions, or organisations with which I am affiliated, unless explicitly noted. I am solely responsible for the content presented here.
Introduction
As we continue to navigate the complexities of modern cybersecurity, the importance of protecting identities has never been clearer. Microsoft’s recent announcement regarding mandatory Multi-Factor Authentication (MFA) for accessing the Azure, Entra, and Intune portals is a testament to the growing need for robust identity security. This mandate not only signals a new era of security practices but also underscores the urgency for organisations to rethink how they approach authentication.
Table of contents
1. Recap: Understanding Passwordless Authentication
Before diving into why passwordless authentication is more critical than ever, I encourage you to check out Part 1 and Part 2 of this series. In those posts, I covered the fundamentals of passwordless authentication, including the differences between passkeys and FIDO2 keys, and provided a step-by-step guide on setting up a security key as a form of MFA on your Microsoft account. If you’re new to the concept or need a refresher, those posts will give you a solid foundation.
2. The Implications of Microsoft’s Mandatory MFA
Microsoft’s decision to enforce MFA across key portals like Azure, Entra, and Intune is a significant step in the fight against identity theft and unauthorised access. By requiring an additional layer of security, Microsoft is helping organisations reduce the risk of breaches caused by compromised passwords - a common vulnerability in traditional security models.
However, this shift also presents new challenges, particularly around the concept of emergency access, often referred to as “break glass” accounts. These accounts are essential for IT administrators to regain access during emergencies, but with no current exclusions from the mandatory MFA requirement, organisations must find new ways to balance security with accessibility.
3. The Rising Importance of FIDO2 Keys
In the context of mandatory MFA, passwordless authentication through FIDO2 keys has emerged as a critical solution. FIDO2 is an open standard that enables strong, passwordless authentication using public-key cryptography. It’s designed to provide a secure, phishing-resistant alternative to traditional passwords and is particularly valuable when securing critical accounts.
Here’s why researching and implementing FIDO2 keys is more crucial now than ever:
1. Enhanced Security: FIDO2 keys offer unparalleled security by ensuring that sensitive information is never transmitted or stored in a way that could be intercepted by attackers. This makes them an ideal solution for protecting high-value accounts.
2. User-Friendly Experience: FIDO2 keys simplify the authentication process for users. Instead of juggling complex passwords or SMS codes, users can authenticate with a simple tap, making the login process faster and more secure.
3. Break Glass Account Compatibility: With mandatory MFA in place, FIDO2 keys provide a secure method for maintaining access to break glass accounts. They enable organisations to meet security requirements without sacrificing the accessibility needed during critical incidents.
4. Introducing FIDO2 Security Key Providers
Choosing the right FIDO2 security key is crucial for ensuring compatibility and security within your organisation. Below, I’ll introduce you to some leading companies in the FIDO2 space, all of which are part of the FIDO Alliance, and give you an overview about their products.
4.1. Company Profiles for FIDO2 Manufacturers
Feitian
Feitian is renowned for producing a wide range of security hardware, including FIDO2 keys. Their keys support various protocols like FIDO2, U2F, and smart card authentication. They offer USB-A, USB-C, NFC, and Bluetooth options, catering to a variety of devices and needs.
Established: 1998
Overview: Feitian Technologies is a leading global provider of cybersecurity products and solutions, serving customers in over 100 countries. The company operates five international branches across Asia, Europe, and North America, and employs over 700 staff, with more than half in R&D. Feitian focuses on innovative, cost-effective products with international patents and certifications.
Headquarters: Publicly traded, with a strong commitment to providing reliable and effective security solutions.
Website: https://portal.ftsafe.com/
Key chosen for testing: ePass K9 Plus
***
HID Global
HID Global is a major player in identity solutions, and their FIDO2 keys are designed with enterprise-grade security in mind. HID’s keys support multi-protocol capabilities, allowing seamless integration with existing infrastructures. They are known for their durability and reliability.
Overview: HID Global offers hardware and software solutions for secure access, identity management, and IoT connectivity across more than 100 countries. The company uses technologies like RFID and Bluetooth to connect and secure physical and digital assets. HID Global is part of the ASSA ABLOY Group and supports over 2 billion identified and tracked objects worldwide.
Headquarters: Austin, Texas, with a workforce of over 4,000 employees globally.
Website: https://www.hidglobal.com/
Key chosen for testing: HID Crescendo
***
Hideez
Hideez focuses on creating smart security solutions, including FIDO2 keys that double as proximity cards for physical access. Their all-in-one approach is ideal for organisations looking to merge digital and physical security in one device.
Founded: 2017
Overview: Hideez was founded by Oleg Naumenko after a personal cyber-attack, leading to the creation of the Hideez Key - a comprehensive digital security solution. The company specialises in wireless authentication, password management, and RFID locks. Hideez combines hardware and software for robust data and digital identity protection.
Headquarters: Dover, Delaware, with a development office in Kyiv, Ukraine.
Website: https://hideez.com/
Key chosen for testing: Hideez Key 4
***
Thales
Thales offers a broad range of security products, including FIDO2 keys that are tailored for high-security environments. Their keys often feature tamper-proof designs and are certified to the highest standards, making them suitable for sectors like finance and government.
Founded: 2000 (roots trace back to 1893)
Overview: Thales Group is a French multinational specialising in electrical systems and equipment for aerospace, defense, transportation, and security. The company provides a broad range of solutions, including those for secure authentication.
Headquarters: France.
Website: https://cpl.thalesgroup.com/
Key chosen for testing: SafeNet eToken Fusion Series
***
Token2
Token2 specialises in cost-effective, user-friendly FIDO2 keys. Their products are designed with simplicity in mind, making them a great choice for small to medium-sized enterprises. They offer both single and multi-use keys, including options with additional OTP (One-Time Password) functionality.
Founded: 2013 (spin-off from University of Geneva research)
Overview: Token2 is a cybersecurity company focused on multifactor authentication. It was established by researchers from the University of Geneva and offers a range of hardware and software solutions designed for secure and user-friendly authentication.
Headquarters: Geneva, Switzerland.
Website: https://www.token2.com/home
Key chosen for testing: Token2 T2F2-Dual FIDO2, U2F and TOTP Security Key with NFC, USB-A and USB-TypeC Connectors
The one I originally ordered does not seem to be available anymore but the one below is very similar to the one I use.
***
Yubico
Yubico is perhaps the most well-known name in the FIDO2 space. Their YubiKey products are the gold standard for secure, easy-to-use authentication. They offer a variety of models supporting USB-A, USB-C, NFC, and Lightning connectors, and are compatible with a wide range of devices and platforms.
Founded: 2007
Overview: Yubico is a pioneer in secure access and authentication solutions, contributing significantly to the FIDO2, WebAuthn, and U2F standards. The company delivers hardware-based passkey security solutions to customers in over 160 countries, setting global standards for secure authentication.
Headquarters: Yubico has a significant international presence and is known for its innovative contributions to authentication standards.
Website: https://www.yubico.com/
Key chosen for testing: YubiKey 5C NFC
5. Preparing for the Future of Identity Security
As Microsoft pushes forward with its security enhancements, it’s clear that passwordless authentication will play a pivotal role in the future of cybersecurity. The enforcement of mandatory MFA is just the beginning; organisations must now proactively enhance their identity security frameworks to stay ahead of emerging threats.
Implementing FIDO2 keys from trusted providers like Feitian, HID Global, Hideez, Thales, Token2, and Yubico is a strategic move that not only aligns with Microsoft’s security roadmap but also future-proofs your organisation against cyber threats. By adopting these keys, you’re not just complying with new security mandates—you’re leading the charge towards a more secure, passwordless future.
6. Upcoming Entra ID Security event
If you’re interested in mastering Microsoft Entra ID security and are based in the UK (or don’t mind commuting), I invite you to join us for an exclusive workshop hosted by Threatscape on October 24th at The Imperial War Museum Duxford. This event, led by Microsoft MVP Ru Campbell (shout out to Ru :), please go and check out his blog), will offer valuable insights into identity threats and practical strategies to protect against them. Spaces are limited, so be sure to secure your spot today!
7. Conclusion
Stay tuned for Part 4 of our series, where we’ll dive into the technical specifications of FIDO2 keys and discuss some of the current limitations you might encounter during implementation. We’ll also cover how to enforce security policies across your organisation to ensure a smooth transition to passwordless authentication.
If you have any questions or your organisation needs assistance with setting up FIDO2 keys, feel free to reach out to Threatscape, where I work. You can do it via the contact form on our website -> https://www.threatscape.com/contact-us/ and we will be more than happy to lend a helping hand.
Let’s take the next step together toward a passwordless future.
Comments