Disclaimer
This blog is my personal platform. The opinions shared here are solely mine and do not reflect the views of any individuals, institutions, or organisations with which I am affiliated, unless explicitly noted. I am solely responsible for the content presented here.
Introduction
Welcome to the final part of this Passwordless Authentication series! If you’ve followed the previous three posts (Part1, Part2, Part3), you’ve gained an in-depth understanding of the rapidly changing landscape of digital security. Today, I’ll round off the series by discussing some of the most important facets of passwordless authentication, including evolving methods, Microsoft's passwordless scenarios, FIDO2 standards, and insights from real-world testing.
Passwords have long been the default security measure, but as threats evolve, so too must our approaches to authentication. Passwordless authentication promises not only enhanced security but also a smoother user experience. From traditional methods like PINs to modern standards like FIDO2, organisations and users alike are realising the limitations of passwords. In this post, we’ll explore different methods of authentication and dive deep into the latest findings around FIDO2, including a newly discovered vulnerability that every security-conscious user should be aware of.
Table of contents
1. Authentication method types
Before diving into passwordless methods, let’s briefly revisit the three classic authentication models:
Something You Know The classic password or PIN falls into this category. The user must know a specific piece of information to gain access. While this has been the go-to for decades, it’s increasingly vulnerable to phishing attacks, data breaches, and weak password choices.
Something You Have This category refers to possession-based authentication, such as physical security tokens, smart cards, or mobile devices. More secure than passwords alone, it requires an attacker to physically steal or clone the device to gain unauthorised access.
Something You Are Biometric authentication - such as fingerprint scans, facial recognition, or iris scans - fits into this model. Biometrics offer a more unique and secure method of authentication since it's difficult to replicate or steal these features.
2. Microsoft’s passwordless authentication scenarios
Microsoft is one of the pioneers in promoting passwordless authentication. They’ve incorporated multiple scenarios that enable users to skip passwords entirely while maintaining robust security. Here are some recommended methods based on device type:
Microsoft’s scenarios highlight how passwordless authentication can be adapted to different device types, balancing convenience with security.
3. FIDO2 and Web browser support
FIDO2 is rapidly becoming the gold standard for passwordless authentication, with widespread support across major web browsers, including Chrome, Firefox, Safari, and Edge. The growing compatibility ensures users can leverage FIDO2 security keys or biometrics across various platforms and devices. Most modern browsers now fully support the WebAuthn API, which allows websites to offer passwordless logins using FIDO2 security keys, built-in biometrics, or mobile authentication apps.
The below table outlines the compatibility of various web browsers for authenticating Microsoft Entra ID and Microsoft accounts using FIDO2.
Important Note
Authenticator passkeys are not supported by browsers such as Google Chrome or Microsoft Edge on Android devices. The ability to create and sign in using Authenticator passkeys from browsers is contingent on future API updates from the Android platform.
4. Synced vs. Non-synced passkeys
Passkeys represent a new approach to passwordless sign-ins, replacing traditional passwords with unique digital keys. They can be synced across devices through services like Apple’s iCloud Keychain, Google’s Password Manager, or Microsoft’s Authenticator app, allowing users to authenticate seamlessly across multiple platforms.
However, there are non-synced passkeys that stay isolated to a single device, which offers better security for high-stakes environments but may come at the cost of user convenience. Determining whether to use synced or non-synced passkeys depends on the specific security needs of the user or organisation.
Device-Bound vs. Synced Passkeys
Originally, security keys (like YubiKeys) were used for strong, device-bound authentication. However, synced passkeys store credentials in the cloud, allowing users to securely access their accounts from multiple devices. This development prioritises both security and user convenience by removing the need for dedicated hardware while maintaining the high security of modern platform authenticators like Apple’s Secure Enclave or Android’s Trusted Execution Environment (TEE).
Device-Bound Passkeys
Device-bound passkeys are categorised into discoverable and non-discoverable credentials, determined by their ability to be located across devices. However, their key feature lies in the WebAuthn properties isBackupEligible and isBackupSynchronized, both set to zero for device-bound passkeys. This ensures these credentials are tied exclusively to the device on which they were created, with no option for backup or synchronisation across multiple devices.
For example, both Windows 10 and 11 currently use device-bound passkeys for Windows Hello, as Microsoft hasn't introduced synced passkeys. Therefore, passkeys generated via Windows Hello can only be used on the originating device. Similarly, Google has stated that its non-discoverable passkeys will remain unsynced in future updates to preserve their device-bound security. In contrast, Apple’s ecosystem - particularly iOS - supports only synced passkeys, making device-bound passkeys impossible to create using WebAuthn.
Synchronising Passkeys to the Cloud
To prevent the loss of credentials when a device is lost or replaced, the industry has adopted cloud synchronisation for discoverable credentials. This transforms passkeys from being strictly device-bound to multi-device, stored in the user’s cloud account (e.g., iCloud or Google Cloud).
This means that if a user loses their phone, they can retrieve their credentials from the cloud and sync them to a new device. This system also allows passkeys to be suggested when logging into new devices, providing a seamless experience. Cloud-based passkey storage reduces the security risks of losing physical devices while improving user convenience across platforms.
Synced Passkeys
Synced passkeys, also called discoverable or resident credentials, differ from device-bound keys due to their cloud backup capabilities. The isBackupEligible and isBackedUp flags are set to 1 for these passkeys, confirming their eligibility and synchronisation with cloud services.
Platforms supporting cloud-based passkeys automatically create synced passkeys when the requireResidentKey parameter is set. This ensures credentials are accessible across devices. However, native Windows environments lack this functionality unless paired with a third-party password manager.
Although synced passkeys can identify the authenticator used to store them, most lack cryptographic attestation, which limits their security verification. Despite this, syncing credentials to the cloud enhances the usability of WebAuthn by addressing risks tied to lost devices.
5. Findings from FIDO2/Passwordless Testing: Key Insights and Caveats
In my testing of FIDO2 passwordless authentication across various platforms and devices, several important findings and caveats emerged. Below is a breakdown of the key insights, which can help guide implementation and troubleshooting when using passwordless solutions like FIDO2 keys.
Key Findings:
FIDO2 Key Registration Limit:
You can register up to 10 security keys with your Microsoft account. This limit is useful for those needing multiple keys for different devices or accounts.
NFC vs. USB Registration:
If at least one of your devices supports NFC, it’s better to register your FIDO2 key using NFC. By registering the key via NFC, you can use it with both NFC and USB. However, if you register it via USB, it will only work with USB and cannot use NFC functionality.
Device Compatibility Issues:
Not all workstations and laptops support NFC. In such cases, an external NFC security card reader is a helpful workaround for devices that lack built-in NFC capabilities.
FIDO2 Keys Ready to Use:
Most FIDO2 keys function as HID (Human Interface Devices) straight out of the box and don't require additional driver installation for basic use, making them highly convenient.
Biometric Setup with Windows Hello:
Some FIDO2 keys require additional software to set up fingerprint authentication with Windows Hello. This is necessary for biometric-enabled services using FIDO2.
Multi-Account Support:
A single FIDO2 key can secure multiple accounts, such as Microsoft, Google, and others. However, the number of passkeys you can store on the key depends on the manufacturer’s specifications.
Passkey Functionality:
FIDO2 passkeys use cryptographic algorithms to create a public and private key pair for authentication. These keys can be device-bound (locked to a single device) or synced across devices via a cloud service, like iCloud or Google for mobile devices.
B2B Collaboration Limitations:
Registration of FIDO2 credentials is not supported for B2B collaboration users in the resource tenant. If your FIDO key is registered in the home tenant, you will be prompted for an MFA code when accessing an external tenant as a guest. This can be resolved by using token trust between tenants or conditional access policies that enforce phishing-resistant authentication.
Hybrid Deployment Endpoints:
In hybrid FIDO2 deployments, certain Microsoft Entra ID endpoints must be accessible for registration and authentication. These include:
For a full list of endpoints needed to use Microsoft online products, see Office 365 URLs and IP address ranges -> https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-faqs
Administrator Provisioning:
Currently, administrator provisioning and deprovisioning of security keys is unavailable. Users will need to manage keys manually.
Handling UPN Changes:
If a user’s UPN (User Principal Name) changes, passkeys tied to the previous UPN won’t update automatically. The user must sign in to My Security Info, delete the old passkey, and register a new one.
Passkey Limit Workaround:
Microsoft recommends not registering more than three passkeys with your account. If signing in becomes problematic with more than three, use the Sign-in options to sign in without entering a username.
Note - personal Experience:
In my experience across Windows, macOS, and iOS, I encountered no issues managing nine FIDO2 keys, a phone passkey, and additional MFA options simultaneously.
FIDO2 Key Use for Windows Login:
Setting up a FIDO2 key with your Windows account works for logging into Windows only if you use a Microsoft account, not a local user profile.
Windows Hello Integration:
Windows Hello can act as a FIDO2 authenticator for storing passkeys, but only with built-in laptop authentication like fingerprint readers or face recognition.
Self-Service Password Reset (SSPR) Limitation:
Even if you register FIDO2 keys or Microsoft Authenticator as your primary methods, for Self-Service Password Reset (SSPR) you will still be prompted to use less secure options like SMS or email.
Testing on Android (Samsung Galaxy 14):
I tested passkeys and FIDO2 keys on Samsung Galaxy 14 (Android 14, One UI 6.1). Despite months of troubleshooting, I couldn’t get the passkeys or FIDO2 keys to work. Microsoft Authenticator wasn’t recognised as a valid location to save passkeys, likely due to Samsung Wallet overriding passkey storage.
Additionally, I couldn’t successfully register or log in with FIDO2 keys on Android, regardless of whether I used NFC or USB.
Google Account Passkey Issue:
On the Samsung Galaxy 14, when trying to log into a Google account with a passkey set up, the device wouldn’t allow me to select a different authentication method. I had to delete the passkey via desktop before being able to use a hardware key or Google Authenticator.
Error Handling – “NotAllowedError”:
If you encounter a “NotAllowedError” during FIDO2 key registration on Windows, it’s likely due to a CTAP2 authenticatorMakeCredential failure. Detailed logs can be found in the Microsoft-Windows-WebAuthN/Operational event log.
FIDO2 Key Issues for Domain Admins in Hybrid Environments:
When using FIDO2 keys in hybrid environments, high-privilege accounts like Domain Admins may experience login failures. This happens because default security policies don’t grant Microsoft Entra permissions to sign in to on-premises resources. To fix this, update the msDS-NeverRevealGroup property for the Microsoft Entra Kerberos Computer Object.
Unsupported Scenarios:
Unsupported Authentication Methods:
Signing in or unlocking a Windows device using passkeys in Microsoft Authenticator is not supported.
Windows Server AD Domain Services (on-prem-only) environments are not supported.
Scenarios such as RDP, VDI, Citrix that involve non-WebAuthn security keys are unsupported.
S/MIME and Run as functionalities using security keys are unsupported.
Offline Access with Security Keys:
You must sign in to a device online before using a security key to unlock it offline. Without an initial online sign-in, the key won’t work for offline authentication.
Multiple Microsoft Entra Accounts on One Key:
When using a security key with multiple Microsoft Entra accounts, WebAuthN will default to the last account added to the key, without the ability to select an account during sign-in.
Device and Version Requirements:
Microsoft Entra devices need to run Windows 10 version 1909 or higher, while hybrid joined devices should use Windows 10 version 2004 or newer for full compatibility.
These findings illustrate the nuances of implementing FIDO2/passwordless authentication in various environments, offering both best practices and solutions to common challenges encountered along the way.
6. FIDO2 security keys I tested and their main features
During the course of this series, I tested several FIDO2 security keys. Here are some highlights:
Feitian
Website: https://portal.ftsafe.com/
Key chosen for testing: ePass K9 Plus
Feitian ePass K9 Plus
The slimmest USB-A key I’ve encountered, even thinner than the YubiKey 5C. It’s flat and feels durable, though the fully exposed USB port raises concerns about potential damage if stored carelessly. There is a dedicated opening on the cover where you can attach a lanyard or similar item.
***
HID
Website: https://www.hidglobal.com/
Key chosen for testing: HID Crescendo
HID Crescendo USB-A
The design is compact, and when plugged in, it doesn’t protrude much. A button is used to authenticate, and the LED indicator on the button shows whether the login was successful. It comes with a lanyard that loops through both the USB key and its cover, making it harder to misplace either part.
HID Crescendo USB-C
This is a small, convenient security key with a clickable button for authentication. However, the design has a drawback - the lanyard only attaches to the USB-C cover, not the key itself, making it easy to lose. There’s also no feature on the key to attach it to a keychain or similar item.
***
Hideez
Website: https://hideez.com/
Key chosen for testing: Hideez Key 4
Hideez Key 4
This is one of my favorite keys, distinct from the others I’ve tried. Its unique design incorporates RFID, and it comes with a metal keychain that allows it to be securely stored with my house and car keys. The micro-USB port is covered, and the button lights up to confirm a successful login. Additionally, it offers features like a password vault and OTP generator. The downside is that it requires Hideez software, Bluetooth connectivity, and periodic recharging, roughly every 60 days or less.
***
Thales
Website: https://cpl.thalesgroup.com/
Key chosen for testing: SafeNet eToken Fusion Series
Thales SafeNet eToken Fusion USB-A
Built with sturdy materials and metal accents, it includes a lanyard attachment and an LED to indicate successful logins. It also offers the option for full customisation, allowing companies to print their brand on the keys when ordering in bulk.
Thales SafeNet eToken Fusion USB-C
Similar to the USB-A model, it’s constructed with durable materials and metal accents, featuring a lanyard slot and an LED indicator for login status. It also supports customisation for bulk orders, allowing you to add your brand to the key.
***
Token2
Website: https://www.token2.com/home
Key chosen for testing: Token2 T2F2-Dual FIDO2, U2F and TOTP Security Key with NFC, USB-A and USB-TypeC Connectors
The one I originally ordered does not seem to be available anymore but the one below is very similar to the one I use.
Token2 T2F2 Dual-ALU
Though no longer sold, I appreciated its dual compatibility with both USB-A and USB-C, which saved me from needing adapters or converters. The aluminum model I have is better than the standard version, which uses a flimsy, transparent plastic cover, revealing the internal components. It’s easy to use, and you can attach it to a keyring.
***
Yubico
Website: https://www.yubico.com/
Key chosen for testing: YubiKey 5C NFC
YubiKey 5C NFC
Slim with a slot for a keychain or lanyard. Initially, I thought it felt flimsy, but after daily use over a couple of years - including keeping it in my pockets and attached to other keys - it has proven to be much more durable than expected. The USB-C port has held up well over time.
7. Recently found FIDO2 vulnerability
There’s been a lot of chatter recently about a vulnerability discovered in FIDO2 security keys, and it’s led to some confusion and misinformation online. To help clear things up, I encourage everyone to check out Jay Kerai’s post - he offers a great take on the situation and addresses the concerns we’ve seen over the last week or so.
As for my take, I like to compare the FIDO2 vulnerability to the risk of being involved in a plane crash. Yes, plane crashes happen, but they’re incredibly rare, and air travel remains one of the safest modes of transportation. Similarly, while this FIDO2 vulnerability is real, the risk of it affecting you is extremely low.
The Plane Crash Analogy
Think about flying. Fear of plane crashes is common, yet statistically, commercial air travel is one of the safest ways to get from point A to point B. Between 2018 and 2022, the odds of dying in a plane crash were about 1 in 13.7 million flights. By comparison, nearly 41,000 people died in car accidents in the U.S. in 2023 alone. The numbers show that while the risk of an airplane accident exists, it’s much more likely you’ll get into a car crash.
The same logic applies to FIDO2. Is there a vulnerability? Yes, but it’s currently the safest form of authentication available. It’s far more secure than traditional passwords, or even passwords combined with SMS-based two-factor authentication. Could you be affected? Technically, yes, but the odds are so slim that it shouldn't deter you from using FIDO2.
You can read the full paper on the FIDO2 vulnerability here -> https://ninjalab.io/eucleak/
Yubico's advisory can be found here Infineon ECDSA Private Key Recovery Customer Resources – Yubico
8. Conclusion
The journey to a passwordless future is both exciting and challenging. While passwordless authentication, especially with FIDO2, offers superior security and a streamlined user experience, it’s not without its caveats. Organisations need to carefully assess their user base, security requirements, and the capabilities of their devices when deploying these systems.
Testing shows that passwordless methods like FIDO2 significantly reduce the risks of phishing, data breaches, and weak passwords, but they also present new challenges in terms of device management, backup, and recovery. The recently discovered vulnerabilities further remind us that no system is completely foolproof, though the risks are vastly reduced compared to traditional password-based methods.
In the grand scheme of things, FIDO2 is still your best bet for keeping your accounts secure. The recent vulnerability is like the risk of a plane crash - yes, it’s technically possible, but the odds are incredibly slim. Just as you wouldn't stop flying because of an isolated incident, you shouldn't abandon FIDO2 for something less secure.
As we conclude this series, one thing is clear: the future of authentication is passwordless, and now is the time to begin planning your transition. Stay secure, and as always, keep innovating.
I would like to, once again, extend my sincere appreciation to the teams at Feitian, HID, Hideez, Thales, Token2, and Yubico. Their generous sharing of information and provision of resources were instrumental and truly invaluable throughout this process.
Thank you for following along with the Passwordless Authentication series! Be sure to check out the earlier posts if you missed them.
Very much thank you for sharing these great articles, it is much appreciated the work you've put in it.
Also very interested, educational and great tips needed in our ever evolving security landscape.