Prochain SlideShare
Microsoft's Implementation Roadmap for FIDO2
- 1. FIDO2 & Microsoft ANTHONY NADALIN MICROSOFT
- 2. https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/windows-integration/web- authentication
- 3. Windows Hello
- 4. Password-less authenticationUser-friendly experienceEnterprise-grade security 47M enterprises have deployed Windows Hello for Business active Windows Hello users 6.5K growth in biometric capable computers 350%
- 5. FIDO2 Private preview began WebAuthn Support available to Windows 10 Insiders Self-provisioned keys for MSA Windows 10 October 2018 Update SPRING 2018 JULY 2018 OCTOBER 2018
- 6. Admin controls End-user self-provisioning FIDO2 for Azure AD accounts Public preview begins JANUARY 2019 FIDO2 Private preview began WebAuthn Support available to Windows 10 Insiders Self-provisioned keys for MSA Windows 10 October 2018 Update SPRING 2018 JULY 2018 OCTOBER 2018
- 7. Save Discard METHOD TARGET ENABLED Password All users Yes Phone call All users Yes Microsoft Authenticator app No Verification code – authenticator app No Verification code – hardware token No Windows Hello No FIDO No PIN No Email address No Security questions 5 groups Yes Allowed methods Documentation = Recommended Registration settings Usage and insights Getting started ACTIVITY Audit logs TROUBLESHOOTING + SUPPORT Troubleshoot New support request MANAGE Authentication methods Password protection (Preview) i i i i i i i i i i Authentication methods Wingtiptoys – Azure AD Security Home > Authentication methods > Authentication methods 1 group Yes Text message i
- 8. REQUIRE REGISTRATION: METHOD TARGET ENABLED Password All users Yes Phone call All users Yes Microsoft Authenticator app No Verification code – authenticator app No Verification code – hardware token No Windows Hello No FIDO No PIN No Email address No Security questions 5 groups Yes = Recommended Save Save Discard Allowed methods Documentation Registration settings TROUBLESHOOTING + SUPPORT Troubleshoot New support request ACTIVITY Audit logs MANAGE Authentication methods Password protection (Preview) Usage and insights Getting started Authentication methods Wingtiptoys – Azure AD Security Home > Authentication methods > Authentication methods TARGET USERSENABLE Save Discard CONFIGURE REGISTRATION Required All users Select users NAME + add users and group 1 group Yes … FIDO2 Security Keys Yes No Allow self-service set-up for groups Yes No Enforce Attestation Yes No KEY RESTRICTION POLICY + add AAGUID Allow Block Yes No Enforce key restrictions Restrict specific keys Yes No Manage security keys Manual set-up All users All users Select users
- 9. REQUIRE REGISTRATION: METHOD TARGET ENABLED Password All users Yes Phone call All users Yes Microsoft Authenticator app No Verification code – authenticator app No Verification code – hardware token No Windows Hello No FIDO No PIN No Email address No Security questions 5 groups Yes = Recommended Save Save Discard Allowed methods Documentation Registration settings TROUBLESHOOTING + SUPPORT Troubleshoot New support request ACTIVITY Audit logs MANAGE Authentication methods Password protection (Preview) Usage and insights Getting started Authentication methods Wingtiptoys – Azure AD Security Home > Authentication methods > Authentication methods TARGET USERSENABLE Save Discard CONFIGURE REGISTRATION Required All users Select users NAME + add users and group 1 group Yes FIDO2 Security Keys Yes No Allow self-service set-up for groups Yes No Enforce Attestation Yes No KEY RESTRICTION POLICY + add AAGUID Allow Block Yes No Enforce key restrictions Restrict specific keys Manage security keys Manual set-up All users Select users All users
- 10. REQUIRE REGISTRATION: METHOD TARGET ENABLED Password All users Yes Phone call All users Yes Microsoft Authenticator app No Verification code – authenticator app No Verification code – hardware token No Windows Hello No FIDO No PIN No Email address No Security questions 5 groups Yes = Recommended Save Save Discard Allowed methods Documentation Registration settings TROUBLESHOOTING + SUPPORT Troubleshoot New support request ACTIVITY Audit logs MANAGE Authentication methods Password protection (Preview) Usage and insights Getting started Authentication methods Wingtiptoys – Azure AD Security Home > Authentication methods > Authentication methods TARGET USERSENABLE Save Discard CONFIGURE REGISTRATION Required All users Select users NAME + add users and group 1 group Yes FIDO2 Security Keys Yes No Allow self-service set-up for groups Yes No Enforce Attestation Yes No KEY RESTRICTION POLICY + add AAGUID Allow Block Enforce key restrictions Restrict specific keys Manage security keys Manual set-up No users selected … Yes No
- 11. REQUIRE REGISTRATION: METHOD TARGET ENABLED Password All users Yes Phone call All users Yes Microsoft Authenticator app No Verification code – authenticator app No Verification code – hardware token No Windows Hello No FIDO No PIN No Email address No Security questions 5 groups Yes = Recommended Save Save Discard Allowed methods Documentation Registration settings TROUBLESHOOTING + SUPPORT Troubleshoot New support request ACTIVITY Audit logs MANAGE Authentication methods Password protection (Preview) Usage and insights Getting started Authentication methods Wingtiptoys – Azure AD Security Home > Authentication methods > Authentication methods TARGET USERSENABLE Save Discard CONFIGURE REGISTRATION Required All users Select users NAME + add users and group 1 group Yes FIDO2 Security Keys Yes No Allow self-service set-up for groups Yes No Enforce Attestation Yes No Manage security keys Manual set-up Search by name or email address Search OK Cancel Search by name of email addressPilot Add users and groups …No users selected
- 12. REQUIRE REGISTRATION: METHOD TARGET ENABLED Password All users Yes Phone call All users Yes Microsoft Authenticator app No Verification code – authenticator app No Verification code – hardware token No Windows Hello No FIDO No PIN No Email address No Security questions 5 groups Yes = Recommended Save Save Discard Allowed methods Documentation Registration settings TROUBLESHOOTING + SUPPORT Troubleshoot New support request ACTIVITY Audit logs MANAGE Authentication methods Password protection (Preview) Usage and insights Getting started Authentication methods Wingtiptoys – Azure AD Security Home > Authentication methods > Authentication methods TARGET USERSENABLE Save Discard CONFIGURE REGISTRATION Required All users Select users NAME + add users and group 1 group Yes FIDO2 Security Keys Yes No Allow self-service set-up for groups Yes No Enforce Attestation Yes No Manage security keys Manual set-up Search by name or email address Search OK Cancel Search by name of email addressPilot group Pilot group Pilotgroup@wingtiptoys.com Pilot group corp pilotgrpcorp@wingtiptoys.com Pilot group NYC pilotgrpmkt@wingtiptoys.com PG PG PG Add users and groups …No users selected
- 13. REQUIRE REGISTRATION: METHOD TARGET ENABLED Password All users Yes Phone call All users Yes Microsoft Authenticator app No Verification code – authenticator app No Verification code – hardware token No Windows Hello No FIDO No PIN No Email address No Security questions 5 groups Yes = Recommended Save Save Discard Allowed methods Documentation Registration settings TROUBLESHOOTING + SUPPORT Troubleshoot New support request ACTIVITY Audit logs MANAGE Authentication methods Password protection (Preview) Usage and insights Getting started Authentication methods Wingtiptoys – Azure AD Security Home > Authentication methods > Authentication methods TARGET USERSENABLE Save Discard CONFIGURE REGISTRATION Required All users Select users NAME + add users and group 1 group Yes FIDO2 Security Keys Yes No Allow self-service set-up for groups Yes No Enforce Attestation Yes No Manage security keys Manual set-up Search by name or email address Search Search by name of email addressPilot group Add users and groups OK Cancel Pilot group Pilotgroup@wingtiptoys.com PG x OK Cancel …No users selected
- 14. REQUIRE REGISTRATION: METHOD TARGET ENABLED Password All users Yes Phone call All users Yes Microsoft Authenticator app No Verification code – authenticator app No Verification code – hardware token No Windows Hello No FIDO No PIN No Email address No Security questions 5 groups Yes = Recommended Save Save Discard Allowed methods Documentation Registration settings TROUBLESHOOTING + SUPPORT Troubleshoot New support request ACTIVITY Audit logs MANAGE Authentication methods Password protection (Preview) Usage and insights Getting started Authentication methods Wingtiptoys – Azure AD Security Home > Authentication methods > Authentication methods TARGET USERSENABLE Save Discard CONFIGURE REGISTRATION Required All users Select users NAME + add users and group 1 group Yes FIDO2 Security Keys Yes No Allow self-service set-up for groups Yes No Enforce Attestation Yes No KEY RESTRICTION POLICY + add AAGUID Allow Block Enforce key restrictions Restrict specific keys Manage security keys Manual set-up Pilot group … Yes No
- 15. Wingtip Toys
- 16. Wingtip Toys
- 17. Wingtip Toys
- 18. Wingtip Toys
- 19. Wingtip Toys
- 20. Wingtip Toys
- 21. Wingtip Toys
- 22. Wingtip Toys
- 23. Wingtip Toys
- 24. FIDO2 security key 1 Windows 10 device 6 3 4 7 9 2 3 4 5 2 1 User plugs FIDO2 security key into computer Windows detects FIDO2 security key Windows device sends auth request Azure AD sends back nonce User completes gesture to unlock private key stored in security key’s secure enclave FIDO2 security key signs nonce with private key PRT token request with signed nonce is sent to Azure AD Azure AD verifies FIDO key Azure AD returns PRT and TGT to enable access to on-premises resources 8 7 8 9 5 6
Identifiez-vous pour voir les commentaires