Portiva asked FEITIAN if they would like to send a trial set of FIDO keys to test and to validate their usability with Windows 10 and mobile devices.
Wikipedia describes the FIDO (“Fast IDentity Online”) Alliance as an open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. FIDO addresses the lack of interoperability among strong authentication devices and reduces the problems users face creating and remembering multiple usernames and passwords.
FEITIAN provides strong authentication solutions for the financial, healthcare, government, enterprise and payment sectors, among others. Backed by a strong and experienced R&D team, FEITIAN is able to react quickly to industry trends and market requests, with easy integration at competitive cost.
I’ve tested the K27 device from FEITIAN, which is a USB-A device that supports biometric and FIDO2 authentication.
Why a FIDO security key
Passwordless is a term that is currently circulating in the security scene. It means that users don’t need to remember or even know their password to log on to resources. True passwordless means that the user doesn’t have a password anymore, so password phishing attempts are mitigated: an attacker would need the external device itself to authenticate. Using your security key on unmanaged devices also prevents keyloggers from recording your password.
A security key is a good step towards passwordless: users no longer need to type their password for everyday sign-ins, so they can set a long, secure and memorable password which they don’t need to provide every time. The security key is also one of the factors for multi-factor authentication. The FEITIAN K27 combines two factors in one device. The following factors exist for authentication:
- Something you have – some physical object in the possession of the user, such as a USB stick with a secret token, a bank card, a key, etc.
- Something you know – certain knowledge only known to the user, such as a password, PIN, TAN, etc.
- Something you are – some physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
- Somewhere you are – some connection to a specific computing network or utilizing a GPS signal to identify the location.
The FEITIAN K27 combines something you have, as it is my USB stick, with something you are/know, as it requires my fingerprint or PIN to work.
First time use
You first need to register your fingerprints on the FEITIAN K27 before you can use it. Users can manage fingerprints and the PIN, or reset the security key, with FEITIAN’s BioPass FIDO2 manager on computers running a Windows 10 build lower than 18298. Users running Windows 10 Insider Preview Build 18298 can set up a security key straight from the Settings panel.
You can check which build you are running by opening “Run”
And typing “winver”
And clicking on OK
This means that my device has the correct build to use the FEITIAN K27 without the manager. In my case I went to the sign-in options in Windows 10.
And clicked on Manage at “security key”
First add a security PIN
And click on OK
Now you can add your fingerprints
First enter your security PIN
Touch the sensor
Add as many fingers as you like, click on Done and close the screen.
Connect to Office 365
Now we would like to connect the FEITIAN K27 to Office 365. Go to https://portal.office.com
Go to “My account”
Security and privacy
Go to “update your phone numbers used for account security”
Add security method
Select “security key”
Sign in with two-factor authentication and repeat the above two steps to add a security key
Select a USB device or NFC (the K27 doesn’t have NFC).
Click on continue
Touch your key
And name your key
Done and that’s all it takes to register your security key with your Azure AD account.
Testing the FEITIAN K27
Logging in on the Windows 10 workplace
Log off or go to the lock screen on your Windows 10 workplace.
Note that if you use Windows Hello Face it will try to authenticate you directly, so I had to cover the camera.
Click on the security key icon
And touch your security key.
Logging in using Chrome to https://portal.office.com
In this test I’ll connect to Office 365 using the browser. Your managed workplace will most likely sign you in with SSO, so you won’t need to present a passcode. You would normally provide your password, but in this case I can also choose to use my security key.
Touch your key
Note that if you wait too long it will automatically fall back to your PIN
And afterwards you will still need to use your finger
And you’re connected to Office 365 without having to use your password.
Pairing and testing with your Google account
Note that you already need MFA on your Google account before you can setup a security key.
Go to your Google account
And click on Security
Select 2-Step verification
Scroll down and select the Security Key
Select USB or Bluetooth
Touch your key
Give it a name and click on Done.
Now for testing I’ll use an in-private browser window, where I’ll still need to use my password, but for my second factor I can use the security key instead of my Chrome authenticator.
Pairing and testing with your Twitter account
Note that you already need MFA on your Twitter account before you can setup a security key.
It is possible to pair your security key with a Twitter account. Go to your Twitter account, click on Settings and privacy and then on Security under Account.
Then select Two-factor authentication
Select the security key
And now start an in-private session and try to log on
You can now log on to Twitter with your security key
Pairing and testing with your Facebook account
Note that you already need MFA on your Facebook account before you can setup a security key.
Go to your Facebook account and go to Security and login
Click on edit at ‘Use two-factor authentication’
Click on setup at the security key
Click OK and try to log on in an in-private browser
You will now be logged in at Facebook