#1 2020-09-13 21:33:20

Registered: 2020-09-12
Posts: 2

5 Comments on Securing Your Windows 10 Login With Yubikey

Authentication  Azure Active Directory  Azure AD AzureAD FIDO modern authentication Multi-Factor Authentication password yubikey           Getting Rid of Passwords in Azure AD / Office 365.
July 15, 2019.

3 Comments on Getting Rid of Passwords in Azure AD / Office 365

This article is based on the public preview of the use of hardware tokens/ Microsoft  Authenticator to do sign-in without passwords released in July 2019 Using Microsoft Authenticator for Passwordless Sign-in.
You used to be able to do this by running the  following  in PowerShell for the last few years New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition ‘{“AuthenticatorAppSignInPolicy”:{“Enabled”:true}}’ -isOrganizationDefault $true -DisplayName AuthenticatorAppSignIn Interestingly, if you have done this in the past, the new Azure AD portal settings for doing this do not take this into consideration.
So first, if you have run the above then you need  to remove  it with Remove-AzureADPolicy –Id <get the ID using Get-AzureADPolicy> before you implement the below, otherwise it is turned on for everyone even though Azure AD Portal says it is not enabled:  So to start, visit the Azure AD Portal at https://portal.azure.com and select Azure Active Directory.
Then select Authentication Methods (under Security) and then Authentication Method Policy (Preview) or go directly there with https://portal.azure.com/#blade/ Microsoft _AAD_IAM/ActiveDirectoryMenuBlade/AuthenticationMethods.
Click  Microsoft  Authenticator passwordless sign-in and choose Enable and to pilot choose Select Users and the group you want to pilot with.
Otherwise if you want to turn it on for  all users , just leave the default.
Note that nothing changes for the user – they need to do stuff before it works for them.
which results in  As the notice says, also ensure that you have MFA with push  notification s enabled.
This option has been available for a year or so now, and you will find it on Password Reset > Authentication Methods (or directly with https://portal.azure.com/#blade/ Microsoft _AAD_IAM/ActiveDirectoryMenuBlade/PasswordReset).
This is not the same setting as the blue bar at the top of the page you are  currently  on.
For the user.

From within Microsoft Authenticator

they need to go to the settings and register the device with their login.
This is a one time process and once you have done the above and they have registered the device, they can choose to do password-less sign-in.
From a login perspective, it looks like this:  Enter your username to an Azure AD login.
On your phone.

In the notification from the Microsoft Authenticator app

you select the displayed number (which changes number, and the position of the number each time).
Hardware Tokens Instead of Passwords (FIDO2).
This is the second option made available in Azure AD in July 2019.
This allows the use of hardware tokens such as Windows Hello and FIDO2 devices (i.e.

Yubikey and others) to authenticate to the platform

Note that this is not MFA – you have one factor, the hardware token.
There is no requirement to implement a second factor with the hardware token as this replaces the password and is not storing a password.
That is, if you do not have the token you do not have access – you cannot guess or intercept the token exchange.
To turn on this feature select the FIDO2 Security Key option under Authentication Methods (under Security) and then Authentication Method Policy (Preview).

As with the Microsoft Authenticator option above

Enable the feature and select All Users or Select Users.

Unlike the Microsoft Authenticator option

you now have the choice of Self Service and Key Restrictions Self Service is useful when you have All Users selected, as the user registers their own security key.
Without Self Service you need to configure a key for each user.
Self Service requires the new registration service which is mentioned above and linked to at the top of the configuration page in Azure AD portal.
Enforce Attestation allows you to ensure that a specific model / device of hardware security key is used.
Enforce Key Restrictions requires that you add the key by its AAGUID as shown:  From here you can also Restrict Specific Keys to only allow keys you have issued to be used.
Block would allow you to have any key.
Enhanced Registration Preview.
This preview has been available since early 2019, but now supports passwordless and security token as authentication methods.
Click the link in the blue bar and ensure everyone whom you have enabled the new authentication policy for is included for the new registration preview.
In the graphic below, this is the lower of the two options – your tenant might show only the lower option.
To direct users to the new preview experience visit http://aka.ms/mfasetup or if you have a Conditional Access login but you have not registered, you will be directed here anyway.
On the security info page, if you have already registered for MFA you will be shown your current authentication methods:  If you have not registered before you will be asked to register – either way, you get to pick the methods you want to use for authentication.
These need to be:   Authenticator App – you can add up to five of these.
Security Key.
To add a new Security Key select this and follow the steps but make sure you are running Microsoft Edge on Windows 10 1903 or later or Firefox.
On Chrome (which supports FIDO2 for Google Services) you get the below:  On a supported browser, you will see the following series of prompts:   The above is for a USB key.
NFC keys and readers will have different prompts along the lines of holding the device near to the reader.
Then you need to name your key:.
Signing In With A Security Key.
Login to Office or your selected cloud app and enter your username and click next.
Now you can click “Sign in with Windows Hello or a security key”  As with registration.

You now need to enter your PIN and press the button on the USB device

scan your fingerprint, look at your camera or hold your NFC device next to the reader – whatever your device requires you to do.
On your MFA registration page at https://aka.ms/mfasetup your security device is listed:  Your login did not require a password – yippee.

MFA MVP security yubikey           Securing Your Windows 10 Login With Yubikey

January 20, 2017.
5 Comments on Securing Your Windows 10 Login With Yubikey.
The Yubikey is a small USB connected hardware device that can generate a variety of security codes.
Being virtually indestructible and easy to clip to a key ring (Yubikey 4) or leave inside your only device (Yubikey 4 Nano) you can now use this token to login to Windows.
Once you have got your token from Yubico (via Amazon or other resellers) for around £40 you start the very simple Windows Hello authentication registration process by downloading the Yubikey app from Windows App Store.  Signing in after a restart requires full credentials (password or PIN), which means a stranger who steals your PC and the YubiKey can’t use it to access your device Open the Store app, search for Yubikey and click the logo for the app.
Click the Get button to install the app then then launch to start it.
In a corporate environment you can push the app to your devices with MDM solutions like Intune.
Launch the app.
You will need to have a PIN login enabled for the device to work and so you will see a warning if you do not have this enabled.
If you need to set up a PIN then close the Yubikey app and type “PIN” in the search box in Windows and choose “Setup PIN sign-in”  Scroll down and click Add under PIN.

You will need to reenter your password so other people cannot set up a PIN on your behalf
Enter a PIN and confirm the same PIN  You will now be able to use a PIN to sign in
The PIN setup process will continue and you will be asked to confirm your PIN again
You can now use your PIN to sign into your computer

which as it is tied to the computer hardware, is more secure than your password.
But we are not stopping there – we can now restart the Yubikey app.
Either launch it from the Store app, from the search box on the Start Menu or From the Start menu, select All Apps >Start > YubiKey for Windows Hello  Click Register to start the process of pairing your Yubikey to your computer  Insert your Yubikey into any USB port on the PC and press Continue  Name the Yubikey, as at login it will ask you to insert this named key.
Click Continue once you have a name  At this point it should register the device and all is good.
If you find that Windows Companion Devices are disabled then you will get this error:  It reads “Oh no.
An error occurred during registration.
Windows companion devices are disabled on this system.
Contact your system administrator”.
This is because the local security policy on your computer or network via your Active Directory and IT driven polices does not allow companion devices.
On systems running Windows Pro or Windows Enterprise systems, you must enable the option to Allow companion device for secondary authentication in the Local Security Policy.
If your organization manages your security policy, contact your IT administrator and request this change before installing this app.
You cannot change local security policy on systems running Windows Home, however this option is enabled by default.
Note that you will also get this on domain joined systems as well, as secondary auth is not supported on domain joined machines (even for individual users) at this time.
To modify local security policy    Open the Local Group Policy Editor.
To do this, press the Windows key, type R, and then type gpedit.msc.
In the Local Group Policy Editor, from the top level Local Computer Policy, navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Secondary Authentication Factor.
In the right pane, click the link to Edit policy setting.
(You can also double-click the setting to Allow companion device for secondary authentication.) The default state is Not configured.
In the setting screen, select the option for Enabled, and click OK.
If this option is already selected, your policy is set and you can click Cancel.
Exit the Local Group Policy Editor and the Management Console.
Select Category  2003  2004  2007  2008  2008 R2  2010  2012  2012 R2  2013  2016  2019  2FA  64 bit  AADConnect  aadrm  AADSync  access  acdc  active directory  activesync  add-in  ADDS  ADFS  ADFS 2.0  ADFS 3.0  ADFS Connector  AdminSDHolder  adsiedit  Advanced Threat Protection  agent  AIP  android  antivirus  anycast  app password  Application Guard  archive  asterisk  asterisknow  ATP  Authentication  autodiscover  autodiscover v2  az  Azure  Azure Active Directory  Azure AD  Azure Information Protection  AzureAD  backup  baseline  bing  bios  booking  bpos  branding  cafe  calendar  certificates  Chrome  citrix  Click To Run  Click2Run  cloud  Cloud PBX  Clutter  cmak  compliance  conditional access  conversation  crm  cross-forest  cyber bullying  dell  Deployment  device  device registration  dirsync  dkim  DLP  dmarc  DNS  domain  door  download  draytek  DSC  duplicate  dynamic delivery  Dynamics  EAS  ebs 2008  Edge  EM+S  email  encryption  Endpoint Manager  enterprise mobility + security  Entourage  EOP     Exchange Online Protection  error  EWS  exchange  exchange online  Exchange Server  EXO  ExpressRoute  federation  FIDO  firewall  Focused Inbox  FOPE  Free/Busy  GeoDNS  Global Catalog  GPO  Group Policy  groups  hosting  hotfix  https  hybrid  hyper-v  IAmMEC  IFilter  iis  illustration  install  Intune  iOS  ip  iPad  iPhone  ipsec  ipv4  ipv6  iQ.
Suite  IRM  isa  ISA Server 2004  ISA Server 2006  JetNexus  journal  journaling  Kemp  kerberos  lab  licence  Live Event  load balancer  Load Master  loadbalancer  logo  Lync Server  mailbox  malware  management  mcafee  mcas  mcm  mcsm  mdatp  MDM  media player  MFA  microsoft  Microsoft 365  Microsoft Cloud App Security  Microsoft Defender Advanced Threat Protection  Microsoft Teams  migration  Mobile Device Management  mobile phones  modern authentication  monthly channel  move  msExchDelegateListBL  msExchDelegateListLink  MSOL  multi-factor auth  Multi-Factor Authentication  MVP  MX  ndr  Netscaler  networking  NTL  OAuth  OD4B  ODFB  off  offensive  Office  Office 365  Office 365 Advanced Threat Protection  Office 365 Groups  Office 365 ProPlus  oledb  OneDrive  OneDrive For Business  openmanage  orange  organization relationships  osma  Outlook  owa  OWA for Devices  password  paxton  pbx  permissions  PFDAVAdmin  phish  phishing  phone factor  pkcs  pki  places  policy  powershell  pptp  preview  Proof Of Concept  proxy  pst  PSTN  PSTN Conferencing  Public Folders  recovery  remote desktop  remote web workplace  retention  retention policies  rms  room  router  rras  rtp  rules  rww  Safe Attachments  Safe Documents  Safe Links  Salesforce  sbs 2008  SCOM  sdk  search  security  Security and Compliance Center  self-service password reset  semi-annual channel  send-on-behalf  server administrator  server core  shared mailbox  sharepoint  sip  Skype For Business Online  Skype for Business Server  smarthost  smartphone  sms  smtp  spam  spf  spoof  spv  SQL  sql express  SSL  SSO  sspr  sstp  starttls  storage card  Stream  supervision  sync error  sysprep  Teams  TechEd  terminal server  Terminal Services  text message  Threat Management  TLS  tmg  token2  transport  transport agent  ts gateway  Uncategorized  unif  unified messaging  update  upgrade  vc++  vhd  virtual pc  virtual server  virtualisation  vista  visual studio  vm  VNet  Voicemai  voicemail.


Basketball Star Slot

Board footer

Powered by FluxBB