This week is all about FIDO2 security keys. More specifically, about configuring FIDO2 security key restrictions to make sure that users can only register specific FIDO2 security keys, or to prevent users from registering specific FIDO2 security keys. That makes this blog post a follow-up on this post about enabling password-less sign-in with security keys. In this post I'll provide a short introduction to the FIDO2 security key AAGUID (and how to find it), followed by the steps to configure the FIDO2 security key restrictions. I'll end this post by looking at the end-user experience.
FIDO2 security key AAGUID
According to the WebAuthn/FIDO2 specification each authenticator provides an Authenticator Attestation GUID (AAGUID) during attestation, as part of the attested credential data returned at registration. An AAGUID is a 128-bit identifier that indicates the type (for example make and model) of the authenticator. The AAGUID must be identical across substantially identical authenticators made by the same manufacturer, and should differ (with high probability) from the AAGUID of every other type of authenticator from any manufacturer. To make that likely, the specification recommends that each AAGUID be randomly generated. One caveat worth keeping in mind: the AAGUID is reported by the authenticator itself, so an AAGUID-based restriction is only as strong as the verification of the attestation statement that carries it. A key that can forge its attestation can claim any AAGUID it likes, which is why the attestation check, not the identifier, is what makes the restriction meaningful.
The AAGUID of a FIDO2 security key can be used to configure restrictions for the end-users, by either allowing only specific FIDO2 security keys based on their AAGUID or by blocking specific FIDO2 security keys based on their AAGUID. To help with that, some manufacturers (like Yubico) publish a complete list of the AAGUIDs of their FIDO2 security keys.
When this information is not easily available, it's possible to find the AAGUID by using the get_info.py example script that ships with the python-fido2 library provided by Yubico. The script sends a WINK to the device (which only makes the key blink, so you can tell which key is being queried) and then requests the CTAP2 getInfo response, which includes the AAGUID. Below (in Figure 1) is an example of a FIDO2 security key that has received a WINK. The information returned alongside it includes the AAGUID and, on some devices, also the FIDO2 security key name and model.
Another method to retrieve the AAGUID of a FIDO2 security key is to register the security key as a sign-in method. That can be achieved via the Security info section of My Profile. After registering the security key, the AAGUID is listed next to the security key as shown below in Figure 2.
Below is an overview of the FIDO2 security keys that I’ve had available during testing, including their AAGUID.
| FIDO2 security key | FIDO2 AAGUID |
|---|---|
| YubiKey 5 NFC (firmware version 5.1.x) | fa2b99dc9e3942578f924a30d23c4118 |
| YubiKey 5C (firmware version 5.1.x) | cb69481e8ff7403993ec0a2729a154a8 |
| Feitian ePass FIDO-NFC Security Key K9 | ee041bce25e54cdb8f86897fd6418464 |
| Feitian BioPass FIDO2 Security Key K26 | 77010bd7212a4fc9b236d2ca5e9d4084 |
| Feitian BioPass FIDO2 Security Key K27 | 77010bd7212a4fc9b236d2ca5e9d4084 |
| Feitian BioPass FIDO2 Security Key K33 | 12ded7454bed47d4abaae713f51d6393 |
| eWBM Goldengate Security Key G310 | 95442b2ef15e4defb270efb106facb4e |
| eWBM Goldengate Security Key G320 | 87dbc5a14c944dc88a4797d800fd1f3c |
Configuring FIDO2 security key restrictions
The configuration steps are pretty straightforward and come down to adjusting the FIDO2 Security Keys authentication method, by performing the 3 steps mentioned below. Those steps are fully focused on configuring the key restriction policy. When the FIDO2 Security Keys authentication method is not yet enabled, make sure to also perform the required actions for that. In other words, make sure to enable the authentication method and to configure the target (users or groups) of the authentication method.
- Open the Azure portal and navigate to Azure Active Directory > Security > Authentication methods > Authentication method policy (preview) to open the Authentication methods – Authentication method policy (preview) blade
- On the Authentication methods – Authentication method policy (preview) blade, select FIDO2 Security Key to open the FIDO2 Security Key settings section
- On the FIDO2 Security Key settings section, provide at least the following information (see also Figure 3 for an overview of the available options) and click Save
  - Enforce key restrictions: Select Yes
  - Restrict specific keys: Select Block to create a key restriction policy that blocks the specified AAGUIDs and allows every other key, or select Allow to create a key restriction policy that allows only the specified AAGUIDs and blocks every other key
  - Click Add AAGUID and specify the AAGUIDs that should be blocked or allowed
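To make the two halves of this post concrete, the following is an added example (not code from the original post, nor Microsoft's or Yubico's code). It pulls the AAGUID out of the authenticator data that a FIDO2 security key returns at registration, using the fixed layout from the WebAuthn specification, normalizes the dashed and bare 32-hex spellings of an AAGUID that appear in vendor lists and in the table above, and then evaluates the same Allow/Block key restriction semantics as the policy configured in the steps above. The registration data it parses is constructed for the example: the AAGUID is the YubiKey 5 NFC value from the table, the remaining bytes are synthetic, and the policy dictionary shape is this example's own, not the portal's.

```python
"""
Extract a FIDO2 authenticator's AAGUID from WebAuthn registration data and
evaluate it against an Allow/Block key restriction policy.

Added example, not code from the original post. The sample registration data
is constructed here (AAGUID taken from the table above, other bytes synthetic).
"""
import hashlib
import struct
import uuid

# Bit 6 (0x40) of the flags byte: attested credential data (AT) is present.
FLAG_AT = 0x40


def normalize_aaguid(value: str) -> str:
    """Return an AAGUID in canonical lower-case, dashed GUID form.

    Accepts the dashed form used in vendor lists
    (fa2b99dc-9e39-4257-8f92-4a30d23c4118) as well as the bare 32-hex form
    used in the table above; anything else raises instead of silently matching.
    """
    return str(uuid.UUID(value.strip()))


def aaguid_from_authenticator_data(auth_data: bytes) -> str:
    """Parse WebAuthn authenticator data and return its AAGUID.

    Layout (WebAuthn Level 1, section 6.1):
      rpIdHash (32) | flags (1) | signCount (4, big-endian) |
      attestedCredentialData: aaguid (16) | credentialIdLength (2) |
                              credentialId (L) | credentialPublicKey (COSE)
    With the AT flag set the AAGUID therefore always sits at bytes 37..53.
    Assertion data (AT flag clear) carries no AAGUID and is rejected.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("AT flag clear: this is assertion data, not registration data")
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    return str(uuid.UUID(bytes=auth_data[37:53]))


def key_allowed(aaguid: str, policy: dict) -> bool:
    """Evaluate a key restriction policy with the semantics described above.

    policy = {"enforce": bool, "mode": "Allow" | "Block", "aaguids": [...]}
    'Allow' permits only the listed AAGUIDs, 'Block' permits everything except
    the listed ones, and with enforcement off every key is accepted.
    """
    if not policy.get("enforce", False):
        return True
    listed = {normalize_aaguid(a) for a in policy.get("aaguids", [])}
    hit = normalize_aaguid(aaguid) in listed
    mode = policy["mode"].lower()
    if mode == "allow":
        return hit
    if mode == "block":
        return not hit
    raise ValueError(f"unknown restriction mode: {policy['mode']}")


def build_sample_auth_data(aaguid: str, rp_id: str = "login.microsoft.com") -> bytes:
    """Constructed registration authenticator data, for demonstration only."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = bytes([0x01 | 0x04 | FLAG_AT])  # UP, UV, AT
    sign_count = struct.pack(">I", 0)
    cred_id = b"\x11" * 16                  # synthetic credential ID
    cose_key_placeholder = b"\xa0"          # empty CBOR map; not parsed here
    return (rp_id_hash + flags + sign_count
            + uuid.UUID(aaguid).bytes
            + struct.pack(">H", len(cred_id)) + cred_id
            + cose_key_placeholder)


if __name__ == "__main__":
    # AAGUIDs from the table above; one dashed, one bare, to show normalization.
    yubikey_5_nfc = "fa2b99dc-9e39-4257-8f92-4a30d23c4118"
    feitian_k33 = "12ded7454bed47d4abaae713f51d6393"

    found = aaguid_from_authenticator_data(build_sample_auth_data(yubikey_5_nfc))
    print("AAGUID in registration:", found)

    allow_only_yubikey = {"enforce": True, "mode": "Allow", "aaguids": [yubikey_5_nfc]}
    block_k33 = {"enforce": True, "mode": "Block", "aaguids": [feitian_k33]}
    print("Allow policy accepts YubiKey 5 NFC:", key_allowed(found, allow_only_yubikey))
    print("Block policy accepts YubiKey 5 NFC:", key_allowed(found, block_k33))
    print("Allow policy accepts Feitian K33:", key_allowed(feitian_k33, allow_only_yubikey))
```

The normalization step matters in practice: vendor lists print AAGUIDs with dashes while some tools (and the table above) print the bare hex, and a policy that compares the two spellings as strings would quietly fail to match. The AT-flag check is the other detail to keep: only registration (attestation) data carries an AAGUID, so a parser that reads bytes 37..53 unconditionally would return garbage for assertion data.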
Let's end this post by having a look at the end-user experience. When the end-user tries to register a security key that the policy does not permit (either not on the Allow list, or on the Block list), via the Security info section in My Profile, the end-user can walk through the complete process of adding another sign-in method. Only at the end of the process does the end-user receive an error stating that this particular key type has been blocked by the organization. The message doesn't provide a list of supported security keys, so it's worth communicating the permitted key models to users up front.
For more information about password-less authentication deployment and password-less FIDO2 security keys, refer to the following articles:
- Complete a passwordless authentication deployment in Azure Active Directory – https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment
- Enable passwordless security key sign-in (preview) – https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key