This is the first article in a series focused on FIDO keys from a couple of manufacturers.
In recent months I have been asked multiple times about ‘the best’, i.e. ‘the most secure’, models of FIDO2 keys.
Those questions prompted me to prepare tests of multiple types of security keys.
According to the official web page:
“FEITIAN provides strong authentication solutions to fit needs that cover financial, healthcare, government, enterprise, payment, and more. Backed by a strong and experienced R&D team, FEITIAN is able to quickly react to industry trends and market requests, with easy integration at a competitive cost.”
Additionally, Feitian is a member of the Microsoft Intelligent Security Association and the FIDO Alliance.
In this article I’d like to share my thoughts after two weeks of using FEITIAN Technologies Co., Ltd. security keys:
| Model | ePass FIDO NFC Security Key K9 | BioPass FIDO Security Key K27 | AllinPass FIDO-UC Security Key K33 |
|---|---|---|---|
| Supported OS | Windows, macOS, Chrome OS, Android | Windows, macOS, Chrome OS, Android | Windows, macOS, Chrome OS, Android |
| Interface | USB-A, NFC | USB-A, NFC, Biometric | USB-C, NFC, BLE, Biometric |
| Optional applet | HOTP, TOTP, PIV (on demand) | PIV (on demand) | |
| Security algorithm | SHA256 with ECDSA on P-256, SHA-1 | ECDSA, SHA256, AES, HMAC, ECDH | ECDSA, SHA256, AES, HMAC, ECDH |
| Standard | FIDO U2F, FIDO2 | FIDO U2F, FIDO2 | FIDO2 |
| Metal chassis | ABS + Metal chassis, Battery | | |
| Model | AAGUID |
|---|---|
| ePass FIDO NFC Security Key K9 | ee041bce-25e5-4cdb-8f86-897fd6418464 |
| BioPass FIDO Security Key K27 | 77010bd7-212a-4fc9-b236-d2ca5e9d4084 |
| AllinPass FIDO-UC Security Key K33 | 12ded745-4bed-47d4-abaa-e713f51d6393 |
Azure AD integration
As you may already know, I focus on Azure AD security in my work, which is why I decided to check how these keys work after integration with Azure AD when accessing resources such as Teams, Exchange Online, SharePoint Online and the Azure Portal, and with Windows Hello for Business where possible.
To run the tests for this article I created a dedicated user called feitiantester in my lab.
In my lab I also created a dedicated group called Passwordless, which is targeted by the FIDO2 Security Key authentication method.
To configure Authentication Methods, open the following URL: https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/AdminAuthMethods
Because one of the provided keys was not working, I decided to configure a block restriction for its AAGUID.
One week into the test I received a new sample of the K27 key, so there are no blocked AAGUIDs in the environment any more.
As you may have noticed, I allow self-service set-up, so all Passwordless group members can enroll keys on their own.
To configure the authentication method from the end-user perspective, use the following URL: https://mysignins.microsoft.com/security-info
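The same FIDO2 authentication method settings can be applied through Microsoft Graph instead of the portal blade. The following Python is an added example (not the author's code and not a FEITIAN tool): it builds the body for the `fido2` authentication method configuration with the Passwordless group as the include target, self-service registration enabled, and an optional AAGUID block restriction of the kind described above, then PATCHes it. The AAGUIDs are the ones listed in the table on this page; the group object id, the bearer token and the helper names are assumptions. The endpoint and property names are Microsoft's documented Graph ones, and the write requires the Policy.ReadWrite.AuthenticationMethod permission.

```python
import json
import urllib.request
import uuid

# AAGUIDs as listed in the comparison table above (values from the page).
FEITIAN_AAGUIDS = {
    "ePass FIDO NFC Security Key K9": "ee041bce-25e5-4cdb-8f86-897fd6418464",
    "BioPass FIDO Security Key K27": "77010bd7-212a-4fc9-b236-d2ca5e9d4084",
    "AllinPass FIDO-UC Security Key K33": "12ded745-4bed-47d4-abaa-e713f51d6393",
}

# Graph v1.0 resource for the FIDO2 security key method configuration.
GRAPH_FIDO2_POLICY_URL = (
    "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
    "/authenticationMethodConfigurations/fido2"
)


def normalize_aaguid(value: str) -> str:
    """Return the canonical lowercase hyphenated form of an AAGUID.

    Raises ValueError for anything that is not a valid GUID, so a typo
    in a key restriction is caught before it reaches the tenant policy.
    """
    return str(uuid.UUID(value))


def build_fido2_policy(group_id: str, blocked_aaguids=(), self_service: bool = True) -> dict:
    """Build the PATCH body for the fido2 authentication method configuration.

    group_id: object id of the target group (here the 'Passwordless' group; assumed value).
    blocked_aaguids: AAGUIDs to block; an empty sequence disables key restrictions,
    which is the state the article ends up in after the replacement K27 arrived.
    """
    blocked = sorted({normalize_aaguid(a) for a in blocked_aaguids})
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "id": "fido2",
        "state": "enabled",
        "isSelfServiceRegistrationEnabled": self_service,
        "isAttestationEnforced": True,
        "keyRestrictions": {
            "isEnforced": bool(blocked),
            "enforcementType": "block",
            "aaGuids": blocked,
        },
        "includeTargets": [
            {"targetType": "group", "id": group_id, "isRegistrationRequired": False}
        ],
    }


def apply_fido2_policy(access_token: str, body: dict) -> int:
    """PATCH the configuration to Graph and return the HTTP status (204 on success).

    Not invoked below; it needs a real token with Policy.ReadWrite.AuthenticationMethod.
    """
    req = urllib.request.Request(
        GRAPH_FIDO2_POLICY_URL,
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Assumed group id for the 'Passwordless' group; replace with the real object id.
    passwordless_group_id = "00000000-0000-0000-0000-000000000000"
    # Block the K27 AAGUID, as the article did while the first sample was not working.
    policy = build_fido2_policy(
        passwordless_group_id,
        blocked_aaguids=[FEITIAN_AAGUIDS["BioPass FIDO Security Key K27"]],
    )
    print(json.dumps(policy, indent=2))
```

Calling `build_fido2_policy(group_id)` with no blocked AAGUIDs yields `isEnforced: false`, which matches removing the block once a working key arrives; the enforcement type stays `block` so that re-adding an AAGUID later does not change the semantics of the list.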
PIN Key setup
Below are the screens from the ePass FIDO NFC Security Key K9 configuration.
As you can see, for the standard key we only need to set a PIN and we are ready to go.
Biometric Key Setup
To scan your fingerprint on the biometric keys you need to download additional software from this link: https://www.ftsafe.com/download/webdownload/BioPass_FIDO2_Manager.exe
After the installation, run BioPass FIDO2 Manager.
In the very first step you have to click Add Fingerprint, and then you will be asked to set up a PIN.
If you want, you can check whether your fingerprint was scanned successfully using the Test Fingerprint option.
Once you have set up the PIN and the biometric, you can add the key as an authentication method as we did previously.
Bluetooth Key Setup
One of the provided keys has Bluetooth as an alternative way of communicating with the computer.
To set it up, press the small button on the key for at least 5 seconds until the Bluetooth icon lights up blue.
Then follow the standard Bluetooth pairing procedure on your system.
After pairing you can try to log in to the Azure Portal using the security key in Bluetooth mode.
As you have most probably noticed, I have shown you how these keys can work with Azure AD and related services.
The final comparison between other manufacturers’ keys will be described in the last episode of the series.
Test devices were provided by FEITIAN Technologies Co., Ltd.