A couple of weeks ago I wrote some articles about passwordless authentication to Windows 10 and SaaS apps (like Office 365) with FIDO2 security keys from Feitian and Yubico. I briefly described how passwordless authentication works with these FIDO2 security keys. The focus was on using these FIDO security keys in a corporate environment, but the keys can also be used to secure the authentication process for personal use, such as securing your personal email accounts.
These security keys are designed first and foremost for passwordless authentication with the FIDO2 protocol. Unfortunately, support for FIDO2 is (at this moment) limited to a handful of consumer websites, like Outlook.com.
But besides FIDO2, most security keys also support the FIDO U2F protocol. U2F stands for Universal Second Factor. This means you can use the key to secure the authentication process with a second factor (multi-factor authentication). You first authenticate with your (username and) password, and then with a second factor, in this case the security key. This secures your account, as it is impossible to sign in to your account without both factors.
Fortunately, a lot more websites already support FIDO U2F. Among them are Gmail, Facebook, Twitter and YouTube. For this article, let's focus on securing Outlook and Gmail. With these two examples we get a comparison of the authentication process between FIDO2 and FIDO U2F.
Content of this article
- Configure the FIDO2 security key
- Configure Outlook for passwordless authentication (FIDO2)
- Configure Gmail for two factor authentication (FIDO U2F)
Configure the FIDO2 security key
There are several types of FIDO2 security keys from several vendors. The standard key is used with a PIN code, but some vendors offer bio versions of the security key, with fingerprint support. In my setup I used a bio security key, the Feitian K27. Whether it's a standard or a bio key, you always have to configure the key with a PIN code.
For the best user experience I recommend using Windows 10 1903 or later for setting up the key, as support for configuring a security key is built into these Windows versions. When using an older Windows version, you need third-party tooling to configure the key.
To get started, insert the security key into your Windows 10 device via USB, open Settings and browse to Accounts. On the Sign-in options tab, click Security Key and click Manage.
Touch your security key.
As you can see, the option to configure my fingerprint is greyed out. You always need to create a PIN for your security key first.
Click Add under Security Key PIN.
Enter your PIN twice and click OK.
When using a standard security key, setup of the key is finished. Click Close.
When using a bio security key, you are now able to configure one or more fingerprints. Click Set up.
Provide your PIN code and click OK.
Touch the fingerprint sensor.
When finished, add another finger or click Done.
The security key is set up; let's register it with our personal email accounts.
Configure Outlook for passwordless authentication
Outlook.com (Hotmail/Live) supports FIDO2 security keys, just like Office 365 does. Because of this you only use your security key to sign in to your webmail and don't have to provide your username and password. This is the most secure way of authentication, as your username and password aren't sent over the internet.
Let's first have a look at how to register the security key with our Outlook.com account. Sign in to your account via account.microsoft.com. Browse to Security via the top menu.
Choose More security Options.
Scroll down to the section Windows Hello and security keys. Click Set up a security key.
You might be asked to confirm your password.
You are given some information about setting up a security key. Choose USB Device and click Next to start the setup.
Choose Continue.
Insert the security key into the USB port.
Touch the security key.
Enter your security key PIN and click OK.
The website asks to see your security key, click Allow.
On the next page, give the security key a name and click Next.
You're all set! Click Got it.
The registration is finished; let's see what the end-user experience is when we sign in to Outlook.com.
On the Sign in page of Outlook, choose Sign in with Windows Hello or a security key.
Insert the security key.
When using a standard FIDO2 security key, you're asked to enter the PIN.
Touch your security key.
When using a bio security key, you're not asked for a PIN, only to touch the key.
And you're signed in, without providing a username and password!
Configure Gmail for two factor authentication
Unlike Outlook, Gmail doesn't support the FIDO2 protocol (yet), but you're still able to secure Gmail with the security key, as Gmail does support FIDO U2F. We can use the security key as a second factor during the authentication process.
To register the key as a second factor, sign in to myaccount.google.com. On the Security tab, under Signing in to Google, choose 2-Step Verification.
You are given some information about protecting your account with 2-step verification.
You might be asked to verify your password.
Click Choose another option and select Security key from the drop-down list.
Click Next.
Insert the security key into the USB port.
As I'm using a bio security key, I only have to touch the key; with a standard key you're also asked for a PIN.
The website asks to see info about the security key; click Allow.
Give your security key a name and click Done.
The security key is registered for 2-step verification (two-factor authentication). Let's see what the authentication process now looks like.
Browse to Gmail.com and enter your password.
Insert the security key into the USB port and touch the security key.
With a standard key, you're asked to enter your PIN.
And you're signed in to Gmail using a second factor!
As Microsoft's Outlook is (at this moment) the only free email provider with support for FIDO2, Outlook gives you the best user experience when using a FIDO2 security key. But as Google is also a member of the FIDO Alliance, I assume that Gmail will receive FIDO2 support in the near future.
For now you're able to secure your Gmail account with the key as a second factor.
As mentioned, not only email accounts have FIDO U2F support and can be secured with a security key. Social media accounts like Twitter and Facebook can also be secured with a security key, and may in the future get FIDO2 support for a passwordless future!
That's it for now!
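To make the difference between the two sign-in flows above concrete, here is an added example (not code from the original article or from Microsoft or Google) showing the WebAuthn registration options a site would request for passwordless (FIDO2) versus second-factor (U2F-style) use, and the relying-party check on the authenticator data flags that tells the two apart: passwordless needs user verification (PIN or fingerprint), second factor only needs a touch. The relying-party id, user record and authenticator data bytes are constructed for the example.

```javascript
// Added example: WebAuthn options and the server-side flags check for the two
// flows described in the article. Runs in Node; all sample values are constructed.

// Registration options handed to navigator.credentials.create().
// Passwordless asks for a discoverable (resident) credential plus user
// verification; second factor only needs presence, the password was checked first.
function registrationOptions(mode, rpId, userId, challenge) {
  const passwordless = mode === "passwordless";
  return {
    rp: { id: rpId, name: rpId },                                // constructed rp
    user: { id: userId, name: "alice", displayName: "Alice" },   // constructed user
    challenge,                                                   // random bytes from the server
    pubKeyCredParams: [{ type: "public-key", alg: -7 }],         // ES256
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform",                 // a USB key
      residentKey: passwordless ? "required" : "discouraged",
      userVerification: passwordless ? "required" : "discouraged",
    },
  };
}

// Authenticator data layout per WebAuthn: rpIdHash[32] | flags[1] | signCount[4] | ...
// flags bit 0 = UP (user touched the key), bit 2 = UV (PIN or fingerprint verified).
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    signCount: authData.readUInt32BE(33),
  };
}

// Relying-party decision after signature verification: a passwordless
// assertion must carry UV, because the key is the only factor; a
// second-factor assertion only has to prove presence (UP).
function assertionAcceptable(mode, authData) {
  const a = parseAuthData(authData);
  if (!a.userPresent) return false;
  return mode === "passwordless" ? a.userVerified : true;
}

// Constructed authenticator data: zeroed rpIdHash placeholder, given flags, counter 1.
function sampleAuthData(flags) {
  const buf = Buffer.alloc(37, 0);
  buf[32] = flags;
  buf.writeUInt32BE(1, 33);
  return buf;
}
```

A touch-only assertion (flags 0x01) is enough for the Gmail second-factor flow but is rejected for the Outlook passwordless flow, which requires the UV bit (flags 0x05).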