Microsoft announced today that its Windows 10 biometric authentication technologies will be updated to support FIDO2-compatible security keys from companies like YubiKey.
“Microsoft and its partners have been working together on FIDO2 security keys for Windows Hello to enable easy and secure authentication on shared devices,” Microsoft’s Pieter Wigleven explains. “Security keys allow you to carry your credential with you and safely authenticate to an Azure AD joined Windows 10 PC that’s part of your organization. A user can walk up to any device belonging to the organization and authenticate in a secure way – no need to enter a username and password or set up Windows Hello beforehand.”
Today’s announcement is tied to the finalization of the FIDO2 specification by the Fast Identity Online (FIDO) working group. And it should be seen as yet another step in Microsoft’s quest to eliminate passwords from the security stack.
“Unlike traditional passwords, FIDO2 keys rely on high-security, public-key cryptography to provide strong authentication,” Wigleven continues. “These keys have all the benefits of a Trusted Platform Module (TPM) while also being portable, enabling the increasing number of mobile workers. The security key holds your credential and can be protected with an additional second factor like fingerprint (integrated into the security key) or a PIN to be entered at the Windows sign-in.”
FIDO2-compatible security keys will take a number of forms, but the most familiar, perhaps, is the YubiKey-style USB key. Other firms will make similar keys, and others still are working on NFC-enabled smart cards. It’s possible that phone apps like Microsoft Authenticator could be adapted to be FIDO2-compatible as well, Microsoft says.
The only downside? It’s not clear when this support will be broadly available. Microsoft notes only that it is in a limited preview release right now. But if you’re interested in testing this support, you can sign up for Microsoft’s waitlist.