Windows Hello Will Support FIDO2 Security Keys

Posted on April 17, 2018 by Paul Thurrott in Windows 10 with 3 Comments


Microsoft announced today that its Windows 10 biometric authentication technologies will be updated to support FIDO2-compatible security keys from companies like YubiKey.

“Microsoft and its partners have been working together on FIDO2 security keys for Windows Hello to enable easy and secure authentication on shared devices,” Microsoft’s Pieter Wigleven explains. “Security keys allow you to carry your credential with you and safely authenticate to an Azure AD joined Windows 10 PC that’s part of your organization. A user can walk up to any device belonging to the organization and authenticate in a secure way – no need to enter a username and password or set up Windows Hello beforehand.”

Today’s announcement is tied to the finalization of the FIDO2 specification by the Fast Identity Online (FIDO) working group. And it should be seen as yet another step in Microsoft’s quest to eliminate passwords from the security stack.

“Unlike traditional passwords, FIDO2 keys rely on high-security, public-key cryptography to provide strong authentication,” Wigleven continues. “These keys have all the benefits of a Trusted Platform Module (TPM) while also being portable, enabling the increasing number of mobile workers. The security key holds your credential and can be protected with an additional second factor like fingerprint (integrated into the security key) or a PIN to be entered at the Windows sign-in.”

FIDO2-compatible security keys will take a number of forms, but the most familiar, perhaps, is the YubiKey-style USB key. Other firms will make similar keys, and others still are working on NFC-enabled smart cards. It’s possible that phone apps like Microsoft Authenticator could be adapted to be FIDO2-compatible as well, Microsoft says.

The only downside? It’s not clear when this support will be broadly available. Microsoft notes only that it is in a limited preview release right now. But if you’re interested in testing this support, you can sign up for Microsoft’s waitlist.



3 responses to “Windows Hello Will Support FIDO2 Security Keys”

  1. Polycrastinator


    Interestingly, there's already an app in the Windows Store which allows a YubiKey to be used for Windows Hello on a per-PC basis, but having it as something that would work on any PC across an organization would be pretty awesome. I'd most love for them to hurry up and support U2F in Edge, though. We know that's coming, too, but it's already there in Firefox and Chrome.

  2. wright_is

    I'm waiting for the YubiKey Neo to be updated. It works with LastPass and my Android smartphone (NFC) as well as my PC (USB).

    A FIDO2 replacement would have to have both USB and NFC.