Password killer FIDO2 comes bounding into Azure Active Directory hybrid environments

A preview of muddy paws all over your on-prem resources, or a passwordless future?


Hybrid environments can now join the preview party for FIDO2 support in Azure Active Directory.

Microsoft has a bit of a thing about passwordless authentication. Back in 2004, then-chairman Bill Gates predicted the death of passwords because humans are terrible at managing them.

Anyone born around then will be turning 16 shortly and yet passwords still linger on.

One way to move on is via a FIDO2 security key (or something biometric on the device); the FIDO alliance has already signed up the likes of Google and Mozilla for browser authentication and back in October 2019 Microsoft unveiled a preview of FIDO2 security support in Azure Active Directory.

The problem was that while going password-free with a FIDO2 key, Microsoft's Authenticator app or Windows Hello was all well and good, it didn't work with a hybrid-joined device, as the company acknowledged at the time.

As of this week, Microsoft is flinging open the doors to hybrid Azure AD-joined Windows 10 devices. Apparently, "this has been the top most requested feature from our passwordless customers."

Not "Ohgodohgodohgod, please make the patch pain stop."

Patch me if you can

That hybrid support means FIDO2 authentication can be used for on-premises as well as cloud resources. There are, however, some provisos. Your Windows Servers (2016 and 2019) need to be up to date on the patch front. You'll also need a refreshed version of Azure AD Connect (1.4.32.0 or later), and PCs wanting to use the preview feature are going to have to submit to the tender mercies of the Windows Insider program.

To be precise, Windows 10 Build 18945 or later needs to be installed, quite an elderly incarnation of 20H1 for Fast Ring testers dating back to July last year. It has long been superseded, and even signing up for the more stable Slow Ring will inflict something considerably more recent on the PCs of eager users.
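For admins who want to know where their estate stands before opting in, here is a read-only readiness check for the prerequisites the article names: Windows 10 build 18945 or later, a hybrid Azure AD-joined client, and Azure AD Connect 1.4.32.0 or later. This is an added example, not code from the article or from Microsoft. It assumes that Azure AD Connect registers itself in the Uninstall registry hive under the display name "Microsoft Azure AD Connect"; the build and join checks are meant to run on the Windows 10 client and the version check on the Azure AD Connect server. The Windows Server patch-level requirement is not something a version number can prove, so it is not checked here.

```powershell
# Added example: FIDO2 hybrid-preview readiness check (read-only, no changes made).
# Not from The Register article or Microsoft. Thresholds are the ones the article cites.

$MinClientBuild       = 18945                 # Windows 10 Insider build required by the preview
$MinAadConnectVersion = [version]'1.4.32.0'   # Azure AD Connect version required by the preview

function Test-ClientBuild {
    # CurrentBuild under CurrentVersion holds the OS build number as a string.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
    [pscustomobject]@{
        Check = 'Windows 10 build'
        Value = $build
        Pass  = ($build -ge $MinClientBuild)
    }
}

function Test-HybridJoin {
    # dsregcmd /status prints the device registration state; a hybrid-joined
    # device reports both DomainJoined and AzureAdJoined as YES.
    $status       = dsregcmd /status
    $azureJoined  = [bool]($status | Select-String -Quiet '^\s*AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($status | Select-String -Quiet '^\s*DomainJoined\s*:\s*YES')
    [pscustomobject]@{
        Check = 'Hybrid Azure AD joined'
        Value = "AzureAdJoined=$azureJoined DomainJoined=$domainJoined"
        Pass  = ($azureJoined -and $domainJoined)
    }
}

function Test-AadConnectVersion {
    # Look the product up in the installed-programs hives (64-bit and WOW6432Node).
    # The display name below is an assumption about how the installer registers itself.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $pkg = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } |
           Select-Object -First 1
    if (-not $pkg) {
        return [pscustomobject]@{ Check = 'Azure AD Connect'; Value = 'not installed on this host'; Pass = $false }
    }
    $ver = [version]$pkg.DisplayVersion
    [pscustomobject]@{
        Check = 'Azure AD Connect'
        Value = $ver
        Pass  = ($ver -ge $MinAadConnectVersion)
    }
}

# Run all three checks and show a pass/fail table.
$results = @((Test-ClientBuild), (Test-HybridJoin), (Test-AadConnectVersion))
$results | Format-Table -AutoSize
```

On a client that is not hybrid joined the second row will show `Pass False`, and on a client the third row will naturally report Azure AD Connect as not installed; run that part on the sync server instead. None of the checks modify the machine, so the script is safe to run from an elevated prompt during triage.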

Interestingly, 18945 was also the Windows Server vNext Preview Build that first extended FIDO2 security keys to hybrid environments for braver admins.

As Microsoft (and chums) march towards a passwordless future, we look forward to a brave new world where forgotten strings of characters have been replaced by dropped and dangling dongles. ®

