FIDO2 Security keys

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

The FIDO (Fast Identity Online) Alliance works to promote open authentication standards and eliminate the usage of passwords as a form of authentication. FIDO2 is the most recent standard that combines the online authentication (WebAuthn) standard.

FIDO2 security keys are an unbreakable standards-based passwordless authentication solution that can take any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. FIDO allows users and businesses to utilize the standard to sign in to their resources without a username or password by using an external security key or a platform key integrated into a device.

Users can register and then pick a FIDO2 security key as their primary form of authentication at the sign-in screen. These FIDO2 security keys are commonly USB devices, although they could also be Bluetooth or NFC. A hardware device that conducts authentication increases accounts security because no password is revealed or guessed.

FIDO2 security keys can be used to sign in to their Azure AD or hybrid Azure AD joined Windows 10 devices, allowing them to access cloud and on-premises services with a single sign-on. Users can also sign in using browsers that are supported. FIDO2 security keys are an excellent choice for organizations that are concerned about security or have scenarios or employees who are unwilling or unable to utilize their phones as a second factor.


We have a reference paper that lists which browsers support FIDO2 authentication with Azure AD, as well as best practices for developers who want to include FIDO2 authentication in their apps.


When a user logs in with a FIDO2 security key, the following procedure is used:

1. The FIDO2 security key is inserted into the user’s PC.

2. The FIDO2 security key is recognized by Windows.

3. Windows sends a request for authentication.

4. A nonce is returned by Azure AD.

5. The user completes their gesture to unlock the private key stored in the safe enclave of the FIDO2 security key.

6. The FIDO2 security key, along with the private key, signs the nonce.

7. The primary refresh token (PRT) token request is delivered to Azure AD with a signed nonce.

8. Azure AD uses the FIDO2 public key to validate the signed nonce.

9. PRT is returned by Azure AD to provide access to on-premises resources.

Professional Labs is the premier cloud managed service provider. Contact us for more information
Contact Us | Professional labs (