Password-less Windows Login with a FIDO2 Security Key

FIDO2 (WebAuthn plus CTAP) was designed for password-less sign-in from a web browser to cloud services. In July 2019 Microsoft delivered on its promise of password-less login by adding native FIDO2 security key sign-in to Windows 10 and Azure AD at the same time (initially as a public preview). Instead of typing a password, users sign in to Windows with a FIDO2 Security Key, and no additional sign-in to Azure AD or Office 365 is needed afterwards.

1) Power On (FIDO2 Login)

After power on, Windows boots to the sign-in screen. The user plugs the FIDO2 Security Key into a USB port and touches the fingerprint sensor with a registered finger; the key verifies the user and signs them in to Azure AD and Windows 10. This first sign-in on a device requires an internet connection, because Windows must reach Azure AD to complete it.

2) Windows OS Screen

After the key has verified the user, the Windows desktop is displayed. No password was entered at any point.

3) SSO move to Cloud

From the desktop, users open Azure AD cloud services such as Office 365 without any additional authentication. This works because the Windows sign-in itself was authorized by Azure AD in the cloud, so the device already holds a token for the user.

Azure AD Joined Device (PC)

Azure AD join is intended for organizations that want to be cloud-first or cloud-only, but any organization can deploy Azure AD joined devices (PCs). Azure AD join also works in a hybrid environment, where the device has access to both cloud and on-premises apps and resources. Global administrators or cloud device administrators can manage joined devices, for example by updating or removing them. FIDO2 Windows login through Azure AD is available with:

  • Azure AD account (Work or School account)
  • Windows 10 Pro or Enterprise, version 1903 or later
  • Azure AD joined device
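Before troubleshooting a FIDO2 sign-in, it is worth confirming the two device-side prerequisites from this list. The script below is an added example (not code from this page or from Microsoft) that parses the output of the built-in `dsregcmd /status` tool for the `AzureAdJoined` flag, compares the Windows build number against the 1903 baseline, and also reports the `AzureAdPrt` flag, which indicates the Primary Refresh Token that gives the cloud SSO described in step 3. The `dsregcmd` output embedded below is a constructed sample trimmed to the relevant lines; on a real device `collect_status()` runs the command. Whether the signing-in user is a work or school account is not visible in this output and is not checked.

```python
"""Check the device-side prerequisites for FIDO2 security key sign-in.
Added example; the sample dsregcmd output is constructed, and the function
names (parse_dsregcmd, check_prerequisites, ...) are illustrative."""
import platform
import re
import subprocess
import sys

MIN_BUILD = 18362  # Windows 10 version 1903 (May 2019 Update)

# Constructed sample of `dsregcmd /status`, trimmed to the fields used here.
SAMPLE_STATUS = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : LAPTOP01

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
"""

# dsregcmd prints right-aligned "Name : Value" lines; table borders start with + or |
_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_dsregcmd(text: str) -> dict:
    """Turn the 'Name : Value' lines of dsregcmd /status into a dict."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_build(version: str) -> int:
    """'10.0.18362' -> 18362, the form platform.version() returns on Windows."""
    parts = version.split(".")
    return int(parts[2]) if len(parts) >= 3 and parts[2].isdigit() else 0


def check_prerequisites(status_text: str, version: str) -> dict:
    """Evaluate the checks; 'ready' covers the two hard requirements."""
    f = parse_dsregcmd(status_text)
    build = parse_build(version)
    checks = {
        "azure_ad_joined": f.get("AzureAdJoined") == "YES",
        "windows_1903_or_later": build >= MIN_BUILD,
        # AzureAdPrt = Primary Refresh Token present; this is what gives
        # password-free SSO into Azure AD services after Windows sign-in.
        "prt_present_for_sso": f.get("AzureAdPrt") == "YES",
    }
    checks["ready"] = checks["azure_ad_joined"] and checks["windows_1903_or_later"]
    return checks


def collect_status() -> str:
    """Run dsregcmd /status on a Windows device; returns '' elsewhere."""
    if sys.platform != "win32":
        return ""
    return subprocess.run(["dsregcmd", "/status"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    text = collect_status() or SAMPLE_STATUS
    version = platform.version() if sys.platform == "win32" else "10.0.18362"
    for name, ok in check_prerequisites(text, version).items():
        print(f"{name:24s} {'OK' if ok else 'FAIL'}")
```

A device that reports `AzureAdJoined : NO` is either not joined at all or only hybrid/registered, and a missing `AzureAdPrt` after a successful sign-in usually means the device could not reach Azure AD during that sign-in, which is exactly the situation the off-line section below describes.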

Off-line Windows OS Login

Sign-in authorized by the cloud requires an internet connection. After power on, the device (PC) brings up the USB ports for the FIDO2 Security Key together with the wired or wireless network connection. If a connection is available, the normal FIDO2 authentication runs against Azure AD automatically. If no connection is available, Windows still performs FIDO2 login with the Security Key, because the credential data needed for local sign-in was cached on the device during an earlier online sign-in and is protected using the key's hmac-secret extension. An online sign-in is therefore required the first time a user signs in on a given device.

HMAC (keyed-hash message authentication code) combines a secret key with a cryptographic hash function. The FIDO2 hmac-secret extension applies this inside the security key: when the credential is created, the key generates a random secret (CredRandom) that never leaves the key. At sign-in, Windows sends a salt and the key returns HMAC-SHA-256(CredRandom, salt); Windows uses that output as the key that protects the cached sign-in data. Only the salt and the HMAC output cross the USB connection (CTAP2 additionally encrypts both under a session key), so intercepting that traffic does not reveal the secret, and the cached data cannot be unlocked without the physical key.
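The following simulation shows the two halves of that mechanism end to end: the online enrollment that seals a cached credential with the hmac-secret output, and the later offline unlock that only the enrolled key can perform. It is an added example, not Microsoft's implementation or code from this page, and it models only the core derivation: the CTAP2 session-key encryption of the salt and output, and PIN/UV handling, are left out, and the names `SecurityKey`, `enroll` and `offline_unlock` are illustrative. The sealed-blob format (HMAC-SHA-256 counter-mode keystream plus an HMAC tag) is a stand-in chosen so the example needs only the standard library, not the format Windows uses.

```python
"""Simulation of the FIDO2 hmac-secret extension as used for offline sign-in.
Added example, standard library only; the authenticator, the blob format and
all names here are illustrative and not Windows' actual implementation."""
import hashlib
import hmac
import secrets


class SecurityKey:
    """Simulated authenticator. CredRandom is created with the credential
    and never leaves the key; only HMAC outputs do."""

    def __init__(self) -> None:
        self._cred_random = secrets.token_bytes(32)

    def hmac_secret(self, salt: bytes) -> bytes:
        # CTAP2 hmac-secret: output = HMAC-SHA-256(CredRandom, salt), 32-byte salt
        if len(salt) != 32:
            raise ValueError("hmac-secret salt must be 32 bytes")
        return hmac.new(self._cred_random, salt, hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA-256 (avoids an AES dependency)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Each enrollment uses a fresh salt, so the derived key
    is used for exactly one blob and no nonce is needed here."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify (wrong key
    or tampered blob). The tag is checked before anything is decrypted."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    ciphertext, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


def enroll(key: SecurityKey, cached_credential: bytes):
    """First (online) sign-in: Windows picks a random salt, asks the key for
    the hmac-secret output and seals the credential cache with it. Only the
    salt and the sealed blob are stored on disk; the secret stays in the key."""
    salt = secrets.token_bytes(32)
    return salt, seal(key.hmac_secret(salt), cached_credential)


def offline_unlock(key: SecurityKey, salt: bytes, blob: bytes):
    """Later (offline) sign-in: replay the stored salt to whichever key is
    plugged in; only the enrolled key reproduces the unsealing key."""
    return unseal(key.hmac_secret(salt), blob)


if __name__ == "__main__":
    enrolled, other = SecurityKey(), SecurityKey()
    salt, blob = enroll(enrolled, b"cached-sign-in-secret")  # constructed sample
    print(offline_unlock(enrolled, salt, blob))  # b'cached-sign-in-secret'
    print(offline_unlock(other, salt, blob))     # None
```

Two properties worth noticing when running it: a different key with the same stored salt and blob gets `None` rather than garbage, because the tag check fails before decryption, and an attacker who copies the salt and blob off the disk holds nothing that can be brute-forced offline, since the 256-bit CredRandom never appears outside the key.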

 

editor
Editor, ACOT Electronics Inc. since Nov. 2017