Authenticate to Azure AD with a Yubikey!

  • Published 27 Sep 2024

COMMENTS • 9

  • @CyberrDummy (1 year ago)

    Thank you! I couldn't find where to enable Security Keys on Azure AD. Super helpful!!

    • @Ben_Stegink (1 year ago)

      You're welcome, glad I could help!

  • @robster230 (1 year ago)

    Brilliant video, and thank you for the guide in the description too

  • @michaelpietrzak2067 (1 year ago)

    When you insert your key and subsequently get prompted for pin and fingerprint, that is essentially three factor authentication. A person told me on the sysadmin reddit board that something was wrong and you should only authenticate by putting in the key and using EITHER the pin or the fingerprint. Not both. Another youtuber stated that you get prompted for a PIN if you are too slow to use your fingerprint. Any thoughts? I haven't been able to get just one or the other. With my Azure MFA when using a Yubikey, I have to enter both pin and fingerprint

    • @Ben_Stegink (1 year ago)

      Michael, so this is an interesting thought. I guess I would say maybe, but lean towards it's still two factor? Reason being, is that the touch isn't really a fingerprint. It's just anything conductive. I could touch it with a toe, the back of my hand, one of my clients I think, even had his cat registering a touch on the device. So...it's not really something unique to you. So, I guess it's three factors from the perspective you need to have the pin, the key, and physically be present to use it? But, in the same respect, it could also be closer to two factors because there isn't much security in just the touch of a conductive piece of metal.
      Also for me, sometimes I have two security keys plugged in; maybe they are even for different services. The touch helps to identify which key you are trying to use for authentication.
      So, I guess I really don't think of that touch as being much of a security mechanism.
      However, if you do want to disable the touch aspect on the YubiKey specifically, it does appear that you can customize the policies around PIN and Touch - docs.yubico.com/yesdk/users-manual/application-piv/pin-touch-policies.html

  • @penguin12902 (8 months ago)

    Is there a way to set this up as the user's FIRST and ONLY method of MFA? For users with tinfoil hats who refuse to install the authenticator on their phone....

    • @Ben_Stegink (8 months ago)

      @penguin12902, that's a really good question. I haven't actually tried it, so I'm not 100% sure. But, you can go into the authentication method where you enabled FIDO2 and disable the other options. I've never tried to reduce it down to just that single option, but that's where I would start. Disable everything except for FIDO2 and see if that does it.

    • @penguin12902 (8 months ago)

      @Ben_Stegink I was unable to make it work. However, I was able to have my user choose "use a different authenticator" and they use the Yubico Authenticator App with the Fido2 key.