Add a layer of security to your(s) (organization) account(s)!
Because I forgot to mention some important thing about hardware which I’m describing on this article I want to update this article. Please scroll to bottom to read additional information about FIDO2 Security Key.
Yep, the very strange title of that post.
Some time ago I contacted the company named IDmelon on Twitter. They decided to support my blog and send me their product - IDmelon Reader. About this - I will write something more later.
But they have also another great product on their portfolio.
I tested it and works… Pretty nice! Everything you need to do is pair your phone with your computer and add an account from IDmelon to your application. After that - you can start using IDmelon Authenticator for multiple services. And it works perfectly - even on GitHub.
Ok, so let’s start from the beginning.
When the application is installed on your phone, you need to create your account and activate it. When the application will be fully activated, there is a time for to next step…
Yes - you need to install the specific application on your device where you will be using that authentification method. If you want to avoid this, please scroll to the bottom and read the next section. Application is available to download for Windows and macOS systems and can be downloaded from here.
When the application is installed you need to pair it with your phone. To that phone, notifications will be sent.
The application after configuring looks like on the below screen:
And from basic configuration it is everything.
No, you don’t need to install software on your device if you have a physical reader.
It looks like a very small Pendrive.
Everything that you need to do with that device - insert to the USB port and install drivers - on Windows they are built into the System. Don’t know what with macOS.
After that - this physical reader works exactly like application, but…
The IDmelon Reader is the first smartphone BLE reader in the world that supports the FIDO standards.
It’s a note from the IDmelon website.
From my perspective - it works much better because you don’t need to install the application on every device - especially if that device is a shared device. For a shared device, you NEED TO USE an IDmelon Reader.
Btw: in the next couple of days I will show you how to deploy the application through MEM.
So we have configured everything, using or application or reader and we want to start using that software.
I will show you how to configure it to log on to the…
From the Administration side, your administrator needs to ensure that FIDO2 Security Keys has enabled on the Azure AD > Your Tenant > Security > Authentication methods > Policies like on the below screen:
From the end-user we need to first have configured MFA on the user account, for example, the Microsoft Authenticator application - that is how I configured it for my user - Alex Wilber.
Start with logon to the MySignins portal and click on the “Add method” button, select Security Key.
I will be using a USB device. Read the next couple of information from the Microsoft site and please remember about:
You should see a popup to touch your key.
In this step, you should receive information on your phone if you want to configure your account and add it to the application.
Now, when end-user want to sign in, should use an option named “Use Security Key” instead of the password.
Because I also received IDmelon Reader as I wrote earlier - that I want to show you a bit of different behavior if you’re using key instead of application on your device.
First thing: Key MUST BE USED on the shared devices due to security reasons.
The second thing - the key can be used without any installation of additional drivers and software. Just plug in and use it.
Third thing. If you want to use it, please remember that you should have turned on Bluetooth on your phone. The reader is using Bluetooth technology.
Fourth thing. How does it work? When Browser is asking to use a Security Key, Reader is looking for a phone with that key. You’re receiving a popup and everything you need to do - is confirm or reject this operation.
What is amazing - you don’t need to unblock your phone. It’s waking up without any of your interaction!
Like on the physical security keys - you are not able to use them. You need to start configuring it from the beginning.
I spoke with the IDmelon team about that - they are offering a Premium account for one year for costs 12$. If you upgrade your account to Premium, the “keys” will be secured by Cloud HSM and you will be able to restore them.
By default, you’re registering and your account is marked as basic tier. On this tier, you can add only one account. If you add a second account, your tier will be updated automatically to the standard tier. It will cost you 6$ per year.
From my point of view - 12$ isn’t a big expense. But you can secure your accounts.
On your application, you can see all of your accounts which you’re protecting, and logs what was done on those accounts.
This activity log you can also view on the Individual Panel
For now - it will be everything for that article.
I have some more ideas about this solution, but… Probably in the next articles.
If you have any questions, drop a comment or send an email.
That is update what I want to provide for all my readers.
I was thinking, that this key what I received can works only as a “reader” - like I described on that article. But after a conversation with IDmelon team on Twitter they provided me information that this key can be switched from Reader to Security Key mode.
In that second mode, you don’t need to have a phone. This Key is working like the Yubico keys.
You need to set up PIN for that key - and can be used to authenticate to many different websites and services.
I will try to write about this later.