Say goodbye to passwords! How to enable FIDO2 passwordless authentication.

We’ve all heard the advice: choose a long, complicated password that features a mix of letters, numbers and symbols, and use a different password for each account. 

But a password isn’t going to keep your data safe. 

Against the attacks that compromise most accounts in practice, even the most complicated password is no safer than “123456,” “password,” “qwerty,” and every other entry on those “Top 10 Most Common Passwords” lists. 

In this article, we’ll look at why a strong password is useless against many common password-based attacks, and how you can protect your business - by taking passwords out of the equation! 

By the end of this tutorial, you’ll have implemented an innovative passwordless authentication system, using FIDO2 security keys.

Passwords won’t keep your business safe 

There’s a large and ever-growing list of password-based attacks that hackers can use against your business. Depending on the nature of the attack, it often doesn’t even matter whether your employee is using a simple password such as “letmein” or a complex password such as “F9g1b5!P#i%K+mL.” 

Let’s explore some of the most common password-based attacks, and look at why password strength has no bearing on whether these attacks succeed or fail. (Complexity still matters when an attacker is cracking a stolen password hash offline; it simply does nothing against the attacks below.)

1. Credential Stuffing 

A credential stuffing attack is where a malicious third party attempts to gain unauthorized access to an account using thousands, or even millions of stolen credentials. 

Credential stuffing attacks rely on your employees reusing their credentials across multiple accounts. According to LastPass’ 2019 Global Password Security Report, the average employee reuses each password 13 times, which means a hacker could gain access to your corporate accounts due to a data breach that has absolutely nothing to do with your business. 

During a credential stuffing attack, a hacker attempts to “stuff” leaked username and password pairs into all of your corporate accounts, applications and services. Because the attack is automated - with a browser automation tool such as Selenium, or a scripted HTTP client such as cURL - the attacker can try millions of different username and password combinations against your business in a short time. 

If one of your employees is in the habit of reusing their passwords, then it doesn’t matter how complex their password is - your business is vulnerable to credential stuffing attacks. 

2. Phishing 

Phishing is a fraudulent attempt to obtain sensitive information, including login credentials. Most phishing attacks take the form of email spoofing, instant messages or phone calls, and often misdirect the victim to a fake website that emulates the look and feel of a legitimate business. 

Security awareness specialists KnowBe4 reported a 600% rise in phishing email attacks during the COVID-19 pandemic, making spammy messages and nuisance phone calls a serious and growing threat to your business. 

If a malicious third party manages to trick an employee into handing over their password, then all of the random numbers, letters and symbols in their password won’t be enough to keep your business safe. 

3. Keystroke logging

Keystroke logging, sometimes referred to as keylogging, is where malware monitors the user’s keyboard, records every single thing they type, and then transmits this information to a third party. 

Keystroke loggers have no problem recording complicated passwords, so it doesn’t matter whether your employee’s password is as simple as “123456” or a complex jumble of letters, numbers and mathematical symbols. If one of your employees types their password while they’re being monitored, then this information will be shared with the person operating the keystroke logger. 

So, how do I keep my business safe? 

There’s no one-size-fits-all approach to protecting your business, but Azure Active Directory, which handles sign-in for Office 365, supports a wide range of authentication methods and policies that can help you achieve enterprise-grade security. 

In this tutorial, I’ll show you how to take the password out of the sign-in flow altogether, by implementing passwordless authentication. 

Go passwordless: What are FIDO2 security keys?

FIDO2 is an open authentication standard from the FIDO Alliance and the W3C: the WebAuthn API that websites call in the browser, plus the CTAP protocol the browser uses to talk to the device. A FIDO2 security key is a small hardware device that implements that standard, most commonly a USB stick, often one that also supports NFC. When a user registers a key with a service, the key generates a fresh public/private key pair for that service and keeps the private key in its own secure hardware; the service only ever receives the public key. To sign in, the service sends a random challenge, the browser adds the site’s origin to it, and the user touches the key (and enters its PIN or uses its fingerprint reader) to sign that data. For example, an employee who has registered a USB key will plug it into their laptop’s USB port and touch it to access their Office 365 account; there is no password to type at all. 

By moving authentication onto a hardware device, you protect your organization against every attack in the list above. There is no password to reuse, so credential stuffing has nothing to stuff; a breach of the service’s database yields only public keys; the signature is bound to the real site’s origin, so a look-alike phishing page cannot produce a valid login; and a keystroke logger captures nothing useful, because the secret never passes through the keyboard. Even the best hacker can’t steal something that doesn’t exist! 

For users who struggle to remember long, complicated passwords, or who are tired of typing a password and then approving a separate MFA prompt, passwordless authentication is both more convenient and more secure: the security key is itself two factors (something you have, plus the PIN or fingerprint that unlocks it) in a single gesture. 

In the following sections, I’ll show you how to set up passwordless authentication for all of your Office 365 accounts. With cyberattacks on the rise, I’ll also show how to add some extra security, by only allowing employees to register new sign-in methods, including security keys, from a trusted network. 

MFA and SSPR: Enabling the combined registration experience

Passwordless authentication methods require the combined registration feature, which allows users to register for both Multi-Factor Authentication (MFA) and self-service password reset (SSPR) in a single, combined flow.

Your user administrator or global administrator can enable combined registration in Azure Active Directory (AD): 

● Sign into the Azure Portal

● Select “Azure Active Directory.” 

● In the left-hand menu, select “User settings > Manage user feature preview settings.” 

● Find the following section “Users can use the combined security information registration experience.” This setting combines Multi-Factor Authentication and self-service password reset into a single user experience. If you want to enable combined registration for all employees, then push this slider into the “All” position. Alternatively, you can pick and choose which employees have access to passwordless authentication, by pushing the slider into the “Selected” position and then selecting one or more groups. 

● When you’re happy with your selection, click “Save.”

Passwordless login: How to enable FIDO2

Now, you’re ready to enable FIDO2:

● Sign into the Azure Portal. 

● Select “Azure Active Directory.” 

● In the left-hand menu, navigate to “Security > Authentication methods > Authentication method policy (Preview).” 

● Select “FIDO2 Security Key.” 

● In the section that appears, drag the “Enable” slider into the “Yes” position. 

● Find the “Target” slider and then choose either “All users” or “Select users,” depending on whether you want to setup passwordless authentication on an organization-wide basis. 

● Save your FIDO2 configuration, by clicking “Save.” 

Now, all employees included in the “Target” group will have the option to provision a USB or NFC device as a FIDO2 security key. 

Turn your USB or NFC device into a security key 

To register a FIDO2 security key, your employees need to: 

● Head over to the My Profile page. 

● Log into their Office 365 account. 

● In the left-hand menu, select “Security Info.” 

● At this point, they will be prompted to set up Multi-Factor Authentication, if it isn’t already configured for their account. They can follow the onscreen instructions to set up MFA, or check out our step-by-step guide to protecting your account with Multi-Factor Authentication. 

● Once MFA is configured, select “Add method.” 

● In the subsequent popup, select “Security key” and then click “Add.”

● They’ll be prompted to sign into their account using MFA; click “Next” and follow the onscreen instructions. 

● Choose whether to use a USB or NFC device as the security key. 

● When prompted, connect the chosen USB or NFC device to the computer. 

● Create a PIN for this security key, by following the onscreen instructions. The PIN is stored on and checked by the key itself, and is never sent to Microsoft, so a stolen key is useless without it. 

● Perform the required gesture for this security key, such as tapping a button or sensor on the device. 

● When prompted, give this security key a meaningful name - this step is particularly important for users who have multiple FIDO2 devices. 

● Click “Done.” 

And that’s it! Your employee has now successfully provisioned a FIDO2 security key. 

Now, when the user signs into their Office 365 account, they’ll have the option to sign in with their security key instead of a password: for example, by inserting their USB device into their laptop’s USB port, entering the key’s PIN and touching the key. 

Boost your security: How to block untrusted networks

After protecting your accounts with passwordless authentication, you may want to add an extra layer of security to the combined registration experience itself. Registration is the step where a new sign-in method - including a new security key - is added to an account, so it is exactly what an attacker who has obtained a password or hijacked a session will try to do. 

In this section, I’ll show you how to set up a Conditional Access policy that prevents users from registering security information unless they’re connected to a trusted network. 

Don’t forget to disable security defaults! 

Microsoft’s security defaults are a collection of security settings that, according to Microsoft, protect your organization against 99.9% of password-based attacks. By enabling the security defaults, you can enforce MFA across your organization and block dangerous legacy authentication protocols.

However, if you’re going to use Conditional Access policies then you’ll need to disable security defaults: 

● Head over to the Azure Active Directory and sign into your admin account. 

● In the left-hand menu, select “Properties.” 

● Select “Manage Security defaults.’ 

● Drag the “Enable Security defaults” slider into the “Off” position. 

● Click “Save.” 

Security defaults are now disabled. If you previously used security defaults to enforce MFA, then you can make MFA mandatory for all users via the Microsoft 365 admin center, and then block legacy authentication protocols using Conditional Access policies. 

Secure your accounts, with Conditional Access

Once security defaults are disabled, you can create your Conditional Access policy. Before you start, make sure at least one named location is marked as trusted (“Security > Conditional Access > Named locations”), for example your office IP ranges; otherwise “All trusted locations” is empty and the policy below blocks everyone, everywhere. 

● Sign into the Azure Portal. 

● Select “Azure Active Directory.” 

● In the left-hand menu, select “Security > Conditional Access.” 

● Select “New Policy.” 

● Give this policy a descriptive name. 

● Under “Assignments,” select “Users and groups.” You can now apply this policy to all user accounts, by selecting “All users,” or pick and choose which groups this policy should apply to, using “Select users and groups.” Whichever you choose, use the “Exclude” tab to exclude at least one emergency access (“break glass”) account, so that a misconfigured policy can never lock every administrator out. 

● In the left-hand menu, select “Cloud apps or actions.” 

● Find the “Select what this policy applies to” slider, and push it into the “User actions” position. 

● Select “Register security information.” 

● In the left-hand menu, select “Conditions.” 

● Choose “Locations.” 

● Drag the “Configure” slider into the “Yes” position.

● Select the “Include” tab and choose “Any location.” 

● Select the “Exclude” tab and choose “All trusted locations.” 

● In the left-hand menu, select “Access controls > Grant.” 

● In the subsequent panel, select “Block access,” then click the “Select” button. 

● Towards the bottom of the screen, find the “Enable policy” control. Start with “Report-only”: the policy is evaluated and recorded in the sign-in logs without blocking anyone, so you can confirm that only the registrations you expect would be blocked. Once you’re satisfied, return to the policy and switch it to “On.” 

You can now make this policy live, by clicking “Create.” 
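The same policy expressed as code, together with the pre-flight checks worth running before any “block” policy goes live. This is an added example and my own code, not Microsoft’s: the object shape follows the Microsoft Graph conditionalAccessPolicy resource as I understand it (verify the field names against the Graph reference before posting it), and the emergency account ID and the location name are constructed placeholders. Sending the body to Graph needs a token and is left out; the block only builds and lints the policy.

```javascript
// Added example, not Microsoft's code: the tutorial's Conditional Access policy as a
// Microsoft Graph conditionalAccessPolicy request body, plus the checks I run before
// creating any "block" policy. Field names follow the Graph resource as I understand it;
// the GUID and the location name are constructed placeholders. Run with: node ca_lint.js

// Block "Register security information" from anywhere that is not a trusted named
// location, excluding the emergency access accounts passed in.
function registrationLockdownPolicy({ breakGlassUserIds = [] } = {}) {
  return {
    displayName: "Block security info registration from untrusted networks",
    state: "enabledForReportingButNotEnforced",   // report-only first; switch to "enabled" later
    conditions: {
      users: { includeUsers: ["All"], excludeUsers: breakGlassUserIds },
      applications: { includeUserActions: ["urn:user:registersecurityinfo"] },
      locations: { includeLocations: ["All"], excludeLocations: ["AllTrusted"] },
    },
    grantControls: { operator: "OR", builtInControls: ["block"] },
  };
}

// Mistakes that lock tenants out, caught before the policy exists.
// trustedLocations: names of the tenant's named locations that are marked as trusted.
function lintBlockPolicy(policy, { trustedLocations = [] } = {}) {
  const findings = [];
  const c = policy.conditions || {};
  const controls = (policy.grantControls && policy.grantControls.builtInControls) || [];
  if (!controls.includes("block")) return findings;   // only block policies are this dangerous

  const users = c.users || {};
  if ((users.includeUsers || []).includes("All") && (users.excludeUsers || []).length === 0) {
    findings.push("targets All users but excludes no emergency access account");
  }
  const loc = c.locations || {};
  if ((loc.excludeLocations || []).includes("AllTrusted") && trustedLocations.length === 0) {
    findings.push("excludes 'All trusted locations' but no named location is trusted: blocks everyone, everywhere");
  }
  if (policy.state === "enabled") {
    findings.push("created directly in the enabled state; run it report-only first and review the sign-in logs");
  }
  const apps = c.applications || {};
  if ((apps.includeApps || []).includes("All") && (apps.includeUserActions || []).length === 0) {
    findings.push("scoped to all cloud apps rather than the registration user action: every off-network sign-in fails");
  }
  return findings;
}

// Usage with constructed values.
const draft = registrationLockdownPolicy();
console.log(lintBlockPolicy(draft));                                        // two findings
const ready = registrationLockdownPolicy({ breakGlassUserIds: ["00000000-0000-0000-0000-000000000001"] });
console.log(lintBlockPolicy(ready, { trustedLocations: ["Head office"] })); // []
```

The policy built straight from the portal steps, with no exclusions and no trusted location yet, produces two findings; adding an emergency access account and a trusted named location clears them. The last check catches the most common variant of this mistake, scoping the block to “All cloud apps” instead of the “Register security information” user action, which turns a registration lockdown into a tenant-wide outage for anyone off the trusted network.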

