Introduction

Ensuring robust access control is vital in today’s security environment. Break glass accounts, designed for emergency access, must be secured with the best methods available. Deploying FIDO2 keys is an effective way to enhance the security of these accounts. This guide provides a concise overview of how to implement them in Entra ID.

What are FIDO2 Keys?

FIDO2 keys are hardware security devices that authenticate with public key cryptography: the private key never leaves the device, the credential is bound to the site it was registered with, and a physical touch is required for every sign-in. An attacker therefore needs the key itself, and a phishing page cannot replay the credential against the real service, which is what makes this method phishing resistant.

Why Use FIDO2 Keys for Break Glass Accounts?

Break glass accounts provide emergency access for administrators when normal access fails, for example because of a Conditional Access misconfiguration or an outage of the regular MFA provider. Securing these accounts with FIDO2 keys ensures that only the people holding the keys can use them and makes a phished or leaked password alone useless, reducing the risk of compromise.

Prerequisites

Before deploying FIDO2 keys, ensure you have:

  • A compatible FIDO2 key (e.g., a YubiKey), ideally two per account so a backup can be registered
  • The Global Administrator role (Authentication Policy Administrator is sufficient for the authentication methods policy, and Conditional Access Administrator for the Conditional Access policy)
  • Basic knowledge of account management and security practices

Step-by-Step Deployment Guide

Step 1: Acquire FIDO2 Keys

I will use a YubiKey 5C Nano in my setup. I also recommend registering a backup key on the account in case something breaks with the primary one. For Yubico’s best-practice guidance, visit https://yubico.com/start. You can see the firmware version with the YubiKey Manager software, but it is not possible to upgrade the firmware on a YubiKey, so check the version before you hand keys out.

Step 2: Prepare Entra ID for FIDO2

You will need to enable FIDO2 under authentication methods. You can read more about this here:

https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2

You need to decide whether to accept all FIDO2 keys or to restrict registration to an allow list of AAGUIDs (the model identifier every FIDO2 authenticator reports during registration). If you decide on an allow list, Yubico publishes the AAGUIDs of its hardware here:

https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs

You can also read the AAGUID under Authentication methods for a user who has already registered a FIDO2 key, which is a quick way to confirm the value for the key model you hand out.

You also need to configure the FIDO2 settings in the authentication methods policy. These are the options to choose from; align them with your requirements and onboarding process.

  1. Allow self-service set up: lets the user register FIDO2 keys. Enable this if you do not have a process where IT handles the registration and hands over a pre-enrolled key.
  2. Enforce attestation: requires the key to prove during registration that it is a genuine, unmodified device. If you have a YubiKey you can additionally check it here: https://www.yubico.com/genuine/
  3. Enforce key restrictions: activates the allow or block list of AAGUIDs.
  4. Restrict specific keys: decide whether the list is an allow list or a block list.
  5. Microsoft Authenticator: adds the AAGUIDs of the Microsoft Authenticator app passkeys for Android and iOS to the list.
  6. Add AAGUID: the list of allowed or blocked AAGUIDs.

Note: Make sure that you have also migrated to the authentication methods policy, since the legacy per-user MFA and SSPR policy settings are being retired. You can read more about this here.

https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage
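The six portal settings above map to properties of the Fido2 authentication method configuration in Microsoft Graph, so the same policy can be applied (and audited) from a script. The following is an added example using the Microsoft Graph PowerShell SDK, not code from the original post. The group ID, the reference user and the AAGUID list are placeholders you must replace for your tenant; the AAGUIDs can be taken from the Yubico page linked above or, as the script does, read from a key that is already registered.

```powershell
# Added example (not from the original post): configure the FIDO2 method in the
# Entra ID authentication methods policy with Microsoft Graph PowerShell.
# Assumptions, replace for your tenant:
#   $BreakGlassGroupId  object ID of the group that contains the break-glass accounts
#   $ReferenceUser      a user who already registered the key model you standardize on
#   $AllowedAaguids     AAGUIDs of the key models you hand out (fill in, or leave empty
#                       to copy them from $ReferenceUser's registered key)
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"     # placeholder
$ReferenceUser     = "it-admin@contoso.onmicrosoft.com"         # placeholder
$AllowedAaguids    = @()                                         # placeholder

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "UserAuthenticationMethod.Read.All"

$fido2Uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"

# Option: take the AAGUID from a key already registered in the tenant. This is the
# same value the portal shows under that user's authentication methods.
if ($AllowedAaguids.Count -eq 0) {
    $AllowedAaguids = @(Get-MgUserAuthenticationFido2Method -UserId $ReferenceUser |
        Select-Object -ExpandProperty AaGuid | Sort-Object -Unique)
    if ($AllowedAaguids.Count -eq 0) {
        throw "No FIDO2 key registered for $ReferenceUser; set `$AllowedAaguids manually"
    }
}

# Current state, for the change record
$before = Invoke-MgGraphRequest -Method GET -Uri $fido2Uri
"Before: state=$($before.state) attestation=$($before.isAttestationEnforced) restrictions=$($before.keyRestrictions.isEnforced)"

# Portal settings 1-6 expressed as the Graph properties behind them
$body = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationAllowed = $true        # 1: the account enrolls its own key at mysignins
    isAttestationEnforced            = $true        # 2: reject keys whose attestation does not verify
    keyRestrictions                  = @{
        isEnforced      = $true                     # 3: apply an AAGUID list
        enforcementType = "allow"                   # 4: "allow" (allow list) or "block"
        aaGuids         = @($AllowedAaguids)        # 6: the list itself; the portal's
                                                    #    Microsoft Authenticator toggle (5) only
                                                    #    adds the Authenticator AAGUIDs to this array
    }
    # Scope the method to the break-glass group rather than all users
    includeTargets = @(
        @{ targetType = "group"; id = $BreakGlassGroupId; isRegistrationRequired = $false }
    )
}
Invoke-MgGraphRequest -Method PATCH -Uri $fido2Uri -Body $body -ContentType "application/json"

# Verify: the allow list must contain the model you are about to enroll, otherwise
# "Security key" will not work for the break-glass account during registration.
$after = Invoke-MgGraphRequest -Method GET -Uri $fido2Uri
if ($after.keyRestrictions.enforcementType -eq "allow" -and
    -not ($after.keyRestrictions.aaGuids -contains $AllowedAaguids[0])) {
    throw "AAGUID allow list does not contain the key model to be enrolled"
}
$targets = ($after.includeTargets | ForEach-Object { $_.id }) -join ","
"After: state=$($after.state) targets=$targets"
```

The PATCH replaces the whole keyRestrictions object, so always send the complete AAGUID list rather than a single new entry; the read-back at the end catches the case where the list you pushed does not match the keys you bought.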

Step 3: Enroll the Key on the Break-Glass Account

In this step we will manually add a FIDO2 key to a break-glass account. Because the account registers the key itself, self-service set up must be allowed in the policy above:

  1. Log in to https://mysignins.microsoft.com/security-info with the break-glass account. Note: if the account has no MFA method yet, we recommend issuing a Temporary Access Pass (TAP) to satisfy the MFA requirement for security key setup. You can read more about TAP here:
    https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass
  2. Under Security info, use + Add sign-in method.
  3. If the configuration is correct you should see Security key as an option. If you do not, review the authentication methods policy again (the account must be in scope of the FIDO2 method and its key model must not be excluded by the AAGUID list).
  4. Now follow the guide. When prompted, select Security key and choose whether you use a USB or NFC key.
  5. Select Security key and click Add.
  6. Set your PIN and touch the key. You have now enrolled your FIDO2 key.
  7. To register a backup key, add another sign-in method and choose Security key again.
  8. Test each key with a real sign-in, then clean up any other MFA methods registered on the account so the TAP and weaker methods cannot be used later.
  9. You can now update your Conditional Access policies to require phishing-resistant MFA for the break-glass accounts.
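The parts of this procedure that happen outside the browser (issuing the TAP, checking that two keys were registered, removing the remaining methods and creating the Conditional Access policy) can be scripted so they are repeatable for every break-glass account. The following is an added example using the Microsoft Graph PowerShell SDK, not code from the original post. The account UPN and group ID are placeholders; the authentication strength ID is the built-in "Phishing-resistant MFA" strength.

```powershell
# Added example (not from the original post): TAP issuance, verification, cleanup of
# other MFA methods and the Conditional Access policy for a break-glass account.
# Assumptions, replace for your tenant:
#   $BreakGlassUpn     the break-glass account being enrolled
#   $BreakGlassGroupId object ID of the group that contains the break-glass accounts
$BreakGlassUpn     = "breakglass1@contoso.onmicrosoft.com"       # placeholder
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"       # placeholder

Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All",
                        "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# A single-use TAP lets the account satisfy the MFA requirement for registering a
# security key without first adding a weaker method. TAP must be enabled for this
# account in the authentication methods policy.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $BreakGlassUpn -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}
"TAP (hand over out of band, valid 60 min, single use): $($tap.TemporaryAccessPass)"

# The operator now signs in at https://mysignins.microsoft.com/security-info with the
# TAP and registers the primary and the backup key interactively.
Read-Host "Press Enter once both keys are registered"

# Verify that a primary and a backup key exist before touching anything else
$keys = @(Get-MgUserAuthenticationFido2Method -UserId $BreakGlassUpn)
$keys | Select-Object DisplayName, Model, AaGuid, AttestationLevel, CreatedDateTime | Format-Table
if ($keys.Count -lt 2) { throw "Expected a primary and a backup key, found $($keys.Count)" }

# Map each removable method type to its Graph collection. Password cannot be deleted
# and FIDO2 is what we keep; anything else not in the map is reported for manual review.
$removable = @{
    "#microsoft.graph.phoneAuthenticationMethod"                  = "phoneMethods"
    "#microsoft.graph.emailAuthenticationMethod"                  = "emailMethods"
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod" = "microsoftAuthenticatorMethods"
    "#microsoft.graph.softwareOathAuthenticationMethod"           = "softwareOathMethods"
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod"    = "temporaryAccessPassMethods"
}
foreach ($m in Get-MgUserAuthenticationMethod -UserId $BreakGlassUpn) {
    $type = $m.AdditionalProperties["@odata.type"]
    if ($type -in "#microsoft.graph.fido2AuthenticationMethod",
                  "#microsoft.graph.passwordAuthenticationMethod") { continue }
    if ($removable.ContainsKey($type)) {
        $uri = "https://graph.microsoft.com/v1.0/users/$BreakGlassUpn/authentication/$($removable[$type])/$($m.Id)"
        Invoke-MgGraphRequest -Method DELETE -Uri $uri
        "Removed $type $($m.Id)"
    } else {
        Write-Warning "Left in place (review manually): $type $($m.Id)"
    }
}

# Require the built-in "Phishing-resistant MFA" authentication strength for the
# break-glass group. Created in report-only mode: switch to "enabled" only after a
# successful test sign-in with each key, so a mistake here cannot lock the account out.
$policy = @{
    displayName   = "Break-glass accounts: phishing-resistant MFA"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($BreakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }  # built-in Phishing-resistant MFA
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object Id, DisplayName, State
```

Break-glass accounts are normally excluded from every other Conditional Access policy, so this one is deliberately the only policy that targets the group; review the sign-in logs in report-only mode before enforcing it, and keep the backup key in a separate physical location from the primary.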

Best Practices

Conclusion

Deploying FIDO2 keys on break glass accounts enhances security and ensures that only authorized personnel can access critical systems in emergencies. By following this guide, you can implement a robust authentication mechanism that safeguards your organization’s break-glass accounts in Entra ID.