
Securing Azure Services with Feitian FIDO

Hey folks,

Here again with another security topic featuring Feitian FIDO keys. Once again the Feitian devices proved their excellent quality and stability.

For this I chose the Feitian

K33 AllinPass FIDO Security Key – FEITIAN (ftsafe.com)

and

K39 Single-button FIDO Security Keys | FEITIAN (ftsafe.com)


Use case

An organization needed to implement the following changes:

1. Update the password policy

2. Reduce the user session timeout to 30 minutes

Once these changes were implemented, the following issues needed to be addressed:

1. Users complained that the new passwords have to be very long

2. Users complained that the session timeout, combined with the longer passwords, makes them work much slower

3. Etc.


Solution 

One of my friends reached out to me to help solve this problem. All I could think of was passwordless authentication with FIDO devices. We decided to use FIDO2 keys for better security and more flexibility for the users.

The FIDO (Fast IDentity Online) Alliance promotes open authentication standards and aims to reduce the use of passwords as a form of authentication. FIDO2 is the latest standard and incorporates the Web Authentication (WebAuthn) standard.

According to the Microsoft docs:

"FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. FIDO allows users and organizations to leverage the standard to sign in to their resources without a username or password using an external security key or a platform key built into a device. "

Users can register a FIDO2 security key and then select it at the sign-in interface as their main means of authentication. These FIDO2 security keys are typically USB devices, but they can also use Bluetooth or NFC. With a hardware device handling the authentication, the security of an account is increased, as there is no password that could be exposed or guessed.

In Azure Active Directory, the FIDO2 security key authentication method was enabled for our FIDO solution, and users were allowed to register the devices by themselves (self-service registration).

AAGUIDs (authenticator attestation GUIDs) were configured as key restrictions so that only the above-mentioned keys can be registered within the organization.

The AAGUIDs for Feitian keys can be found here:

Products – FIDO Security Keys (ftsafe.com)
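The key restriction described above, as an added example that is not part of the original post and not Feitian's or Microsoft's code. It builds the Microsoft Graph request body for the FIDO2 authentication method policy with an AAGUID allowlist, and shows the check a relying party performs on registration: pull the AAGUID out of the WebAuthn authenticator data and compare it with the list. The AAGUIDs, the relying-party ID and the authenticator data are placeholders I constructed for the demo; the real K33 and K39 AAGUIDs come from the Feitian page linked above, and the body would be sent as a PATCH to the Graph URI in the code (for instance with Invoke-MgGraphRequest from the Graph PowerShell SDK, with the Policy.ReadWrite.AuthenticationMethod permission).

```python
"""Added example: Azure AD FIDO2 key-restriction policy and the AAGUID check
behind it. Not code from the original post, from Feitian, or from Microsoft.
AAGUIDs, relying-party ID and authenticator data below are constructed
placeholders for the demo."""
import hashlib
import json
import struct
import uuid

# Placeholder AAGUIDs (NOT Feitian's real values; take those from the vendor page).
ALLOWED_AAGUIDS = [
    "00000000-0000-0000-0000-00000000ab33",  # stands in for the K33 AllinPass
    "00000000-0000-0000-0000-00000000ab39",  # stands in for the K39
]

GRAPH_URI = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
             "/authenticationMethodConfigurations/fido2")


def fido2_policy_body(aaguids, enforce_attestation=True):
    """Build the PATCH body for GRAPH_URI (fido2AuthenticationMethodConfiguration).

    Every AAGUID is validated as a UUID first: a typo in an allowlist would not
    fail the request, it would simply reject every key at registration time."""
    normalised = [str(uuid.UUID(a)) for a in aaguids]  # ValueError on a malformed GUID
    if not normalised:
        raise ValueError("allow list must not be empty; it would block all keys")
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "id": "Fido2",
        "state": "enabled",
        "isSelfServiceRegistrationAllowed": True,       # users enrol their own keys
        # The AAGUID is only trustworthy when attestation is verified; without it
        # any authenticator could claim an allowlisted AAGUID.
        "isAttestationEnforced": enforce_attestation,
        "keyRestrictions": {
            "isEnforced": True,
            "enforcementType": "allow",                 # "block" would deny-list instead
            "aaGuids": normalised,
        },
        "includeTargets": [
            {"targetType": "group", "id": "all_users", "isRegistrationRequired": False}
        ],
    }


def aaguid_from_auth_data(auth_data: bytes) -> str:
    """Extract the AAGUID from WebAuthn authenticator data of a registration.

    Layout: rpIdHash[32] | flags[1] | signCount[4] | attestedCredentialData,
    and attestedCredentialData = aaguid[16] | credIdLen[2] | credId | COSE key."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    if not auth_data[32] & 0x40:                         # AT flag: credential data present
        raise ValueError("no attested credential data; not a registration response")
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("attested credential data truncated")
    return str(uuid.UUID(bytes=auth_data[37:53]))


def registration_allowed(policy: dict, auth_data: bytes) -> bool:
    """Apply keyRestrictions to a registration. Runs after the attestation
    signature has been verified, which is what makes the AAGUID meaningful."""
    aaguid = aaguid_from_auth_data(auth_data)
    restrictions = policy["keyRestrictions"]
    if not restrictions["isEnforced"]:
        return True
    listed = aaguid in restrictions["aaGuids"]
    return listed if restrictions["enforcementType"] == "allow" else not listed


def make_auth_data(aaguid: str, cred_id: bytes = b"\x01" * 16) -> bytes:
    """Construct minimal registration authenticator data for the demo
    (the trailing COSE public key is omitted; it is not needed for the check)."""
    rp_id_hash = hashlib.sha256(b"login.microsoftonline.com").digest()  # placeholder RP ID
    flags = 0x01 | 0x04 | 0x40                           # UP | UV | AT
    attested = uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id
    return rp_id_hash + bytes([flags]) + struct.pack(">I", 0) + attested


if __name__ == "__main__":
    policy = fido2_policy_body(ALLOWED_AAGUIDS)
    print("PATCH", GRAPH_URI)
    print(json.dumps(policy, indent=2))
    print("K39 placeholder allowed:", registration_allowed(policy, make_auth_data(ALLOWED_AAGUIDS[1])))
    print("unknown key allowed:   ", registration_allowed(policy, make_auth_data("11111111-2222-3333-4444-555555555555")))
```

The point of pairing the two halves is that the allowlist is worth only as much as the attestation behind it: with attestation enforced, the AAGUID comes out of a statement signed by the vendor's attestation key, so a key from another manufacturer cannot claim a Feitian AAGUID and slip past the restriction.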


Why Feitian

A few months back I reviewed another Feitian product and was very impressed. When looking for a proper fit, the K33 and the K39 (successor of the K34) caught my eye. Feitian FIDO2 keys are also endorsed by Microsoft as supported products for Microsoft services. Feitian is based in Beijing, China, and is active in over 100 regions. Almost all of the devices are really straightforward to configure by following the vendor instructions. So far I have found one device that is slightly different from the others: the AllinPass (K33) has some extra steps and requires a USB-C connection to a PC to enrol the fingerprints.

The K33 was proposed for high-risk users. The AllinPass is a Bluetooth-enabled security key with a built-in biometric fingerprint reader, all packed into the size of a keyless car key. Packing all of that into such a small housing could easily have produced a clumsy device, but that's definitely not the case here: Feitian has clearly put time and effort into industrial design, and it pays off.



The K39 was proposed for all other users. It is a simple USB stick-style key with a USB-C interface, really easy to use, and users can keep it on their keychains. Personally, I like the K39 for the following reasons:

  1. Easy to configure
  2. Unlike other keys, it has some muscle to it
  3. USB-C gives more flexibility with devices (laptop or mobile)
  4. Etc.



You may be wondering why we chose two mobile-friendly keys from Feitian. We wanted to give users the opportunity to use these keys with their company-provided mobile devices as well.

At the moment, however, Microsoft does not support FIDO2 security keys for sign-in on either Android or iOS; the support matrix lists it as in development:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/fido2-compatibility#supported-browsers

Since Microsoft lists this as under development, we want users to start using the keys on their mobile devices as soon as the feature is released.

 

Conclusion

In summary,
  • The Feitian K33 and K39 devices are two excellent products that match our solution perfectly
  • Both Feitian devices are mobile friendly, which helps the organization in the long run: there will be no need to switch to another set of FIDO devices in the future
  • Most organizations are waiting for mobile FIDO support from Microsoft; Google already supports it. I think this should be worked on as a priority.
  • Why you should consider Feitian... Well, I have outlined many advantages and points throughout this post :D

Look at my previous device review.

Introduction Automation is a key component in many organizations' cloud strategy. Azure Automation allows you to automate the creation, deployment, and management of resources in your Azure environment. In this post, we will walk through the process of deploying an Automation Account with a Runbook and Schedule using Bicep, a new domain-specific language for deploying Azure resources. Intention My intention at the  end is to run a PowerShell  script to start and shutdown Azure VMs based on tag values. PowerShell  script that I have used is from below l ink.  And two  of me   collogue s ( Michael Turnley   and Saudh Mohomad helped to modify the  PowerShell  script. Prerequisites Before we begin, you will need the following: An Azure subscription The Azure CLI installed on your machine. The Azure Bicep extension for the Azure CLI Creating the Automation Account The first step in deploying an Automation Account with a Runbook and Schedule is to create the Aut