From 91ad3f0f1f64d2ee01d9ca6fb9e5df524c98ea89 Mon Sep 17 00:00:00 2001 From: Aabha Thipsay Date: Thu, 25 Oct 2018 15:30:11 -0700 Subject: [PATCH] First draft Microsoft compatible security keys --- .../hello-for-business/FIDOTest.md | 15 ----------- .../microsoft-compatible-security-key.md | 27 +++++++++++++++++++ 2 files changed, 27 insertions(+), 15 deletions(-) delete mode 100644 windows/security/identity-protection/hello-for-business/FIDOTest.md create mode 100644 windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md diff --git a/windows/security/identity-protection/hello-for-business/FIDOTest.md b/windows/security/identity-protection/hello-for-business/FIDOTest.md deleted file mode 100644 index 769d4859f3..0000000000 --- a/windows/security/identity-protection/hello-for-business/FIDOTest.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments -description: Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: mikestephens-MS -ms.author: mstephen -ms.localizationpriority: medium -ms.date: 08/20/2018 ---- -# Test Page for FIDO -I was there hello diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md new file mode 100644 index 0000000000..e71013ebe8 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md 
@@ -0,0 +1,27 @@ +--- +title: Microsoft compatible security key +description: Windows 10 enables users to sign in to their device using a security key. How is a microsoft compatible security key different (and better) than any other FIDO2 security key +keywords: FIDO2, security key, CTAP, Hello, WHFB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: aabhathipsay-MS +ms.author: aathipsa +ms.localizationpriority: medium +ms.date: 10/25/2018 +--- +# What is a Microsoft compatible security key? +Microsoft has been aligned with the [FIDO Alliance](https://fidoalliance.org/) from the start with a mission to replace passwords with an easy to use, strong credential. We have been working with our partners to extensively test and deliver a seamless and secure authentication experience to end users. + +The FIDO2 CTAP specification contains a few optional features and extensions which are crucial to provide that seamless and secure experience. + +A security key **must** implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft compatible: + +| #
| Feature / Extension trust
| Why is this required?
| Relevant Section in FIDO2 CTAP specification
| +| --- | --- | --- | --- | +| 1 | Resident key | This feature enables the security key to be portable, where your credential is stored on the security key | Section XXX | +| 2 | Client pin | This feature enables security keys to protect your credentials with a second factor like PIN
We recommend strong multi-factor credentials for authentication to all Microsoft services| Section XXX | +| 3 | hmac-secret | This extension ensures you can sign-in to your device when it’s off-line or in airplane mode | Section XXX | +| 4 | Multiple accounts per RP | This feature ensures you can use the same security key across multiple services like MSA and AAD | Section XXX | +
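Review bot: In the requirements table of microsoft-compatible-security-key.md, all four rows give the spec reference as the placeholder "Section XXX", so none of the "must implement" items (Resident key, Client pin, hmac-secret, Multiple accounts per RP) can be checked against the FIDO2 CTAP specification; replace each placeholder with the actual section before this leaves draft. In the same table, the header cell "Feature / Extension trust" carries a stray "trust", and as the hunk appears here the row 2 cell breaks before "We recommend strong multi-factor credentials ...", which would end the table row in Markdown, so keep that sentence inside the cell on one line. The front-matter description is phrased as a question but has no question mark and writes "microsoft" in lower case.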