Next to the Target settings you will find the General section, which holds two settings: ‘Allow self-service set up’ for end users and ‘Enforce attestation’.

The first setting lets users enroll security keys themselves, and I would strongly encourage you to enable it. You don’t want to provision every single key for your users with a PIN; you want users to do this on their own, following a self-service model. This also makes shipping or handing out security keys to end users much easier, as you don’t need to assign keys to specific users and give each of them a random scrambled PIN which they will have forgotten within a day.

The second setting is ‘Enforce attestation’. If you enable it, keys must present an attestation certificate that chains to a trusted root, so keys that only carry a self-signed attestation certificate can no longer be registered. Enforcing attestation therefore means that during enrollment the key’s certificate is checked to confirm that the key is a legitimate, known model, which keeps weaker or unverifiable security keys out of your tenant. In my example I’ve set this feature to ‘Enabled’ and will show you later on that a key will be blocked by this setting.

As you noticed earlier I’ve allowed the use of 5 security keys within my tenant, these are:

One key which I didn’t allow was the Nitrokey FIDO2 Security key, because this key doesn’t support the attestation enforcement configured within Azure AD (it uses a non-trusted / self-signed certificate).

Once you have finalized your list of security keys with their AAGUID numbers, and therefore finalized the configuration of the FIDO2 Security key section, please ‘Save’ your configuration within Azure AD.
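The same two General settings plus the AAGUID allow list can be applied without the portal, through the Microsoft Graph authentication methods policy. The script below is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account holds the Policy.ReadWrite.AuthenticationMethod permission, and that the Update-/Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration cmdlets and the fido2AuthenticationMethodConfiguration property names used here match your SDK version. The AAGUIDs are placeholders to be replaced with the values of the key models you actually want to allow.

```powershell
# Added example: configure the Azure AD FIDO2 security key policy via Microsoft Graph.
# Requires the Microsoft.Graph module; the cmdlet and property names are assumptions
# based on the Microsoft Graph SDK and should be checked against your installed version.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

# Placeholder AAGUIDs (not real key models): replace with your finalized list.
$allowedAaguids = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

# Refuse to push anything that is not a well-formed GUID: a typo here silently
# turns into a key model that can never be registered.
foreach ($id in $allowedAaguids) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($id, [ref]$parsed)) {
        throw "Not a valid AAGUID: $id"
    }
}

$body = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true    # 'Allow self-service set up'
    isAttestationEnforced            = $true    # 'Enforce attestation'
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = "allow"               # only the listed AAGUIDs may be registered
        aaGuids         = $allowedAaguids
    }
}

# Apply the configuration to the tenant's Fido2 authentication method.
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $body

# Read the policy back so you can confirm what was actually saved
# (the FIDO2-specific fields are returned in AdditionalProperties).
Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" |
    Select-Object -ExpandProperty AdditionalProperties
```

Reading the policy back after the update is the useful part: it shows whether attestation enforcement and the allow list really took effect before you hand keys to users, and a key model whose attestation is self-signed (such as the Nitrokey mentioned above) will be rejected at registration time rather than silently accepted.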