Windows Hello adding support for FIDO2 Security Keys

If you're looking to ditch your passwords for something a little more secure, it's been a good week. After the debut of the new WebAuthn standard last week, Yubico followed things up with a new security key built to work with the FIDO2 and WebAuthn API authentication standards. Now, Microsoft is taking things a step further by announcing that Windows Hello will support FIDO2 security keys as well.

Windows Hello's support for FIDO2 keys will work specifically with Yubico's USB FIDO2 Security Key, along with additional form factors from other partners. The feature is currently available as part of a limited preview via the Windows Technology Adoption Program, and it is available both on Windows 10 and for Azure Active Directory users.

Though it's easy to see this sort of thing extending to the consumer sphere, Microsoft appears to be focused on enterprise scenarios for the moment. From Microsoft:

Security keys allow you to carry your credential with you and safely authenticate to an Azure AD joined Windows 10 PC that's part of your organization. A user can walk up to any device belonging to the organization and authenticate in a secure way – no need to enter a username and password or set up Windows Hello beforehand. Unlike traditional passwords, these keys rely on high-security, public-key cryptography to provide strong authentication. These keys have all the benefits of a Trusted Platform Module (TPM) while also being portable, enabling the increasing number of mobile workers.

"Microsoft's FIDO2 implementation using the Security Key by Yubico is just the beginning of a passwordless world; there are no limits as to where this technology can take us," said Stina Ehrensvard, CEO and Founder, Yubico. "Passwords have been an age-old pain point for both individuals and organizations, and now, we have developed a unified open standard that can finally solve the problem at scale."

As it stands, Windows Hello already takes advantage of biometrics, like facial or fingerprint recognition, to allow users to log in without a password. However, support for FIDO2 security keys allows for a form of two-factor authentication, requiring the key itself along with a PIN or fingerprint to log in, all while eliminating the need for a password.

Microsoft is currently running a limited preview program for Windows Hello FIDO2 Security Key support, and you can sign up to join the waitlist. And if you want to get your hands on one of Yubico's new FIDO2 Security Keys now, they're available to order for $20.

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl

  • This is nice because Microsoft needs to cover the whole spectrum of security options to work on Windows Hello. That said, I think that for most cases, using an object to unlock your PC is not the most convenient case, and for those cases, biometric measures are the most efficient and secure.
  • Though not the most efficient, the safest combination probably involves both biometrics and a physical key like this.
  • Correct, Real0359. The main use for these keys (according to the section of the standard they follow) is as a second factor device. So, I'm thinking to get one to avoid having to use a smart phone for dual factor.
  • The problem with biometrics is that they may still require an object. Not all devices have cameras built in, and certainly not one that works with Windows Hello, since it seems to not use a normal camera, and the same goes for fingerprint readers.
    My computer has none, but then I do not use passwords to get into it anyway.
  • A cheap USB fingerprint reader solves that.
  • I would settle for a combination of a biometric & a password/PIN.
  • Yea, but a little button is easier and I can go for complex passwords that way.