Security Key EOBO
MDS Checker
YubiKey PIN Generator
Assembled list of Fido AAGUIDs
Enforce Security Key Logon
Add Kerberos object from on-premise AD to Azure AD
Terms of Use (ToU) Passkeys
Security Key EOBO (Enrollment On Behalf Of) facilitates YubiKey configuration and enrollment in Microsoft Entra ID.
NOTE: This project is found in a separate repository here.
MDS Checker is a lightweight Windows utility that provides the following key features:
- Presentation of YubiKey Model Name, Image, Firmware Version and Serial Number
- Presentation of FIDO Metadata Service (MDS) inclusion (Yes/No)
- If present in MDS, presentation of YubiKey FIDO certification(s) e.g. "L1" or "L2"
- Presentation of YubiKey AAGUID in an IdP-friendly format with a copy control
These features greatly simplify tasks related to AAGUID white-listing and aid the user in assessing whether attestation checks against the key are likely to succeed. In addition the utility helps the user assess the current or pending certification status of the security key.
- Download the MSI here
- Double-click the MSI package to begin installation
- Follow on-screen instructions to complete installation.
- Double-click the MDS Checker desktop shortcut to run the app
- Approve elevation (run-as) when prompted (!)
- Insert a YubiKey to acquire its attributes (this happens automatically)
- Use the Copy button to copy the AAGUID to clipboard
- Optionally paste the AAGUID into your IdP (RP) for white-listing purposes.
NOTE: The app must be run as administrator!
The YubiKey PIN Generator is a Python script that facilitates configuration of one or more YubiKeys. The script:
- Sets a random and non-trivial PIN (default: 4 digits)
- If selected (and supported by the YubiKey firmware), flags the PIN as requiring a change on first use
- Prints YubiKey model, serial number, initial PIN (and change flag) to a JSON output file
- Prompts for configuration of additional YubiKey(s).
The following are prerequisites towards running the script:
- Python installed on client
- Python-fido2 installed on client
- YubiKey Manager (CLI) installed on client.
NOTE: Refer to swjm.blog for detailed setup instructions.
To run the script, simply execute command: python yubikey-pin-gen.py
NOTE: Refer to swjm.blog for detailed usage instructions.
The script will output a file in the working directory called output.json.
Here is an example:
[
{
"Model": "YubiKey 5C NFC",
"Serial number": 12345678,
"PIN": "6855",
"PIN change required": true
}
]
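The following is an added example (not the project's yubikey-pin-gen.py) showing how a "random and non-trivial" PIN can be generated with the OS CSPRNG and how the output.json record above is assembled. The rules that decide what counts as trivial, the small deny-list, and the device model/serial are this example's own assumptions and constructed values; writing the PIN to the key (python-fido2's ClientPin) is deliberately left out so the example runs without hardware.

```python
"""Generate a random, non-trivial YubiKey FIDO2 PIN and build the
output.json record in the shape shown on the page.

Added example, not the project's yubikey-pin-gen.py. The "trivial" rules
and the deny-list are assumptions; the device values are constructed."""
import json
import secrets

# CTAP2 requires a PIN of at least 4 Unicode code points; the page's
# script uses numeric PINs with a default length of 4.
MIN_PIN_LENGTH = 4

# Illustrative deny-list of frequently chosen numeric PINs (assumption:
# a real deployment would use a fuller list).
COMMON_PINS = {"1234", "0000", "1111", "2580", "1212", "7777", "2000", "4321"}


def is_trivial(pin: str) -> bool:
    """Return True if the PIN is too short, non-numeric, or follows an
    easily guessed pattern."""
    if not pin.isdigit() or len(pin) < MIN_PIN_LENGTH:
        return True
    if pin in COMMON_PINS:
        return True
    if len(set(pin)) == 1:                            # 7777, 000000
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):                          # 1234, 9876, 345678
        return True
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] * 2 == pin:   # 1212, 123123
        return True
    return False


def generate_pin(length: int = MIN_PIN_LENGTH) -> str:
    """Draw digits from the OS CSPRNG until a non-trivial PIN comes up."""
    if length < MIN_PIN_LENGTH:
        raise ValueError(f"PIN must be at least {MIN_PIN_LENGTH} digits")
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if not is_trivial(pin):
            return pin


def make_record(model: str, serial: int, pin: str, change_required: bool = True) -> dict:
    """One entry of output.json, keyed exactly as the page's example."""
    return {
        "Model": model,
        "Serial number": serial,
        "PIN": pin,
        "PIN change required": change_required,
    }


def write_output(records: list, path: str = "output.json") -> None:
    """Write the records as the JSON array that output.json contains."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(records, fh, indent=2)


if __name__ == "__main__":
    # Constructed device values; a real run reads model and serial from the key.
    record = make_record("YubiKey 5C NFC", 12345678, generate_pin())
    write_output([record])
    print(json.dumps([record], indent=2))
```

Note that output.json holds the initial PINs in clear text: treat the file as a secret, hand it over through a protected channel and delete it once the keys have been distributed.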
The AAGUID, short for "Authenticator Attestation Globally Unique Identifier", is part of the FIDO2 specification. In most cases the AAGUID identifies the authenticator make and model, which gives the Relying Party (RP) or Identity Provider (IdP) a simple way to include (or exclude) authenticators during registration/enrollment and authentication without, for example, integrating the FIDO Metadata Service. Note that the AAGUID is reported by the authenticator itself: unless the RP also verifies the attestation statement, an AAGUID allow-list only constrains what an authenticator claims to be.
A CSV file containing "all" AAGUIDs can be found here (2024-09-18 at 2:53:00 CET).
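As an added example (not code from this project), the following shows what an RP or IdP actually does with such a list at registration: read the AAGUID out of the WebAuthn authenticator data, render it in the lowercase hyphenated form allow-lists expect, and compare it against a CSV-backed allow-list. The AAGUID values and the CSV snippet are constructed placeholders (real values come from the vendor or the FIDO MDS); only the raw authenticator-data bytes are parsed, and decoding the surrounding CBOR attestation object and verifying the attestation statement are out of scope.

```python
"""Extract the AAGUID from WebAuthn authenticator data and check it
against an AAGUID allow-list, as an RP/IdP would at registration.

Added example, not code from this project. AAGUIDs and the CSV below are
constructed placeholders."""
import csv
import hashlib
import io
import struct
import uuid

# Authenticator data layout (WebAuthn "Authenticator Data"):
#   rpIdHash (32) | flags (1) | signCount (4, big-endian)
#   | attestedCredentialData (only when the AT flag is set):
#       aaguid (16) | credentialIdLength (2) | credentialId | credentialPublicKey (CBOR)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included

ZERO_AAGUID = uuid.UUID(int=0)

# Constructed allow-list with placeholder AAGUIDs (not real products).
SAMPLE_CSV = """aaguid,model
11111111-2222-4333-8444-555555555555,Constructed Model A
66666666-7777-4888-8999-aaaaaaaaaaaa,Constructed Model B
"""
SAMPLE_AAGUID = uuid.UUID("11111111-2222-4333-8444-555555555555")
UNKNOWN_AAGUID = uuid.UUID("99999999-9999-4999-8999-999999999999")


def parse_aaguid(auth_data: bytes) -> uuid.UUID:
    """Return the AAGUID carried in authenticator data from a registration."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the fixed header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        # Assertions (sign-in) carry no attested credential data, so there
        # is no AAGUID to read; it is only available at registration.
        raise ValueError("AT flag clear: no attested credential data present")
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("attested credential data truncated")
    return uuid.UUID(bytes=auth_data[37:53])


def to_idp_format(aaguid: uuid.UUID) -> str:
    """Lowercase, hyphenated form, which is what IdP allow-lists expect."""
    return str(aaguid)


def load_allow_list(csv_text: str) -> dict:
    """Map aaguid -> model name from a CSV with 'aaguid' and 'model' columns."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["aaguid"].strip().lower(): row["model"].strip() for row in reader}


def check_registration(auth_data: bytes, allow: dict) -> tuple:
    """Decide whether a registration is acceptable based on the AAGUID alone."""
    aaguid = parse_aaguid(auth_data)
    if aaguid == ZERO_AAGUID:
        # With attestation conveyance "none" clients typically replace the
        # AAGUID with 16 zero bytes, so the model cannot be identified.
        return False, "AAGUID is all zeros; request direct/indirect attestation"
    model = allow.get(to_idp_format(aaguid))
    if model is None:
        return False, f"AAGUID {to_idp_format(aaguid)} is not on the allow-list"
    return True, model


def build_auth_data(rp_id: str, aaguid: uuid.UUID, cred_id: bytes,
                    flags: int = FLAG_UP | FLAG_UV | FLAG_AT, counter: int = 1) -> bytes:
    """Construct sample authenticator data for testing. The credential public
    key is stubbed as an empty CBOR map (0xA0) because it is not parsed here."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", counter)
            + aaguid.bytes
            + struct.pack(">H", len(cred_id))
            + cred_id
            + b"\xa0")


if __name__ == "__main__":
    allow = load_allow_list(SAMPLE_CSV)
    for label, guid in (("allowed", SAMPLE_AAGUID),
                        ("unknown", UNKNOWN_AAGUID),
                        ("zeroed", ZERO_AAGUID)):
        ok, info = check_registration(build_auth_data("example.com", guid, b"\x01\x02\x03"), allow)
        print(f"{label:8} accepted={ok} ({info})")
```

The all-zero case is the one that bites in practice: an RP that registers with attestation "none" never sees a usable AAGUID, so the allow-list must be paired with at least "indirect" attestation conveyance to have any effect.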
The file Enable-Security-Key-Logon.reg contains a registry key that will enable security key logon on Windows 10 & Windows 11.
To use this registry key, download it or save content to file (with .reg extension) and double-click on it.
The archive file Enable-Security-Key-Sign-in-ADMX-1.0.zip adds security key sign-in as a GPO control to the existing credentialproviders.admx view (not the file itself) to "augment" a Windows Server GPO where this control is not yet available (e.g. on Windows Server 2019 and earlier).
For usage instructions, see readme.txt inside the archive.
The file Enable-Security-Key-Sign-in-1.0.ppkg contains a provisioning package that will enable security key logon on Windows 10 & Windows 11. The package is unsigned and not encrypted.
To use this package download it and double-click on it (or import into Windows Configuration Designer and go from there).
The file Disable-PasswordProvider.reg contains a registry key that will DISABLE password-based logon on Windows 10 & Windows 11. Make sure a security key (or another credential provider you intend to keep) is enrolled and tested on the machine before applying it, otherwise you lock yourself out of interactive logon.
To use this registry key, download it or save its content to a file (with .reg extension) and double-click on it. To disable additional credential providers you can extend this key using the listing provided at https://swjm.blog
The file Enforce_security_key_sign-in.ps1 is a PowerShell script meant for Microsoft Endpoint Manager (Intune) configuration of Windows 10 and 11 clients. The script is adapted from an original script created by Craig Wilson (https://craigwilson.blog/) and works by DISABLING alternative credential providers.
See: https://swjm.blog
The file Add-Kerberos-object-to-AAD.ps1 is a PowerShell script that creates an Azure AD Kerberos Server object in your on-premises AD, enabling FIDO2 (SSO) access to on-premises resources such as network shares. This is not required for FIDO2 security key sign-in itself, but it extends the use of the security key beyond PC login.
See: https://swjm.blog
The file Terms-of-Use-(ToU)-Passkeys.pdf is an example of a "Terms of Use" (ToU) that can be presented to users when accessing company resources. This example ToU stipulates that users must set a non-trivial PIN on the security key and transfers that responsibility to the user.
See: swjm.blog