How do I log in to my personal Windows 10 using a FIDO2 key?

Solution 1:

First there are certain prerequisites you need to have before you can use the FIDO2 functionality.

1) The FIDO2 capability requires using the Windows 10 October 2018 Update (version 1809) and the Microsoft Edge browser. (Note that the update may still be blocked due to some driver issues, such as Intel drivers. I don't know whether all the issues have been addressed; you have to check yourself here.)

2) Microsoft is using the WebAuthn and FIDO2 CTAP2 specifications, which require that both a private and public key get added to a device. Organizations will need to have a Trusted Platform Module (TPM) on the device to store these keys. The TPM can be implemented via hardware or software (usually present in business notebooks like HP, DELL).

What makes a key compatible with the Microsoft solution? You should read about it at: What is a Microsoft-compatible security key?

The details of Microsoft's implementation are described at All about FIDO2, CTAP2 and WebAuthn.

Support for the enterprise version will be available as enterprises raise their version up to the above-named update and MS enables it for them (full support in AD and Azure AD).

To enable a Microsoft Account (MSA) to use FIDO2

1) You are already using Windows 10 1809 (October update), as said above, so you can set up Windows Hello to use FIDO2.

2) To enable it, go to your Microsoft Account page and enter Security\More Security from Windows Edge (it won't work in IE, Chrome, Firefox, etc.).

  • If you have set up everything, you should see the following screen:

Correct screen with FIDO2 support

  • If something did not work out you will see the following: Not supported message

Solution 2:

You cannot log in to your own Windows 10 non-domain computer using a security key.

You CAN if you're using Azure Active Directory. Passwordless login via hardware security key is an online AAD-controlled feature and cannot be done locally without third-party software.

You cannot if you're logging into a local account on a non-domain Windows 10 instance.

The "Sign-In Options" setup page that lets you select a security key describes it as "Manage a physical security key that can log you into APPLICATIONS." Your Windows 10 login is not an application; your online Microsoft account login is an application.

Confusion is rife around this topic because Microsoft uses the phrase "Windows Hello" instead of "login" -- most readers think of the user login process on a Windows 10 box when someone says "Windows Hello" and not application logins. Edge will let you log in to Microsoft online applications using "Windows Hello" methods, like fingerprints or facial recognition. Placing an app-only login method under Windows Hello that can't be used for Windows login was a bad idea that generated all this confusion.

Reference: https://answers.microsoft.com/en-us/windows/forum/all/adding-a-security-key-for-pc-login-in-windows-10/ffd27920-5c51-4b04-afb8-21e1a6810536?page=2
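To see which of the two answers applies to a given machine, the following added example (not part of either answer) reports the prerequisites Solution 1 lists (Windows 10 version 1809 or later, a TPM) together with the Azure AD join state that Solution 2 says decides whether a security key can be used for Windows sign-in. The function name `Get-Fido2Readiness` is hypothetical, and build number 17763 for version 1809 is supplied here rather than taken from the page.

```powershell
# Added example: reports the prerequisites named in the answers above.
# Run from an elevated PowerShell session (Get-Tpm needs administrator rights).

function Get-Fido2Readiness {
    param(
        # Build number of Windows 10 version 1809 (October 2018 Update)
        [int]$MinimumBuild = 17763
    )

    # Prerequisite 1 (Solution 1): OS build
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Prerequisite 2 (Solution 1): TPM present and ready
    $tpmPresent = $false
    $tpmReady   = $false
    try {
        $tpm        = Get-Tpm -ErrorAction Stop
        $tpmPresent = [bool]$tpm.TpmPresent
        $tpmReady   = [bool]$tpm.TpmReady
    } catch {
        Write-Warning "Get-Tpm failed (not elevated, or no TPM): $($_.Exception.Message)"
    }

    # Solution 2: join state. dsregcmd prints lines such as "AzureAdJoined : YES".
    $join = @{ AzureAdJoined = $false; DomainJoined = $false }
    foreach ($line in (& dsregcmd.exe /status 2>$null)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
            $join[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    [pscustomobject]@{
        OsCaption      = $os.Caption
        OsBuild        = $build
        BuildMeets1809 = ($build -ge $MinimumBuild)
        TpmPresent     = $tpmPresent
        TpmReady       = $tpmReady
        AzureAdJoined  = $join.AzureAdJoined
        DomainJoined   = $join.DomainJoined
        # Per Solution 2: key-based Windows sign-in is an Azure AD feature;
        # a local account on a non-joined PC gets application sign-in only.
        WindowsSignInWithKey = ($join.AzureAdJoined -and $build -ge $MinimumBuild)
    }
}

Get-Fido2Readiness | Format-List
```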