How to Provision FIDO2 Keys for Users Effectively?

Asked By TechieNinja92 On

I'm looking for advice on provisioning FIDO2 keys on behalf of our users. Most recommend allowing users to enroll themselves, but that's not feasible for us due to a few reasons. First, management wants the process to be as painless as possible for our staff. Second, many of our employees struggle with technology; even with step-by-step guides, I'd expect many issues to arise. Finally, we have over 15,000 staff members to enroll in about six months, and I anticipate our service desk being overwhelmed if we distribute the keys directly. I noticed the Microsoft Graph Beta has some capabilities, but it seems to be geared towards third-party MFA apps and not suitable for manual use. I also found a mention of a PowerShell module related to passkeys, but there's limited information available. We're not using Yubico keys, but I'm curious if anyone has suggestions on how to handle this challenge effectively.

5 Answers

Answered By SecureITPro On

Yubi offers comprehensive services for managing FIDO2 keys, but if you want a DIY approach with YubiKeys, YubiEnroll could work, though implementing that with such a large user base might be challenging. Just be cautious about scalability.

Answered By Authenticator101 On

Have you considered using an Authenticator app instead? It requires less hardware and might simplify the process. However, I know some folks prefer not to use personal devices for MFA. Physical keys can be a more secure option, but they can be more economical than deploying smartphones. FIDO2 keys have also proven to be more resilient against phishing attacks than rolling codes.

Answered By YubiKeyGuru On

We use YubiEnroll for our YubiKeys, and it has been working well for us. What brand of keys are you actually planning to use?

Answered By TechSupportHero On

Remember, the Graph API you're looking at is designed for third-party integrations, not for direct admin provisioning. You really need user self-enrollment, which is a crucial part of maintaining security standards. Treat it as a serious responsibility, as it could backfire if not handled properly.

Answered By KeyMaster007 On

One challenge is the requirement for users to perform an 'authenticator gesture' when enrolling the keys. This means that even if you pre-deploy them, each user will still need to touch their key to complete the process. Training them might be essential, perhaps with incentives. Maybe offer the first 100 users a gift card or enter the first 1000 enrollments into a raffle. To motivate compliance, maybe implement a deadline with consequences for those who don't enroll in time.
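Because each user still has to touch the key to finish registration, a rollout with a deadline needs a way to see who has actually completed enrollment. The script below is an added example for this thread, not code posted by any of the participants: it uses the Microsoft Graph PowerShell SDK to list every enabled member user, read their registered FIDO2 authentication methods, and write out the list of users who have not yet enrolled. The module names, the `-Scopes` values, and the CSV output path are assumptions for this example; adjust them to your tenant.

```powershell
# Added example (not from the original thread): report FIDO2 enrollment status
# for every enabled member user, so a rollout team can track progress toward
# an enrollment deadline. Assumes the Microsoft.Graph PowerShell SDK is installed
# (Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules) and that
# the signed-in admin can consent to the read-only scopes below.

Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# Pull all enabled accounts, then keep only members; guests are excluded from
# the rollout in this example (assumption).
$users = Get-MgUser -All -Filter "accountEnabled eq true" `
    -Property Id,UserPrincipalName,DisplayName,UserType |
    Where-Object { $_.UserType -eq 'Member' }

$report = foreach ($u in $users) {
    try {
        # One call per user; returns zero or more fido2AuthenticationMethod objects.
        $keys = @(Get-MgUserAuthenticationFido2Method -UserId $u.Id -ErrorAction Stop)
    } catch {
        Write-Warning "Could not read FIDO2 methods for $($u.UserPrincipalName): $($_.Exception.Message)"
        $keys = @()
    }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        Fido2KeyCount     = $keys.Count
        Enrolled          = ($keys.Count -gt 0)
        KeyModels         = (($keys | ForEach-Object { $_.Model }) -join '; ')
        FirstEnrolled     = ($keys | Sort-Object CreatedDateTime | Select-Object -First 1).CreatedDateTime
    }
}

$enrolled = @($report | Where-Object { $_.Enrolled }).Count
$total    = [math]::Max($report.Count, 1)
Write-Host ("FIDO2 enrolled: {0} of {1} users ({2:P1})" -f $enrolled, $report.Count, ($enrolled / $total))

# Users still missing a key, for the reminder campaign or service desk follow-up.
# Output path is an assumption for this example.
$report | Where-Object { -not $_.Enrolled } | Sort-Object UserPrincipalName |
    Export-Csv -Path ".\fido2-not-enrolled.csv" -NoTypeInformation

Disconnect-MgGraph | Out-Null
```

Run it on a schedule during the rollout window and diff the CSV between runs to see which reminders or training sessions are actually moving the enrollment number; the `Model` column also shows whether users are registering the keys you issued or something else.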
