We've got a new executive who wants to roll out FIDO2 keys for everyone in our organization, and he's pretty keen on integrating them with our access control system. I've found a few options that cover all the bases like biometric, USB, NFC, and Bluetooth connectivity—specifically the Crayonic KeyVault K1, Feitian AllinPass FIDO2, and StarSign Key Fob. I've already checked with our access control vendor, and they confirmed that any of these devices should be compatible. Has anyone had experience with these vendors, or are there any potential pitfalls I should be aware of? Just to note, I asked about YubiKey as an option, but it was a no-go, so that's off the table.
3 Answers
I tried testing a FIDO2 Card with an HID PROX sticker, and it worked well, but I never went into a full rollout. Cards might not be what you’re after, though; just thought I'd share my experience!
It sounds like you're gearing up for a solid implementation! Be prepared to handle any unexpected challenges since it seems new tech can sometimes lead to hiccups. Have you considered how these keys might affect workflow initially, or if everyone is on board with the change? It might be worth thinking about training sessions to get everyone up to speed.
Just a heads-up: I almost made a big mistake when enabling FIDO2 by accidentally turning on a feature that would have disabled any FIDO2 keys not on our approved list. Thankfully, I read up on it first. I’d also recommend keeping Emergency Access accounts to have additional methods like authenticator codes. It's safer than relying solely on FIDO2 if there’s an issue.
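The "approved list" feature mentioned in the answer above works on the authenticator's AAGUID, the 16-byte model identifier carried in the attested credential data of every WebAuthn registration. Before enforcing such a list, an admin wants to know which already-enrolled keys it would silently lock out. The following script is an added example (not code from the original thread, nor from any identity provider or key vendor): it parses the fixed-layout part of WebAuthn authenticator data, pulls out the AAGUID, and reports which constructed sample registrations would pass or fail a constructed allow-list. All AAGUIDs, usernames, credential IDs and the relying-party hostname are placeholders invented for the example; a real list would be built from the FIDO Metadata Service entries for the approved models.

```python
import hashlib
import struct
import uuid

# Constructed allow-list. These AAGUIDs are placeholders invented for this
# example, not any vendor's real identifiers; a real tenant's list would come
# from the FIDO Metadata Service entry for each approved authenticator model.
APPROVED_AAGUIDS = {
    uuid.UUID("11111111-1111-4111-8111-111111111111"),  # placeholder: approved model A
    uuid.UUID("22222222-2222-4222-8222-222222222222"),  # placeholder: approved model B
}

# Authenticator data flag bits (WebAuthn Level 2, section 6.1)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed-layout part of WebAuthn authenticator data.

    Layout: rpIdHash(32) | flags(1) | signCount(4, big-endian)
            | [aaguid(16) | credIdLen(2) | credentialId | credentialPublicKey(CBOR)]
    The trailing COSE public key is not decoded here.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "user_verified": bool(flags & FLAG_UV),
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
        parsed["credential_id"] = cred_id
    return parsed


def audit_registrations(registrations, approved=APPROVED_AAGUIDS):
    """Classify enrolled keys before an AAGUID allow-list is switched on.

    registrations: iterable of (username, registration authenticator data).
    Returns (allowed, blocked) as lists of (username, aaguid-or-None).
    Records without attested credential data, or whose AAGUID is outside the
    allow-list, land in 'blocked' so the admin sees who would be locked out.
    """
    allowed, blocked = [], []
    for user, auth_data in registrations:
        aaguid = parse_authenticator_data(auth_data)["aaguid"]
        if aaguid is not None and aaguid in approved:
            allowed.append((user, aaguid))
        else:
            blocked.append((user, aaguid))
    return allowed, blocked


def build_registration_auth_data(rp_id: str, aaguid: uuid.UUID, cred_id: bytes,
                                 flags: int = FLAG_UP | FLAG_UV | FLAG_AT,
                                 sign_count: int = 0) -> bytes:
    """Construct authenticator data for testing; no real authenticator is involved.
    An empty CBOR map (0xA0) stands in for the credential public key."""
    out = hashlib.sha256(rp_id.encode()).digest()
    out += bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        out += aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0"
    return out


# Constructed sample: three enrolled users, one holding a model not on the list.
UNAPPROVED_AAGUID = uuid.UUID("33333333-3333-4333-8333-333333333333")  # placeholder
SAMPLE_REGISTRATIONS = [
    ("alice", build_registration_auth_data(
        "login.example.com", uuid.UUID("11111111-1111-4111-8111-111111111111"), b"cred-alice")),
    ("bob", build_registration_auth_data(
        "login.example.com", uuid.UUID("22222222-2222-4222-8222-222222222222"), b"cred-bob")),
    ("carol", build_registration_auth_data(
        "login.example.com", UNAPPROVED_AAGUID, b"cred-carol")),
]

if __name__ == "__main__":
    allowed, blocked = audit_registrations(SAMPLE_REGISTRATIONS)
    print("would keep working:", [u for u, _ in allowed])
    print("would be locked out:", [u for u, _ in blocked])
```

Running the script lists carol as the user who would be locked out. In practice you would feed it the stored registration data (or the AAGUID column your identity provider exposes) for every enrolled key, and only turn the restriction on once the blocked list is empty or those users have re-enrolled on an approved model; note that assertion responses (sign-ins) do not carry the AAGUID, so the audit has to use registration records.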
That makes sense, but isn't having other forms like TOTP kinda against the idea of FIDO2 security? If you're mixing methods, are you really maximizing the FIDO2 benefits?

Wait, are your emergency accounts still using Microsoft Authenticator? Maybe keep that on a secure device separate from regular admin phones! You definitely don’t want those credentials exposed.