This is the best post I've seen on deploying FIDO2 keys at scale in an enterprise. The insights on how analytics, automation and notification services are used are fantastic. #authentication #fido2 #azuread

https://blog.palantir.com/hardware-selection-and-logistics-passwordless-authentication-series-1-cef0a4550fab

@chrismerkel thanks for sharing that one - very good write-up!
@chrismerkel Yubi has got to get some serious competition. Their prices make them difficult to pitch to smaller business. $45 USD a key is tough to swallow for cost conscious small business owners "Let's just text their phones instead. That's free" 🤷‍♂️
@mspsadmin I think in a small biz context, it probably would make more sense to use phones as the FIDO2 key...
@chrismerkel Absolutely. And most of our Microsoft clients use notifications via authenticator. But, inevitably they get new phones and migrate back to SMS without saying anything. Having keys and phones for backup would be nice. Avoid disruptions if you try to rely on a single method. Backup codes rarely work because they can never find them (along with their passwords 😬)

@chrismerkel This article jibes with my experience at <large tech company> which used a very similar flow to provision 10s of 1000s of users.

I look forward to reading any future posts that cover implementing FIDO2 auth for ssh, because I'm curious whether they also had the experience of having to cover an extraordinarily long & arcane list of corner cases involving multi-hop ssh from box to box, endless automation-related humanless auth cases, etc, etc.

@chrismerkel thanks! I continually find myself appreciating what Palantir releases. I used their write-up to deploy ASR rules to workstations https://blog.palantir.com/microsoft-defender-attack-surface-reduction-recommendations-a5c7d41c3cf8