PA-06: Require FIDO2 Security Keys for Administrators
Overview
This guide walks you through the end-to-end process of selecting, procuring, distributing, and managing FIDO2 hardware security keys for administrative users. Hardware security keys provide the strongest form of phishing-resistant authentication available and are required for all users with privileged roles at this baseline level.
Control ID: PA-06 Category: Privileged Access Baseline Level: Level 3 (Maximum Security) Severity: Critical License Required: Microsoft Entra ID P2
Why This Matters: Hardware security keys provide the highest authentication assurance. A FIDO2 credential is bound to the origin it was registered for and the private key never leaves the key's secure element, so a user cannot be tricked into authenticating to a look-alike site, the response cannot be replayed, and the key material cannot be extracted or cloned. Entra ID also requires user verification (a PIN or biometric) on the key, so a lost or stolen key is not usable on its own. Level 3 mandates this protection for all admin access, because privileged accounts can cause significant damage if compromised.
Prerequisites
| Requirement | Details |
|---|---|
| Role Required | IT Administrator with purchasing authority, or Security Administrator |
| License Required | Microsoft Entra ID P2 (this Level 3 control is paired with PIM, which needs P2; FIDO2 key registration itself is available in all Entra ID editions, and the enforcing Conditional Access policy in PA-05 needs at least P1) |
| Budget | Approximately $50-150 per privileged user (2 keys each) |
| Access | Microsoft Entra admin center for configuration |
Time Estimate
Full implementation: 2-4 weeks depending on procurement timelines
- Vendor selection and procurement: 1-2 weeks
- Configuration and pilot: 2-3 days
- User provisioning (per user): 15-30 minutes
- Documentation: 2-3 hours
Understanding FIDO2 Security Keys
Key Types and Form Factors
| Form Factor | Pros | Cons | Best For |
|---|---|---|---|
| USB-A | Universal compatibility | Requires adapter for USB-C devices | Desktop users |
| USB-C | Modern device compatibility | Not compatible with older devices | Laptop users, mobile |
| NFC | Works with phones | Slower, requires tap | Mobile-first users |
| USB-A + NFC combo | Maximum flexibility | Larger, more expensive | Most privileged users |
Recommended Vendors
| Vendor | Models | Price Range | Notes |
|---|---|---|---|
| Yubico | YubiKey 5 Series | $50-75 | Industry leader, durable |
| Feitian | ePass FIDO2 | $20-40 | Budget-friendly, certified |
| Google | Titan Security Key | $30-35 | Good value, Google ecosystem |
| Token2 | T2F2 Series | $15-30 | Budget option |
| Thales | SafeNet eToken | $50-100 | Enterprise features |
Recommendation: For most organizations, the YubiKey 5 NFC ($50-55) or YubiKey 5C NFC ($55-60) provides the best balance of security, compatibility, and durability.
Step-by-Step Instructions
Step 1: Determine Requirements
Answer these questions to guide your selection:
| Question | Your Answer | Impact |
|---|---|---|
| How many privileged users need keys? | ___ | Quantity calculation |
| What devices do they use? (USB-A/C/both) | ___ | Form factor selection |
| Do they use mobile devices for admin? | ___ | NFC requirement |
| Government/compliance requirements? | ___ | FIPS certification needs |
| Budget per user? | $___ | Vendor selection |
Quantity calculation:
- Primary key: 1 per user
- Backup key: 1 per user (stored separately)
- Spares for replacements: 10-20% of user count
- Total = (Users x 2) + Spares
Step 2: Select and Procure Keys
For most organizations, recommend:
| User Type | Primary Key | Backup Key | Total per User |
|---|---|---|---|
| Desktop admins | YubiKey 5 NFC | YubiKey 5 NFC | 2 x $50 = $100 |
| Mobile-first | YubiKey 5C NFC | YubiKey 5C NFC | 2 x $55 = $110 |
| Mixed devices | YubiKey 5C NFC | YubiKey 5 NFC | $50 + $55 = $105 |
Procurement options:
- Direct from vendor:
  - Yubico: store.yubico.com (volume discounts available)
  - Feitian: ftsafe.com
- Resellers:
  - CDW, SHI, Insight (often faster, may have existing contracts)
  - Amazon Business (convenient, verify authenticity)
- Enterprise purchasing:
  - Contact vendor sales for volume pricing (usually 50+ units)
  - Request sealed, tamper-evident packaging
  - Consider managed service options
Order lead time: Plan for 1-2 weeks for standard orders, longer for large quantities.
Step 3: Prepare the Entra ID Environment
Before distributing keys, ensure Entra ID is configured:
- Navigate to entra.microsoft.com
- Go to Protection > Authentication methods > Policies
- Click FIDO2 security key (labelled Passkey (FIDO2) in newer versions of the admin center)
- Verify settings:
| Setting | Recommended Value |
|---|---|
| Enable | Yes |
| Target | All users (or select privileged users) |
| Allow self-service set up | Yes |
| Enforce attestation | No by default; set to Yes if you enforce key restrictions, because attestation is what lets Entra verify that a key really is the model its AAGUID claims to be |
| Enforce key restrictions | No by default; for Level 3, consider Allow with the AAGUIDs of the procured models so that only approved keys can be registered |
- Click Save
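The portal shows these settings one at a time; the following script reads the same FIDO2 policy object back through Microsoft Graph and compares it with the table above, which is useful for the verification checklist and for catching drift later. It is an added example, not part of the original guide: it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in administrator can consent to Policy.Read.All. The `$expected` values mirror the table's defaults; change `isAttestationEnforced` to `$true` if you adopt an AAGUID allow-list.

```powershell
# Added example (not from the original guide): read back the FIDO2 authentication
# method policy via Microsoft Graph and compare it with the Step 3 recommendations.
# Assumes the Microsoft.Graph PowerShell SDK and consent to Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"
$fido2 = Invoke-MgGraphRequest -Method GET -Uri $uri   # returns a hashtable of the JSON body

# Baseline values from the table above; adjust if your policy enforces an AAGUID allow-list.
$expected = [ordered]@{
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $false
}

$findings = foreach ($setting in $expected.Keys) {
    [pscustomobject]@{
        Setting  = $setting
        Expected = $expected[$setting]
        Actual   = $fido2[$setting]
        Ok       = ($fido2[$setting] -eq $expected[$setting])
    }
}
$findings | Format-Table -AutoSize

# Who the method is enabled for: includeTargets lists groups or the "all_users" pseudo-target.
"Targets:"
foreach ($t in $fido2.includeTargets) {
    "  {0} {1} (registration required: {2})" -f $t.targetType, $t.id, $t.isRegistrationRequired
}

# Key restrictions: when enforced, only keys whose AAGUID is allowed (or not blocked) can register.
$kr = $fido2.keyRestrictions
"Key restrictions enforced: {0}; type: {1}; AAGUIDs: {2}" -f $kr.isEnforced, $kr.enforcementType, ($kr.aaGuids -join ", ")

# Any row with Ok = False is a finding for the verification checklist.
$findings | Where-Object { -not $_.Ok }
```

Run it once after Step 3 and again as part of the monthly audit in Step 10; a non-empty final list means the portal settings no longer match the baseline.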
Step 4: Create Distribution and Tracking System
Set up a system to track key distribution:
Create a tracking spreadsheet:
| User | Email/UPN | Primary Key S/N | Primary Issue Date | Backup Key S/N | Backup Location | Registered? |
|---|---|---|---|---|---|---|
| John Doe | john.admin@company.com | YK-12345 | 2025-01-07 | YK-12346 | IT Safe A | Yes |
| Jane Smith | jane.admin@company.com | YK-12347 | 2025-01-07 | YK-12348 | IT Safe B | Yes |
Security considerations:
- Store backup keys in a secure location (safe, locked cabinet)
- Consider storing backups in a different location than primary keys
- Implement sign-out sheet for backup key access
- Document serial numbers for all keys
Step 5: Prepare User Communication
Send this communication before key distribution:
Subject: Your New Security Key - Action Required
You have been selected to receive a hardware security key as part of our enhanced security program. This key will be your primary method of authentication for administrative access.
What Is a Security Key? A small USB device that proves your identity when you sign in. It's more secure than passwords or phone-based authentication because it cannot be phished or intercepted.
What You'll Receive:
- One primary security key (keep with you)
- One backup key (stored securely by IT)
What You Need to Do:
- Attend the distribution session on [date/time] at [location] OR Pick up your key from [person/location]
- Register your key following the provided instructions
- Test signing in with your new key
Timeline:
- Key distribution: [date]
- Registration deadline: [date]
- Enforcement begins: [date]
Questions? Contact IT Security at [email]
Step 6: Distribute Primary Keys
In-person distribution (recommended for accountability):
- Verify user identity before handing over key
- Have user sign for receipt of key
- Record serial number and issue date
- Provide quick-start card with registration instructions
- Offer to assist with immediate registration
Remote distribution:
- Ship keys via tracked, signature-required delivery
- Use tamper-evident packaging
- Include registration instructions
- Follow up to confirm receipt and registration
- Consider video call for registration assistance
Step 7: Guide Users Through Registration
Provide these step-by-step instructions:
Registering Your Security Key:
- Open a browser and go to mysignins.microsoft.com
- Sign in with your admin account (using current MFA method)
- Click Security info
- Click + Add sign-in method
- Select Security key from the dropdown
- Click Add
- Choose USB device
- Insert your security key into a USB port
- When prompted, touch the key (touch sensor or button)
- Name your key (e.g., "YubiKey Primary" or "Office Key")
- Click Done
Testing Your Key:
- Open a new private/incognito browser window
- Go to portal.azure.com
- Enter your username
- When prompted for authentication, insert your key
- Touch the key when the browser prompts
- Verify you can sign in successfully
Step 8: Store Backup Keys Securely
Register the backup key to the user's account at issuance, before it goes into storage. A stored but unregistered backup does not help once enforcement is on: registering a new method then requires an MFA sign-in the user can no longer complete without the lost primary, and IT has to fall back to a Temporary Access Pass or a policy exclusion.
Backup key storage best practices:
- Physical security:
  - Use a locked safe or security cabinet
  - Consider using sealed, tamper-evident envelopes
  - Store in a different location than primary keys
- Access control:
  - Limit access to designated personnel only
  - Maintain access log for backup key retrieval
  - Require manager approval for backup key access
- Inventory management:
  - Check inventory monthly
  - Match serial numbers to tracking spreadsheet
  - Immediately report missing keys
Backup key access procedure:
BACKUP SECURITY KEY ACCESS PROCEDURE
=====================================
1. User reports lost/damaged primary key to IT
2. IT verifies user identity and documents reason
3. Manager approves backup key release (email/ticket)
4. IT retrieves backup key from secure storage
5. IT updates tracking spreadsheet
6. User signs in with the backup key, which becomes the new primary (if the backup was never registered, IT issues a Temporary Access Pass so the user can register it); IT removes the lost key's registration from the user's authentication methods
7. IT orders replacement backup key
8. When replacement arrives, store as new backup
Step 9: Enforce and Monitor
Enable enforcement:
After all users have registered keys:
- Go to Protection > Conditional Access > Policies
- Open your phishing-resistant MFA policy (see PA-05)
- Change from Report-only to On
- Click Save
Monitor key usage:
- Go to Monitoring & health > Sign-in logs
- Filter by Authentication method: FIDO2 security key
- Review for:
- Users not using their keys
- Failed authentication attempts
- Unusual sign-in patterns
Step 10: Establish Ongoing Management
Regular tasks:
| Task | Frequency | Owner |
|---|---|---|
| Audit key inventory | Monthly | IT Security |
| Review sign-in logs for FIDO2 usage | Weekly | IT Security |
| Check for unregistered users | Monthly | IT Admin |
| Order replacement keys | As needed | IT Admin |
| Update tracking spreadsheet | Ongoing | IT Admin |
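The "check for unregistered users" task above, and the post-registration check in Step 7, can be done from Microsoft Graph instead of by hand. The script below is an added example, not code from the original guide: it enumerates users holding privileged roles (active assignments and PIM-eligible assignments), lists each user's registered FIDO2 keys with model and AAGUID, and flags anyone with no key or with only one key registered (it assumes the backup was registered before storage, as Step 8 recommends). It requires the Microsoft.Graph PowerShell SDK. The two role template IDs are Microsoft's well-known IDs for Global Administrator and Privileged Role Administrator; extend the list with the other roles you treat as privileged. `$approvedAaguids` is an assumed placeholder to fill from the vendor's published AAGUID list; while empty, models are reported but not flagged.

```powershell
# Added example (not from the original guide): audit FIDO2 key registration for
# privileged users via Microsoft Graph. Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","UserAuthenticationMethod.Read.All","User.Read.All" -NoWelcome

# Well-known Entra role template IDs; add the others you treat as privileged.
$privilegedRoleIds = @(
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814"   # Privileged Role Administrator
)

# Approved key models by AAGUID (assumption: fill in from your vendor's documentation).
# An empty list means "report models only, do not flag them".
$approvedAaguids = @()

# Principals from active assignments plus PIM-eligible assignments, de-duplicated.
$principalIds = foreach ($roleId in $privilegedRoleIds) {
    (Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'" -All).PrincipalId
    (Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "roleDefinitionId eq '$roleId'" -All).PrincipalId
}
$principalIds = $principalIds | Where-Object { $_ } | Sort-Object -Unique

$report = foreach ($id in $principalIds) {
    # Group-assigned roles yield a group ID; Get-MgUser fails on those, so skip non-users.
    $user = Get-MgUser -UserId $id -Property Id,UserPrincipalName,AccountEnabled -ErrorAction SilentlyContinue
    if (-not $user) { continue }

    $keys = @(Get-MgUserAuthenticationFido2Method -UserId $user.Id)
    $unapproved = if ($approvedAaguids.Count -gt 0) {
        @($keys | Where-Object { $_.AaGuid -notin $approvedAaguids })
    } else { @() }

    [pscustomobject]@{
        User           = $user.UserPrincipalName
        Enabled        = $user.AccountEnabled
        KeysRegistered = $keys.Count
        Models         = ($keys | ForEach-Object { "{0} [{1}]" -f $_.Model, $_.AaGuid }) -join "; "
        HasPrimary     = $keys.Count -ge 1
        HasBackup      = $keys.Count -ge 2   # backup registered before it went into the safe
        Unapproved     = $unapproved.Count
    }
}

$report | Sort-Object HasPrimary, HasBackup | Format-Table -AutoSize

# Rows the monthly audit acts on: no key, only one key, or a key model outside the allow-list.
$report | Where-Object { -not $_.HasBackup -or $_.Unapproved -gt 0 } |
    Select-Object User, KeysRegistered, Unapproved, Models
```

Reconcile the `Models` column against the serial-number spreadsheet from Step 4: a key registered on an account that the spreadsheet does not list for that user is the finding to chase first.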
Key lifecycle management:
| Event | Action |
|---|---|
| New privileged user | Issue primary + backup key, track registration |
| Lost primary key | Issue backup, order replacement backup, remove the lost key's registration from the user's authentication methods in Entra so it can no longer be used |
| Damaged key | Issue replacement, remove the damaged key's registration |
| Employee departure | Remove key registrations, disable the account, collect both keys; factory-reset a key with the vendor's management tool (clears credentials and PIN) before returning it to inventory, or destroy it |
| Key replacement (proactive) | Every 3-5 years or per vendor recommendation |
Verification Checklist
- FIDO2 authentication method enabled in Entra ID
- Security keys procured (primary + backup for each user)
- Tracking spreadsheet created with serial numbers
- User communication sent with registration instructions
- All primary keys distributed and tracked
- All users have registered their primary key
- Backup keys stored securely with access controls
- Conditional Access policy enforcing phishing-resistant MFA
- Sign-in monitoring configured
- Lost/damaged key procedure documented
- Regular audit schedule established
Troubleshooting
"Key not recognized when inserted"
- Try a different USB port (preferably directly on device, not hub)
- Check browser compatibility (Chrome, Edge, Firefox support WebAuthn)
- Ensure the key is inserted fully
- Try on a different device to isolate the issue
- If key is defective, replace and track for warranty claim
"Touch not detected on key"
- Ensure user is touching the correct part of the key
- YubiKey: Touch the gold/metal disk area
- Some keys have a button instead of touch sensor
- Touch may need to be held for 1-2 seconds
- Some USB hubs may interfere - try direct connection
"Registration fails with an error"
Common errors and solutions:
| Error | Cause | Solution |
|---|---|---|
| "This security key doesn't meet requirements" | Key supports only U2F (CTAP1) or cannot do user verification | Use a FIDO2 (CTAP2) key and set a PIN on it when prompted; Entra requires a PIN or biometric |
| "Another user has already registered this key" | Key previously registered | Remove from other account or use different key |
| "Request timed out" | Key not touched in time | Retry, touch key promptly when prompted |
| "Key attestation failed" | Attestation enforcement is on and the key's attestation could not be verified | Confirm the model is on Microsoft's FIDO2 compatibility list and its firmware is current; only disable attestation enforcement if your policy permits it |
"User locked out - lost both keys"
- Verify user identity through secondary channel (in-person, video call)
- Issue a Temporary Access Pass (Protection > Authentication methods > Temporary Access Pass must be enabled) so the user can register new keys without another MFA method; if TAP is not enabled, temporarily exclude the user from the enforcement policy instead
- Remove the lost keys' registrations from the user's authentication methods
- Issue new keys from spare inventory
- User registers new keys
- Remove the policy exclusion (if one was used) and confirm the TAP has expired
- Order replacement spares
- Document incident
"User says key is slow to respond"
- NFC keys may have slight delay - this is normal
- Ensure key firmware is current (some vendors offer updates)
- Try USB connection instead of NFC
- Check for USB power issues (try different port)
Cost Considerations
Initial Investment
| Component | Unit Cost | Quantity | Total |
|---|---|---|---|
| YubiKey 5 NFC (primary) | $50 | [users] | [users x $50] |
| YubiKey 5 NFC (backup) | $50 | [users] | [users x $50] |
| Spare inventory (15%) | $50 | [users x 0.15] | [users x $7.50] |
| Shipping | ~$5/order | - | ~$20-50 |
| Total per user (excluding shipping) | ~$107.50 | | |
Example Budget (20 Privileged Users)
| Item | Cost |
|---|---|
| Primary keys (20 x $50) | $1,000 |
| Backup keys (20 x $50) | $1,000 |
| Spares (3 x $50) | $150 |
| Shipping | $30 |
| Total | $2,180 |
Ongoing Costs
| Item | Annual Estimate |
|---|---|
| Replacement keys (10% loss/damage) | [users x 0.1 x $50] |
| New hires | [new users x $100] |
| Administrative time | [hours x hourly rate] |
ROI Considerations
While security keys have upfront costs, consider:
- Cost of a privileged account compromise (for scale: $4.35M was the IBM Cost of a Data Breach Report 2022 global average across all breaches, not a figure specific to privileged-account compromise)
- Reduced helpdesk costs (no password reset for key users)
- Improved productivity (faster sign-in than OTP codes)
- Compliance benefits (meets highest MFA requirements)
Related Controls
- PA-05: Require Phishing-Resistant MFA for Admins - Conditional Access policy to enforce key usage
- PA-03: Configure Emergency Access Accounts - FIDO2 keys for break-glass accounts
- PA-04: Require PIM for All Privileged Roles - Combine with PIM for comprehensive protection