PA-06: Require FIDO2 Security Keys for Administrators

Overview

This guide walks you through the end-to-end process of selecting, procuring, distributing, and managing FIDO2 hardware security keys for administrative users. Hardware security keys provide the strongest form of phishing-resistant authentication available and are required for all users with privileged roles at this baseline level.

Control ID: PA-06
Category: Privileged Access
Baseline Level: Level 3 (Maximum Security)
Severity: Critical
License Required: Microsoft Entra ID P2

Why This Matters: Hardware security keys provide the highest authentication assurance. Unlike software-based MFA, keys cannot be phished, cloned, or remotely compromised. Level 3 mandates this protection for all admin access. For privileged accounts that can cause significant damage if compromised, this level of protection is essential.

Prerequisites

Requirement      | Details
-----------------|-----------------------------------------------------------------------
Role Required    | IT Administrator with purchasing authority, or Security Administrator
License Required | Microsoft Entra ID P2 (required for this Level 3 control; also covers PIM activation requirements and Conditional Access)
Budget           | Approximately $50-150 per privileged user (2 keys each)
Access           | Microsoft Entra admin center for configuration

Time Estimate

Full implementation: 2-4 weeks depending on procurement timelines

  • Vendor selection and procurement: 1-2 weeks
  • Configuration and pilot: 2-3 days
  • User provisioning (per user): 15-30 minutes
  • Documentation: 2-3 hours

Understanding FIDO2 Security Keys

Key Types and Form Factors

Form Factor       | Pros                        | Cons                               | Best For
------------------|-----------------------------|------------------------------------|-----------------------
USB-A             | Universal compatibility     | Requires adapter for USB-C devices | Desktop users
USB-C             | Modern device compatibility | Not compatible with older devices  | Laptop users, mobile
NFC               | Works with phones           | Slower, requires tap               | Mobile-first users
USB-A + NFC combo | Maximum flexibility         | Larger, more expensive             | Most privileged users

Recommended Vendors

Vendor  | Models             | Price Range | Notes
--------|--------------------|-------------|------------------------------
Yubico  | YubiKey 5 Series   | $50-75      | Industry leader, durable
Feitian | ePass FIDO2        | $20-40      | Budget-friendly, certified
Google  | Titan Security Key | $30-35      | Good value, Google ecosystem
Token2  | T2F2 Series        | $15-30      | Budget option
Thales  | SafeNet eToken     | $50-100     | Enterprise features

Recommendation: For most organizations, the YubiKey 5 NFC ($50-55) or YubiKey 5C NFC ($55-60) provides the best balance of security, compatibility, and durability.

Step-by-Step Instructions

Step 1: Determine Requirements

Answer these questions to guide your selection:

Question                                 | Your Answer | Impact
-----------------------------------------|-------------|--------------------------
How many privileged users need keys?     | ___         | Quantity calculation
What devices do they use? (USB-A/C/both) | ___         | Form factor selection
Do they use mobile devices for admin?    | ___         | NFC requirement
Government/compliance requirements?      | ___         | FIPS certification needs
Budget per user?                         | $___        | Vendor selection

Quantity calculation:

  • Primary key: 1 per user
  • Backup key: 1 per user (stored separately)
  • Spares for replacements: 10-20% of user count
  • Total = (Users x 2) + Spares

Step 2: Select and Procure Keys

For most organizations, we recommend:

User Type      | Primary Key    | Backup Key     | Total per User
---------------|----------------|----------------|------------------
Desktop admins | YubiKey 5 NFC  | YubiKey 5 NFC  | 2 x $50 = $100
Mobile-first   | YubiKey 5C NFC | YubiKey 5C NFC | 2 x $55 = $110
Mixed devices  | YubiKey 5C NFC | YubiKey 5 NFC  | $50 + $55 = $105

Procurement options:

  1. Direct from vendor:
    • Yubico: store.yubico.com (volume discounts available)
    • Feitian: ftsafe.com
  2. Resellers:
    • CDW, SHI, Insight (often faster, may have existing contracts)
    • Amazon Business (convenient, verify authenticity)
  3. Enterprise purchasing:
    • Contact vendor sales for volume pricing (usually 50+ units)
    • Request sealed, tamper-evident packaging
    • Consider managed service options

Order lead time: Plan for 1-2 weeks for standard orders, longer for large quantities.

Step 3: Prepare the Entra ID Environment

Before distributing keys, ensure Entra ID is configured:

  1. Navigate to entra.microsoft.com
  2. Go to Protection > Authentication methods > Policies
  3. Click FIDO2 security key
  4. Verify settings:

     Setting                   | Recommended Value
     --------------------------|----------------------------------------
     Enable                    | Yes
     Target                    | All users (or select privileged users)
     Allow self-service set up | Yes
     Enforce attestation       | No (unless required by policy)
     Enforce key restrictions  | No (unless blocking specific vendors)

  5. Click Save
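As an added check (example code, not from this guide or from Microsoft), the following Python evaluates the FIDO2 configuration document that Microsoft Graph returns for this policy against the recommended values above and reports any drift; the sample configuration document and the group ID used in the test are constructed.

```python
# Added example, not from the original guide: evaluate the FIDO2 authentication
# method configuration that Microsoft Graph returns from
# GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2
# against the Step 3 table. Sample document constructed; property names follow
# the Graph fido2AuthenticationMethodConfiguration resource.
RECOMMENDED = {
    "state": "enabled",                        # Enable: Yes
    "isSelfServiceRegistrationEnabled": True,  # Allow self-service set up: Yes
    "isAttestationEnforced": False,            # Enforce attestation: No
}

# Constructed sample: a tenant that has not yet been configured.
SAMPLE_CONFIG = {
    "id": "Fido2",
    "state": "disabled",
    "isSelfServiceRegistrationEnabled": False,
    "isAttestationEnforced": True,
    "keyRestrictions": {"isEnforced": False, "enforcementType": "block", "aaGuids": []},
    "includeTargets": [],
}

def check_fido2_config(config, privileged_group_ids=()):
    """Return a list of findings; an empty list means the config matches Step 3."""
    findings = []
    for key, want in RECOMMENDED.items():
        got = config.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    # Target: "all_users" covers everyone; otherwise every privileged group must be listed.
    included = {t.get("id") for t in config.get("includeTargets", [])
                if t.get("targetType") == "group"}
    if "all_users" not in included and (
            not privileged_group_ids or set(privileged_group_ids) - included):
        findings.append("includeTargets: privileged users are not targeted")
    # Restrictions are fine when not enforced; an enforced allow-list with no
    # AAGUIDs would block every key, so flag that edge case.
    kr = config.get("keyRestrictions") or {}
    if kr.get("isEnforced") and kr.get("enforcementType") == "allow" and not kr.get("aaGuids"):
        findings.append("keyRestrictions: allow-list enforced with no AAGUIDs")
    return findings

def remediated(config, privileged_group_ids=()):
    """Return a copy of config adjusted to the Step 3 recommended values."""
    fixed = dict(config)
    fixed.update(RECOMMENDED)
    fixed["includeTargets"] = [{"targetType": "group", "id": g, "isRegistrationRequired": False}
                               for g in (list(privileged_group_ids) or ["all_users"])]
    return fixed
```

The output of remediated() is the document you would PATCH back to the same Graph endpoint after reviewing the findings.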

Step 4: Create Distribution and Tracking System

Set up a system to track key distribution:

Create a tracking spreadsheet:

User       | Email                  | Primary Key S/N | Primary Issue Date | Backup Key S/N | Backup Location | Registered?
-----------|------------------------|-----------------|--------------------|----------------|-----------------|------------
John Doe   | john.admin@company.com | YK-12345        | 2025-01-07         | YK-12346       | IT Safe A       | Yes
Jane Smith | jane.admin@company.com | YK-12347        | 2025-01-07         | YK-12348       | IT Safe B       | Yes

Security considerations:

  • Store backup keys in a secure location (safe, locked cabinet)
  • Consider storing backups in a different location than primary keys
  • Implement sign-out sheet for backup key access
  • Document serial numbers for all keys

Step 5: Prepare User Communication

Send this communication before key distribution:

Subject: Your New Security Key - Action Required

You have been selected to receive a hardware security key as part of our enhanced security program. This key will be your primary method of authentication for administrative access.

What Is a Security Key? A small USB device that proves your identity when you sign in. It's more secure than passwords or phone-based authentication because it cannot be phished or intercepted.

What You'll Receive:

  • One primary security key (keep with you)
  • One backup key (stored securely by IT)

What You Need to Do:

  1. Attend the distribution session on [date/time] at [location] OR Pick up your key from [person/location]
  2. Register your key following the provided instructions
  3. Test signing in with your new key

Timeline:

  • Key distribution: [date]
  • Registration deadline: [date]
  • Enforcement begins: [date]

Questions? Contact IT Security at [email]

Step 6: Distribute Primary Keys

In-person distribution (recommended for accountability):

  1. Verify user identity before handing over key
  2. Have user sign for receipt of key
  3. Record serial number and issue date
  4. Provide quick-start card with registration instructions
  5. Offer to assist with immediate registration

Remote distribution:

  1. Ship keys via tracked, signature-required delivery
  2. Use tamper-evident packaging
  3. Include registration instructions
  4. Follow up to confirm receipt and registration
  5. Consider video call for registration assistance

Step 7: Guide Users Through Registration

Provide these step-by-step instructions:

Registering Your Security Key:

  1. Open a browser and go to mysignins.microsoft.com
  2. Sign in with your admin account (using current MFA method)
  3. Click Security info
  4. Click + Add sign-in method
  5. Select Security key from the dropdown
  6. Click Add
  7. Choose USB device
  8. Insert your security key into a USB port
  9. When prompted, touch the key (touch sensor or button)
  10. Name your key (e.g., "YubiKey Primary" or "Office Key")
  11. Click Done

Testing Your Key:

  1. Open a new private/incognito browser window
  2. Go to portal.azure.com
  3. Enter your username
  4. When prompted for authentication, insert your key
  5. Touch the key when the browser prompts
  6. Verify you can sign in successfully

Step 8: Store Backup Keys Securely

Backup key storage best practices:

  1. Physical security:
    • Use a locked safe or security cabinet
    • Consider using sealed, tamper-evident envelopes
    • Store in a different location than primary keys
  2. Access control:
    • Limit access to designated personnel only
    • Maintain access log for backup key retrieval
    • Require manager approval for backup key access
  3. Inventory management:
    • Check inventory monthly
    • Match serial numbers to tracking spreadsheet
    • Immediately report missing keys

Backup key access procedure:

BACKUP SECURITY KEY ACCESS PROCEDURE
=====================================
1. User reports lost/damaged primary key to IT
2. IT verifies user identity and documents reason
3. Manager approves backup key release (email/ticket)
4. IT retrieves backup key from secure storage
5. IT updates tracking spreadsheet
6. User registers backup key as new primary
7. IT orders replacement backup key
8. When replacement arrives, store as new backup

Step 9: Enforce and Monitor

Enable enforcement:

After all users have registered keys:

  1. Go to Protection > Conditional Access > Policies
  2. Open your phishing-resistant MFA policy (see PA-05)
  3. Change from Report-only to On
  4. Click Save

Monitor key usage:

  1. Go to Monitoring & health > Sign-in logs
  2. Filter by Authentication method: FIDO2 security key
  3. Review for:
    • Users not using their keys
    • Failed authentication attempts
    • Unusual sign-in patterns
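As an added example (not part of the original guide), the following Python performs the first two review items above over exported sign-in records: it lists privileged users who have not signed in with a FIDO2 key during the review window and collects failed FIDO2 attempts. Records follow the shape of Microsoft Graph signIn objects; the user list and the sample records are constructed.

```python
# Added example, not from the original guide: review exported Entra sign-in
# records for two of the Step 9 review items: privileged users who have not
# signed in with a FIDO2 key during the review window, and failed FIDO2
# attempts. Records follow the shape of Microsoft Graph signIn objects
# (userPrincipalName, createdDateTime, status.errorCode, authenticationDetails);
# the user list and records below are constructed for illustration.
from datetime import datetime, timedelta

FIDO2 = "FIDO2 security key"  # method label used by the Sign-in logs filter

# Constructed: privileged users from the Step 4 tracking spreadsheet.
PRIVILEGED_USERS = ["john.admin@company.com", "jane.admin@company.com",
                    "sam.admin@company.com"]
# Constructed sample records (subset of Graph signIn fields; 500121 is a
# sample non-zero error code, i.e. the sign-in failed).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "john.admin@company.com", "createdDateTime": "2025-01-08T09:00:00Z",
     "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": FIDO2, "succeeded": True}]},
    {"userPrincipalName": "jane.admin@company.com", "createdDateTime": "2025-01-08T10:00:00Z",
     "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True},
                               {"authenticationMethod": "Mobile app notification", "succeeded": True}]},
    {"userPrincipalName": "jane.admin@company.com", "createdDateTime": "2025-01-08T10:05:00Z",
     "status": {"errorCode": 500121},
     "authenticationDetails": [{"authenticationMethod": FIDO2, "succeeded": False}]},
]

def parse_time(value):
    """Parse the Graph timestamp format (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_fido2_usage(signins, privileged_users, now, window_days=7):
    """Return (privileged users with no successful FIDO2 sign-in, failed FIDO2 attempts)."""
    cutoff = now - timedelta(days=window_days)
    used_key, failures = set(), []
    for rec in signins:
        if parse_time(rec["createdDateTime"]) < cutoff:
            continue
        upn = rec["userPrincipalName"].lower()
        fido2_steps = [d for d in rec.get("authenticationDetails", [])
                       if d.get("authenticationMethod") == FIDO2]
        if rec["status"]["errorCode"] == 0 and any(d.get("succeeded") for d in fido2_steps):
            used_key.add(upn)
        elif fido2_steps:  # key was presented but the step or the sign-in failed
            failures.append((upn, rec["createdDateTime"], rec["status"]["errorCode"]))
    missing = sorted(u.lower() for u in privileged_users if u.lower() not in used_key)
    return missing, failures
```

A user who appears in the missing list while still signing in with password plus phone-based MFA (jane.admin in the sample) is the case to follow up before enforcement is switched on.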

Step 10: Establish Ongoing Management

Regular tasks:

Task                                | Frequency | Owner
------------------------------------|-----------|------------
Audit key inventory                 | Monthly   | IT Security
Review sign-in logs for FIDO2 usage | Weekly    | IT Security
Check for unregistered users        | Monthly   | IT Admin
Order replacement keys              | As needed | IT Admin
Update tracking spreadsheet         | Ongoing   | IT Admin

Key lifecycle management:

Event                       | Action
----------------------------|---------------------------------------------------------
New privileged user         | Issue primary + backup key, track registration
Lost primary key            | Issue backup, order replacement backup, revoke lost key
Damaged key                 | Issue replacement, revoke damaged key
Employee departure          | Revoke all keys, return to inventory or destroy
Key replacement (proactive) | Every 3-5 years or per vendor recommendation

Verification Checklist

  • FIDO2 authentication method enabled in Entra ID
  • Security keys procured (primary + backup for each user)
  • Tracking spreadsheet created with serial numbers
  • User communication sent with registration instructions
  • All primary keys distributed and tracked
  • All users have registered their primary key
  • Backup keys stored securely with access controls
  • Conditional Access policy enforcing phishing-resistant MFA
  • Sign-in monitoring configured
  • Lost/damaged key procedure documented
  • Regular audit schedule established

Troubleshooting

"Key not recognized when inserted"

  1. Try a different USB port (preferably directly on device, not hub)
  2. Check browser compatibility (Chrome, Edge, Firefox support WebAuthn)
  3. Ensure the key is inserted fully
  4. Try on a different device to isolate the issue
  5. If key is defective, replace and track for warranty claim

"Touch not detected on key"

  1. Ensure user is touching the correct part of the key
    • YubiKey: Touch the gold/metal disk area
    • Some keys have a button instead of touch sensor
  2. Touch may need to be held for 1-2 seconds
  3. Some USB hubs may interfere - try direct connection

"Registration fails with an error"

Common errors and solutions:

Error                                          | Cause                            | Solution
-----------------------------------------------|----------------------------------|-----------------------------------------------
"This security key doesn't meet requirements"  | Key not FIDO2 certified          | Verify key is FIDO2 (not U2F only)
"Another user has already registered this key" | Key previously registered        | Remove from other account or use different key
"Request timed out"                            | Key not touched in time          | Retry, touch key promptly when prompted
"Key attestation failed"                       | Attestation enforcement blocking | Disable attestation enforcement in policy

"User locked out - lost both keys"

  1. Verify user identity through secondary channel (in-person, video call)
  2. Temporarily exclude user from enforcement policy
  3. Issue new keys from spare inventory
  4. User registers new keys
  5. Re-enable policy enforcement
  6. Order replacement spares
  7. Document incident

"User says key is slow to respond"

  1. NFC keys may have slight delay - this is normal
  2. Ensure key firmware is current (some vendors offer updates)
  3. Try USB connection instead of NFC
  4. Check for USB power issues (try different port)

Cost Considerations

Initial Investment

Component               | Unit Cost | Quantity       | Total
------------------------|-----------|----------------|----------------
YubiKey 5 NFC (primary) | $50       | [users]        | [users x $50]
YubiKey 5 NFC (backup)  | $50       | [users]        | [users x $50]
Spare inventory (15%)   | $50       | [users x 0.15] | [users x $7.50]
Shipping                | ~$5/order | -              | ~$20-50
Total per user          |           |                | ~$107.50

Example Budget (20 Privileged Users)

Item                    | Cost
------------------------|-------
Primary keys (20 x $50) | $1,000
Backup keys (20 x $50)  | $1,000
Spares (3 x $50)        | $150
Shipping                | $30
Total                   | $2,180

Ongoing Costs

Item                               | Annual Estimate
-----------------------------------|-------------------------
Replacement keys (10% loss/damage) | [users x 0.1 x $50]
New hires                          | [new users x $100]
Administrative time                | [hours x hourly rate]

ROI Considerations

While security keys have upfront costs, consider:

  • Cost of a privileged account compromise (average: $4.35M per breach)
  • Reduced helpdesk costs (no password reset for key users)
  • Improved productivity (faster sign-in than OTP codes)
  • Compliance benefits (meets highest MFA requirements)

Related Controls

Additional Resources