Windows Hello biometric MFA - your account is not validated #223
-
Hi, I have set up adfsmfa with my AD FS server hosted in a VM; currently using TOTP and Biometrics as the MFA providers. From the host machine, using the IdP-initiated SSO URL, I am trying to log in and register the biometric device through a web browser. For Windows Hello based authentication over a web browser, is it required that the host also be part of the domain?
Replies: 3 comments
-
Hi,
No, it is not required that the machine is joined to the domain (only in the case of Windows Hello for Business, but then there is no need for adfsmfa). For example, you can register your Android or Apple phone or your personal tablet in addition to any PC (Windows, Linux); it is the WebAuthN protocol, which is quite open.
I think it's more about the biometrics settings that are not updated according to your needs. In Configuration / Security / Biometrics you can test these parameters; they have the advantage of working in the majority of cases with high security options.
In the biometric Provider configuration, don't forget to change the default entries (e.g. contoso.com).
Never forget to check the logs in the Event Viewer; there can and should be information there that can help you.
Let us know.
Regards
-
Thanks for replying. I have identical configurations for the mentioned parameters. The device I'm using is FIDO-UAF certified. Should I be using a FIDO2/U2F device as a security key? In Event Viewer, I was not able to find any logs from adfsmfa specifically. The AD FS logs did not provide any relevant information.
-
Hi,
Yes, the fact that your device is compatible with FIDO-UAF and not with FIDO2-U2F is certainly the problem.
However, if you disable extensions (exts) and user verification (uvn), which lowers the level of security, this may pass.
The list of supported devices is obtained by ADFSMFA from the fido alliance: https://mds.fidoalliance.org.
You can confirm your tests on
https://webauthntest.azurewebsites.net/login.html
https://www.passwordless.dev
Regards