Evaluating the FEITIAN FIDO2 Security Key

I just received an ePass FIDO2 U2F USB-C + NFC (K40) security key from FEITIAN Technologies Co., Ltd. The key retails for $27.50 and can be purchased on the FEITIAN website (here).

I unboxed it and plugged it in, and enrolled it with Microsoft 365 within seconds (https://mysignins.microsoft.com/security-info)!

[Image: front and back of the packaging]

Scanning the QR code on the back of the package brings you to the user manual (here).

[Image: the user manual]

What is FIDO2?

FIDO2 is the latest generation of the FIDO standards and the successor to the U2F protocol. U2F (“Universal 2nd Factor”) is an open authentication standard that lets Internet users securely access any number of online services with one single security key, instantly and with no drivers or client software needed. FIDO stands for “Fast Identity Online”; the FIDO Alliance is an open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords.

The FIDO Alliance decided to partner with the World Wide Web Consortium (W3C) to standardize FIDO Authentication for the entire web platform. They then worked within the W3C to finalize the API, which became known as Web Authentication, or WebAuthn. WebAuthn was officially recognized as a W3C web standard in March 2019. Today, WebAuthn is part of the FIDO Alliance’s FIDO2 specifications.

Why FIDO2?

Windows Hello for Business (WH4B) is natively built into Windows and is already FIDO2 Certified, but there is one big reason to consider a physical FIDO2 security key instead of WH4B: FIDO2 security keys can be used as a passwordless sign-in option on shared workstations, whereas WH4B is limited to a single user per workstation.

Both WH4B and FIDO2 security keys include URL binding, which provides phishing-resistant authentication: the credential is cryptographically tied to the website that registered it. In other words, if your users receive a phishing email and click a link that leads to an attacker-in-the-middle site, they are protected because the key will not authenticate there; the cryptographic match only occurs against the original website that registered the key.
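To make the URL-binding point concrete, here is an added example (not code from the post, FEITIAN or Microsoft) of the checks a website's server performs on a WebAuthn sign-in assertion. The browser writes the page origin into clientDataJSON, and the key prefixes its signed authenticatorData with the SHA-256 hash of the relying party ID the browser passed in; a look-alike phishing page can only produce an assertion carrying its own origin and RP ID, so the server rejects it before any signature is even checked. The hostnames, challenge bytes and assertion contents below are constructed for the example; a real deployment would also verify the signature over authenticatorData and the clientDataJSON hash.

```python
import base64
import hashlib
import json
from typing import Tuple

# Constructed sample values (not from the post): the site that registered the
# key, and the origin the server expects assertions to come from.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(data: str) -> bytes:
    """Decode base64url as used in WebAuthn, tolerating stripped padding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Build the two pieces of a WebAuthn assertion the way a browser and an
    authenticator would. clientDataJSON is written by the browser and records the
    page origin; authenticatorData is written by the key and starts with
    SHA-256(rpId). Constructed for the example; no signature is included."""
    client_data = {
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x05"                      # UP (user present) + UV (user verified)
    sign_count = (1).to_bytes(4, "big")  # signature counter, big-endian
    authenticator_data = rp_id_hash + flags + sign_count
    return {"clientDataJSON": client_data_json, "authenticatorData": authenticator_data}


def verify_binding(assertion: dict, expected_origin: str, rp_id: str,
                   challenge: bytes) -> Tuple[bool, str]:
    """Relying-party checks from the WebAuthn assertion verification procedure that
    implement URL binding. Returns (ok, reason) so callers can log why a sign-in
    was refused. Signature verification would follow these checks."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # The challenge the server issued must come back unchanged (anti-replay).
    if b64url_decode(client_data.get("challenge", "")) != challenge:
        return False, "challenge mismatch (possible replay)"
    # The browser-recorded origin must be the site that registered the key.
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: %r" % client_data.get("origin")
    auth_data = assertion["authenticatorData"]
    # The key signed over SHA-256 of the RP ID it was asked for; it must be ours.
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: key answered for a different RP ID"
    # Bit 0 of the flags byte is UP: the user touched the key for this assertion.
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = hashlib.sha256(b"constructed server challenge").digest()
    genuine = make_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    print("genuine site:", verify_binding(genuine, EXPECTED_ORIGIN, RP_ID, challenge))
    # A look-alike phishing domain can only ask the browser for its own origin/RP ID.
    phish = make_assertion("https://login-example.com", "login-example.com", challenge)
    print("phishing site:", verify_binding(phish, EXPECTED_ORIGIN, RP_ID, challenge))
```

The phishing case fails on the origin check first; even if a proxying site could somehow forward an identical origin string, the authenticator would still have hashed the RP ID the browser derived from the phishing page, so the rpIdHash check fails independently. Both checks are cheap string and hash comparisons, which is what makes the phishing resistance free for the user.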

What about the Mobile Experience?

The Microsoft Authenticator app and certificate-based authentication are currently the only passwordless options available when performing local authentication on an iOS or Android device to access a Microsoft 365 application. You can still use FIDO2 security keys with mobile devices to access supported websites other than Microsoft 365.

Although FIDO2 security keys are offered with NFC or Lightning connectors, Microsoft does not (yet!) support physical security keys on iOS or Android for accessing Microsoft Entra ID (Azure AD) or Microsoft 365 applications.

[Image: Microsoft's FIDO2 compatibility table of supported browsers and operating systems]

Reference: https://learn.microsoft.com/en-us/azure/active-directory/authentication/fido2-compatibility#supported-browsers

Who is FEITIAN?

Established in 1998, FEITIAN Technologies is a leading global provider of cyber security products and solutions. FEITIAN headquarters are located in Beijing, China:

Tower B, Huizhi Mansion,
No.9 Xueqing Road, Haidian District,
100085 Beijing, China

Their customers include Google, Symantec, J.P. Morgan, Toyota, Nintendo, NEC, Adidas, Toshiba, Hitachi, Yamaha, Audi, Fujitsu and more than 200 banks and 6,000 customers in 100 countries (Reference here).

FEITIAN joined the FIDO2 board of directors on August 26, 2016.

Where can I use a FIDO2 Key?

You can use a FIDO2 key to unlock a Windows 10 or Windows 11 workstation instead of using a username and password; both Azure AD join and traditional domain join are supported. You can also use a FIDO2 key to sign in to websites such as Microsoft 365, Google, Facebook, Twitter, GitHub, LastPass, Okta, Coinbase, and other supported websites (see here for more).

Who does FEITIAN Compete with?

FEITIAN has multiple product lines across PKI, OTP, smart cards, smart card readers and display cards. FEITIAN is likely number one in China, whereas it faces competition from Yubico in the United States and Token2 in Europe. Other noteworthy competitors are Thales and HID. There are about 24 FIDO2 manufacturers in total that Microsoft supports (see full list here).

Out of the 24, FEITIAN is the only one that supports all five modalities: Biometric, USB, NFC, BLE and FIPS. For comparison, Yubico does not support Bluetooth Low Energy (BLE). As shown in the table above, BLE support is currently limited to the Windows operating system when authenticating to Azure AD or Microsoft Accounts.

The key I was evaluating did not support BLE, but I read the manual (here) and it looked pretty straightforward to set it up on Windows.


What if I forget my PIN?

For Windows 10 version 1903 and later, PIN management is built into Windows (follow FEITIAN’s instructions here). For older Windows builds you can download “BioPass FIDO2 Manager” from the built-in Windows app store or from the website https://ftsafe.com/support/resources. For macOS and Linux, you can download their PIN management software from the same website.
