This post is part of a series.
- Part 1 – FIDO2 and configuration
- Part 2 – Conditional Access policy to allow access only from a compliant device
- Part 3 – Passwordless SSH login in action (this post)
Finally, we can see this passwordless SSH login in action. There are two scenarios depicted below. The first is what happens when the user tries to log in from a compliant device. The second is what happens when the user tries to log in from a noncompliant device. In both scenarios the passwordless authentication itself succeeds; in the second, however, the connection to the server is blocked because the device is noncompliant.
Note: I am demonstrating this flow from devices which have Azure CLI already installed.
(1) SSH login from a compliant device
The authentication flow in the video above is the following:
- Try to ssh to the VM with “az ssh vm --ip ##.##.##.##“, which fails because I don’t have a token yet, since I haven’t authenticated.
- Type “az login” to authenticate, which triggers the new browser window to open.
- I choose my user ‘ChristieC’ and I am prompted to sign in. The default authentication method for this user is the FIDO2 security key.
- I am presented with the prompt to enter the PIN to unlock the security key (user verification) and I touch the key (user presence) to allow it to proceed.
- Now that I am authenticated, I try to ssh again with “az ssh vm --ip ##.##.##.##“, which opens a new browser window to verify the Conditional Access policy requirements, as shown in the message “Your device is required to be managed to access this resource“.
- Once my device is verified to be compliant and I accept the certificate, then I’ve successfully connected to the server.
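The steps above can be folded into a small wrapper so that the first, token-less attempt does not simply fail. The script below is an added example and is not part of the original post or of the Azure CLI itself; it assumes that the Azure CLI is on the PATH as `az` and that a failing `az account get-access-token` means no usable token is cached (the ##.##.##.## placeholder is replaced by whatever VM IP you pass as the first argument).

```shell
#!/usr/bin/env sh
# Added example (not from the original post): log in only when no token is
# cached, then open the passwordless SSH session with az ssh vm.
set -eu

# Return 0 if the Azure CLI already holds a usable access token, 1 otherwise.
# Assumption: a failing get-access-token call means we still need `az login`.
have_az_token() {
  az account get-access-token --output none >/dev/null 2>&1
}

# Ensure we are authenticated, then connect.
# $1 = public IP of the VM (the post's ##.##.##.## placeholder).
az_ssh_with_login() {
  ip="$1"
  if ! have_az_token; then
    # This is the point where the browser opens and the FIDO2 key is used
    # (PIN for user verification, touch for user presence).
    echo "No cached token; running 'az login'..." >&2
    az login --output none
  fi
  # Conditional Access is evaluated here: on a noncompliant device this step
  # is where the "device is required to be managed" message appears and the
  # connection is refused even though the FIDO2 sign-in succeeded.
  az ssh vm --ip "$ip"
}

# Usage when run as a script: ./az-ssh.sh 203.0.113.10
if [ -n "${1:-}" ]; then
  az_ssh_with_login "$1"
fi
```

Running it twice in a row shows the two states from the demo: the first run triggers `az login` and then the Conditional Access check; the second finds a cached token and goes straight to `az ssh vm`.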
(2) SSH login from a noncompliant device
But what happens if I try to log in with the same user, but from a device that is not compliant?
As you can see above, I can still authenticate using the FIDO2 security key; however, I cannot ssh to the server from the noncompliant device due to the Conditional Access policy in place. I can then choose to follow the steps to bring that device into compliance.
In summary, this demo shows a passwordless SSH login using FIDO2 security keys as well as some Conditional Access policies to check device compliance.