does not register to Azure AD

I was preparing a video about non-phishable authentication methods and I wanted to register my ATKey.Pro FIDO key (type C) to my authentication methods.

At the end of my registration flow I was confronted with this pop-up.

We detected that this particular key type has been blocked by your organization.

Azure AD audit logs

The error message indicates that more info can be found in Azure AD, based on the correlation ID. Sadly enough, the logs only contain a confirmation that my registration failed, with no specific reason why.

FIDO2 security key settings

In Azure AD you are able to set FIDO2 key restrictions. That way you are able to block certain brands or models of FIDO2 keys in your organization. But on my tenant, and on those of others, this setting was not configured.

Setting the attestation requirement to No also made no difference.
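To make the two checks above reproducible, here is an added example (not code from the original post or from AuthenTrend/Microsoft) that evaluates a tenant's FIDO2 key-restriction policy against a key's AAGUID and pulls the registration audit entries for one correlation ID. The policy shape follows the Microsoft Graph fido2AuthenticationMethodConfiguration resource (isAttestationEnforced, keyRestrictions.isEnforced, keyRestrictions.enforcementType, keyRestrictions.aaGuids); the sample policy, the AAGUID values and the audit entries are constructed placeholders, not values from this tenant or this key.

```python
"""Evaluate an Azure AD FIDO2 key-restriction policy and inspect audit entries.

Added example, not from the original post. Field names follow the Microsoft
Graph fido2AuthenticationMethodConfiguration and directoryAudit resources;
all sample values below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample of what GET /policies/authenticationMethodsPolicy/
# authenticationMethodConfigurations/fido2 returns in a tenant that
# block-lists one key model. The AAGUID is a placeholder, not a real model.
SAMPLE_POLICY = {
    "id": "Fido2",
    "state": "enabled",
    "isSelfServiceRegistrationAllowed": True,
    "isAttestationEnforced": True,
    "keyRestrictions": {
        "isEnforced": True,
        "enforcementType": "block",          # "allow" or "block"
        "aaGuids": ["00000000-0000-0000-0000-00000000b10c"],  # placeholder
    },
}


@dataclass
class Verdict:
    blocked: bool
    reason: str


def key_restriction_verdict(policy: dict, aaguid: str) -> Verdict:
    """Decide whether a key with this AAGUID is refused by the tenant's
    FIDO2 policy, and say why, so the admin does not have to guess."""
    if policy.get("state") != "enabled":
        return Verdict(True, "FIDO2 authentication method is disabled in the tenant")
    restrictions = policy.get("keyRestrictions") or {}
    if not restrictions.get("isEnforced"):
        return Verdict(False, "key restrictions are not enforced")
    # AAGUIDs are compared case-insensitively; Graph may return either case.
    listed = aaguid.lower() in {g.lower() for g in restrictions.get("aaGuids", [])}
    mode = restrictions.get("enforcementType")
    if mode == "block":
        return Verdict(listed, "AAGUID is on the block list" if listed
                       else "AAGUID is not on the block list")
    if mode == "allow":
        return Verdict(not listed, "AAGUID is on the allow list" if listed
                       else "AAGUID is not on the allow list")
    return Verdict(True, f"unknown enforcementType {mode!r}; treat as blocked")


# Constructed audit entries in the shape of Graph directoryAudit records
# (GET /auditLogs/directoryAudits?$filter=correlationId eq '...').
SAMPLE_AUDIT = [
    {"correlationId": "aaaaaaaa-1111-2222-3333-444444444444",
     "activityDisplayName": "User registered security info",
     "result": "failure", "resultReason": ""},
    {"correlationId": "bbbbbbbb-1111-2222-3333-444444444444",
     "activityDisplayName": "User registered security info",
     "result": "success", "resultReason": ""},
]


def registration_entries(audit: list, correlation_id: str) -> list:
    """Return one line per audit entry for the given correlation ID,
    making an empty resultReason explicit (the situation in the post)."""
    out = []
    for entry in audit:
        if entry.get("correlationId") != correlation_id:
            continue
        reason = entry.get("resultReason") or "(no reason recorded)"
        out.append(f"{entry['activityDisplayName']}: {entry['result']} {reason}")
    return out


if __name__ == "__main__":
    v = key_restriction_verdict(SAMPLE_POLICY, "00000000-0000-0000-0000-00000000B10C")
    print("blocked:", v.blocked, "-", v.reason)
    for line in registration_entries(SAMPLE_AUDIT, "aaaaaaaa-1111-2222-3333-444444444444"):
        print(line)
```

Run it with a real policy by replacing SAMPLE_POLICY with the JSON from the fido2 configuration endpoint and the key's AAGUID from its attestation metadata; if the verdict is "not blocked" but registration still fails, the cause lies outside the tenant's restriction policy, which is exactly the dead end described in this post.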

Have you tried resetting it?

So I did what most people would do: reset the FIDO key.

But then again no luck…

Firmware updates

So let's see if a firmware update might fix the issue.
I downloaded the "ATKey for Windows" app via the Windows Store and updated my key to the latest firmware.

My key was on version 1.00.13 and could upgrade to version 1.00.15. The upgrade process was easy and done in about 3 minutes. But this also was not the solution to my problem. My key was still refused for registration.

Reach out to AuthenTrend

I was getting desperate. I had read in a random forum post that a person in the past had to do a firmware upgrade in order to get his token to work. So I did what any person would do after all of his due diligence checks failed: send a support email to AuthenTrend.

And they replied in about 4 hours:

So according to their response there is currently a 'problem' in the latest firmware of the USB-C model.
They expect the fix for firmware 1.00.15 to be released on March 10.
MVP Peter Klapwijk did confirm that firmware 1.00.15 does fix the problem for USB-A devices.

So if you are running into this issue and you start searching on the internet, I hope you find this blog, because I just wasted 3 hours trying all sorts of things to get my key working :).
Though if Microsoft starts to block a certain model/firmware/brand of FIDO2 keys for compliance reasons, it would be nice if this were also reflected in the audit logs. A clear error log would have saved me a lot of time.
