Security

No Changes to Entra Attestation Capable FIDO2 Keys and Happy 3K!

January 8, 2025 by ClaytonT Leave a Comment

Received confirmation from Microsoft’s website that there are no changes from last month.

Also, wanted to say thank you to all for the 3K plus downloads of this PowerShell module. I know I mentioned this before, but I never thought this would take off, but knew it would be useful for some, and just wanted to make life easier for you. If there are any other features you’d like to see, please let me know!

PowerShell Gallery: EntraFIDOFinder 0.0.14
GitHub: EntraFIDOFinder
Interactive Webpage: Interactive FIDO2 Finder
FIDO Alliance: https://fidoalliance.org

Hope you have a great day!

Dec 23, 2024 – EntraFIDOFinder v0.0.14 is Out with New Features!

December 23, 2024 by ClaytonT Leave a Comment

It’s the second to last Monday of the year, so figured I’d release a new version of the EntraFIDOFinder before the end of the year. Here are the main additions.

New Features:

Using -AllProperties now gives you all of the basic information for the key(s), but also gives you all of the data from the FIDO Alliance as well
AAGUID can now be piped in, whether it is 1 key or 100 keys, it will take it
AAGUID can now be imported from a .CSV, .TXT, or .XLSX
Using -DetailedProperties you can now gain access to any of the regular or FIDO Alliance properties to create your output
Added a GitHub Action to directly copy the FIDO Alliance data and merge it into the JSON data and update where necessary
Web Version: You can click on a key and get more information, then there is a button inside it which will show you all of the data in JSON

I did some other cleanup and prepping for some future updates, but what do you think? Any other features we should add? Are there fields not in the standard that you think should be?

Here are a couple sample outputs:

"50a45b0c-80e7-f944-bf29-f552bfa2e048", "973446ca-e21c-9a9b-99f5-9b985a67af0f" | Find-FIDOKey

Vendor      : ACS
Description : ACS FIDO Authenticator
AAGUID      : 50a45b0c-80e7-f944-bf29-f552bfa2e048
Bio         : No
USB         : Yes
NFC         : No
BLE         : No
Version     : FIDO 2.1 PRE
ValidVendor : Yes

Vendor      : ACS
Description : ACS FIDO Authenticator Card
AAGUID      : 973446ca-e21c-9a9b-99f5-9b985a67af0f
Bio         : No
USB         : No
NFC         : Yes
BLE         : No
Version     : FIDO 2.1 PRE
ValidVendor : Yes

"50a45b0c-80e7-f944-bf29-f552bfa2e048" | Find-FIDOKey -AllProperties
{
  "Vendor": "ACS",
  "Description": "ACS FIDO Authenticator",
  "AAGUID": "50a45b0c-80e7-f944-bf29-f552bfa2e048",
  "Bio": "No",
  "USB": "Yes",
  "NFC": "No",
  "BLE": "No",
  "Version": "FIDO 2.1 PRE",
  "ValidVendor": "Yes",
  "metadataStatement": {
    "legalHeader": "Submission of this statement and retrieval and use of this statement indicates acceptance of the appropriate agreement located at <https://fidoalliance.org/metadata/metadata-legal-terms/.">,
    "aaguid": "50a45b0c-80e7-f944-bf29-f552bfa2e048",
    "description": "ACS FIDO Authenticator",
    "authenticatorVersion": 10000,
    "protocolFamily": "fido2",
    "schema": 3,
    "upv": [
      {
        "major": 1,
        "minor": 1
      },
      {
        "major": 1,
        "minor": 0
      }
    ], and more data below

Here is a screenshot of the web version:

Thank you for taking the time to read this and using EntraFIDOFinder. This started out as a quick side project that grew a lot faster than I thought it would. I’ve learned a lot building the backend to this and even some of the front end. I can’t believe it’s almost at 1.2k downloads! Thank you!

PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.14
GitHub: https://github.com/DevClate/EntraFIDOFinder
Web Version: https://devclate.github.io/EntraFIDOFinder/Explorer/

Hope you have a great day!

v0.0.13 EntraFIDOFinder is out

December 2, 2024 by ClaytonT Leave a Comment

New Version of EntraFIDOFinder is out and i’ve added a better way to find out which version of FIDO they are using too. I’ve updated it for the PowerShell version and the webversion.

Enhancements

Filter by FIDO version from FIDO Alliance (PowerShell and Web Version)
- Using ValidateSet for versions (“FIDO U2F”, “FIDO 2.0”, “FIDO 2.1”, “FIDO 2.1 PRE”)
Added -AllProperties
- Default to terminal shows basic fields, but added -AllProperties that I’ll add more of the useful fields first
Show-FIDODbVersion now shows you your current version and if it needs to be updated

I did notice that there is a difference for AAGUID 30b5035e-d297-4ff7-b00b-addc96ba6a98 where on Microsofts website it says it should be compatible with BLE, but mine script isn’t seeing that. I’m going to check this week and see why its doing that. Hopefully it is a quick fix.
UPDATE: Same day Microsoft updated their webpage to show that it isn’t compatible with BLE, making mine correct again.

Let me know your thoughts and what you would like to see and or not see…

PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.13
GitHub: https://github.com/DevClate/EntraFIDOFinder

Hope you have a great day!

October 14, 2024 – Tomorrow is MFA Enforcement day and we have our first FIDO2 key update

October 14, 2024 by ClaytonT Leave a Comment

Today is the last day before Phase 1 of MFA Enforcement of Microsoft portals being turned on. This includes break glass accounts as well, so make sure you have your FIDO keys, Certs, or a dedicated computer with Windows Hello for Business setup.

You can learn more of the details at Microsoft Learn – https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication

If you want to see what accounts will be affected, check out Daniel Bradley’s great blog at https://ourcloudnetwork.com/how-to-assess-the-impact-of-mfa-enforcement-in-azure/

This past Saturday we had our first update to the FIDO2 key database. The OneSpan DIGIPASS FX1 BIO now has been approved for NFC. It looks like it was updated later on Friday as the page shows last updated on the 11th, but when I had checked that morning there wasn’t an update.

Also, I’ve updated the module to show the change in database as well as when you check which version of the database you have it automatically tells you if it is outdated instead of needing to then run the -NewVersion parameter.

Added Cmdlet Get-FIDODbLog which will show you the database merge log so you don’t have to go to the web to see it and will have it right in your terminal.

PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.10
GitHub: https://github.com/DevClate/EntraFIDOFinder
Interactive Key Explorer: https://devclate.github.io/EntraFIDOFinder/Explorer/

Hope this helps with your security journey, and if there is anyway I can help, please feel free to reach out.

EntraFIDOFinder Update

October 9, 2024 by ClaytonT Leave a Comment

October 15, is less than a week away for the MFA requirement on certain 365 Apps. Please make sure you are all set by then. Make sure to go through all your accounts, especially those old ones that you rarely ever touch, and see if you still need it or what is the best way to protect it now. For some you will be able to delete and others you will need something such as a cert, FIDO2 key, or Windows Hello for Business. For those that will need a FIDO2 key, I’ve pulled from Microsoft Learn the current Attestation capable FIDO2 keys that are compatible with Entra. The database may say that it was last updated September 30, 2024, but I reviewed it today(Oct 9th) and the list still hasn’t changed. Once they do update it, I’ll update mine as well as show the changes.

With that said, I’ve now created a function called Show-FIDODbVersion that will show you what your current version is, and if you use Show-FIDODbVersion -NewestVersion, it will show you the newest version out. Would you rather me, show the difference as soon as you run Show-FIDODbVersion if there is or do you want them seperate?

Also working on automating the update process so that it can be checked daily with minimal intervention.

Are there any other features you’d like to see? I’m going to be adding at least vendor links and I’ve been trying to find pricing, but more than a handful of them do not even show pricing and not sure how valuable it will be if only a few of the vendors have pricing. How critical is cost to you?

I hope EntraFIDOFinder has been useful for you, and I can’t believe it has over 100 downloads already. I wasn’t even going to publish this, but figured there was someone else out there that didn’t want to just look at a static website and scroll through, so that is why I created the module and the interactive webpage.

PowerShell Gallery: EntraFIDOFinder
GitHub: EntraFIDOFinder
EntraFIDOFinder Explorer

Enjoy your day and get secure!

GitHub Copilot Password Warning

October 4, 2024 by ClaytonT Leave a Comment

Did you know that GitHub Copilot is now sensing hard coded credentials and giving you a warning? It’s not perfect, but even if something looks like hard coded creds it will flag it, as on another script I had, it contained numbers that looked like they could be private, and it gave me a warning about it. Honestly, I rather find more potentials credentials then not. That’s it for today, hope you have a great day!