Review – Feitian K33 Fido 2 Passkey

With attacks on the rise and people becoming tired of authenticator alerts (which leads to them just accepting anything), now is the time to start looking at alternatives, uncluding Fido2

I was lucky enough to be sent a Fido 2 K33 device from Feitian technologies to give a thorough testing. Whilst I’ve been sent the device for testing, I have NOT been paid for this review, these opinions are my own and completely unbiased.

The hardware

Starting with the hardware, it comes in a simple cardboard box and is literally just the device, no cables or instructions included, but I’m sure everyone has a USB-C cable these days

The device itself is small and light enough to fit on a set of keys, on-off button on the right hand side and a large fingerprint on the front.

Prior to unboxing, make sure you give it a good charge before using

Hardware Support & Features

The K33 has some advantages over the other Feitian options. Firstly the fingerprint gives an extra layer of protection to avoid someone grabbing the device and simply using it to authenticate (especially useful if on a set of keys).

It also features USB, Bluetooth and NFC connectivity so is completely cross-platform (there’s even a Linux application), although I personally found Bluetooth to work more reliably than NFC.

One thing to note, if you switch to MFA for everything and have this as the ONLY secondary authentication, if you lose it, you are stuck. A few sites will give you a backup/emergency code (listed below), but I’d always suggest having a secondary authentication option, even something like SMS, or a second FIDO2 key.

Application for Windows

The K33 will work out of the box with Windows 10 or Windows 11, but if you want more control over the device itself, the BioPass manager app (available in the Windows store), works well and lets you rename fingerprints which is always a bonus.

First Setup

To configure with the app, you’ll need to plugin to the USB-C on the bottom of the unit.

Once plugged in, you can setup a PIN or add fingerprints onto the device:

Once added, double clicking on a fingerprint gives the option to rename, I’ve added the ones I’m most likely to use when I pick it up:

Bluetooth

To enter pairing mode, press and hold the button on the side for 5 seconds

On my machine, it displayed as the following, but yours may be different

Windows Login

The first thing I want to do is add this as a Windows Hello authentication method (via bluetooth, I don’t like too many wires)

Navigate to Settings – Accounts – Sign-in Options

And we are selecting Security Key

Click Manage

Then you need to press the button on the side of the key and authenticate with your fingerprint

I can skip the next screen because I have configured the token via the app, but if you want to go direct, you can configure the fingerprint and PIN here

That’s Windows Hello all setup, to login, press the button on the side and authenticate with a fingerprint

M365 MFA

Now I want to secure my M365 environment

First go to this page (you may need to MFA if it’s already setup)

https://mysignins.microsoft.com/security-info

Click Add Sign-in method

I’m using Bluetooth so select USB key, but if you are using a device with NFC, you can configure that way

You will then get a few popups and a familiar screen to turn on and authenticate the device

Once authenticated, give it a name

If you want, you can also click the Change text at the top to make this your default sign-in method (it’s listed as hardware token)

Azure

If you want to allow Fido2 auth for Azure AD objects, that can also be done by following this guide:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key

You can even restrict to particular token types if needed

We can also use the token to secure other services:

Twitter

Navigate to this URL: https://twitter.com/settings/account/login_verification

Tick Security Key

Add the key

Again, you’ll have the standard Windows Security popups and then you’ll be prompted to name it:

As warned in the next popup, I would suggest adding another authentication method, if you lose the Fido2 token, break it, or it’s flat, you’ll be locked out!

You’ll also be given a backup code as a last resort, think of it as a break glass and store appropriately!

Gmail

To secure Gmail, navigate to this page: https://myaccount.google.com/signinoptions/two-step-verification/enroll-welcome?hl=en

Select Get Started and verify it’s you

Now we want to click Show more Options

And select Security Key

Click Next (unless you want to use key only)

Then simply follow the same steps as we have used for the others

Again, you are given the option to save a backup key

Outlook.com accounts

I’m sure most people have a personal Outlook.com style account as well so we can also use it for MFA on there, or go one step further and passwordless:

Navigate to https://account.live.com/proofs/manage

In Security click on Turn On MFA

Click Next

Like Twitter, you will be given a recovery code as a last resort, store it safely!

Now we want to add the device

Select Security Token

Again, Bluetooth is classed as USB

Follow the now-familiar steps and name the key

You can even go one step further and remove the password altogether, follow this guide for extra security

https://support.microsoft.com/en-gb/account-billing/how-to-go-passwordless-with-your-microsoft-account-674ce301-3574-4387-a93d-916751764c43

Hopefully you have found this useful, as always, comments are more than welcome!

Posted in Windows