Microsoft Teams Blog articles

Auditing FIDO2 authentication for Windows Sign-in

This article outlines how to audit FIDO2 security key authentication on Windows client devices. It focuses on analyzing Windows Event Logs, particularly the events related to the WebAuthN and CTAP protocols. Authentication can be traced by mapping steps such as challenge generation and response processing to specific event IDs. The process involves examining events such as WebAuthN Ctap GetAssertion (IDs 1003-1005) and Cbor encode GetAssertion request (ID 1103), where the key identifier from Entra ID can be found. Successful and unsuccessful PIN verification attempts, which matter for security assessments, can be tracked through Ctap Usb Send Receive events. Finally, the article explains how to parse the CBOR-encoded data within these events to extract details such as credential IDs and user presence information.
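The CBOR parsing step can be illustrated with a short decoder. This is an added example, not code from the original article: it assumes the GetAssertion request payload from event 1103 has been copied out as a hex string, and the function names and sample payload are constructed for illustration. The map keys used (1 = rpId, 3 = allowList, 5 = options) are the authenticatorGetAssertion parameters defined by CTAP2.

```python
def cbor_decode(buf, pos=0):
    """Decode one definite-length CBOR item; return (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if major == 7 and info in (20, 21, 22):      # false / true / null
        return {20: False, 21: True, 22: None}[info], pos
    if major >= 6 or info > 27:
        raise ValueError("tag, float or indefinite length not supported")
    if info < 24:
        arg = info
    else:                                        # 1, 2, 4 or 8 length bytes follow
        size = 1 << (info - 24)
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if major in (0, 1):
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):
        if pos + arg > len(buf):
            raise ValueError("truncated string")
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    items = []                                   # major 4 (array) or 5 (map)
    for _ in range(arg * (2 if major == 5 else 1)):
        item, pos = cbor_decode(buf, pos)
        items.append(item)
    return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos

def parse_get_assertion(hex_payload):
    """Extract rpId, allowList credential IDs and options from a GetAssertion request."""
    data = bytes.fromhex(hex_payload)
    if data[:1] == b"\x02":                      # CTAP2 authenticatorGetAssertion command byte
        data = data[1:]
    req, _ = cbor_decode(data)
    if not isinstance(req, dict):
        raise ValueError("GetAssertion parameters must be a CBOR map")
    creds = [c["id"].hex() for c in req.get(3, []) if isinstance(c.get("id"), bytes)]
    return {"rp_id": req.get(1), "credential_ids": creds, "options": req.get(5, {})}

# Constructed sample, not taken from a real event log.
SAMPLE_HEX = (
    "02" "a4"                                    # command byte, map of 4 entries
    "01" "6c" + b"example.test".hex() +          # 1: rpId
    "02" "5820" + "11" * 32 +                    # 2: clientDataHash (32 bytes)
    "03" "81" "a2" "62" "6964" "44" "deadbeef"   # 3: allowList[0] {"id": h'deadbeef',
    "64" "74797065" "6a" + b"public-key".hex() + #                   "type": "public-key"}
    "05" "a1" "62" "7570" "f5"                   # 5: options {"up": true}
)
```
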
techcommunity.microsoft.com