3.10 FIDO U2F

The FIDO U2F method lets you authenticate by connecting a FIDO U2F compliant token to the computer or laptop and touching the token when it flashes. When you try to authenticate on any device, the token connected to the device is compared with the enrolled token. If the token details match, you are authenticated successfully.

HINT: To enroll and test the FIDO U2F authentication on any browser except Google Chrome, ensure that the Advanced Authentication Device Service is installed on the system. Google Chrome contains a built-in module.

3.10.1 Enrolling the FIDO U2F Authenticator

  1. Click the U2F icon in Add Authenticator.

    A message Press button "Save" to begin enrolling. is displayed.

  2. (Optional) Specify a comment related to U2F in Comment.

  3. (Optional) Select the preferred category from Category.

  4. Click Save.

    A message Please touch the flashing U2F device now is displayed. You may be prompted to allow the site permissions to access your security keys.

  5. Touch the FIDO U2F button when there is a flash on the device.

    A message Authenticator "U2F" enrolled is displayed. If there is no flash for more than 10 seconds, reconnect your token and repeat the steps.

NOTE: To use U2F in Google Chrome on Linux, you must perform the following steps:

  1. Download the file 70-u2f.rules from https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules, or create a copy of it, in the Linux directory /etc/udev/rules.d/.

    If the file is already available, ensure that the content is similar to that specified in https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules.

    NOTE: If your version of UDEV is lower than 188, use the rules specified at https://github.com/Yubico/libu2f-host/blob/master/70-old-u2f.rules.

  2. Save the file 70-u2f.rules and reboot the system.
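
The following script is an added example, not part of the product or of the Yubico project. It checks that the rule file from the steps above is in place and fits the installed udev version. The function names are hypothetical, and it assumes the current upstream rules grant access with TAG+="uaccess" while the old-style file does not.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of any product.
RULES_NAME="70-u2f.rules"
BASE_URL="https://github.com/Yubico/libu2f-host/blob/master"

# Print the upstream file whose rules fit udev version $1 (threshold 188).
u2f_rules_source() {
    if [ "$1" -lt 188 ]; then
        echo "$BASE_URL/70-old-u2f.rules"
    else
        echo "$BASE_URL/$RULES_NAME"
    fi
}

# Print the rule file in directory $1 without comment lines.
u2f_active_rules() {
    grep -v '^[[:space:]]*#' "$1/$RULES_NAME"
}

# Classify the installed file in directory $1 for udev version $2.
# Prints one of: missing, no-hidraw-rules, needs-old-rules, ok
u2f_rules_status() {
    [ -s "$1/$RULES_NAME" ] || { echo "missing"; return 0; }
    # U2F tokens appear as hidraw nodes; rules that never match them do nothing.
    u2f_active_rules "$1" | grep -q 'hidraw' || { echo "no-hidraw-rules"; return 0; }
    # Assumption: the current upstream rules grant access with TAG+="uaccess"
    # and the old-style file does not.
    if [ "$2" -lt 188 ] && u2f_active_rules "$1" | grep -q 'uaccess'; then
        echo "needs-old-rules"; return 0
    fi
    echo "ok"
}

# Report on the live system; "udevadm --version" prints the udev version.
u2f_audit() {
    ver=$(udevadm --version 2>/dev/null) || ver=""
    case "$ver" in ''|*[!0-9]*) echo "udev version unknown"; return 1 ;; esac
    status=$(u2f_rules_status /etc/udev/rules.d "$ver")
    echo "udev $ver, $RULES_NAME: $status"
    [ "$status" = "ok" ] || echo "expected content: $(u2f_rules_source "$ver")"
}

if [ "${1:-}" = "--audit" ]; then u2f_audit; fi
```

Run the script with --audit on the Linux system. Any status other than ok means the file should be replaced as described in step 1, followed by the reboot in step 2.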

3.10.2 Testing the FIDO U2F Authenticator

  1. Click the U2F icon in Enrolled Authenticators.

  2. Click Test.

    A message Please touch the flashing U2F device now is displayed. You may be prompted to allow the site permissions to access the security keys in the U2F device.

  3. Touch the FIDO U2F button when there is a flash on the device.

    A message Authenticator "U2F" passed the test is displayed. If the connected token is invalid, a message Token is not registered is displayed.

The following table describes the possible error messages along with the workaround for the FIDO U2F authentication.

Table 3-3 FIDO U2F authenticator - error messages

| Error | Possible Cause and Workaround |
|---|---|
| Cannot reach local FIDO U2F Service. Ask your admin to enable it. You may use Google Chrome browser, it has a built-in U2F support | The FIDO U2F service is not installed properly. Install the U2F service and try again. |
| Timeout. Press "Save" to start again | The session has timed out. Click Save and enroll again. |
| Enroll failed: Device not attested. Ask your administrator to upload your token attestation certificate | The token does not contain an attested certificate. Contact your administrator to add the attestation certificate to your token. |
| Unexpected error: U2F token error: The visited URL does not match the application ID or it is not in use | The Facets are not configured appropriately. Contact your administrator to check the Facets settings. |