9.12 FIDO2

The FIDO2 method enables users to authenticate to any web-based environment with devices that comply with the FIDO standards. The devices can be built into the platform or be external devices connected through USB. The FIDO2 method uses the Web Authentication (WebAuthn) API and the Client to Authenticator Protocol (CTAP). WebAuthn enables strong authentication based on public key cryptography and allows password-less authentication.

NOTE: On the Safari browser, while authenticating to a web application with the FIDO2 method, a user must click Next to initiate the authentication. This applies irrespective of the position of the FIDO2 method in a chain.

NOTE: The Advanced Authentication FIDO2 method supports authentication to the following:

  • Portals: Administration, Helpdesk, Self-Service, and Reporting

  • Events: OAuth 2.0, SAML 2.0, and Windows logon (from Advanced Authentication 6.3 SP6), including the workstation lock and log off cases, in compliance with the Interactive logon: Smart card removal behavior policy.

    From Advanced Authentication 6.3 SP7, the Crescendo C2300 smartcard is supported for Windows logon.

The FIDO2 method supports the following browsers with specific devices:

  • Firefox and Google Chrome browsers with the U2F device

  • Microsoft Edge browser with Windows Hello authentication

  • Google Chrome browser with Touch ID authentication on macOS

When you use the Google Chrome browser, you must set a valid domain name for your Advanced Authentication server rather than an IP address, because the WebAuthn relying party identifier must be a domain name.

If users have enrolled the FIDO2 method using Windows Hello in Microsoft Edge 17 or an earlier supported browser version, they must authenticate using the same browser. After upgrading to the latest version of Edge that supports the FIDO 2.0 standards, users must re-enroll the FIDO2 method.

For more information about the WebAuthn and FIDO2 authenticators, see these articles: Web Authentication, Web API for FIDO 2.0, and Microsoft Web authentication.

An Example of Authenticating with the FIDO2 Method

Thomas, an end user, has enrolled the FIDO2 method in the Advanced Authentication Self-Service portal by using a FIDO compliant U2F token. He wants to authenticate to the mycompany.com website. He opens the browser and follows the prompts to access the website. He is then required to touch the token when it flashes. Thomas is validated with the device and gets authenticated to mycompany.com.