9.14 FIDO2

The FIDO2 method lets users authenticate to any web-based environment with devices that comply with the FIDO standards. The authenticator can be built into the platform or an external device connected through USB. The FIDO2 method uses the Web Authentication (WebAuthn) API between the browser and the server, and the Client to Authenticator Protocol (CTAP) between the browser and the device. WebAuthn provides strong authentication based on public key cryptography: the private key never leaves the authenticator, the server stores only the public key, and each credential is bound to the domain (relying party ID) it was created for. This also allows password-less authentication.

NOTE:On the Safari browser, while authenticating to a web application with the FIDO2 method, a user must click Next to initiate the authentication, because Safari issues the WebAuthn request only in response to a user gesture. This applies irrespective of the order of the FIDO2 method in a chain.

NOTE:The Advanced Authentication FIDO2 method supports authentication to the following:

  • Portals: Administration, Helpdesk, Self-Service, and Reporting

  • Events: OAuth 2.0, SAML 2.0, and Windows logon, including the workstation lock and log off cases handled in compliance with the Interactive logon: Smart card removal behavior policy.

    The Crescendo C2300 smartcard is supported for Windows logon.

The FIDO2 method supports the following browser and device combinations:

  • Firefox and Google Chrome browsers with the U2F device

  • Microsoft Edge browser with Windows Hello authentication

  • Google Chrome browser:

    • With Touch ID authentication on macOS

    • Using Crescendo C2300 smartcard on Windows

When you use the Google Chrome browser, you must set a valid domain name for your Advanced Authentication server rather than an IP address. WebAuthn scopes every credential to a relying party ID, which must be a domain name; Chrome does not create or use credentials for a relying party identified by an IP address.

If users enrolled the FIDO2 method with Windows Hello in Microsoft Edge 17 or an earlier supported browser version, they must authenticate with the same browser, because those versions implemented an earlier draft of the API (the Web API for FIDO 2.0 referenced below) and the credentials are not usable through the final WebAuthn API. After upgrading to a version of Edge that supports the FIDO2 standards, users must re-enroll the FIDO2 method.

To authenticate with the FIDO2 method using the Crescendo C2300 card as second-factor authenticator to Windows workstation, see

For more information about the WebAuthn and FIDO2 authenticators, see these articles: Web Authentication, Web API for FIDO 2.0, and Microsoft Web authentication.

You can configure the following options for the FIDO2 method:

  • Resident Key Requirement: A resident key is a discoverable credential: the private key and its metadata (including the user handle) are stored on the authenticator itself, rather than being wrapped into a credential ID that the relying party (RP) stores and hands back at login. When the RP asks to create or use a credential, the authenticator looks up the credentials it holds for the RP's domain name (RP ID) and can offer them without the RP naming a credential ID. Username-less login therefore requires a resident key.

    Select the option that the RP sends as the resident key requirement during enrollment and authentication. The available options are:

    • Preferred (Default): The RP asks for a resident key and the authenticator creates one if the browser and device support it. Enrollment and authentication with FIDO2 succeed whether or not a resident key is available.

      NOTE:Google Chrome creates and stores the resident key, whereas Firefox does not support creation of a resident key.

    • Required: The RP insists on a resident key; if one cannot be created, the browser reports an error and enrollment fails. Enrollment and authentication with the FIDO2 method work only in browsers that support resident keys.

      For example, if Resident Key Requirement is set to Required, users cannot enroll the FIDO2 method in Firefox because the browser lacks that capability, but they can enroll it in Chrome.

    • Discouraged: A resident key is not needed to complete enrollment and authentication with the FIDO2 method. The RP asks the authenticator not to create one, but a credential that is resident anyway is still accepted.

  • User Verification: Select how the RP asks the authenticator (the FIDO2 device) to verify that the person using it is the authorized user, for example with a PIN or a biometric, and to report the result in its response. User verification is what turns possession of the device into a second factor; without it, the device proves only that someone was present to touch it.

    Select the option that indicates whether user verification is necessary to perform enrollment, testing, and authentication with the FIDO2 method. The available options are:

    • Preferred (Default): Browsers that support it, such as Chrome, prompt the user for the PIN; browsers that do not, such as Firefox, show no prompt. Enrollment and authentication with FIDO2 succeed in both cases, so the RP cannot assume that verification took place unless it inspects the user-verified (UV) flag in the authenticator response.

    • Required: The PIN is mandatory to complete enrollment, testing, and authentication with the FIDO2 method. Enrollment and authentication therefore succeed only with browsers and authenticators that support user verification; a response without the UV flag is rejected.

    • Discouraged: Users are not prompted for a PIN during enrollment, testing, and authentication with the FIDO2 method.

    NOTE:Some platform and/or browser combinations do not support User Verification or Resident Key for FIDO2 devices. Therefore, FIDO2 enrollment and authentication might fail if you set User Verification and Resident Key Requirement as Required.

  • Username-less login enabled: This option allows users to authenticate to the Web Authentication event with FIDO2-compliant cards without specifying a username. The option is OFF by default, and users must specify the username to authenticate with the FIDO2 method.

    Set this option to ON to allow users to authenticate with a FIDO2 card whose resident credential carries the user's identity (the user handle). The FIDO2 Login button is displayed on the Web Authentication login page. When users tap the card, the authenticator returns the credential it holds for the RP ID and the Username field is pre-filled.

    NOTE:Before you set Username-less login enabled to ON, fill in the domain in Username-less login RP ID. Username-less login also depends on the credential being resident on the device (see Resident Key Requirement).

  • Username-less login RP ID: The relying party ID used for username-less login with the FIDO2 method. It is the domain name of the Advanced Authentication server to which the credentials are scoped, and it must be the domain (or a parent domain) of the address that users access.

An Example of Authenticating with the FIDO2 Method

Thomas, an end user, has enrolled the FIDO2 method in the Advanced Authentication Self-Service portal using a FIDO-compliant U2F token. He wants to authenticate to the mycompany.com website. He opens the browser and follows the prompts to access the website; when the token flashes, he touches it. The device is validated and Thomas is authenticated to mycompany.com.