With the FIDO U2F authentication method, users can authenticate with the touch of a finger on the U2F device.
Advanced Authentication supports the Microsoft policy Interactive logon: Smart card removal behavior that allows you to specify an action on the U2F. You can configure the policy to perform a force log off or lock a session when a user removes the U2F device from a computer. This policy is supported for Windows only. When the user removes the U2F device from the computer, the Windows Client runs an action that is specified in the Interactive logon: Smart card removal behavior policy.
IMPORTANT:To use the FIDO U2F authentication for Access Manager in the OAuth 2.0 event, you must configure an external web service to perform enrollment and authentication for one domain name. For more information, see Configuring a Web Server to Use the FIDO U2F Authentication.
The YubiKey tokens may flash with a delay when the token is initialized in a combination mode. For example, when authentication uses OTP and U2F methods. This may cause the users to wait for the token to flash before enrollment or authentication. Therefore, it is recommended to flash the tokens only in the U2F mode if the other modes are not needed.
NOTE:Ensure to set a valid domain name for your Advanced Authentication server rather than an IP address and host the domain name appropriately before users authenticate to any event or device using the U2F method.
You can configure the following settings for this method: