2.10 FIDO2

The FIDO2 method enables you to use any FIDO-compliant device, either built into the system or connected through USB, to register and authenticate to the web environment. When you try to authenticate, the FIDO-compliant device and a user gesture, such as a tap on the token or a fingerprint swipe on the reader, are validated.

NOTE: If the FIDO2 method is enrolled using Windows Hello in Microsoft Edge 17 or an earlier supported browser version, you must authenticate using the same browser. After upgrading to the latest version of Edge that supports the FIDO 2.0 standards, you must re-enroll the FIDO2 method.

NOTE: On the Safari browser, while authenticating to a web application with the FIDO2 method, click Next to initiate the authentication. This applies irrespective of the order of the FIDO2 method in a chain.

FIDO2 Terms

  • Resident Key: A security key that is stored on the FIDO2 device during enrollment and is discoverable by the browser during FIDO2 testing and authentication. This is supported on a few browsers, such as Google Chrome and Microsoft Edge.

  • User Verification: A mechanism to verify the identity of a user with PIN or biometrics.

The above actions are displayed on the Self Service Portal based on the settings configured by the administrator.

The following table lists the supported and unsupported browsers for enrollment, testing, and authentication with the FIDO2 method on the old Enrollment Portal:

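| Operating System | Browser | User Verification | Resident Key |
|---|---|---|---|
| Linux | Chrome | Yes | Yes |
| Linux | Firefox | No | No |
| Mac OS | Chrome | Yes | Yes |
| Mac OS | Firefox | No | No |
| Mac OS | Safari | Yes | Yes |
| Windows | Chrome | Yes | Yes |
| Windows | Firefox | Yes | Yes |
| Windows | Edge | Yes | Yes |
| Android (with built-in FIDO2 device) | Chrome | Yes | Yes |
| Android (with built-in FIDO2 device) | Firefox | Yes | Yes |
| Android (with external FIDO2 device) | Chrome | No | No |
| Android (with external FIDO2 device) | Firefox | No | No |
| iOS | Safari | Yes | Yes |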

NOTE: Some platform and/or browser combinations do not support User Verification or Resident Key for FIDO2 devices. Therefore, FIDO2 enrollment and authentication fail if the administrator has configured User Verification and Resident Key Requirement as required.
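
What a "required" setting means at the WebAuthn level, as an added example that is not part of this guide or the product's code: it sketches how a relying party could request and then enforce User Verification and Resident Key. It assumes the administrator settings map to the standard WebAuthn `authenticatorSelection` options; the function names, policy fields, and sample data are hypothetical.

```javascript
// Added example: function and policy field names are hypothetical, not the product's API.
// WebAuthn authenticator data layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
const FLAG_UP = 0x01; // User Present: a gesture such as a tap on the token
const FLAG_UV = 0x04; // User Verified: PIN or biometric checked by the authenticator

// Translate the configured policy into the options object that a page would pass
// as the `publicKey` member of navigator.credentials.create().
function buildCreationOptions(policy, challenge, user) {
  return {
    challenge,
    rp: { id: policy.rpId, name: policy.rpName },
    user,
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // ES256
    authenticatorSelection: {
      residentKey: policy.residentKey, // 'required' | 'preferred' | 'discouraged'
      requireResidentKey: policy.residentKey === 'required',
      userVerification: policy.userVerification, // same three values
    },
    extensions: { credProps: true }, // client reports whether a resident key was created
  };
}

// Server-side enforcement on the enrollment response. A browser or device that
// cannot perform User Verification or create a Resident Key fails here (or earlier,
// in the browser) whenever the policy says "required".
function checkEnrollment(policy, authData, credProps) {
  if (authData.length < 37) return { ok: false, reason: 'authenticator data too short' };
  const flags = authData[32];
  if (!(flags & FLAG_UP)) return { ok: false, reason: 'user presence flag not set' };
  if (policy.userVerification === 'required' && !(flags & FLAG_UV)) {
    return { ok: false, reason: 'user verification required but not performed' };
  }
  // Treating a missing credProps result as a failure is a strict policy choice.
  if (policy.residentKey === 'required' && !(credProps && credProps.rk === true)) {
    return { ok: false, reason: 'resident key required but not created' };
  }
  return { ok: true, reason: 'policy satisfied' };
}

// Constructed sample: minimal 37-byte authenticator data with only the flags byte set.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}
```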

2.10.1 Enrolling the FIDO2 Authenticator

  1. Click the FIDO2 icon in Add Authenticator.

  2. (Optional) Specify a comment related to FIDO2 in Comment.

  3. (Optional) Select the preferred category from Category.

  4. Click Save.

    A message Waiting for Web Authentication data is displayed.

  5. Connect the device that complies with FIDO standards.

  6. Perform the action associated with the device.

    For example, if you use the FIDO2 device, connect it to the computer, set the PIN, and touch the device when you see a flash.

  7. Click Save.

    A message Authenticator "FIDO2" enrolled is displayed.

2.10.2 Testing the FIDO2 Authenticator

  1. Click the FIDO2 icon in Enrolled Authenticators.

  2. Click Test.

    A message Waiting for Web Authentication data is displayed.

  3. Perform the action associated with the enrolled device.

    A message Authenticator "FIDO2" passed the test is displayed.