How to Implement FIDO2 WebAuthn with SecureAuth

September 01, 2020
Dusan Vitek

Make password-less and biometrics an integral part of your strong MFA deployment strategy

By Dusan Vitek, Director, Product Marketing, SecureAuth

As part of your MFA deployment strategy, you can enable users to register their FIDO2 devices as a login multi-factor authentication (MFA) option. SecureAuth supports both roaming authenticators (USB, NFC or Bluetooth-based hardware security keys such as YubiKeys and the Google Titan Security Key) and bound authenticators, sometimes also called platform authenticators, such as Touch ID on macOS, Windows Hello on Windows 10-based PCs, Android fingerprint, etc.

Titan Security Key

The Titan Security Key from Google supports the FIDO2 WebAuthn protocol. Users can use the Titan Security Key for machine login or SSO login with modern cloud IAM solutions such as the SecureAuth Identity Platform.

Getting Started is Easy 

The first step is to configure and save the global settings for FIDO2 in the SecureAuth Identity Platform Administration Console. Once the settings are in place, the system will automatically generate a FIDO2 registration and management page.

The FIDO2 WebAuthn registration and management page is localized and translated based on the user’s browser language settings. To customize the text on the page, you can use the Authentication API.

Share the WebAuthn registration page URL with your users to guide them through the process of registering their FIDO2 WebAuthn devices. Once end users register their WebAuthn device using this page, it becomes available as a login option for asserting their access to resources.

  1. On the left side of the Identity Platform page, click Multi-Factor Methods.
  2. Click the pencil icon for FIDO2 (WebAuthn). The configuration page for FIDO2 (WebAuthn) appears.

FIDO2 WebAuthn

  3. Set the following configurations.

Authentication Policy
Select the login authentication policy for the FIDO2 registration page. The authentication policy includes the login workflow, the adaptive authentication rules to analyze, and the available authentication methods to select to register the FIDO2 device.

Data Stores
Enter the data stores against which users are authenticated and allowed to register their FIDO2 device. Start typing to bring up a list of data store names. You can enter more than one data store.

Groups
Use one of the following options:

  • Slider in the On position (enabled): Allow users from every group in your selected data stores access to this FIDO2 registration page.
  • Slider in the Off position (disabled): Enter the specific groups who are allowed access to this FIDO2 registration page.

This creates the FIDO2 registration page and provides the registration URL. Share this URL with your end users to register and manage their FIDO2 devices.

Note: if you turn off WebAuthn as a login method, it prevents end users from seeing it as an MFA choice during login. The FIDO Enrollment URL page stays active for end users to manage their FIDO2 devices.

FIDO2 WebAuthn

Helping your users register FIDO2 (WebAuthn) devices
Copy and share the FIDO Enrollment URL with your end users. For example, to encourage end users to register their FIDO2 device, share the URL in an email blast.

Related information
Define the login workflow and multi-factor method settings in a policy

Compatibility
We have tested SecureAuth Identity Platform with many of the common FIDO2 WebAuthn authenticators.

Availability
SecureAuth’s support for FIDO2 WebAuthn is available in select subscription plans of the SecureAuth Identity Platform.

Documentation 
FIDO WebAuthn Setup Guide
Define login workflow and multi-factor method settings in a policy

Blog series on FIDO2 and WebAuthn 

Learn more
Follow us on Twitter at @SecureAuth, on LinkedIn at linkedin.com/company/secureauth-corporation/ or bookmark our blog at secureauth.com/blog.
