FIDO2 WebAuthn is a set of Web APIs that attempts to alleviate the problems users and organizations can encounter managing an ever-growing list of passwords. The problems are obvious as passwords can become compromised and users can forget which password they use with which site. WebAuthn is a major step forward in that it uses public-key cryptography and digital signatures to enable passwordless authentication between servers, browsers and authenticators. WebAuthn can also be used as an additional MFA factor.
WebAuthn is supported by major browsers, including Chrome, Firefox, Edge and Safari. For more information about WebAuthn, see the FIDO Alliance article at https://fidoalliance.org/fido2/.
To use FIDO2 WebAuthn with EmpowerID, you simply decide what flows you want to use, configure a few system settings, and apply the flow(s) to one or more targets. Targets can include Password Manager policies, applications, and individual users (EmpowerID Persons).
EmpowerID supports the following WebAuthn flows:
MFA — Users authenticate by presenting their username, password and FIDO2 credential
Passwordless Login — Users authenticate by presenting their username, FIDO2 credential and a PIN / biometric
Usernameless Login — Users authenticate by presenting their FIDO2 resident key credential and a PIN/biometric
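The three flows differ in what the relying party must demand from the authenticator before it trusts an assertion. As an added example (not EmpowerID's code), the checks below enforce those differences: MFA needs only the user-presence flag, the passwordless and usernameless flows also need the user-verification flag set by the PIN or biometric, and usernameless additionally needs the userHandle that only a resident (discoverable) key returns. The relying party ID, origin, challenge and user handle values are constructed, and the FLOW_REQUIREMENTS table is an assumption about policy, not EmpowerID's configuration model.

```python
import hashlib
import json
import struct

# authenticatorData flag bits defined by the W3C WebAuthn spec
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN or biometric)

# Constructed policy for the three flows described on this page (assumption,
# not EmpowerID's own configuration model)
FLOW_REQUIREMENTS = {
    "mfa":          {"uv_required": False, "user_handle_required": False},
    "passwordless": {"uv_required": True,  "user_handle_required": False},
    "usernameless": {"uv_required": True,  "user_handle_required": True},
}

def parse_authenticator_data(auth_data: bytes):
    """Split the fixed header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    return auth_data[:32], auth_data[32], struct.unpack(">I", auth_data[33:37])[0]

def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build a constructed authenticatorData header for testing."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def make_client_data(challenge: str, origin: str = "https://sso.example.test") -> str:
    """Constructed clientDataJSON as the browser produces for a get() ceremony."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})

def check_assertion(flow, rp_id, expected_challenge, client_data_json, auth_data, user_handle):
    """Flow-specific checks a relying party runs before verifying the signature.
    Returns (ok, reason). Signature verification itself is out of scope here."""
    req = FLOW_REQUIREMENTS[flow]
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    rp_id_hash, flags, _ = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if req["uv_required"] and not flags & FLAG_UV:
        return False, "PIN/biometric (UV) required for this flow"
    if req["user_handle_required"] and not user_handle:
        return False, "usernameless flow needs the resident key's userHandle"
    return True, "ok"
```

The same assertion that passes the MFA flow is rejected for Passwordless Login when the UV flag is clear, which is why the PIN/biometric step in the flow list above is not optional.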
Configure system settings
On the navbar, expand Infrastructure Admin > EmpowerID Servers and Settings and click EmpowerID System Settings.
Search for the settings shown in the below table and then set their values accordingly.
| EmpowerID System Setting | Purpose |
|---|---|
| FIDO2UsernamelessLoginEnabled | This setting determines whether the FIDO2 usernameless prompt appears on the login page. |
| OauthTokenIssuerName | This setting specifies the FIDO2 server name. Set the value to identify the environment, such as ClientName-Dev, ClientName-UAT, etc. |
| MaximumRegisteredAssetsPerPersonPerType | This setting specifies the number of FIDO2 assets that a user can register. By default, the value is set to three. |
To edit the value of a setting, click the Edit icon for the setting as shown below, enter the new value and save your changes.
Enable WebAuthn on Password Manager policies
On the navbar, expand Password Management and click Password & Login Policies.
From the Policies tab of the Find Password Manager Policies page, search for the policy for which you want to enable WebAuthn and then click the Display Name link for that policy.
On the View page for the policy, click the Edit link.
Click the Authentication Settings tab and then select the desired type of WebAuthn from the Default FIDO2 Registration Capability field.
Save your changes.