FIDO2 WebAuthn

FIDO2 WebAuthn is a set of Web APIs that attempts to alleviate the problems users and organizations can encounter managing an ever-growing list of passwords. The problems are obvious as passwords can become compromised, and users can forget which password they use with which site. WebAuthn is a major step forward in that it uses public-key cryptography and digital signatures to enable passwordless authentication between servers, browsers, and authenticators. WebAuthn can also be used as an additional MFA factor.

WebAuthn is supported by major browsers including Chrome, Firefox, Edge, and Safari. For more information about WebAuthn, see the FIDO Alliance article at https://fidoalliance.org/fido2/.

To use FIDO2 WebAuthn with EmpowerID, you decide what flows you want to use, configure a few system settings, and apply the flow(s) to one or more targets. Targets can include Password Manager policies, applications, and individual users (EmpowerID Persons). This article demonstrates how to apply WebAuthn to Password Manager policies.

EmpowerID supports the following WebAuthn flows:

  • MFA – Users authenticate by presenting their username, password, and FIDO2 credential

  • Passwordless Login – Users authenticate by presenting their username, FIDO2 credential, and a PIN/biometric

  • Usernameless Login – Users authenticate by presenting their FIDO2 resident key credential and a PIN/biometric

User security keys must support FIDO2.

Configure system settings

  1. Expand Infrastructure Admin > EmpowerID Servers and Settings on the navbar and click EmpowerID System Settings.

  2. Search for the settings shown in the table below and click the edit button to set their values for your environment.

EmpowerID System Setting – Purpose

  • FIDO2UsernamelessLoginEnabled – Determines whether the FIDO2 usernameless prompt appears on the login page.

  • OathTokenIssuerName – Specifies the FIDO2 server name. Set the value to identify the environment, such as ClientName-Dev, ClientName-UAT, etc.

  • MaximumRegisteredAssetsPerPersonPerType – Specifies the number of FIDO2 assets that a user can register. By default, the value is set to three.

Enable WebAuthn on Password Manager policies

  1. On the navbar, expand Password Management and click Password & Login Policies.

  2. From the Policies tab of the Find Password Manager Policies page, search for the policy for which you want to enable WebAuthn, and then click the Display Name link for that policy.

  3. On the View page for the policy, click the Edit link.

  4. Click the Authentication Settings tab and select the desired WebAuthn flow from the Default FIDO2 Registration Capability field.

  5. Save your changes.

Manage FIDO2 WebAuthn tokens

To assign registered FIDO2 WebAuthn tokens to users or delete tokens from the system, do the following:

  1. On the navbar, expand Single Sign-On and click MFA Devices.

  2. Search for FIDO2 to return a list of registered FIDO2 WebAuthn tokens.

  3. Click the drop-down arrow to the left of the key you want to manage.

  4. Select the action you want to perform. You can either assign the token to a person or delete the asset.

     To assign the token to a person:

     a. Click Assign Token To Person.

     b. Search for the person to whom you want to assign the token, click the record for the person to select it, and then click Submit.

     To delete the asset:

     a. Click Delete Asset.

     b. Confirm that you want to delete the token.

User Experience

Based on the FIDO2 capability enabled on the Password Manager policy, the end user’s experience will differ as outlined below.

MFA FIDO2 (Username + Password + FIDO2 credential)

If the MFA FIDO2 capability is enabled, the FIDO2 authenticator device can be used only as a second factor, after the username and password.

  • Registration Flow – On the first login, EmpowerID will prompt the user to perform one of the below actions based on the authenticator type:

    • If Security Key, the user must touch the security key

    • If Laptop/PC, the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

  • Sign-In Flow – From the second login onwards, EmpowerID will prompt the user to perform one of the below actions based on the authenticator type chosen during the registration step:

    • If Security Key, the user must touch the security key

    • If Laptop/PC, the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

Sign-In Flow Experience

PasswordlessLogin FIDO2 (Username + FIDO2 credential)

  • Registration Flow – On the first login, EmpowerID will prompt the user to perform one of the below actions based on the authenticator type:

    • If Security Key, the user must touch the security key and enter PIN/biometric

    • If Laptop/PC, the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

  • PasswordlessLogin Flow – When the user runs the Passwordless Login workflow and enters the correct username/login, EmpowerID will prompt the user to perform one of the below actions based on the authenticator type chosen during the registration step:

    • If Security Key, the user must touch the security key and enter PIN/biometric

    • If Laptop/PC, the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

PasswordlessLogin Flow Experience

UsernamelessLogin FIDO2 (FIDO2 credential + Resident Key)

  • Registration Flow – On the first login, EmpowerID will prompt the user to perform one of the below actions based on the authenticator type:

    • If Security Key, a resident key is generated on the key linking the username to the domain (e.g., sso.empoweriam.com), after which the user must touch the security key and enter a PIN/biometric

    • If Laptop/PC, a WebAuthn credential is generated on the device linking the username to the domain (e.g., sso.empoweriam.com), after which the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

  • UsernamelessLogin Flow – On the next login, when the login page loads, EmpowerID will prompt the user to perform one of the below actions based on the authenticator type chosen during the registration step:

    • If Security Key, the user must touch the security key and enter PIN/biometric

    • If Laptop/PC, the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

UsernamelessLogin Flow Experience
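The three flows above differ in what the relying party asks the browser for at registration and at sign-in: only the usernameless flow needs a resident (discoverable) key, and only the MFA flow can accept a plain touch without user verification. The following is an added illustration, not EmpowerID's code, of how those differences map onto the options passed to WebAuthn's navigator.credentials.create() and navigator.credentials.get(); the rpId reuses the page's example domain, and the challenge, user ID and credential IDs are constructed placeholders.

```javascript
// Added illustration (not EmpowerID code): the WebAuthn options a relying party
// sends to the browser for each of the three flows. The rpId is the page's
// example domain; challenge and IDs are constructed placeholders (a real
// server generates a fresh random challenge per ceremony).
const FLOWS = { MFA: "mfa", PASSWORDLESS: "passwordless", USERNAMELESS: "usernameless" };

// Registration ceremony: passed as navigator.credentials.create({ publicKey })
function buildRegistrationOptions(flow, { rpId, rpName, userId, userName, challenge }) {
  const base = {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    timeout: 60000,
    attestation: "none",
  };
  switch (flow) {
    case FLOWS.MFA:
      // Second factor only: the password already proves the user, so a touch suffices.
      return { ...base, authenticatorSelection: { residentKey: "discouraged", userVerification: "discouraged" } };
    case FLOWS.PASSWORDLESS:
      // The credential replaces the password, so the authenticator must verify the user (PIN/biometric).
      return { ...base, authenticatorSelection: { residentKey: "discouraged", userVerification: "required" } };
    case FLOWS.USERNAMELESS:
      // Discoverable (resident) key: user.id is stored on the authenticator, bound to rpId.
      return { ...base, authenticatorSelection: { residentKey: "required", requireResidentKey: true, userVerification: "required" } };
    default:
      throw new Error(`unknown flow: ${flow}`);
  }
}

// Authentication ceremony: passed as navigator.credentials.get({ publicKey })
function buildAssertionOptions(flow, { rpId, challenge, registeredCredentialIds = [] }) {
  const base = { rpId, challenge, timeout: 60000 };
  if (flow === FLOWS.USERNAMELESS) {
    // No username has been entered, so allowCredentials is empty: the authenticator
    // offers its discoverable credentials for this rpId and returns the userHandle
    // (= user.id), which the server uses to look up the identity.
    return { ...base, allowCredentials: [], userVerification: "required" };
  }
  if (!Object.values(FLOWS).includes(flow)) throw new Error(`unknown flow: ${flow}`);
  // Username is known, so the server lists that user's registered credential IDs.
  if (registeredCredentialIds.length === 0) throw new Error("no FIDO2 credential registered for this user");
  return {
    ...base,
    allowCredentials: registeredCredentialIds.map((id) => ({ type: "public-key", id })),
    userVerification: flow === FLOWS.PASSWORDLESS ? "required" : "discouraged",
  };
}
```

A platform authenticator such as Windows Hello or Touch ID may still ask for a PIN or biometric in the MFA flow even though the relying party does not require it, which matches the Laptop/PC behaviour described above.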

Special Features / Use Cases

  1. A single FIDO2 Authenticator device can be associated with more than one identity.

  2. A single identity can have at most the number of FIDO2 assets specified by the MaximumRegisteredAssetsPerPersonPerType system setting.

  3. If a FIDO2 authenticator associated with more than one identity is presented during any login flows, EmpowerID will prompt the user to choose the identity for login.

  4. Users can run the “RegisterFido2Authenticator” workflow to register additional FIDO2 authenticator devices.

User experience when multiple identities are associated with a single FIDO2 authenticator device