FIDO2 WebAuthn

FIDO2 WebAuthn is a collection of Web APIs designed to address the issues users and organizations face when managing a growing number of passwords. Compromised passwords and difficulty remembering multiple passwords for various sites are common challenges. WebAuthn represents a significant advancement by employing public-key cryptography and digital signatures to enable passwordless authentication between servers, browsers, and authenticators. Furthermore, WebAuthn can also be utilized as an additional MFA factor.

Major browsers, such as Chrome, Firefox, Edge, and Safari, support WebAuthn. For more information about WebAuthn, refer to the FIDO Alliance article at https://fidoalliance.org/fido2/.

To integrate FIDO2 WebAuthn with EmpowerID, determine the desired flows, configure the necessary system settings, and apply the flow(s) to one or more targets, which can include Password Manager policies, applications, and individual users (EmpowerID Persons). This article illustrates how to apply WebAuthn to Password Manager policies.

EmpowerID supports the following WebAuthn flows:

  1. MFA – Users authenticate by providing their username, password, and FIDO2 credential.

  2. Passwordless Login – Users authenticate by submitting their username, FIDO2 credential, and a PIN or biometric.

  3. Usernameless Login – Users authenticate by presenting their FIDO2 resident key credential and a PIN or biometric.

User security keys must support FIDO2.

Configure system settings

  1. Expand Infrastructure Admin > EmpowerID Servers and Settings on the navbar and click EmpowerID System Settings.

  2. Search for the settings in the table below and click the edit button to set their values for your environment.

EmpowerID System Setting

Purpose

EmpowerID System Setting

Purpose

FIDO2UsernamelessLoginEnabled

This setting determines whether the FIDO2 usernameless prompt appears on the login page.

OathTokenIssuerName

This setting specifies the FIDO2 server name. Set the value to identify the environment, such as ClientName-Dev, ClientName-UAT, etc.

MaximumRegisteredAssetsPerPersonPerType

This setting specifies the number of FIDO2 assets that a user can register. By default, the value is set to three.

 

Enable WebAuthn on Password Manager policies

  1. On the navbar, expand Password Management and click Password & Login Policies.

  2. From the Policies tab of the Find Password Manager Policies page, search for the policy you want to enable WebAuthn and then click the Display Name link for that policy.

     

  3. On the View page for the policy, click the Edit link.

     

  4. Click the Authentication Settings tab and select the desired WebAuthn from the Default FIDO2 Registration Capability field.

     

  5. Save your changes.

 

Manage FIDO2 WebAuthn tokens

To assign registered FIDO2 WebAuthn tokens to users or delete tokens from the system, do the following:

  1. On the navbar, expand Single Sign-On and click MFA Devices.

  2. Search for FIDO2 to return a list of registered FIDO2 WebAuthn tokens.

     

  3. Click the drop-down arrow to the left of the key you want to manage.

  4. Select the action you want to perform. You can either assign the token to a person or delete the asset.

  1. Click Assign Token To Person.

     

  2. Search for the person to whom you want to assign the token, click the record for the person to select it, and then click Submit.

  1. Click Delete Asset.

     

  2. Confirm that you want to delete the token.

User Experience

Based on the FIDO2 capability enabled on the Password Manager policy, the end user’s experience will differ as outlined below.

MFA FIDO2 (Username + Password + FIDO2 credential)

If the MFA FIDO2 capability is enabled, the FIDO2 authenticator device can be used only for second factor.

  • Registration Flow – On the first login, EmpowerID will prompt the user to perform one of the below actions based on the authenticator type:

    • If Security Key, the user must touch the security key

    • If Laptop/PC, the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

  • Sign-In Flow – From the second login onwards, EmpowerID will prompt the user to perform one of the below actions based on the authenticator type chosen during the registration step:

    • If Security Key, the user must touch the security key

    • If Laptop/PC, the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

      Sign-In Flow Experience

 

PasswordlessLogin FIDO2 (Username + FIDO2 credential)

If the PasswordlessLogin FIDO2 capability is enabled, the FIDO2 authenticator device can be used for both PasswordlessLogin and the second factor.

  • Registration Flow – On the first login, EmpowerID will prompt the user to perform one of the below actions based on the authenticator type:

    • If Security Key, the user must touch the security key and enter PIN/biometric

    • If Laptop/PC, the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

  • PasswordlessLogin Flow – When the user runs the Passwordless Login workflow and enters the correct username/login, EmpowerID will prompt the user to perform one of the below actions based on the authenticator type chosen during the registration step:

    • If Security Key, the user must touch the security key and enter PIN/biometric

    • If Laptop/PC, the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

PasswordlessLogin Flow Experience

 

UsernamelessLogin FIDO2 (FIDO2 credential + Resident Key)

If the UsernamelessLogin FIDO2 capability is enabled, EmpowerID can use the FIDO2 authenticator device for UsernamelessLogin, PasswordlessLogin, and second factor.

  • Registration Flow – On the first login, EmpowerID will prompt the user to perform one of the below actions based on the authenticator type:

    • If Security Key, a resident key is generated linking the username to the domain (e.g., sso.empoweriam.com), following which the user must touch the security key + enter PIN/biometric

    • If Laptop/PC, a WebAuthn credential is generated on the device linking the username to the domain (e.g., sso.empoweriam.com), the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

  • UsernamelessLogin Flow – On the next login, when the login page loads, EmpowerID will prompt the user to perform one of the below actions based on the authenticator type chosen during the registration step:

    • If Security Key, the user must touch the security key and enter PIN/biometric

    • If Laptop/PC, the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

      UsernamelessLogin Flow Experience

 

Special Features / Use Cases

  1. A single FIDO2 Authenticator device can be associated with more than one identity.

  2. A single identity can have a maximum of x FIDO2 assets as specified by the MaximumRegisteredAssetsPerPersonPerType system setting.

  3. If a FIDO2 authenticator associated with more than one identity is presented during any login flows, EmpowerID will prompt the user to choose the identity for login.

  4. Users can run the “RegisterFido2Authenticator” WF to register additional FIDO2 authenticator devices.

    User experience when multiple identities are associated with a single FIDO2 authenticator device