You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


WebAuthn



FIDO2 WebAuthn is a set of Web APIs that attempts to alleviate the problems users and organizations encounter managing an ever-growing list of passwords. The problems are obvious: passwords can be compromised, and users forget which password they use with which site. WebAuthn is a major step forward in that it uses public-key cryptography and digital signatures to enable passwordless authentication between servers, browsers and authenticators. WebAuthn can also be used as an additional MFA factor.

To use FIDO2 WebAuthn with EmpowerID, you simply decide which flows you want to use, configure a few system settings, and apply the flow(s) to one or more targets. Targets can include Password Manager policies, applications, and individual users (EmpowerID Persons). This article describes how to apply WebAuthn to Password Manager policies.

EmpowerID supports the following WebAuthn flows:

  • MFA — Users authenticate by presenting their username, password and FIDO2 credential

  • Passwordless Login — Users authenticate by presenting their username, FIDO2 credential and a PIN/biometric

  • Usernameless Login — Users authenticate by presenting their FIDO2 resident key credential and a PIN/biometric

Configure system settings

  1. On the navbar, expand Infrastructure Admin > EmpowerID Servers and Settings and click EmpowerID System Settings.

  2. Search for each of the following EmpowerID System Settings and click the edit button to set its value for your environment:

  • FIDO2UsernamelessLoginEnabled — Determines whether the FIDO2 usernameless prompt appears on the login page.

  • OauthTokenIssuerName — Specifies the FIDO2 server name. Set the value to identify the environment, such as ClientName-Dev, ClientName-UAT, etc.

  • MaximumRegisteredAssetsPerPersonPerType — Specifies the number of FIDO2 assets a user can register. By default, the value is set to three.

Enable WebAuthn on Password Manager policies

  1. On the navbar, expand Password Management and click Password & Login Policies.

  2. From the Policies tab of the Find Password Manager Policies page, search for the policy on which you want to enable WebAuthn and then click the Display Name link for that policy.

  3. On the View page for the policy, click the Edit link.

  4. Click the Authentication Settings tab and then select the desired type of WebAuthn from the Default FIDO2 Registration Capability field.

  5. Save your changes.

User Experience

Based on the FIDO2 capability enabled on the Password Manager policy, the end user’s experience will differ as outlined below.

MFA FIDO2 (Username + Password + FIDO2 credential)

If the MFA FIDO2 capability is enabled, the FIDO2 authenticator device can be used only as a second factor.

  • Registration Flow — On first login, the user will be prompted to perform one of the below actions based on the authenticator type:

    • If Security Key, the user must touch the security key

    • If Laptop/PC, the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

  • Sign-In Flow — From the second login onwards, the user will be prompted to perform one of the below actions based on the authenticator type chosen during the registration step:

    • If Security Key, the user must touch the security key

    • If Laptop/PC, the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

PasswordlessLogin FIDO2 (Username + FIDO2 credential)

If the PasswordlessLogin FIDO2 capability is enabled, the FIDO2 authenticator device can be used both for PasswordlessLogin and as a second factor.

  • Registration Flow — On first login, the user will be prompted to perform one of the below actions based on the authenticator type:

    • If Security Key, the user must touch the security key and enter a PIN/biometric

    • If Laptop/PC, the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

  • PasswordlessLogin Flow — When the user runs the Passwordless Login workflow and enters the correct username/login, the user will be prompted to perform one of the below actions based on the authenticator type chosen during the registration step:

    • If Security Key, the user must touch the security key and enter a PIN/biometric

    • If Laptop/PC, the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

UsernamelessLogin FIDO2 (FIDO2 credential + Resident Key)

If the UsernamelessLogin FIDO2 capability is enabled, the FIDO2 authenticator device can be used for UsernamelessLogin, for PasswordlessLogin and as a second factor.

  • Registration Flow — On first login, the user will be prompted to perform one of the below actions based on the authenticator type:

    • If Security Key, a resident key is generated linking the username to the domain (e.g., sso.empoweriam.com), following which the user must touch the security key and enter a PIN/biometric

    • If Laptop/PC, a WebAuthn credential is generated on the device linking the username to the domain (e.g., sso.empoweriam.com), following which the user must enter a PIN/biometric (fingerprint, FaceID, etc.)

  • UsernamelessLogin Flow — On the next login, when the login page loads, the user will be prompted to perform one of the below actions based on the authenticator type chosen during the registration step:

    • If Security Key, the user must touch the security key and enter a PIN/biometric

    • If Laptop/PC, the user must enter a PIN/biometric (fingerprint, FaceID, etc.)
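The three capabilities above differ in two WebAuthn knobs: whether the credential must be a resident (discoverable) key bound to the domain, and whether a PIN/biometric (user verification) is demanded rather than a touch (user presence). The following added example, which is not EmpowerID's code, shows how a relying party would express each flow in WebAuthn request options and which fields of the browser's signed clientDataJSON it must verify before accepting a login; the RP ID is the article's example domain and the login origin is assumed.

```javascript
// Added illustration, not EmpowerID code. RP ID from the article; origin assumed.
const RP_ID = "sso.empoweriam.com";
const EXPECTED_ORIGIN = "https://" + RP_ID;

// Registration (navigator.credentials.create). "PIN/biometric" in the article is
// WebAuthn user verification; a plain touch is user presence only. Only the
// usernameless flow needs a discoverable (resident) key bound to the RP ID.
function creationOptions(flow, challenge, user) {
  const usernameless = flow === "UsernamelessLogin";
  return {
    rp: { id: RP_ID, name: "EmpowerID" },
    user, // { id: Uint8Array, name, displayName } for the EmpowerID Person
    challenge, // server-generated random bytes, remembered for this session
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection: {
      residentKey: usernameless ? "required" : "discouraged",
      requireResidentKey: usernameless,
      userVerification: flow === "MFA" ? "discouraged" : "required",
    },
    attestation: "none",
  };
}

// Authentication (navigator.credentials.get). MFA and PasswordlessLogin know the
// username, so they list that person's registered credential ids; Usernameless
// sends an empty list and the authenticator offers its resident key(s) instead.
function requestOptions(flow, challenge, credentialIds = []) {
  const usernameless = flow === "UsernamelessLogin";
  return {
    rpId: RP_ID,
    challenge,
    allowCredentials: usernameless ? [] : credentialIds.map((id) => ({ type: "public-key", id })),
    userVerification: flow === "MFA" ? "discouraged" : "required",
  };
}

// Server side: decode the browser-produced clientDataJSON (base64url) and reject
// anything that is not a fresh assertion for our challenge from our login origin.
function verifyClientData(clientDataB64url, expectedChallenge) {
  const data = JSON.parse(Buffer.from(clientDataB64url, "base64url").toString("utf8"));
  if (data.type !== "webauthn.get") return { ok: false, reason: "wrong ceremony type" };
  if (data.challenge !== expectedChallenge) return { ok: false, reason: "challenge mismatch" };
  if (data.origin !== EXPECTED_ORIGIN) return { ok: false, reason: "unexpected origin" };
  return { ok: true };
}

// Constructed sample of what a browser sends back, for trying the checks offline.
function sampleClientData(origin, challenge) {
  const json = JSON.stringify({ type: "webauthn.get", challenge, origin, crossOrigin: false });
  return Buffer.from(json, "utf8").toString("base64url");
}
```

The signature over authenticatorData and the clientDataJSON hash, the user-verified flag, and the signature counter must still be checked with a WebAuthn library; this block covers only the request shapes and the client-data sanity checks.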

Special Features / Use Cases

  1. A single FIDO2 authenticator device can be associated with more than one identity.

  2. A single identity can have at most the number of FIDO2 assets specified by the MaximumRegisteredAssetsPerPersonPerType system setting.

  3. During any of the login flows, if a FIDO2 authenticator associated with more than one identity is presented, the user will be prompted to choose the identity to log in with (see image below).

  4. Users can run the “RegisterFido2Authenticator” workflow to register additional FIDO2 authenticator devices.
