More and more authentication methods are available in Workspace One Access, and one of them is FIDO2. I've seen multiple use cases with the well-known Yubico security keys.
But did you know you can also use Windows Hello as a security key? To put it in context: you can use biometrics or a PIN as the identifier and log in to Workspace One Access without sending credentials!
Rock On!
How does FIDO2 work?
FIDO2 is like having a digital key that unlocks your online accounts instead of typing passwords. Here's how it works:
Getting Set Up:
You register your digital key (this could be a dedicated USB device, or the fingerprint reader or camera built into your phone or laptop) with your online account.
Your digital key generates a key pair that is unique to that account: the public half is stored on the account's server, and the private half never leaves your device.
Logging In:
When you want to log in, instead of typing your password, the website sends your digital key a one-time challenge and asks it for proof.
Your digital key signs the challenge with the private half, so the answer proves you hold the key without ever revealing it.
The website checks the signature against the stored public half, and if it matches, you're in!
The cool part? No more entering passwords, and it's much safer too: no password is sent over the internet at all, and the signed challenge is only valid for that site and that login attempt. It's like using a super-secure key to unlock your accounts instead of a flimsy password.
The configuration
Windows Hello
Microsoft achieved FIDO2 certification around May 2019, and it works out of the box since the Windows 10 May 2019 update. Since it has been around for a while, and I hope you're on an OS newer than Windows 10 May 2019, it should work right away. Needless to point out, you should already have Windows Hello enabled and configured. I added the link to the sources below.
Workspace One Access
1. Go to Integrations, Authentication Methods and enable FIDO2.
2. Next, edit your authentication policy so we can define the rules that apply when registering a FIDO2 authenticator. We do want additional MFA when registering, right?
Add a rule. In my example below I use ALL RANGES and ALL DEVICE TYPES. The most important part is to enable "and user is registering FIDO2 authenticator".
I chose to use Password with additional authentication through Hub or Authenticator. Configure according to your requirements.
3. Now add or edit your policy rule(s) and enable FIDO2 (and of course add additional methods for extra security, for example Intelligent Hub Push MFA).
That was the configuration part, easy right?
The User Experience
Well, this is what it is all about right? So, let's wake Mr. Freeman and register a Passkey!
"Rise and shine, Mr. Freeman. Rise and shine. Not that I wish to imply you have been sleeping on the job. No one is more deserving of a rest. And all the effort in the world would have gone to waste until... well, let's just say your hour has come again. The right man in the wrong place can make all the difference in the world. So, wake up, Mr. Freeman!"
Registration
1. When browsing to Workspace One Access, the user gets this screen; click on "Register".
2. The user needs to authenticate according to the "FIDO registration policy" (off topic, but did you notice the new OR method in the policies? With it the user can choose the MFA method instead of relying on FALLBACK).
3. Click on "Select Authenticator".
4. Windows Security will pop up. I always log in with a compatible Windows Hello camera, so it immediately recognizes me. Click OK.
5. Now the key is saved
6. The user needs to enter a specific name for this “key”. In this example I enter “HomeComputer”
7. And the key is registered!
Logging In:
1. Click on the “Sign in with FIDO2 Authenticator” button.
2. Select the passkey.
3. Windows Security uses my Hello camera and immediately recognizes me once again. Click OK.
4. And the user is in!
Remove a passkey:
There are two parts in play: the key in Workspace One Access and the passkey on the local device.
1. Workspace One Access:
Look up the user in Workspace One Access and go to "Two-Factor Authentication"; here you will find the FIDO2 key.
2. Device:
Remove the passkey in Accounts by clicking on the dots next to the specific passkey.
Conclusion, sidenotes & some sources:
I think this is a great alternative for machines where certificates are not an option, but you still want a user-friendly login experience.
The passkey is device-specific; you can limit the number of passkeys a user can register in the FIDO2 authentication method.
Think about additional MFA in combination. Push MFA such as Intelligent Hub is very user-friendly: I don't have to enter any credentials, yet I still do MFA.
Sources:
Questions, remarks or want to debate the solution? Feel free to contact me!