How to Enable FIDO2 Authentication

FIDO2 is an authentication standard hosted by FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys.

Delinea leverages the WebAuthn API to enable passwordless authentication to the Privileged Access Service using either on-device or external authenticators. On-device authenticators are biometric authenticators integrated into the device hardware. Popular examples are Mac Touch ID, Windows Hello, and fingerprint scanners. External authenticators are security keys that you plug into the device's USB port; for example, a YubiKey.

Refer to https://webauthn.io/ and https://fidoalliance.org/fido2/ for more information about WebAuthn and FIDO2, respectively.

To enable FIDO2 authentication for users:

  1. Log in to Admin Portal.

  2. Click Access > Policies.

  3. Select a policy set or create a new one.

  4. Specify the users/roles to which this policy applies using the Policy Assignment options.

    This configuration option is particularly important if you are creating a new policy.

  5. Click User Security Policies > User Account Settings.

  6. Select Yes in the Enable users to register FIDO2 Authenticators drop-down box.

  7. Choose Yes or No in the Require users to setup FIDO2 Authenticator on login drop-down.

  8. Enter a name in the FIDO2 Security Key Display Name field.

    This name should be recognizable by your users.

  9. (Optional) Select an authentication profile to require users to provide additional authentication before they can activate and modify the FIDO2 Authenticator in the Admin Portal.

    See Creating Authentication Profiles for information about authentication profiles.

  10. Click Save.

Users can now log in to Admin Portal and activate their FIDO2 authenticator(s). You can direct users to Using FIDO2 Authenticators for activation instructions.

Using FIDO2 Authenticators with a New Tenant URL

FIDO2 authenticators are associated with the portal URL. If your company gets a new portal URL, whether because you configured a tenant URL or for another reason, then users with FIDO2 authenticators will need to log in with the new URL and re-activate their authenticators. Users who do not activate their authenticators on the new URL will not see their authenticator as an authentication option. For example, if you are changing the URL from https://aad0123.my.abc.com to https://company.my.abc.com, then users who authenticated to https://aad0123.my.abc.com using their FIDO2 authenticator must log in to the new URL -- https://company.my.abc.com -- and activate their authenticator.

Verify the following to ensure a smooth transition for your users:

  1. You have configured an alternative authentication mechanism for FIDO2 users so they can log in with the new URL and activate their FIDO2 authenticator(s). For example, if you have a role containing all your users with FIDO2 authenticator(s), then make sure the authentication profile associated with that role has email address or security questions enabled. See Reference Content — Authentication for information about each authentication mechanism.

  2. You have confirmed with the relevant users that they can log in to Privileged Access Service using the alternative authentication mechanisms and they have re-activated the FIDO2 authenticator(s). Instructions for users to activate their FIDO2 authenticator(s) are here: Using FIDO2 Authenticators.