FIDO2 (YubiKey) Two-Factor Authentication Configuration
Overview
FIDO2
FIDO2 (Fast Identity Online, second edition) is an open authentication standard that uses physical devices for authentication. Delinea uses this standard for two-factor authentication (2FA), with FIDO2 providing the second factor after a normal password entry. Any FIDO2-enabled user attempting to access a Secret Server account must have a FIDO2 device in hand. The device eliminates many password-related issues, such as phishing and man-in-the-middle attacks. It also speeds up the login process compared with callback or text-message 2FA.
YubiKey
YubiKey is a FIDO2-compliant product series from Yubico, a commercial company. We recommend two of their devices, the YubiKey 5 Series and the Security Key.
Configuration
Prerequisites
- One FIDO2 device. We recommend the YubiKey series.
- A Secret Server Vault license or greater.
- Administer Users or User Owner permissions in Secret Server.
- A Firefox or Chromium browser, such as Google Chrome or Microsoft Edge.
Enabling FIDO2 for a Single User
- In Secret Server, go to Access > Users. The User Management page appears.
- Click on the user you wish to edit.
- Click Edit in the User Details section at the top of the page (in the General tab).
- Click the Multifactor Authentication list and select FIDO2.
- Click the Save button.
Enabling FIDO2 for Multiple Users
- In Secret Server, go to Access > Users. The User Management page appears.
- Select the check box next to each user you wish to include. The Enable Users link appears at the top alongside the Disable Users link.
- Click the three dots next to Enable Users and select Enable Two-Factor Authentication from the dropdown list.
- In the Enable Two-Factor Authentication popup, select FIDO2 in the Two-Factor Authentication Provider drop-down list.
- Click the Save button. The Bulk Progress popup appears.
- When the Task Complete message appears, click the Close button.
Disabling FIDO2 for Users
The process to disable FIDO2 for both single and multiple users is almost identical to enabling them. There are two differences:
- For a single user, select <None> in the Multifactor Authentication list on the Edit User page, and then click Save.
- For multiple users:
  - Select Disable Two-Factor Authentication in the drop-down list made available after selecting multiple user check boxes on the User Management page. The Disable Two-Factor Authentication popup appears.
  - In the popup, select FIDO2 and then click Save. See the previous section for a visual example.
Unregistering Users from FIDO2
Resetting FIDO2 unregisters existing users. There is no way to reverse this action: affected users will have to re-register their FIDO2 device, even if it is the same device they used previously.
Resetting FIDO2 for single and multiple users is very similar to enabling FIDO2 for multiple users. The only difference is that you select Reset Two-Factor Authentication in the drop-down list made available after selecting one or more user check boxes on the User Management page. See the previous section for a visual example. The operation is exactly the same for single and multiple users.
Registering FIDO2 Devices (End-User Operation)
- After an admin enables FIDO2 for your user in Secret Server, you are prompted upon your next login either to use your security key with localhost (Chrome) or with the message "localhost wants to register an account with one of your security keys. You can connect and authorize one now or cancel" (Firefox).
- Insert your FIDO2 device into a USB port on the computer.
- Activate it by touching the sensor on the device.
- After a successful registration, you are prompted with the same screen again; this time it authenticates the current session with the credential that was just registered.
- From then on, you are prompted for your security key after each successful password login. Once the key is authenticated, the Secret Server Dashboard appears.
Auditing and Security
- Upon registration, your FIDO2 Credential, FIDO2 Public Key JSON string, and FIDO2 Counter are all stored in your user's audit log.
- Upon each successful FIDO2 authentication, the FIDO2 Counter value is updated and noted in your audit log.
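As an added illustration (not Delinea's or Secret Server's own code), this is the check a relying party performs behind the counter entry described above: parse the authenticatorData a FIDO2 device returns, compare its signature counter to the stored value, and record the outcome. The user record layout, the "localhost" RP ID and the sample assertions are constructed for the example.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticatorData flags byte
FLAG_UP = 0x01  # user present (sensor touched)
FLAG_UV = 0x04  # user verified (PIN or biometric)

def parse_authenticator_data(data: bytes) -> tuple:
    """Parse the fixed 37-byte prefix of authenticatorData:
    rpIdHash (32) | flags (1) | signCount (4, big-endian). Returns (rp_id_hash, flags, sign_count)."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return data[:32], data[32], sign_count

def check_sign_count(stored: int, received: int) -> str:
    """WebAuthn counter rule: when either value is non-zero, the received counter must be
    strictly greater than the stored one; a counter that does not advance suggests a clone."""
    if stored == 0 and received == 0:
        return "no-counter"  # authenticator does not implement a counter
    return "ok" if received > stored else "possible-clone"

def process_assertion(user: dict, auth_data: bytes, rp_id: str) -> str:
    """Verify RP ID hash, user presence and counter; store the new counter only on
    success and append an audit entry either way (hypothetical record layout)."""
    rp_id_hash, flags, sign_count = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        verdict = "wrong-rp"
    elif not flags & FLAG_UP:
        verdict = "no-user-presence"
    else:
        verdict = check_sign_count(user["fido2_counter"], sign_count)
        if verdict == "ok":
            user["fido2_counter"] = sign_count
    user["audit_log"].append({"event": "fido2_auth", "verdict": verdict, "counter": sign_count})
    return verdict

def make_auth_data(rp_id: str, flags: int, count: int) -> bytes:
    """Constructed sample authenticatorData; no real authenticator is involved."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)

def demo() -> tuple:
    rp_id = "localhost"  # constructed RP ID, matching the browser prompts quoted above
    user = {"fido2_counter": 41, "audit_log": []}  # constructed user record
    first = process_assertion(user, make_auth_data(rp_id, FLAG_UP | FLAG_UV, 42), rp_id)
    replay = process_assertion(user, make_auth_data(rp_id, FLAG_UP | FLAG_UV, 42), rp_id)
    other = process_assertion(user, make_auth_data("other.example", FLAG_UP, 43), rp_id)
    return first, replay, other, user["fido2_counter"], len(user["audit_log"])
```

The second assertion reuses counter 42 and is flagged as a possible clone without advancing the stored value, which is the condition an audit-log review of the FIDO2 Counter would surface.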
Troubleshooting and Issues
- If you encounter an error or do not complete authentication before the process times out, you are redirected back to the username and password login screen, where the process can be reattempted.
- Authentication activities are logged in your audit log to help track the reproduction steps for any issue.
- System errors are logged in the Secret Server.log file in the Secret Server log directory.