FIDO2 (YubiKey) Two-Factor Authentication Configuration
Overview
FIDO2
FIDO2 (Fast Identity Online, second edition) is an open authentication standard that uses physical devices for authentication. Delinea uses it for two-factor authentication (2FA): FIDO2 provides the second factor after a normal password entry, so any FIDO2-enabled user attempting to access a Secret Server account must have a FIDO2 device in hand. The device eliminates many password-related issues, such as phishing and man-in-the-middle attacks. It also speeds up the logon process compared to callback or texting 2FA.
YubiKey
YubiKey is a FIDO2-compliant product series from Yubico, a commercial company. We recommend two of their devices: the YubiKey 5 Series and the Security Key by Yubico.
Configuration
FIDO2 configuration follows these steps, which we cover in detail in this section:
- Enable FIDO2 in your Secret Server.
- Set up the user's credentials.
- Distribute the FIDO2 device to the user.
- The user registers his or her device.
Prerequisites
- One FIDO2 device. We recommend the YubiKey series.
- A Secret Server Vault license or greater.
- Administer Users or User Owner permissions in SS.
- A Firefox or Chrome browser.
Enabling FIDO2 for a Single User
- In Secret Server, go to Admin > Users. The User Management page appears.
- Click on the related user to proceed to the User page.
- Click Edit in the User Details section.
- Click on the Multifactor Authentication list and select FIDO2.
- Click the Save button.
Enabling FIDO2 for Multiple Users
- In Secret Server, go to Admin > Users. The User Management page appears.
- Click to select the unlabeled check box next to each user you wish to include. The Enable Users link appears at the top.
- Click the three dots next to Enable Users and select Enable Two-Factor Authentication from the dropdown list.
- In the Enable Two-Factor Authentication popup, select FIDO2 in the Two-Factor Authentication Provider list and click the Save button. The Bulk Progress popup appears.
- When the Task Complete message appears, click the Close button.
Disabling FIDO2 for Users
Disabling FIDO2 for users, whether single or multiple, is almost the same as enabling it. There are two differences:
- For a single user, select <None> for the Multifactor Authentication list on the Edit User page.
- For multiple users, select Disable Two-Factor Authentication in the Select Bulk Operation list on the Users page.
Unregistering Users from FIDO2
Resetting FIDO2 serves to unregister existing users. There is no way to reverse it: users will have to re-register a FIDO2 device, even if it is the same one.
Resetting FIDO2 for both single and multiple users is very similar to enabling FIDO2 for multiple users. The only difference is that you select Reset Two Factor Authentication in the Select Bulk Operation list on the Users page. That is right: even for a single user, you use the bulk operation.
Registering FIDO2 Devices (End User Operation)
- After an admin registers the user in Secret Server, the user is prompted upon his or her next logon. The prompt differs slightly between Chrome and Firefox.
- The user inserts his or her FIDO2 device into a USB port on the computer.
- The user activates it by touching the sensor on the device.
- After successful registration, the user is again prompted with the same screen, which authenticates the current session against the credentials that were just registered.
- From then on, the user is prompted for his or her security key after a successful username-password login. Once the key is authenticated, the Secret Server Dashboard appears.
Auditing and Security
- Upon registration, the user's FIDO2 Credential, the FIDO2 Public Key JSON string, and the FIDO2 Counter are stored in the user's audit log.
- Upon each successful FIDO2 authentication, the FIDO2 counter value is updated and noted in the User's audit log.
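The counter stored in the audit log is the FIDO2 signature counter that the relying party checks on every authentication. The following added example (not Secret Server code; all names, the relying party ID `vault.example.com` and the sample authenticator data are constructed for illustration) shows how a server parses the counter out of WebAuthn authenticatorData and why a value that does not increase is treated as a possible cloned key.

```python
import hashlib
import struct
from dataclasses import dataclass, field


@dataclass
class StoredCredential:
    """What the server keeps per registered FIDO2 device (hypothetical shape)."""
    credential_id: bytes
    sign_count: int
    audit_log: list = field(default_factory=list)


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> dict:
    """Split the fixed 37-byte authenticatorData prefix:
    rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected relying party")
    return {"user_present": bool(flags & 0x01),
            "user_verified": bool(flags & 0x04),
            "sign_count": sign_count}


def verify_counter(cred: StoredCredential, auth_data: bytes, rp_id: str) -> bool:
    """Accept the assertion only if presence was confirmed and the counter advanced."""
    parsed = parse_authenticator_data(auth_data, rp_id)
    if not parsed["user_present"]:
        cred.audit_log.append("REJECT: user-presence flag not set")
        return False
    new = parsed["sign_count"]
    # WebAuthn rule: if either counter is non-zero, the new value must be strictly
    # greater than the stored one. A stale or repeated counter suggests the key was cloned.
    if (new != 0 or cred.sign_count != 0) and new <= cred.sign_count:
        cred.audit_log.append(f"REJECT: counter {new} <= stored {cred.sign_count} (possible clone)")
        return False
    cred.audit_log.append(f"OK: counter {cred.sign_count} -> {new}")
    cred.sign_count = new  # persist the new value, as the audit entry above records
    return True


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData for the demo, not a real device capture."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

Authenticators that always report a counter of 0 skip the comparison, which is why the check is conditional on at least one side being non-zero.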
Troubleshooting and Issues
- If the user encounters an error or does not fulfill the authentication before the process times out, the user is redirected back to the username and password log on screen where the process can be reattempted.
- Authentication activities are logged in the user's audit log.
- System errors are logged in the Secret Server.log file in Secret Server's log directory.