Set up FIDO2 authentication
This article applies to Digital Access version 6.8.0 and later versions.
This article describes how to set up FIDO2 as an authentication method in the Smart ID Digital Access component. The FIDO authentication method supports cross-platform Security Keys as the Authenticator Attachment and allows the signing algorithms ES256, EdDSA, ES384, ES512, RS256, RS384 and RS512.
Prerequisites
Step-by-step instruction
Enable self-service for FIDO registration
Log in to Digital Access Admin with an administrator account.
Go to Manage Accounts and Storage > Self Service > FIDO2 Provisioning.
Check the checkbox Enable FIDO2 (WebAuthn) credentials Self Service Provisioning.
When this is enabled, an API is automatically added to the Web Resource "api" at /rest/<version>/webauthn/registration, and a web page is added to the Web Resource "Access Point" at /wa/fido/fidoProfileProvisioning.html.
Caution:
It is strongly recommended to protect the above resources with multi-factor authentication. This ensures strong authentication required for users to create FIDO2 Credentials via self-service.
Add FIDO2 authentication method
Log in to Digital Access Admin with an administrator account.
Go to Manage System > Authentication Methods.
Click Add Authentication Method... and select FIDO. Click Next.
Enter a Display Name for the authentication method.
Configure Relying Party Settings
Enter Relying Party ID as a valid domain string that identifies the WebAuthn Relying Party. When an authenticator is registered to a Relying Party, that registration is only valid for authenticating to that Relying Party.
An example of Relying Party ID is "login.example.com".
Enter a Relying Party Name.
Caution:
It is not recommended to change the Relying Party Settings after FIDO2 credentials have been registered for a user, since this would cause authentication to fail.
Configure Registration Settings (Optional)
Choose Discoverable Credentials, which specifies whether the credential should be discoverable during authentication. If Discoverable Credential (formerly known as Resident Credential or Resident Key) is set to Required, users can authenticate username-less and do not need to enter a username during the authentication flow. Required is the default setting.
Refer to the Security Key vendor for details on supported browsers and whether Resident Credentials are supported.
Choose User Verification, which specifies whether user verification is needed during registration. Required is the default setting.
Configure Authentication Settings (Optional)
Choose User Verification, which specifies whether user verification is needed during authentication. Required is the default setting.
Click Add Authentication Method Server… and select an authentication server.
Click Next >, Next > and Next >.
In Extended Properties add relevant properties for the authentication method.
Click Next > and then Finish Wizard.
Click Publish, which is marked blue to show that updates have been made.