FIDO authentication
Note
FIDO authentication requires the STA or STA Premium plan. For more information, see Subscription plans.
You can allow users in a virtual server to self-provision a passkey on a computer or mobile platform authenticator, or on a physical security key, like a USB stick or smart card. Built-in platform authenticators include Windows Hello for Business and other biometrics, like fingerprint and face ID on mobile platforms and computers.
STA does not differentiate between platform authenticators and security keys. When FIDO authentication is required, no fallback authentication method is available.
You can add FIDO as an authentication requirement in your policies and scenarios. When a policy or scenario requires FIDO authentication, a user must log in with their FIDO token.
Before you can turn off FIDO authentication, you must remove it from all policies and scenarios.
All FIDO authentications and errors are logged in the access logs.
Add FIDO authenticators
You can enable users to enroll up to nine FIDO passkeys during authentication. This lets users access resources from an alternative device, such as a secondary PC or mobile phone.
To enable users to enroll multiple FIDO authenticators:
- On the STA Access Management console, select the Settings tab.
- Under Authentication, select FIDO-Based Authentication.
- Select Edit.
- Enter the maximum number of FIDO authenticators that a user can enroll and then select Save.
If you allow users to self-provision more than one FIDO authenticator, the option to add an authenticator is displayed during login, after they cancel the FIDO prompt.
Add FIDO authentication to policies
You can add FIDO as an authentication requirement in your policies and scenarios. FIDO authentication can be used in combination with a password, but it cannot be used with token-based authentication (OTP) or certificate-based authentication (CBA).
- On the STA Access Management console, select Policies.
- Add a policy or scenario, or select a policy or scenario to edit.
- Select the users and applications.
- In the Decision section, select FIDO and then select how often you want users to authenticate with their FIDO token.
  The FIDO option is available only if FIDO is enabled for some users in Settings > FIDO.
- Select Save.
Manage FIDO authenticators
To manage FIDO authenticators for specific users:
- Follow the instructions in View users on the STA Access Management console.
- To view a user's details, groups, and applications, select the user and then select the Overview tab.
- To view a user's access details, select the user and then select the Access Attempts tab.
- To view a user's authenticator details, select the user and then select the Authenticators tab.
- To delete a FIDO authenticator, from the Authenticators tab, select the icon for the FIDO authenticator and then select Delete.
- To view information about FIDO access attempts, see the access logs.
Delete FIDO authentication from policies
You can delete FIDO as an authentication requirement in your policies and scenarios.
- On the STA Access Management console, select Policies.
- In the Decision section, unselect FIDO and then select how often you want users to authenticate with their FIDO token.
  The FIDO option is available only if FIDO is enabled for some users in Settings > FIDO.
- Select Disable.
Self-provision with FIDO
To test your setup and ensure that it works as intended, you can follow the self-provisioning steps that your users will follow. See self-provisioning rules for groups.
Prerequisites
- Group: You need a group that you can use for self-provisioning FIDO tokens.
- Users: The users must not already have a FIDO authenticator enrolled, and must be assigned to the FIDO group.
- FIDO: FIDO must be enabled in Settings > FIDO.
- Self-provisioning: Self-provisioning must be allowed for the group that will use FIDO.
- Policy: An authentication policy must apply to the FIDO group and to an application that you can use for self-provisioning, such as the User Portal. The policy must require authentication with FIDO.
- Application: The application must be covered by the authentication policy.
User self-provisioning steps
- Go to the logon page for the application (for example, the User Portal).
- Select Start.
- Enter the Username and then select Login.
- Select Add Authenticator.
- Enter either your synced password (if you have one) or the Verification code that was sent by email.
  The verification code is sent only if no synced password is available.
- Select Security Key or Windows Hello, and then select Submit.
  There might be additional options on the Add Authenticator screen, depending on your policies and self-provisioning configuration.
- Follow the browser instructions. There are different steps for different types of FIDO tokens.
  For example, for some security keys, you might need to insert the key into your computer and touch the key, or for Windows Hello you might need to use the camera, fingerprint reader, or a PIN.
- If you see a message that requests access to your security key, camera, or fingerprint reader, select Allow.
- Enter an Authenticator Nickname and select Continue.
- Log in with your FIDO token.
- Follow the steps for your FIDO token.