Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Thales Authenticator Lifecycle Manager

FIDO Key Management

search

FIDO Key Management

FIDO Key Management provides administrators with secure and real-time control over FIDO authenticators connected to the local workstation. Using the Thales Authenticator Lifecycle Service (running on port 9333), administrators can perform FIDO device discovery, registration, configuration, lifecycle operations (such as device reset and revocation), and functional testing.

The FIDO Key Management window is optimized for routine device operations and complements the Device Inventory by enabling actions that require physical access to a FIDO key.

Under FIDO Key Management, administrators can perform the following operations:

Connect to the Thales Authenticator Lifecycle Service

For each new login session, Thales Authenticator Lifecycle Manager automatically connects to the Thales Authenticator Lifecycle Service before you perform any operations on FIDO devices.

When you open the FIDO Key Management window, the connection to the Thales Authenticator Lifecycle Service (Windows service) is established automatically. If the service is stopped or the automatic connection attempt fails, click Connect to Service to retry.

After the connection is successfully established, the Service Connected message is displayed.

Do not perform device operations in multiple browser tabs simultaneously, as performing actions such as configuration, enrollment, reset, or remote unlock across different tabs at the same time may lead to unexpected errors or inconsistent device or service behavior.

View Connected FIDO Devices List

Once the Thales Authenticator Lifecycle Service is connected, it automatically begins scanning for connected FIDO devices. After the scanning is complete, the detected devices are loaded and displayed on the window.

Note

Additional devices can be connected at any time, and clicking the Refresh button will load them and display on the window.

The connected FIDO devices are displayed in a collapsible list. Device details are presented in two views to help administrators access information efficiently.

  • Summary View: Displays essential device details in a compact format for quick identification and action. The summary view displays:

    • Device name
    • Device serial number
    • Device status as NOT CONFIGURED, READY, CONFIGURED, ENROLLED, IN STOCK, and REVOKED

    Note

    NOT CONFIGURED devices can be configured by using the Configure button and CONFIGURED devices can be assigned to users using the Assign button.

  • Expanded View: Displays complete device information, including lifecycle and compliance details, for in-depth management. After you click the expand arrow icon for the desired device, the following additional details are displayed:

    • AAGUID
    • FIDO Version
    • Device Type
    • Assigned User
    • Identity Provider
    • Policy Name

Configure FIDO Devices

Device configuration can be done using the following options:

Configure Multiple FIDO Devices

  1. Under Connected FIDO Devices, click Configure multiple devices.

  2. On the Devices configuration window, you can configure devices using one of the following two options:

    • Stop when done: Enables configuration of all devices that are currently connected. The process stops automatically once the configuration of these devices is complete.
    • Keep configuring new devices until I manually stop the process: Enables continuous configuration mode. When this option is selected, the system automatically detects and configures each new device connected one by one by the administrator for configuration. The process continues until you manually stop it. Device configuration using this option can be initiated even if no devices are currently connected.

Stop when done

  1. Under Policy, select a policy to be applied to the devices.

  2. Under Configuration mode, ensure that the Stop when done option is selected.

  3. Click Continue anyway.

  4. Under Confirm configuration settings, select Start Configuration.

    The device configuration is started. It may take some time to complete.

    During device configuration, each device appears in green as soon as its configuration is completed.

    Removing a device during configuration may result in an inconsistent device state.

  5. After the configuration completes successfully, the Configuration Completed message is displayed. Click Close.

    You can export the enrollment logs by clicking the Download report button to save a report (CSV or JSON) of the configuration session.

    After you click Close, Thales Authenticator Lifecycle Service automatically begins scanning for the connected FIDO devices. After the scanning completes, the detected devices are reloaded and displayed with their updated status under Connected FIDO Devices.

Keep configuring new devices

  1. Under Policy, select a policy to be applied to the devices.

  2. Under Configuration mode, select the Keep configuring new devices until I manually stop the process option.

    If an admin initiates the device configuration process when no devices are connected, the Keep configuring new devices until I manually stop the process option is selected by default.

  3. Click Continue.

  4. Under Confirm configuration settings, select Start Configuration.

  5. Thales Authenticator Life Cycle Manager waits for you to connect devices for configuration. Start connecting the devices to be configured.

    After you begin connecting the devices, Thales Authenticator Lifecycle Manager automatically starts configuring them. Each device is displayed in green as soon as its configuration is completed.

    Removing a device during configuration may result in an inconsistent device state.

  6. Click Stop configuration when you want to stop configuring additional FIDO devices.

  7. After the configuration completes successfully, the Configuration Completed message is displayed. Click Close.

    You can export the configuration logs by clicking the Download report button to save a report (CSV)of the configuration session.

    After you click Close, Thales Authenticator Lifecycle Service automatically begins scanning for the connected FIDO devices. After the scanning completes, the detected devices are reloaded and displayed with their updated status under Connected FIDO Devices.

Configure Selected FIDO Devices

  1. Under Connected FIDO Devices, select the FIDO devices to be configured, and click Configure devices.

  2. Under Device configuration, select a policy to be applied to the selected devices, and click Continue anyway.

  3. Under Confirm configuration settings, select Start Configuration.

    The device configuration is started. It may take some time to complete.

    During device configuration, each device appears in green as soon as its configuration is completed.

    Removing a device during configuration may result in an inconsistent device state.

  4. After the configuration completes successfully, the Configuration Completed message is displayed. Click Close.

    You can export the configuration logs by clicking the Download report button to save a report (CSV or JSON) of the configuration session.

    After you click Close, Thales Authenticator Lifecycle Service automatically begins scanning for the connected FIDO devices. After the scanning completes, the detected devices are reloaded and displayed with their updated status under Connected FIDO Devices.

Configure Specific FIDO Devices

  1. Under Connected FIDO Devices, select the target device, and click Configure.

  2. On the Configure Device window, select a policy to be applied to the device, and click Continue anyway.

    The configuration is started. It may take some time to complete.

  3. After the policy is successfully applied to the device, the Configuration Complete! message is displayed. Click Close.

    You can export the configuration logs by clicking the Download report button to save a report (CSV or JSON) of the configuration session.

Apply Linked Policy

Use the Apply Linked Policy action to quickly configure connected devices by applying their associated policies.

You can,

Apply Linked Policy to a Ready Device (Single Device)

  1. Under Connected FIDO Devices, locate the target device with the Ready status, and click Apply Linked Policy for the device.

  2. On the Configure Device window, select the policy to be applied to the device, and click Apply Policy.

  3. After the policy is successfully applied to the device, the Configuration Complete! message is displayed. Click Close.

    You can export the configuration logs by clicking the Download report button to save a report (CSV or JSON) of the configuration session.

Apply Linked Policy to Ready Devices (Bulk)

  1. Under Connected FIDO Devices, next to the Configure multiple device button, click the three-dots , and select Apply Linked Policy to Ready Devices.

  2. Review the list of the detected devices and click Start Configuration to configure the devices.

    The device configuration is started. It may take some time to complete.

    During device configuration, each device appears in green as soon as its configuration is completed.

    Removing a device during configuration may result in an inconsistent device state.

  3. After the configuration completes successfully, the Configuration Completed message is displayed. Click Close.

    You can export the configuration logs by clicking the Download report button to save a report (CSV or JSON) of the configuration session.

Assign FIDO Devices to Users

Once FIDO devices are configured, they can be assigned to users for authentication purposes.

  1. Under Connected FIDO Devices, search for and locate the device to be assigned to a user, and click Assign.

  2. On the Assign Device to User window, in the Select Identity Provider field, select an identity provider, and click Next.

  3. Search for the user to whom a device needs to be assigned, select the user, and click Next.

    Note

    For the SafeNet Trusted Access (STA) identity provider, search for a user using the exact user ID.

  4. Review the device assignment details and click Assign Device.

    You can enable the Send email notification toggle to notify users upon successful enrollment of their device(s).

  5. The Assign Device to User window is opened to verify the administrator’s presence. Touch the device when prompted (most devices blink).

  6. After the device enrollment is complete, the Enrollment Successful message is displayed. Click Done.

    You can export the enrollment logs by clicking the Download report button to save a report (CSV or JSON) of the enrollment session.

Tip

You can verify the device status by clicking the Refresh Devices button on the Connected FIDO Device window or by navigating to the Device Inventory window.

View Initial PIN

Administrators can view a device user PIN and Admin PIN for administrative verification.

Caution

Use this option only in secure environments to prevent unauthorized PIN exposure.

Permission-based visibility

The ability to view PIN values depends on the following permissions assigned to the administrator:

  • talm_device_userpin_read – Allows viewing the User PIN.
  • talm_device_adminpin_read – Allows viewing the Admin PIN (applicable to enterprise devices that support administrator mode).

PIN Visibility by Permission and Device Type

User PIN Permission talm_device_userpin_read Admin PIN Permission talm_device_adminpin_read Standard device Enterprise device
Enabled Enabled User PIN User PIN and Admin PIN
Disabled Enabled No Initial PIN option Admin PIN
Enabled Disabled User PIN User PIN
Disabled Disabled No Initial PIN option No Initial PIN option

Perform the following steps to view a device user PIN and/or Admin PIN:

  1. Under Connected FIDO Devices, search for and locate the device for which you want to view the PIN, click the three-dots icon for the device, and then select Initial PIN.

  2. On the Device PIN window, click on the Show Password icon to view a device user PIN and Admin PIN.

  3. Click Close to close the window.

Reset FIDO Devices

The Reset device operation restores a FIDO device to its default state. A reset operation deletes all configurations, including the user PIN.

Caution

Resetting a device is an irreversible operation that permanently deletes all previously enrolled credentials. Ensure that alternative access mechanisms are in place before initiating this operation.

  1. Under Connected FIDO Devices, search for and locate the device to be reset, click the three-dots icon for the device, and select Reset.

  2. On the Reset Device window, click Yes, Reset Device to confirm the operation.

  3. The next steps vary depending on whether the device is managed (admin-supported) or unmanaged (self-managed devices).

    • The Reset Device window appears. For managed devices, enter the Admin PIN when prompted, click Continue, and then proceed with the steps given below for unmanaged devices.

    • For unmanaged devices,

      1. Remove the device, reinsert the device, and click Device Reconnected.

      2. Touch the device when prompted to initiate the reset operation (most devices blink). Wait for the reset operation to complete.

  4. On successful device reset, the Reset Complete message is displayed. Click Close.

Unlock Devices

A FIDO device is locked after repeated incorrect PIN attempts. When the device is locked, the user cannot authenticate until it is successfully unlocked. Thales Authenticator Lifecycle Manager provides two secure options to unlock a device:

Physical Unlock

The physical unlock option is used when the administrator has direct access to the locked FIDO device. This method does not require interaction with the end user during the unlock process and is performed entirely within Thales Authenticator Lifecycle Manager.

Before starting the physical unlock process, ensure to complete the following prerequisites:

  • An administrator account or admin role is required to perform the operation.
  • The locked FIDO device is physically available and can be connected to the administrator’s workstation.

Perform the following steps to unlock the FIDO device:

  1. Log in to Thales Authenticator Lifecycle Manager as an administrator, go to the FIDO Keys menu, and connect the locked FIDO device to the administrator workstation.

  2. The locked device is listed under Connected FIDO Devices. Click the three-dots icon for the device and select Unlock.

  3. Under Unlock device, select one of the following options to generate a new PIN:

    • Use random PIN: Thales Authenticator Lifecycle Manager generates a new PIN automatically for the device.

    • Choose PIN: Manually set a new PIN for the device.

  4. Click Submit to complete the operation.

    After the device is successfully unlocked, the success message is displayed.

  5. Click Close.

On this page