FIDO Key Management
FIDO Key Management provides administrators with secure and real-time control over FIDO authenticators connected to the local workstation. Using the Thales Authenticator Lifecycle Service (running on port 9333), administrators can perform FIDO device discovery, registration, configuration, lifecycle operations (such as device reset and revocation), and functional testing.
The FIDO Key Management window is optimized for routine device operations and complements the Device Inventory by enabling actions that require physical access to a FIDO key.
Under FIDO Key Management, administrators can perform the following operations:
Connect to the Thales Authenticator Lifecycle Service
For each new login session, the administrator needs to connect to the Thales Authenticator Lifecycle Service before performing any operations on FIDO devices.
On the FIDO Key Management window, under Thales Authenticator Lifecycle Service Required, click Connect to Service to establish a connection with the Thales Authenticator Lifecycle Service (Windows service).

After the connection is successfully established, the Service Connected message is displayed.
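Because this service can reset devices and reveal PINs, it is worth confirming what is listening on port 9333 before you connect. The following is an added example, not vendor code: it assumes the service uses TCP, and the page does not state which address the service binds to, so treat the loopback check as a hardening expectation rather than documented behavior.

```powershell
# Added example (not vendor code). Port 9333 is the value the page gives;
# TCP transport is an assumption.
$Port     = 9333
$Loopback = @('127.0.0.1', '::1')

# All sockets in LISTEN state on the service port.
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue

if (-not $listeners) {
    Write-Warning "No TCP listener on port $Port. The service may be stopped."
}
else {
    foreach ($l in $listeners) {
        # Resolve the owning process and, if it is a Windows service, its name.
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $svc  = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $($l.OwningProcess)" -ErrorAction SilentlyContinue

        # Authenticode status of the binary that owns the port (path needs elevation).
        $sig = if ($proc.Path) { (Get-AuthenticodeSignature -FilePath $proc.Path).Status } else { 'PathUnavailable' }

        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            ProcessId    = $l.OwningProcess
            ProcessPath  = $proc.Path
            ServiceName  = ($svc.Name -join ', ')
            Signature    = $sig
            # False means the listener is bound to a non-loopback address.
            LoopbackOnly = $l.LocalAddress -in $Loopback
        }
    }
}
```

Run it from an elevated prompt so that the process path of the service resolves. A row with LoopbackOnly set to False means the port is reachable from other hosts unless a firewall rule blocks it.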

View Connected FIDO Devices List
Once the Thales Authenticator Lifecycle Service is connected, it automatically begins scanning for connected FIDO devices. After the scanning is complete, the detected devices are loaded and displayed on the window.
Note
Additional devices can be connected at any time. Click the Refresh button to load them and display them on the window.
The connected FIDO devices are displayed in a collapsible list. Device details are presented in two views to help administrators access information efficiently.
- Summary View: Displays essential device details in a compact format for quick identification and action. The summary view displays:
  - Device name
  - Device serial number
  - Device status as CONFIGURED or NOT CONFIGURED.
  Note
  NOT CONFIGURED devices can be configured by using the Configure button, and CONFIGURED devices can be assigned to users using the Assign button.
- Expanded View: Displays complete device information, including lifecycle and compliance details, for in-depth management. After you click the expand arrow icon for the desired device, the following additional details are displayed:
  - AAGUID
  - FIDO Version
  - Device Type
  - Status (CONFIGURED, NOT CONFIGURED, ENROLLED, or REVOKED)
  - Assigned User
  - Identity Provider
  - Policy Name

Configure FIDO Devices
Device configuration can be done using the following options:
- Configure Multiple FIDO Devices - To configure all the devices using a single policy in one operation.
- Configure Selected FIDO Devices - To configure selected devices using a single policy in one operation.
- Configure Specific FIDO Devices - To configure a specific device by applying a selected policy.
Configure Multiple FIDO Devices
- Under Connected FIDO Devices, click Configure multiple devices.
- On the Devices Configuration window, you can configure devices using one of the following two options:
  - Stop when done: Enables configuration of all devices that are currently connected. The process stops automatically once the configuration of these devices is complete.
  - Keep configuring new devices until I manually stop the process: Enables continuous configuration mode. When this option is selected, the system automatically detects and configures each new device as the administrator connects the devices one by one. The process continues until you manually stop it. Device configuration using this option can be initiated even if no devices are currently connected.
Stop when done
- Under Policy, select a policy to be applied to the devices.
- Under Configuration mode, ensure that the Stop when done option is selected.
- Click Continue.
- Under Confirm configuration settings, select Start Configuration.
  The device configuration is started. It may take some time to complete.
  During device configuration, each device appears in green as soon as its configuration is completed.
- After the configuration completes successfully, the Configuration Completed message is displayed. Click Close.
  After you click Close, Thales Authenticator Lifecycle Service automatically begins scanning for the connected FIDO devices. After the scanning completes, the detected devices are reloaded and displayed with their updated status under Connected FIDO Devices.

Keep configuring new devices
- Under Policy, select a policy to be applied to the devices.
- Under Configuration mode, select the Keep configuring new devices until I manually stop the process option.
  If an admin initiates the device configuration process when no devices are connected, the Keep configuring new devices until I manually stop the process option is selected by default.
- Click Continue.
- Under Confirm configuration settings, select Start Configuration.
- Thales Authenticator Lifecycle Manager waits for you to connect devices for configuration. Start connecting the devices to be configured.
  After you begin connecting the devices, Thales Authenticator Lifecycle Manager automatically starts configuring them. Each device is displayed in green as soon as its configuration is completed.
- Click Stop Configuration when you want to stop configuring additional FIDO devices.
- After the configuration completes successfully, the Configuration Completed message is displayed. Click Close.
  After you click Close, Thales Authenticator Lifecycle Service automatically begins scanning for the connected FIDO devices. After the scanning completes, the detected devices are reloaded and displayed with their updated status under Connected FIDO Devices.

Configure Selected FIDO Devices
- Under Connected FIDO Devices, select the FIDO devices to be configured, and click Configure devices.
- Under Device configuration, select a policy to be applied to the selected devices, and click Continue.
- Under Confirm configuration settings, select Start Configuration.
  The device configuration is started. It may take some time to complete.
  During device configuration, each device appears in green as soon as its configuration is completed.
- After the configuration completes successfully, the Configuration Completed message is displayed. Click Close.
  After you click Close, Thales Authenticator Lifecycle Service automatically begins scanning for the connected FIDO devices. After the scanning completes, the detected devices are reloaded and displayed with their updated status under Connected FIDO Devices.

Configure Specific FIDO Devices
- Under Connected FIDO Devices, select the target device, and click Configure.
- On the Configure Device window, select a policy to be applied to the device, and click Apply Policy.
  The configuration is started. It may take some time to complete.
- After the policy is successfully applied to the device, the Configuration Complete! message is displayed. Click Close.

Assign FIDO Devices to Users
Once FIDO devices are configured, they can be assigned to users for authentication purposes.
- Under Connected FIDO Devices, search for and locate the device to be assigned to a user, and click Assign.
- On the Assign Device to User window, in the Select Identity Provider field, select an identity provider, and click Next.
- Search for the user to whom a device needs to be assigned, select the user, and click Next.
  Note
  For the SafeNet Trusted Access (STA) identity provider, search for a user using the exact user ID.
- Review the device assignment details and click Assign Device.
- The Assign Device to User window is opened to verify the administrator’s presence. Touch the device when prompted (most devices blink).
- After the device enrollment is complete, the Enrollment Successful message is displayed. Click Done.

Tip
You can verify the device status by clicking the Refresh Devices button on the Connected FIDO Device window or by navigating to the Device Inventory window.
View Device PIN
Administrators can view a device's user PIN and Admin PIN for administrative verification.
Caution
Use this option only in secure environments to prevent unauthorized PIN exposure.
Perform the following steps to view a device's user PIN and Admin PIN:
- Under Connected FIDO Devices, search for and locate the device for which you want to view the PIN, click the three-dots icon for the device, and then select View PIN.
- On the Device PIN window, click the Show Password icon to view the device's user PIN and Admin PIN.
- Click Close to close the window.
Reset FIDO Devices
The Reset device operation restores a FIDO device to its default state. A reset operation deletes all configurations, including the user PIN.
Caution
Resetting a device is an irreversible operation that permanently deletes all previously enrolled credentials. Ensure that alternative access mechanisms are in place before initiating this operation.
- Under Connected FIDO Devices, search for and locate the device to be reset, click the three-dots icon for the device, and select Reset.
- On the Reset Device window, click Yes, Reset Device to confirm the operation.
- The next steps vary depending on whether the device is managed (admin-supported) or unmanaged (self-managed devices).
  - The Reset Device window appears. For managed devices, enter the Admin PIN when prompted, click Continue, and then proceed with the steps given below for unmanaged devices.
  - For unmanaged devices:
    - Remove the device, reinsert the device, and click Device Reconnected.
    - Touch the device when prompted to initiate the reset operation (most devices blink). Wait for the reset operation to complete.
- On successful device reset, the Reset Completed message is displayed. Click Close.

Unlock Devices
A FIDO device is locked after repeated incorrect PIN attempts. When the device is locked, the user cannot authenticate until it is successfully unlocked. Thales Authenticator Lifecycle Manager provides two secure options to unlock a device:
- Physical Unlock (Admin Mode): The administrator has physical access to the device and performs the unlock operation directly in Thales Authenticator Lifecycle Manager.
- Remote Unlock (Challenge–Response Method): The locked device stays with the end user, while the administrator assists remotely using Thales Authenticator Lifecycle Manager. This operation can be performed under Device Inventory.
Physical Unlock
The physical unlock option is used when the administrator has direct access to the locked FIDO device. This method does not require interaction with the end user during the unlock process and is performed entirely within Thales Authenticator Lifecycle Manager.
Before starting the physical unlock process, ensure that the following prerequisites are met:
- An administrator account or admin role is required to perform the operation.
- The locked FIDO device is physically available and can be connected to the administrator’s workstation.
Perform the following steps to unlock the FIDO device:
- Log in to Thales Authenticator Lifecycle Manager as an administrator, go to the FIDO Keys menu, and connect the locked FIDO device to the administrator workstation.
- The locked device is listed under Connected FIDO Devices. Click the three-dots icon for the device and select Unlock.
- Under Unlock device, select one of the following options to generate a new PIN:
  - Use random PIN: Thales Authenticator Lifecycle Manager generates a new PIN automatically for the device.
  - Choose PIN: Manually set a new PIN for the device.
- Click Submit to complete the operation.
  After the device is successfully unlocked, the success message is displayed.
- Click Close.