The Specification Overview page covers the FIDO protocol in good detail. You will notice that there are two protocols: Passwordless UX (UAF) and Second Factor UX (U2F). We will concentrate on FIDO U2F. Any device that supports FIDO U2F will work. I ended up testing with the FIDO U2F Security Key, but again any device will work.
Assurance Level with FIDO Token
So let's go ahead and create an Assurance Level that utilizes FIDO as its step-up authentication method. In the Access Console navigate to Access -> Assurance Levels:
I ended up putting FIDO Token under Medium and I also made it the first on the list (with smart rules the list is dynamic anyway, so it will change per the user's preference):
Create a Policy to Use Assurance Level
I then created a new policy (Access -> Policies) and in the rule set I enabled Step Up Authentication (and used Medium for the Assurance Level):
I then assigned this policy to the application.
FIDO Universal 2nd Factor (U2F) Prerequisites
I plugged the YubiKey into my Mac and launched Chrome. Looking over Using Security Key for 2-Step Verification, it looks like we need to make sure Google Chrome is version 40 or above:
To use Security Key, you’ll need a computer running Google Chrome version 40 or newer on ChromeOS, Windows, Mac OS, or Linux.
I double checked and I was okay:
Register a FIDO Token
At this point I went to the portal, logged in, and clicked on the application which is configured to require Step Up Authentication with the Medium Assurance Level. Upon clicking on my application it started the registration process:
After clicking Continue it asked me to enter a password (this is the user's password used to log in to the portal, in my case my AD password). So I entered my AD password:
Then I clicked on Submit and at this point it showed me instructions on how to register the FIDO token:
I already had the YubiKey plugged in and it started to blink:
I tapped on the blinking key, it stopped blinking, and it told me that my FIDO token had been successfully registered:
After I clicked Continue it actually used the YubiKey token for authentication and it asked me to tap the key one more time:
After tapping on the blinking key one more time, I was successfully forwarded to my application.
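Under the hood, the two taps above are two U2F ceremonies: the first returns a registration response (public key, key handle, attestation certificate, signature) and the second an authentication response (user-presence flag, signature counter, signature), in the raw message format from the FIDO U2F specification linked at the top of this post. The following is an added example, not code from this post or from the product being configured: a stdlib-only Python parser for both messages that applies the two relying-party checks a tap is meant to prove (user presence set, counter strictly increasing) and assembles the bytes the token signed. The sample messages are constructed, and the ECDSA P-256 signature check over the returned bytes is assumed to be done by a crypto library outside this block.

```python
import hashlib
import struct

U2F_USER_PRESENT = 0x01  # bit 0 of the flags byte: token confirmed a touch

def parse_registration_response(data: bytes) -> dict:
    """Split a raw U2F registration response into its fields (stdlib only)."""
    if data[0] != 0x05:
        raise ValueError("registration response must start with reserved byte 0x05")
    pub_key = data[1:66]                 # uncompressed P-256 point, 65 bytes
    kh_len = data[66]
    key_handle = data[67:67 + kh_len]
    cert_start = 67 + kh_len
    # The attestation certificate is DER: tag 0x30 then a short- or long-form length.
    if data[cert_start] != 0x30:
        raise ValueError("attestation certificate is not a DER SEQUENCE")
    first = data[cert_start + 1]
    if first < 0x80:
        hdr, cert_len = 2, first
    else:
        n = first & 0x7F
        hdr, cert_len = 2 + n, int.from_bytes(data[cert_start + 2:cert_start + 2 + n], "big")
    cert_end = cert_start + hdr + cert_len
    return {"public_key": pub_key, "key_handle": key_handle,
            "attestation_cert": data[cert_start:cert_end], "signature": data[cert_end:]}

def parse_authentication_response(data: bytes) -> dict:
    """Flags byte, 4-byte big-endian counter, then the DER ECDSA signature."""
    return {"user_present": bool(data[0] & U2F_USER_PRESENT),
            "counter": struct.unpack(">I", data[1:5])[0], "signature": data[5:]}

def check_authentication(resp: bytes, app_id: str, client_data: bytes, last_counter: int) -> bytes:
    """Apply the relying-party checks and return the bytes the token signed.
    ECDSA verification over those bytes with the registered public key is left to a
    P-256 library and is not done here (assumption: the caller performs it)."""
    parsed = parse_authentication_response(resp)
    if not parsed["user_present"]:
        raise ValueError("user-presence flag clear: the key was not tapped")
    if parsed["counter"] <= last_counter:
        raise ValueError("signature counter did not increase: possible cloned token")
    app_param = hashlib.sha256(app_id.encode()).digest()
    challenge_param = hashlib.sha256(client_data).digest()
    return app_param + resp[0:5] + challenge_param

# Constructed sample messages, not captured from a real key: a 2-byte key handle, a
# minimal DER SEQUENCE standing in for the attestation certificate, dummy signatures.
SAMPLE_REG = (b"\x05" + b"\x04" + b"\x11" * 64 + b"\x02" + b"\xaa\xbb"
              + b"\x30\x03\x02\x01\x01" + b"\xde\xad")
SAMPLE_AUTH = bytes([U2F_USER_PRESENT]) + struct.pack(">I", 7) + b"\xbe\xef"
```

The counter stored from the previous successful login is what makes a replayed or cloned-token response detectable, which is why the relying party must persist it per registered key.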
Confirming FIDO Authentication
From the Access Console I went to Users -> User Event Monitor and I saw the following:
And in the Authentication Console, under Users -> Management -> My User -> Devices I also saw my YubiKey registered: