Karim Elatov

Registering and Using a FIDO U2F Device With RSA SecurID Access

Blog post created by Karim Elatov (Employee) on Mar 28, 2016

FIDO

The Specification Overview page covers the FIDO protocol in good detail. You will notice that there are two protocols: Passwordless UX (UAF) and Second Factor UX (U2F). We will concentrate on FIDO U2F. Any device that supports FIDO U2F will work; I ended up testing with the FIDO U2F Security Key, but again, any such device will work.

Assurance Level with FIDO Token

So let's go ahead and create an Assurance Level that uses FIDO as its step-up authentication method. In the Access Console, navigate to Access -> Assurance Levels:

assurance-level-butt-ui.png

I ended up putting FIDO Token under Medium, and I also made it the first on the list (with smart rules the list is dynamic anyway, so it will change according to each user's preference):

assurance-levels-ui.png

Create a Policy to Use Assurance Level

I then created a new policy (Access -> Policies), and in the rule set I enabled Step Up Authentication (using Medium for the Assurance Level):

policy-select-assurance.png

Then I assigned this policy to the application.

FIDO Universal 2nd Factor (U2F) Prerequisites

I plugged the YubiKey into my Mac and launched Chrome. Looking over Using Security Key for 2-Step Verification, it looks like we need to make sure Google Chrome is version 40 or above:

To use Security Key, you’ll need a computer running Google Chrome version 40 or newer on ChromeOS, Windows, Mac OS, or Linux.

I double-checked and I was okay:

Chrome-version.png

Register a FIDO Token

At this point I went to the portal, logged in, and clicked on the application that is configured to require Step Up Authentication with the Medium Assurance Level. Upon clicking on my application, it started the registration process:

fido-reg-started.png

After clicking Continue, it asked me to enter a password (this is the user's password used to log in to the portal, in my case my AD password). So I entered my AD password:

fido-enter-passwod.png

Then I clicked Submit, and at this point it showed me instructions on how to register the FIDO token:

register-token-instructions.png

I already had the YubiKey plugged in, and it started to blink:

yubikey-blinking.jpeg

I tapped the blinking key, it stopped blinking, and it told me that my FIDO token had been successfully registered:

fido-token-reged.png

After I clicked Continue, it actually used the YubiKey token for authentication and asked me to tap the key one more time:

fido-sign-in.png

After tapping on the blinking key one more time, I was successfully forwarded to my application.
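The registration tap and the sign-in tap above are the two halves of the U2F protocol as the relying party (here, RSA SecurID Access) sees them. The following Go program is an added example, not code from the original post or from RSA, showing what a relying party has to check on each tap: it parses the raw registration response to store the token's public key and key handle, then verifies the authentication response's ECDSA signature, user-presence bit and strictly increasing counter (the counter check is what catches a replayed response or a cloned key). It uses only the Go standard library. The app ID, client data, key handle and the in-memory token that produces the sample responses are constructed for the example, and validation of the attestation certificate that follows the key handle in a real registration response is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Registration is what the relying party stores: public key, key handle, last counter seen.
type Registration struct {
	PublicKey *ecdsa.PublicKey
	KeyHandle []byte
	Counter   uint32
}

// ParseRegistrationResponse reads a U2F raw registration response:
// 0x05 || userPublicKey(65) || L || keyHandle(L) || attestationCert || signature.
// The attestation certificate and signature are not validated in this example.
func ParseRegistrationResponse(resp []byte) (*Registration, error) {
	if len(resp) < 67 || resp[0] != 0x05 {
		return nil, errors.New("bad reserved byte or short registration response")
	}
	x, y := elliptic.Unmarshal(elliptic.P256(), resp[1:66])
	if x == nil {
		return nil, errors.New("user public key is not a valid P-256 point")
	}
	khLen := int(resp[66])
	if len(resp) < 67+khLen {
		return nil, errors.New("truncated key handle")
	}
	kh := append([]byte(nil), resp[67:67+khLen]...)
	return &Registration{PublicKey: &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, KeyHandle: kh}, nil
}

// signatureBase rebuilds the bytes a U2F token signs on each authentication:
// SHA-256(appID) || userPresence || counter(4, big-endian) || SHA-256(clientData).
func signatureBase(appID, clientData string, userPresence byte, counter uint32) []byte {
	appParam := sha256.Sum256([]byte(appID))
	chalParam := sha256.Sum256([]byte(clientData))
	buf := append([]byte{}, appParam[:]...)
	buf = append(buf, userPresence)
	buf = binary.BigEndian.AppendUint32(buf, counter)
	return append(buf, chalParam[:]...)
}

// VerifyAuthentication checks a raw authentication response (userPresence(1) || counter(4) ||
// DER ECDSA signature) and advances the stored counter only when every check passes.
func VerifyAuthentication(reg *Registration, appID, clientData string, resp []byte) error {
	if len(resp) < 5 {
		return errors.New("short authentication response")
	}
	userPresence, counter, sig := resp[0], binary.BigEndian.Uint32(resp[1:5]), resp[5:]
	if userPresence&0x01 == 0 {
		return errors.New("user presence bit not set: the key was not touched")
	}
	// A counter that does not strictly increase means a replayed response or a cloned token.
	if counter <= reg.Counter {
		return fmt.Errorf("counter %d did not advance past %d: possible replay or cloned token", counter, reg.Counter)
	}
	digest := sha256.Sum256(signatureBase(appID, clientData, userPresence, counter))
	if !ecdsa.VerifyASN1(reg.PublicKey, digest[:], sig) {
		return errors.New("signature does not verify under the registered public key")
	}
	reg.Counter = counter
	return nil
}

// simulateToken is a constructed in-memory stand-in for a U2F key, used only to produce sample
// input: a registration response (attestation part omitted) and a signer that acts like a tap.
func simulateToken() ([]byte, func(appID, clientData string, counter uint32) []byte) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	keyHandle := []byte("constructed-key-handle")
	regResp := append([]byte{0x05}, elliptic.Marshal(elliptic.P256(), priv.X, priv.Y)...)
	regResp = append(regResp, byte(len(keyHandle)))
	regResp = append(regResp, keyHandle...)
	sign := func(appID, clientData string, counter uint32) []byte {
		digest := sha256.Sum256(signatureBase(appID, clientData, 0x01, counter))
		sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
		resp := binary.BigEndian.AppendUint32([]byte{0x01}, counter) // presence asserted, then counter
		return append(resp, sig...)
	}
	return regResp, sign
}

func main() {
	regResp, sign := simulateToken() // constructed token, not a real device
	reg, err := ParseRegistrationResponse(regResp)
	if err != nil {
		panic(err)
	}
	appID, clientData := "https://portal.example.test", `{"challenge":"constructed-challenge"}` // hypothetical
	first := sign(appID, clientData, 1)
	fmt.Println("first tap:", VerifyAuthentication(reg, appID, clientData, first))
	fmt.Println("replayed bytes:", VerifyAuthentication(reg, appID, clientData, first))
	fmt.Println("second tap:", VerifyAuthentication(reg, appID, clientData, sign(appID, clientData, 2)))
}
```

Running it prints `<nil>` for the first and second taps and a counter error for the replayed bytes. The order of checks matters: presence and counter are cheap and are evaluated before the signature, and the stored counter is only advanced after the signature verifies, so a forged response with a high counter cannot lock out the legitimate key.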

Confirming FIDO Authentication

From the Access Console I went to Users -> User Event Monitor and saw the following:

fido-event.png

And in the Authentication Console, under Users -> Management -> My User -> Devices, I also saw my YubiKey registered:

yubikey-registered-auth-con.png
