Customize FIDO Authentication


You can customize the authentication experience for users in the following ways:

Using Third-Party Domain

If your company developed an authentication client that supports FIDO authentication methods using the RSA Authentication API, you can configure a third-party domain, that is, a domain other than securid.com. You can add one or more third-party domains. The RSA Authentication API Developer's Guide describes how to implement a web client for FIDO authentication methods.

Before you begin 

  • You must be a Super Admin for the Cloud Administration Console.

  • Obtain the value of the FIDO_RP_ID that is used in the FIDO web client from your web client developer.

Procedure 

  1. In the Cloud Administration Console:

    • If your company is not enabled for a custom mobile app, click Access > FIDO Authentication.

    • If your company is enabled for a custom mobile app, click Access > Custom Authentication.

  2. In the Host Name (FIDO_RP_ID) field, ensure that the host name matches the client's domain that is used to access and perform FIDO authentication.

  3. In the Reserved FIDO Labels field, both Tenant Base Domain and Tenant Custom Domain are displayed as FIDO labels for use by FIDO-related origins.

  4. In the FIDO Relying Party Domain(s) field, click +Add to add one or more FIDO relying party domains. Click the delete icon to remove any of the added domains.

  5. Click Save.

  6. (Optional) Click Publish Changes to activate the settings immediately.
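The Host Name (FIDO_RP_ID) must match the domain the web client is served from because a relying party only accepts a FIDO assertion whose origin equals the RP ID or sits under it. The following added example (not RSA's code) shows that check the way a relying party performs it on the clientDataJSON returned by the browser; the RP ID example.com, the challenge and the clientDataJSON are constructed values.

```python
import base64
import json
from urllib.parse import urlsplit


def origin_matches_rp_id(origin, rp_id):
    """True if `origin` is acceptable for relying party ID `rp_id`.

    WebAuthn rule: the RP ID must equal the origin's host or be a
    registrable-domain suffix of it (login.example.com is fine for
    example.com). Only https origins are accepted. Public-suffix
    checks (rejecting an RP ID such as "com") are omitted here.
    """
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    rp = rp_id.lower().rstrip(".")
    return host == rp or host.endswith("." + rp)


def verify_client_data(client_data_b64url, expected_challenge, rp_id,
                       expected_type="webauthn.get"):
    """Decode base64url clientDataJSON and check type, challenge, origin.

    Raises ValueError when any check fails; returns the decoded dict.
    """
    padded = client_data_b64url + "=" * (-len(client_data_b64url) % 4)
    data = json.loads(base64.urlsafe_b64decode(padded))
    if data.get("type") != expected_type:
        raise ValueError("unexpected clientData type")
    if data.get("challenge") != expected_challenge:
        raise ValueError("challenge mismatch")
    origin = data.get("origin", "")
    if not origin_matches_rp_id(origin, rp_id):
        raise ValueError("origin %r not valid for RP ID %r" % (origin, rp_id))
    return data


# Constructed sample: RP ID standing in for the FIDO_RP_ID value, a
# challenge the server handed out, and the clientDataJSON a browser
# served from https://login.example.com would return.
RP_ID = "example.com"
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"
SAMPLE_CLIENT_DATA = base64.urlsafe_b64encode(json.dumps({
    "type": "webauthn.get",
    "challenge": CHALLENGE,
    "origin": "https://login.example.com",
}).encode()).rstrip(b"=").decode()
```

An assertion from http://example.com or from https://example.com.evil.test is rejected even though both contain the RP ID as a substring.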

 

Configure FIDO Authenticators

This section describes how you can manage FIDO authenticators that your users can register and use for authentication.

Note:  FIDO inline registration and new Universal 2nd Factor (U2F) authenticators are no longer supported. Previously registered U2F authenticators can still be used for step-up authentication.

Before you begin 

  • Ensure that the Other FIDO2‑Certified Authenticators option is enabled on the Authenticators tab under Access > My Page. For more information, see Set Up Authenticators Settings in Manage My Page.

Procedure 

  1. In the Cloud Administration Console, click Access > FIDO Authentication.

  2. Select Allowed next to the authenticator you want to enable.

    By default, the list displays the FIDO authenticators that are already available in the My Page > Authenticators settings. Any changes made to an authenticator (allowed or denied) in this list are automatically reflected in the My Page > Authenticators settings. For more information, see Set Up Authenticators Settings in Manage My Page.

  3. To add additional FIDO2 authenticators, click Add, enter its AAGUID, and select Allowed if you want to enable it.

    Note:  If the FIDO Alliance Metadata Service does not recognize the AAGUID, “Unknown” is displayed as the authenticator name. This indicates that the authenticator is not listed in the FIDO Metadata Service.

  4. Click Save, then Publish Changes.

 

Enable FIDO Synced Passkeys

Previously, a FIDO credential (now called a passkey) usually resided only on the physical device it was created on. In 2022, the FIDO Alliance introduced a new type of FIDO credential that is automatically synced to a cloud service and is then seamlessly available on all the computing devices (for example, computer, mobile, or tablet) owned by a user.

Since 2023, FIDO has adopted the term “passkey” to describe all FIDO credentials and distinguishes between two subtypes:

  • Synced passkey: A credential that can be saved online and restored or used on multiple devices.

  • Device-bound passkey: A credential that resides only on a physical device and cannot be extracted or restored.

Synced passkeys offer convenience but are less secure than device-bound passkeys. For this reason, RSA disables registration and use of Synced Passkey by default. RSA recommends that customers carefully consider the security reduction and potential regulatory implications before enabling the use of Synced Passkey.

Procedure 

  1. In the Cloud Administration Console, click Access > FIDO Authentication.

  2. To allow users to register and use FIDO synced passkeys, enable Synced Passkey.

  3. Click Save, then Publish Changes.

 

Configure Conditions for FIDO Authenticators

You can set the minimum FIDO certification level and specify which unlisted authenticators are allowed or denied. These conditions apply only to FIDO authenticators that are not listed in the Named List.

Procedure 

  1. In the Cloud Administration Console, click Access > FIDO Authentication.

  2. In the General Conditions section, you can set the following:

    • Minimum FIDO Certification Level: Specify the minimum certification level an authenticator must have. Selecting a level also accepts all higher levels.

    • Allowed Authenticators: Specify the makes and models to permit, separated by commas. Use an asterisk (*) as a wildcard for broader matches. Disabled by default.

    • Denied Authenticators: Specify the makes and models to block, separated by commas. Use an asterisk (*) as a wildcard for broader matches. Disabled by default.

  3. Click Save, then Publish Changes.
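To see how the Named List, the minimum certification level and the allowed/denied patterns combine for one authenticator, here is an added policy evaluator (example code, not RSA's implementation). It assumes the FIDO Alliance level names L1 through L3+ (the console's labels may differ), that a Denied match beats an Allowed match when both fields are enabled, and uses constructed AAGUIDs and make/model names.

```python
from fnmatch import fnmatchcase

# FIDO Alliance authenticator certification levels, lowest to highest
# (assumption: the console's dropdown may label them differently).
CERT_LEVELS = ["L1", "L1+", "L2", "L2+", "L3", "L3+"]


def meets_min_level(cert_level, min_level):
    """'Selecting a level includes all higher levels'; unknown levels fail."""
    if cert_level not in CERT_LEVELS:
        return False
    return CERT_LEVELS.index(cert_level) >= CERT_LEVELS.index(min_level)


def matches_pattern_list(make_model, pattern_csv):
    """Comma-separated make/model patterns; '*' is a wildcard. Empty = disabled."""
    patterns = [p.strip().lower() for p in (pattern_csv or "").split(",") if p.strip()]
    return any(fnmatchcase(make_model.lower(), p) for p in patterns)


def evaluate(aaguid, make_model, cert_level, policy):
    """Return 'allowed' or 'denied' for one authenticator under `policy`.

    policy = {"named": {aaguid: True/False}, "min_level": "L1",
              "allowed": "csv or None", "denied": "csv or None"}
    The Named List is checked first; General Conditions apply only to
    authenticators it does not list. Assumption: Denied beats Allowed.
    """
    named = policy.get("named", {})
    if aaguid in named:
        return "allowed" if named[aaguid] else "denied"
    if not meets_min_level(cert_level, policy.get("min_level", "L1")):
        return "denied"
    if matches_pattern_list(make_model, policy.get("denied")):
        return "denied"
    allowed = policy.get("allowed")
    if allowed and not matches_pattern_list(make_model, allowed):
        return "denied"
    return "allowed"


# Constructed sample policy; the AAGUID is a placeholder, not a real one.
SAMPLE_POLICY = {
    "named": {"00000000-0000-0000-0000-000000000001": False},
    "min_level": "L2",
    "allowed": "ExampleKey *, AcmeAuth Pro",
    "denied": "ExampleKey Lite*",
}
```

An authenticator the FIDO Metadata Service does not know (name "Unknown", no certification level) never satisfies the minimum level, so it is denied unless it is explicitly allowed in the Named List by AAGUID.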

 

Export FIDO Authenticators

Procedure 

  1. To export all your configured authenticators, click Export.

  2. Download the generated CSV file.

 

Configure Grace Period for Authenticators

When you disable a previously accepted FIDO2 authenticator, you can define a grace period. During this period, users who have already registered the authenticator can continue to use it. However, they are notified that they must register a different FIDO authenticator before the grace period ends to maintain access. After the grace period ends, users can no longer use the registered authenticator for authentication.

Procedure 

  1. In the Cloud Administration Console, click Access > FIDO Authentication.

  2. In the Grace Period End Date, enter the end date or select it from the calendar. You can set the grace period from 5 to 30 days. The grace period ends at midnight (UTC) on the selected end date.

  3. Click Save, then Publish Changes.