Getting Started with FIDO

General FIDO Terminology

The following table includes some FIDO-related terms that are used throughout RSA documentation and their definitions.

FIDO (Fast Identity Online)

The Fast Identity Online (FIDO) Alliance is an open industry association with a focused mission: reduce the world’s reliance on passwords.

UAF and U2F

Universal Authentication Framework and Universal 2nd Factor; the two original protocols released by the FIDO Alliance in 2013.
FIDO2

The latest FIDO certification was released in 2015 and includes the following:

  • WebAuthn: Implemented by various browsers to allow websites to manage FIDO authentication.

  • CTAP (Client to Authenticator Protocol): Allows an external authenticator to work with browsers that support WebAuthn.

FIDO Security Key

Refers to any physical device that allows a user to authenticate using FIDO protocols, such as the RSA DS100 or the RSA iShield 2 hardware authenticators.

FIDO Authenticator

Refers to any mechanism that allows a user to authenticate using FIDO protocols, which can be either a security key or a software application (for example, the RSA Authenticator app for iOS and Android).

Passkey

Passkey is a general term adopted in 2023 by the FIDO Alliance to refer to any FIDO2 credential. This term includes two important sub-types:

  • Synced passkey: The original passkey mechanism, introduced by Google, Microsoft, and Apple in 2022, which allows a passkey to be synced to a remote sync fabric (for example, Apple Keychain) and made seamlessly available on any device where the user is connected.

  • Device-bound passkey: Any passkey that resides only on a given device and cannot be synced or extracted.

FIDO Authentication with RSA

RSA Cloud Access Service (CAS) is a FIDO2-certified server and therefore supports only the FIDO authenticators certified by the FIDO Alliance. Specifically, it supports:

  • FIDO2-certified authenticators for both primary and additional (step-up) authentication, including support for Windows Hello.

  • FIDO-certified U2F security keys for additional authentication only.

Note:  Strictly speaking, a FIDO credential registered on a U2F security key should not be called a passkey, because that term applies only to FIDO2 credentials. However, for simplicity, RSA uses the term passkey across the user interface and documentation when referring to any FIDO credential, whether U2F or FIDO2.
This approach is already used in all browsers’ WebAuthn implementations, which can register or authenticate with either a U2F security key or a FIDO2 credential, as these implementations rely on generic labels (for example, Create a passkey).

In terms of the FIDO authenticators provided by RSA:

  • The RSA DS100 and RSA iShield 2 are FIDO authenticators in the form of FIDO security keys that support device-bound passkeys.

  • From v4.5, the RSA Authenticator for iOS and Android is a FIDO2-certified authenticator that supports device-bound passkeys.

Each RSA user can have up to five different passkeys registered with RSA CAS.

Support for FIDO authentication in RSA Agents is evolving. For further information, see the RSA documentation for each agent.

Enabling FIDO Authentication

An administrator should perform the following steps to enable FIDO authentication within CAS.

Note:  Enabling passwordless FIDO authentication in the RSA MFA Agent requires configuration in both CAS and the agent. For further information, see the RSA MFA Agent for Microsoft Windows Installation and Administration Guide.

Procedure 

  1. Log in as an administrator to the Cloud Administration Console.

  2. Configure assurance levels.

  3. Configure the access policy.

To configure assurance levels, perform the following steps.

Procedure 

  1. In the Cloud Administration Console, navigate to Access > Assurance Levels.

  2. On the Assurance Levels page, click Add to add FIDO-based authentication methods to an assurance level.

  3. Select options from the drop-down menus.

Note:  The menus are dynamic and list only options that are not currently being used.

  4. Click Save.

  5. Click Publish Changes to activate the settings immediately.

  6. Navigate to Access > Policies.

  7. Click Edit corresponding to the policy you want to check.

  8. In the Rule Sets tab, confirm that FIDO is listed under Authentication Options.

If you use CAS to protect resources for which RSA is not the relying party, you also need to configure FIDO authentication for those resources. Perform the following steps.

Procedure 

  1. Navigate to Authentication Clients > Relying Parties.

  2. For each client available on this list, select Edit, then Authentication.

  3. Ensure that the policy configured for additional authentication is one of the policies set up for FIDO authentication. If it is not, configure the policy as needed.

To enable FIDO authentication for end users, perform the following steps.

Procedure 

  1. Navigate to Access > My Page.

  2. In the Authenticators tab, set Authenticators to Enabled, and then select the type of authenticators you want to enable.


FIDO Passkey Primary Authentication

  • During primary authentication using a FIDO passkey, CAS enables users to sign in securely without entering a username. When a user initiates FIDO passkey authentication, CAS attempts to identify the user’s account directly from the registered FIDO passkey being used for authentication.

  • If the account cannot be determined, the user receives an error indicating that the authenticator is not recognized. If the user selects Cancel, CAS prompts for a username. The user can then enter the username and complete authentication using the registered FIDO passkey.

Note:  After a successful sign-in with a username, subsequent FIDO passkey authentication attempts in the same browser default to prompting for the username.


Registering and Authenticating with FIDO

To register a FIDO authenticator through My Page, users should perform the following steps.

Procedure 

  1. Log in to My Page and navigate to My Authenticators > Register an authenticator.
    A list showing the types of authenticators supported by the user’s organization appears. A FIDO authenticator is distinguishable by the FIDO icon.

    Note:  An administrator configures which FIDO authenticators each user can use.

  2. Select the FIDO authenticator you want to register and follow the prompts.

  3. Confirm that the new FIDO authenticator is listed in the My Authenticators section of My Page.

Getting Started with RSA Authenticator App for iOS and Android as a FIDO Authenticator

From v4.5, the RSA Authenticator App for iOS and Android is a FIDO2-certified authenticator and can manage device-bound passkeys for secure authentication. You can register passkeys in the app to enable passwordless access to RSA-protected resources, as well as any FIDO2-certified server. Passkeys managed in the RSA Authenticator App are device-bound for added security and cannot be exported or restored.

Notes:

  • Passkey support in the RSA Authenticator app depends on underlying OS capabilities. Specifically:

    • Apple devices: Requires iOS 17 or later.

    • Android devices: Requires Android 14 or later. Even with Android 14, some devices may not support passkeys due to hardware or OS limitations.

  • The passkey feature requires Google Play Services, which is unavailable in China.

Enable RSA Authenticator App as FIDO Authenticator

An administrator must first enable the use of the RSA Authenticator app as a FIDO authenticator. For further information, see Enabling FIDO Authentication.

Register a Mobile Passkey

Once enabled by an administrator, users can register a passkey in the RSA Authenticator app for iOS and Android.

Procedure 

  1. Sign in to My Page using the URL provided by your administrator.

  2. Navigate to the My Authenticators tab.

  3. Click Register an authenticator.

  4. Select RSA Authenticator App.

  5. Follow the on-screen prompts and instructions on CAS and in the app to complete the registration.

Note:  Once you have registered a passkey with My Page, you can then register passkeys with websites other than RSA.

Authentication with a Mobile Passkey

  1. On the authentication interface, select one of the following options:

    • Mobile Passkey, if it is available.

    • Otherwise, FIDO Passkey.

  2. Follow the on-screen prompts and instructions on CAS and in the app to complete authentication.

    1. Select the device type (iPhone, iPad, or Android device) from the browser options and click Next.

    2. Scan the displayed QR code using the QR Scan option in the RSA Authenticator or your device’s camera app, and follow the on-screen instructions.

Troubleshooting Passkey Issues

Issue: I am unable to locate the Passkey Provider Service screen.

Solution: Navigate to the Passkey Provider Service screen to add RSA Authenticator as an enabled service.

  1. On the home screen of the app, tap More or Settings in the lower-right corner.

  2. Tap Passkey Provider Service and select RSA Authenticator.

Issue: The FIDO icon on my credential card seems disabled.

Solution: A credential card displays a disabled FIDO icon until a passkey is registered on My Page.

Issue: I have a device with Android 14 or later installed, but I do not see the passkey option.

Solution: The passkey option is available only if the device manufacturer has enabled it. Check with your device manufacturer to find out if and when they plan to enable this feature on their Android build.

Issue: I cannot register a passkey with my browser.

Solution: This browser does not support the technology required to use a passkey within the RSA Authenticator app. Consider using an alternative browser that supports it, such as Microsoft Edge, Google Chrome, or Safari.

Issue: I do not know how to add RSA Authenticator as a passkey provider.

Solution:

  1. Open the RSA Authenticator app.

  2. Tap More or Settings on the home screen.

  3. Tap Passkey Provider Service and switch the Authenticator toggle on.

Note:  iOS 17 allows only two credential providers (for example, Apple Keychain and Google Chrome). Enabling RSA Authenticator as a third provider requires iOS 18, which supports up to three credential providers.

Issue: I do not know how to enable a passkey.

Solution:

  1. Open the RSA Authenticator app.

  2. On the home screen, tap More or Settings.

  3. Under Passkey Provider Service, tap Learn More.