(v12.0.9036.21357 started 2024-10-09 03:18:43 on VM2)
Web Authentication (WebAuthn), FIDO2: Works with security tokens such as YubiKey, see schema.
To configure FIDO2 for logon, manage, status, web, and web destination routing entries see here.
At first access the security token must be registered:
- The security token generates a public/private key pair.
- The authentication/confirmation must be done by a one-time password sent via SMS or email.
- The public key and the id will be stored in the user list.
FIDO2 is configured like OTP with additional keywords:
FIDO2:RelyingPartyID[![transport][!userVerification]]
- RelyingPartyID must be the domain or subdomain where the registration is valid and must match the URL, e.g. mycompany.com
- transport (optional) is a list (separated by |) of supported transports (how the security key is registered and accessed):
  - usb, nfc or ble ... use cross-platform security key
  - internal ... use platform, e.g. Windows Hello
  - If internal and another transport such as usb, nfc or ble is specified: the user can choose the platform during registration.
  - Default is usb|nfc|ble
- userVerification (optional) specifies how the client verifies the user during authentication:
  - preferred ... client verifies the user if possible (this is the default)
  - required ... user verification must be done, e.g. client requests a PIN
  - discouraged ... no user verification
  - Note: Any abbreviations can be entered, e.g. "p" means "preferred"
NOSM ... optional, do not show SMS or email selection at initial logon window (otp.htm)
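The keyword syntax above is compact enough that it is easy to misread which part is optional and what the defaults are. The following parser is an added illustration, not the product's own code: it splits a FIDO2: keyword into RelyingPartyID, transports and userVerification, applies the documented defaults and abbreviations, derives which authenticator class the registration should offer, and checks the "must match the URL" rule the way WebAuthn defines it (RP ID equals the host or a parent domain of it). The exact splitting on "!" (an empty transport field falls back to the default) and the prefix-match rule for abbreviations are assumptions drawn from the notation on this page.

```python
"""Parse a FIDO2:RelyingPartyID[![transport][!userVerification]] keyword.

Added example, not the product's parser. Assumptions: fields are separated
by '!', an empty transport field means the default, and userVerification
may be abbreviated to any unambiguous prefix ('p' -> 'preferred').
"""
from dataclasses import dataclass

CROSS_PLATFORM = {"usb", "nfc", "ble"}      # roaming security keys
PLATFORM = {"internal"}                     # platform authenticator, e.g. Windows Hello
DEFAULT_TRANSPORTS = ["usb", "nfc", "ble"]  # documented default
USER_VERIFICATION = ("preferred", "required", "discouraged")


@dataclass
class Fido2Config:
    relying_party_id: str
    transports: list
    user_verification: str = "preferred"

    @property
    def authenticator_attachment(self):
        """Authenticator class offered at registration.

        None means no restriction: 'internal' combined with usb/nfc/ble lets
        the user choose the platform during registration.
        """
        has_platform = any(t in PLATFORM for t in self.transports)
        has_roaming = any(t in CROSS_PLATFORM for t in self.transports)
        if has_platform and has_roaming:
            return None
        return "platform" if has_platform else "cross-platform"


def expand_user_verification(value):
    """Expand an abbreviation such as 'p' or 'req'; empty means the default."""
    value = value.strip().lower()
    if not value:
        return "preferred"
    matches = [uv for uv in USER_VERIFICATION if uv.startswith(value)]
    if len(matches) != 1:
        raise ValueError(f"unknown userVerification {value!r}")
    return matches[0]


def parse_fido2_keyword(keyword):
    if not keyword.upper().startswith("FIDO2:"):
        raise ValueError("keyword must start with FIDO2:")
    parts = keyword[len("FIDO2:"):].split("!")
    if len(parts) > 3:
        raise ValueError("too many '!'-separated fields")
    rp_id = parts[0].strip().lower()
    if not rp_id:
        raise ValueError("RelyingPartyID is required")
    transports = DEFAULT_TRANSPORTS[:]
    if len(parts) > 1 and parts[1].strip():
        transports = [t.strip().lower() for t in parts[1].split("|") if t.strip()]
        unknown = set(transports) - CROSS_PLATFORM - PLATFORM
        if unknown:
            raise ValueError(f"unknown transport(s): {sorted(unknown)}")
    uv = expand_user_verification(parts[2]) if len(parts) > 2 else "preferred"
    return Fido2Config(rp_id, transports, uv)


def rp_id_matches_origin(rp_id, host):
    """WebAuthn accepts the RP ID only if it equals the origin host or is a
    parent domain of it; 'evil-mycompany.com' must not match 'mycompany.com'."""
    host = host.strip().lower()
    return host == rp_id or host.endswith("." + rp_id)


if __name__ == "__main__":
    for kw in ("FIDO2:mycompany.com", "FIDO2:mycompany.com!internal|usb!req"):
        cfg = parse_fido2_keyword(kw)
        print(kw, "->", cfg, "attachment:", cfg.authenticator_attachment)
```

A registration page built from such a config would pass `relying_party_id` as the WebAuthn `rp.id`, `authenticator_attachment` as `authenticatorSelection.authenticatorAttachment` (omitted when None) and `user_verification` as `authenticatorSelection.userVerification`; the host check is the one the browser itself enforces, so running it at configuration time catches a mismatched RelyingPartyID before users see a failing registration.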
The string "OTP-FIDO2" is stored as "Issuer" and it can be checked via the ISS keyword. A list of active FIDO2 sessions is shown here. A description of the state values is shown via tool tip (mouse over "State" values) or can be found here. For security reasons, routing entries using FIDO2 should have the UID field specified so that session objects can be linked to a specific routing entry.
For FIDO2 the file OTPlist.csv is extended with three additional fields:
- FIDO2idDate ... date/time when the public key has been initialized.
- FIDO2id ... id to request authorization by the security token.
- FIDO2pubKey ... public key to check the signature received from the security token.
Currently a reset of the registration can be done only by the administrator (Delete FIDO2id in the user list entry).
Hint: To register a backup key define an additional user entry where the email address has a trailing identifier separated by #.
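Because registration state lives in OTPlist.csv, an administrator will want to see at a glance which users have a registered key, which of them also have a backup key under the "address#identifier" convention, and to perform the reset the page describes (deleting FIDO2id). The following is an added example, not the product's own tooling: the three FIDO2 columns are the ones documented above, while the "Email" column name, the other columns and all row values are constructed for the sample.

```python
"""Inspect and reset FIDO2 registrations in an OTPlist.csv-style user list.

Added example, not the product's code. Only the columns FIDO2idDate, FIDO2id
and FIDO2pubKey are from the documentation; the 'Email' column name and the
sample rows are assumptions constructed for this illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample user list (not real data).
SAMPLE_OTPLIST = (
    "Email,FIDO2idDate,FIDO2id,FIDO2pubKey\n"
    "alice@mycompany.com,2024-10-01 09:12:00,credid-alice-1,pubkey-alice-1\n"
    "alice@mycompany.com#backup,2024-10-02 10:00:00,credid-alice-2,pubkey-alice-2\n"
    "bob@mycompany.com,,,\n"
    "carol@mycompany.com#spare,,,\n"
    "carol@mycompany.com,2024-09-15 08:00:00,credid-carol-1,pubkey-carol-1\n"
)


def base_address(email):
    """Strip the '#identifier' suffix that marks a backup-key entry."""
    return email.split("#", 1)[0].strip().lower()


def is_backup_entry(email):
    return "#" in email


def is_registered(row):
    """An entry is registered once the security key id has been stored."""
    return bool((row.get("FIDO2id") or "").strip())


def load_user_list(text):
    reader = csv.DictReader(io.StringIO(text))
    return reader.fieldnames, list(reader)


def registration_report(text):
    """Group entries by base address and summarise primary/backup registrations."""
    _, rows = load_user_list(text)
    by_user = defaultdict(list)
    for row in rows:
        by_user[base_address(row["Email"])].append(row)
    report = {}
    for user, entries in by_user.items():
        registered = [r for r in entries if is_registered(r)]
        report[user] = {
            "keys": len(registered),
            "backup_registered": any(is_backup_entry(r["Email"]) for r in registered),
            "credential_ids": sorted(r["FIDO2id"] for r in registered),
        }
    return report


def reset_registration(text, email):
    """Administrator reset as described on the page: delete FIDO2id for the
    matching entry so the user must register the key again at next access.
    Returns (new_csv_text, changed)."""
    fieldnames, rows = load_user_list(text)
    changed = False
    for row in rows:
        if row["Email"].strip().lower() == email.strip().lower() and is_registered(row):
            row["FIDO2id"] = ""
            changed = True
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), changed


if __name__ == "__main__":
    for user, info in registration_report(SAMPLE_OTPLIST).items():
        print(user, info)
    updated, changed = reset_registration(SAMPLE_OTPLIST, "alice@mycompany.com#backup")
    print("reset applied:", changed)
    print(registration_report(updated)["alice@mycompany.com"])
```

The report treats a "#identifier" entry as a backup key only once its FIDO2id is present, so a backup entry that was created but never registered (carol@mycompany.com#spare in the sample) does not count as a second key; that distinction is what an administrator needs when deciding whether a user can still log on after a primary key is lost or reset.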