# Add FIDO2 security key/biometrics login

FIDO2 lets you go passwordless by allowing your application users to use FIDO2-supported hardware security keys or built-in authenticators on their devices to log in.

There are two types of authenticators, which you can use with Asgardeo passwordless authentication.

  • Platform authenticators (also known as internal authenticators): Authenticators like fingerprint scanners, TouchID, FaceID or Windows Hello which are bound to a particular device.
  • Roaming authenticators (also known as cross-platform or external authenticators): Authenticators like hardware security keys which are external and not bound to any specific device.

What is FIDO2?

The FIDO Alliance, whose mission is to reduce the world’s reliance on passwords, introduced its latest set of specifications, collectively called FIDO2. FIDO2 consists of the World Wide Web Consortium’s (W3C) Web Authentication specification (WebAuthn), which defines the browser and relying-party side, and the FIDO Alliance’s corresponding Client to Authenticator Protocol (CTAP), which defines how the client talks to the authenticator.

You can configure FIDO2 passwordless login for your apps using two methods:

  • Security key/Biometrics: An application user uses a FIDO2-supported authenticator to log in without entering a username or a password.
  • Identifier first + Security key/Biometrics: An application user enters a username first. Asgardeo verifies the identity from the username and prompts the user to use a FIDO2-supported authenticator to log in. This method will be available soon in Asgardeo.

# Prerequisites

  1. To get started, you need to have an application registered in Asgardeo. If you don't already have one, register one of the following application types.

  2. Application users need to register their security keys/biometrics via the My Account app prior to using passwordless login. Be sure to educate your users on how to register a security key/biometrics via My Account.

# Enable passwordless login for an app

Follow the steps given below to enable passwordless login for your application.

  1. On the Asgardeo console, use one of the following options to start:

     • Option 1: Go to Develop > Applications.
     • Option 2: Go to Connections > Passwordless and click Set up.

  2. Select the application for which passwordless login needs to be enabled.

  3. Go to the Sign-in Method tab:

     • If you don't have a customized login flow, click Add Passwordless login.

       [Image: Configuring FIDO2 login in Asgardeo]

     • If you already have a login flow built, add Security Key/Biometrics as an additional authenticator in the first step.

       [Image: Customize the login flow]

  4. Click Update to save your changes.

# Try it out

Follow the steps given below.

  • FIDO2 passwordless login with platform authenticators will NOT work on the Firefox browser in macOS Catalina, Big Sur and Monterey due to browser limitations.
  • FIDO2 passwordless login with roaming authenticators will NOT work on the Firefox browser as the browser doesn't support CTAP2 (Client to Authenticator Protocol 2) with PIN.

  1. Access the application URL.
  2. Click Login to open the Asgardeo login page.
  3. On the Asgardeo login page, click Sign In With Security Key. You will be redirected to the FIDO2 login page.

     [Image: Sign In With Security Key in Asgardeo]

  4. Follow the instructions given by your browser or device to log in.

     [Image: Sign In With Security Key page in Asgardeo]

# FIDO passkeys

FIDO passwordless authentication has not been popular among end users because of common usability issues: credentials do not survive the loss of the device, they are tied to a single browser or device, and users may have to purchase a separate authenticator.

Passkeys resolve these problems by allowing FIDO credentials to sync across multiple devices without being limited to a single vendor. With passkeys, users can log in to applications from any device, even if their credentials are stored on another one.

For example, if you want to log in to a web application from your PC, and your FIDO credentials are stored in a mobile device, you can scan a QR code and select the relevant passkey from the mobile device to log in.

While passkeys are set for release by the end of 2022, they are currently available as a developer preview. You can stay up to date on the current state and availability of passkeys by referring to the official vendor documentation of Google, Apple, and Microsoft.