WebAuthn is a component of Fast Identity Online (FIDO) 2.0.
WebAuthn enables password-free logon to web pages with the best experience and hardware-level security. WebAuthn allows users to log on to a website by using the native device encryption and biometric authentication capabilities of a PC.
The following authenticator types are supported:
Roaming authenticator: an external authenticator that is used across different devices, such as YubiKey.
Platform authenticator: the native authenticator of a browser, such as macOS Touch ID or Windows Hello.
For more information, see WebAuthn.
WebAuthn is supported by almost all modern browsers. For more information about how to check the version compatibility of a browser, see the external resource Duo Passwordless.
Register an authenticator
Before users can log on by using an authenticator, they need to bind the authenticator to their account.
Go to the My Account page. Find WebAuthn Authenticator in the Security Information section and click Manage. In the Manage WebAuthn Authenticator panel, register an authenticator.
The registration process takes 1 minute. After you click Register New Authenticator, complete the configurations as prompted.
After the registration is complete, the enabled authenticator can be used for logon. Users can also manage the registered authenticators.
Note: Administrators cannot manage the authenticators of users. Each user can individually register and manage an authenticator.
Logon scenarios
Scenario 1: Password-free logon
WebAuthn can be used for password-free logon. This is one of the most common and convenient scenarios in which WebAuthn is used.
On the IDaaS logon page, enter a username and select a WebAuthn authentication method for verification. Log on to the application after the verification is passed. This method can be used to log on to all web applications.
On the General tab of the Sign-In page, the WebAuthn authentication method is displayed in the Authentication Methods section. By default, this method is disabled. You need to enable the method before it can be used.
After WebAuthn is enabled, the WebAuthn logon option is available on the logon page. Then, users can log on by using WebAuthn.
IDaaS obtains the information about the registered authenticator of the specified account. If the authenticator is not registered, an error occurs and the authenticator cannot be used.
Scenario 2: Two-factor authentication
WebAuthn can be used for two-factor authentication. This is one of the most common and most secure scenarios in which WebAuthn is used.
If two-factor authentication is enabled, users need to be authenticated again after they enter a username and password. Users can use a WebAuthn authenticator for secure logon. The following flowchart shows the process.
On the Authentication Configuration tab of the Sign-In page, click the Two-Factor Authentication tab. Turn on Two-Factor Authentication and click Save.
After two-factor authentication is turned on, users who have registered a WebAuthn authenticator can use WebAuthn to complete the second authentication step in a quick and secure manner.
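The following Node.js example is added here and is not IDaaS code or part of the original page. It shows the options a relying-party server could send to the browser for registering each authenticator type and for the two logon scenarios, including the error for an account with no registered authenticator. The relying-party ID, account store, function names and the per-scenario `userVerification` choice are assumptions.

```javascript
// Added example: relying-party option building in Node.js. All names and data are constructed.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const RP = { id: 'idaas.example', name: 'Example IDaaS' }; // placeholder relying party

// Constructed account store: username -> opaque user handle + registered credentials.
const ACCOUNTS = new Map([
  ['alice', { handle: 'dXNlci0wMDAx', creds: [
    { id: 'Y3JlZC1yb2FtaW5n', transports: ['usb', 'nfc'] },   // roaming security key
    { id: 'Y3JlZC1wbGF0Zm9ybQ', transports: ['internal'] },   // platform authenticator
  ] }],
  ['bob', { handle: 'dXNlci0wMDAy', creds: [] }],             // nothing registered yet
]);
const ATTACHMENT = new Map([['platform', 'platform'], ['roaming', 'cross-platform']]);

// Fresh 32-byte challenge per ceremony; the server stores it and checks it in the response.
const newChallenge = () =>
  Buffer.from(webcrypto.getRandomValues(new Uint8Array(32))).toString('base64url');
const toDescriptor = (c) => ({ type: 'public-key', id: c.id, transports: c.transports });

// Registration: the page's two authenticator types map to authenticatorAttachment values.
function registrationOptions(username, kind) {
  const attachment = ATTACHMENT.get(kind);
  const acct = ACCOUNTS.get(username);
  if (!acct || !attachment) throw new Error('unknown account or authenticator type');
  return {
    challenge: newChallenge(),
    rp: RP,
    user: { id: acct.handle, name: username, displayName: username },
    // COSE algorithm identifiers: -7 is ES256, -257 is RS256.
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }],
    authenticatorSelection: { authenticatorAttachment: attachment, userVerification: 'preferred' },
    excludeCredentials: acct.creds.map(toDescriptor), // block registering the same key twice
  };
}

// Logon: only credentials registered for this account are allowed.
function logonOptions(username, scenario) {
  if (!['passwordless', 'second-factor'].includes(scenario)) throw new Error('unknown scenario');
  const creds = ACCOUNTS.get(username)?.creds ?? [];
  if (creds.length === 0) throw new Error('no WebAuthn authenticator registered for this account');
  return {
    challenge: newChallenge(),
    rpId: RP.id,
    timeout: 60000,
    allowCredentials: creds.map(toDescriptor),
    // Assumption of this example: with no password, the authenticator must verify the user.
    userVerification: scenario === 'passwordless' ? 'required' : 'preferred',
  };
}
```

The returned objects use base64url strings for binary fields, so they can be serialized as JSON and decoded in the browser before the WebAuthn call.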