Use case: FIDO credential management

This article shows an example of how to manage end-users' FIDO credentials.

Goal

  • Understand how authentication with FIDO can be enabled for an end-user.
  • Understand how to manage end-users' FIDO credentials.
  • Learn how to prepare Airlock IAM for end-user token migration to FIDO.

All of the following procedures are examples and will vary according to your setup or needs.

Initial thoughts

The following examples use the Airlock IAM Adminapp. A REST API for all administrative actions of the Airlock IAM Adminapp is available.

  • All admin actions shown below are subject to access control.
  • Review the access control configuration in the Adminapp.
  • In the following, we assume that the administrator has all the necessary privileges.

Prerequisites

  • The IAM Adminapp is configured so that end-users and authentication tokens can be managed.
  • The FIDO Token Controller is configured in the IAM Adminapp.
  • The administrator has the privileges (roles) to perform all shown actions.
  • All examples are given on an existing end-user account.

Prepare user for migration to FIDO

Ensure that token migration is enabled in the Adminapp configuration: Adminapp >> Users >> Show Migration Section.

The described procedure may also be done for multiple users at a time using the bulk change feature.

It can be enabled here: Adminapp >> Users >> Allow Bulk Changes.

Screenshot: IAM-Adminapp-FIDO-Token-Migration

  1. Open the Authentication Methods tab in the end-user details.
  2. Select FIDO in the Authentication Method Migration section.
  3. Optionally set a due date in the field Migrate until.
  4. Click the Save button.
  5. Migration has been prepared – the end-user will be asked to migrate to FIDO at the next login.

Enable FIDO as 2nd factor

To manually set FIDO as the second factor, do the following.

Whether FIDO is used as a 2nd factor or in passwordless mode depends on the configured authentication flow.

Assumptions:

  • The selection of the second authentication factor is based on the assigned auth method in the configured authentication flow.
  • The end-user has registered at least one FIDO Authenticator for the IAM account.

Did you know...

  • If no FIDO tab is shown for the selected user, the end-user has not yet registered a FIDO Authenticator for the IAM account. In this case, the end-user will not be able to log in using FIDO.
  • FIDO credentials cannot be added in the IAM Adminapp; they can only be added by the end-user, using either the token migration or the FIDO registration self-service.

Screenshot: IAM-Adminapp-FIDO-set-Authmethod

  1. Open the Authentication Methods tab in the user details.
  2. In the section Select Active Authentication Method, select FIDO and click the Save button.
  3. The active authentication method for the end-user is now set to FIDO.

FIDO credential management

The following example screenshot shows the FIDO tab with two FIDO Authenticators (represented as FIDO credentials).

Screenshot: IAM-Adminapp-FIDO-list-tokens

Displayed information:

  • The information displayed per registered FIDO credential varies according to the information provided by the FIDO Authenticator.
  • Airlock IAM can derive information about the Make and model from the FIDO Authenticator's AAGUID. Unknown AAGUIDs are displayed as shown in the example screenshot. Unknown AAGUIDs may be mapped to meaningful strings in the IAM configuration.

Possible actions:

  • Lock (or Unlock) a FIDO credential:
    If locked, the corresponding FIDO Authenticator can no longer be used for authentication with the Airlock IAM account.
  • Delete FIDO credential:
    This removes the FIDO credential from the IAM account, i.e. the FIDO Authenticator is no longer assigned to the account. This action cannot be undone. FIDO Authenticators can only be associated with an IAM account by the end-user (not by the administrator) using a self-service.
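How the Make and model label comes about: at registration, a FIDO Authenticator returns authenticator data whose attested credential section carries a 16-byte AAGUID, and the relying party maps that value to a vendor and model; an authenticator that does not identify itself reports an all-zero AAGUID. The following Python is an added example and not Airlock IAM code: it parses the AAGUID out of WebAuthn authenticator data and resolves it against a lookup table with an explicit fallback for unknown values, which is the behaviour the list above describes. The AAGUIDs, vendor names and the relying party ID in it are constructed for the example.

```python
import hashlib
import struct
import uuid
from typing import Optional

# WebAuthn authenticator data layout (fixed header, then optional sections):
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
#   | attestedCredentialData, present only when the AT flag is set:
#       aaguid (16 bytes) | credentialIdLength (2 bytes, big-endian) | credentialId | credentialPublicKey (COSE)
HEADER_LEN = 37
FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data included

# An authenticator that does not want to identify itself reports an all-zero AAGUID.
ZERO_AAGUID = "00000000-0000-0000-0000-000000000000"

# Constructed lookup table for the example. These AAGUIDs are made up and identify no real product;
# a deployment would fill this from authenticator metadata or a local configuration mapping.
AAGUID_MAKE_MODEL = {
    "11111111-1111-1111-1111-111111111111": "ExampleVendor SecureKey 1",
    "22222222-2222-2222-2222-222222222222": "ExampleVendor SecureKey 2 NFC",
}


def parse_aaguid(auth_data: bytes) -> Optional[str]:
    """Return the AAGUID from raw authenticator data as a canonical UUID string.

    Returns None when no attested credential data is present (e.g. login assertions),
    because only registration responses carry the AAGUID.
    """
    if len(auth_data) < HEADER_LEN:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        return None
    if len(auth_data) < HEADER_LEN + 16 + 2:
        raise ValueError("attested credential data is truncated")
    return str(uuid.UUID(bytes=auth_data[HEADER_LEN:HEADER_LEN + 16]))


def describe_authenticator(auth_data: bytes) -> str:
    """Map the AAGUID to a make-and-model label, with an explicit fallback for unknown values."""
    aaguid = parse_aaguid(auth_data)
    if aaguid is None:
        return "no attested credential data"
    if aaguid == ZERO_AAGUID:
        return "Unknown make and model (authenticator reports no AAGUID)"
    return AAGUID_MAKE_MODEL.get(aaguid, f"Unknown make and model (AAGUID {aaguid})")


def build_registration_auth_data(aaguid: str, credential_id: bytes, sign_count: int = 0) -> bytes:
    """Construct minimal registration-style authenticator data (a constructed sample, not a real capture)."""
    rp_id_hash = hashlib.sha256(b"iam.example.test").digest()  # constructed relying party ID
    header = rp_id_hash + bytes([FLAG_UP | FLAG_AT]) + struct.pack(">I", sign_count)
    attested = uuid.UUID(aaguid).bytes + struct.pack(">H", len(credential_id)) + credential_id
    cose_key_placeholder = b"\xa0"  # CBOR empty map standing in for the credential public key
    return header + attested + cose_key_placeholder


def build_assertion_auth_data(sign_count: int) -> bytes:
    """Construct assertion-style (login) authenticator data, which carries no AAGUID."""
    rp_id_hash = hashlib.sha256(b"iam.example.test").digest()  # constructed relying party ID
    return rp_id_hash + bytes([FLAG_UP]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    samples = [
        ("known", build_registration_auth_data("11111111-1111-1111-1111-111111111111", b"cred-1")),
        ("unmapped", build_registration_auth_data("33333333-3333-3333-3333-333333333333", b"cred-2")),
        ("zero", build_registration_auth_data(ZERO_AAGUID, b"cred-3")),
        ("login", build_assertion_auth_data(7)),
    ]
    for label, data in samples:
        print(f"{label:8s} -> {describe_authenticator(data)}")
```

The fallback branches matter for the administrator's view: an unmapped AAGUID is still shown as a distinct value that can later be given a meaningful string in the configuration, whereas an all-zero AAGUID carries no identity at all and no mapping can recover one.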