FIDO configuration overview

This article describes how FIDO features are configured in Airlock IAM.

For details about configuration please refer to the plugin and property descriptions in the Config Editor.

The FIDO Settings configuration plugin

The configuration of all FIDO use-cases supported by Airlock IAM is based on the FIDO Settings configuration plugin.

  • It configures all general FIDO settings:
  • Basic Settings: e.g. IAM database, relying party ID.
  • Registration Settings: e.g. allowed FIDO Authenticator types, user-, and attestation verification.
  • Authentication Settings: e.g. user verification type, timeouts.
  • Advanced Settings: e.g. allowed signature algorithms.

The FIDO Settings configuration plugin is referenced by most of the other FIDO configuration plugins.

It is configured here (in the Config Editor):
>> Authentication Settings >> FIDO Settings

It is recommended to first configure the FIDO Settings plugin and afterward configure authentication, registration, and so on.

Windows 10 only supports RS256 as the algorithm for Windows Hello authentication, which is disabled in Airlock IAM by default. Thus, the RS256 algorithm needs to be enabled and configured accordingly if Windows Hello has to be used as FIDO Authenticator.

Note that this specific algorithm is disabled by default because RFC 8812 lists RS256/SHA-256 as not recommended.

Further information and links