This article describes how FIDO features are configured in Airlock IAM.
For details about configuration please refer to the plugin and property descriptions in the Config Editor.
The configuration of all FIDO use cases supported by Airlock IAM is based on the FIDO Settings configuration plugin.
The FIDO Settings configuration plugin is referenced by most of the other FIDO configuration plugins.
It is configured here (in the Config Editor):
MAIN SETTINGS >> Authentication Settings >> FIDO Settings
We recommend that you first configure the FIDO Settings plugin and afterward configure authentication, registration, and so on.
Windows 10 only supports RS256 as the signature algorithm for Windows Hello authentication, and RS256 is disabled in Airlock IAM by default. The RS256 algorithm therefore has to be enabled and configured accordingly if Windows Hello is to be used as a FIDO Authenticator.
Note that this algorithm is disabled by default because RFC 8812 registers RS256 (RSASSA-PKCS1-v1_5 with SHA-256) in the COSE Algorithms registry as not recommended.
FIDO supports different transport types, i.e., communication channels between the FIDO Authenticator and the FIDO client. Possible transport types are Bluetooth (BLE), USB, internal (a platform authenticator built into the device) or hybrid (cross-device) transports.
When an end-user registers a FIDO key or Passkey, IAM persists the transport type used for the registration. On subsequent logins, IAM automatically presents the persisted transport type to the end-user.
This default setting can be disabled. Proceed as follows:
You may have configured a list of allowed FIDO transport types in the FIDO Settings plugin. In this case, during authentication, IAM offers the end-user the intersection of the allowed transport types and the end-user's persisted transport type. If the intersection is empty, IAM presents all transport types.
When using FIDO/Passkey authentication, the authentication may be aborted by the browser (or client) for various reasons. In these cases, it may be desirable to offer an alternative authentication factor to the user.
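The transport-hint rule described above, written out as an added example (this is not Airlock IAM code). It computes the intersection of the configured allow-list and the transports persisted for a credential, falls back to all transports when the intersection is empty, and places the result in the `transports` field of a WebAuthn `allowCredentials` entry. The transport names are the WebAuthn `AuthenticatorTransport` values; treating an empty or missing allow-list as "no restriction" is an assumption.

```javascript
// Added example, not Airlock IAM code. Transport names follow the WebAuthn
// AuthenticatorTransport enumeration.
const ALL_TRANSPORTS = ["usb", "nfc", "ble", "smart-card", "hybrid", "internal"];

// allowedTransports: optional allow-list from the FIDO Settings plugin.
// persistedTransports: what was stored at registration for this credential
// (WebAuthn getTransports() returns a list, so there may be several).
function transportsToOffer(allowedTransports, persistedTransports) {
  const persisted = (persistedTransports || []).filter(t => ALL_TRANSPORTS.includes(t));

  // Assumption: no allow-list configured means no restriction, so offer what
  // was persisted, or everything if nothing was stored.
  if (!allowedTransports || allowedTransports.length === 0) {
    return persisted.length ? persisted : [...ALL_TRANSPORTS];
  }

  const allowed = allowedTransports.filter(t => ALL_TRANSPORTS.includes(t));
  const intersection = persisted.filter(t => allowed.includes(t));

  // Empty intersection: present all transport types, as described above.
  return intersection.length ? intersection : [...ALL_TRANSPORTS];
}

// One PublicKeyCredentialDescriptor for the allowCredentials list passed to
// navigator.credentials.get(); credentialId is the raw credential ID bytes.
function allowCredentialEntry(credentialId, allowedTransports, persistedTransports) {
  return {
    type: "public-key",
    id: credentialId,
    transports: transportsToOffer(allowedTransports, persistedTransports),
  };
}

// Constructed sample: allow-list permits roaming keys only, credential was
// registered over USB.
const sampleEntry = allowCredentialEntry(
  new Uint8Array([1, 2, 3, 4]),
  ["usb", "nfc"],
  ["usb"],
);
```

Browsers treat `transports` as a hint, so an empty or wrong list degrades the prompt rather than blocking the login; that is why the fallback to all transports is safe.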
To maximize the user experience, it is recommended to use the on-failure goto feature in the FIDO/Passkey authentication steps to route the authentication flow to an alternative factor.
FIDO_AUTHENTICATION_FAILED
FIDO_AUTHENTICATION_TIMEOUT
FIDO_AUTHENTICATION_ABORTED
FIDO_AUTHENTICATION_NOT_ALLOWED
FIDO_WEB_AUTHN_NOT_AVAILABLE
Use the error codes and map them to flow goto targets where desired. See property On Failure Gotos in the FIDO authentication steps to get an up-to-date list of error codes with a description.
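The client-side counterpart of the on-failure goto mechanism, as an added example (not Airlock IAM code): a wrapper around `navigator.credentials.get()` that classifies a failed call into the error-code names listed above and selects the configured goto target. The page lists only the code names; the mapping from WebAuthn `DOMException` names to those codes, the sample goto table and the step names are assumptions for illustration. One real detail the example handles: WebAuthn reports an expired timeout as `NotAllowedError`, the same name a user cancel produces, so the wrapper times the call itself to tell `FIDO_AUTHENTICATION_TIMEOUT` apart from `FIDO_AUTHENTICATION_NOT_ALLOWED`.

```javascript
// Added example, not Airlock IAM code. DOMException-to-code mapping and the
// goto table are assumptions; only the code names come from the page.

// Constructed sample of an On Failure Gotos table: codes without an entry keep
// the user on the current FIDO step.
const ON_FAILURE_GOTOS = {
  FIDO_WEB_AUTHN_NOT_AVAILABLE: "alternative-factor-step",
  FIDO_AUTHENTICATION_ABORTED: "factor-selection-step",
  FIDO_AUTHENTICATION_TIMEOUT: "factor-selection-step",
};

function webAuthnAvailable(win) {
  return !!(win && win.PublicKeyCredential && win.navigator && win.navigator.credentials);
}

// ctx.timedOut is set by our own timer; WebAuthn itself surfaces a timeout as
// NotAllowedError, indistinguishable from a cancel.
function classifyFailure(err, ctx) {
  if (!ctx.webAuthnAvailable) return "FIDO_WEB_AUTHN_NOT_AVAILABLE";
  if (ctx.timedOut) return "FIDO_AUTHENTICATION_TIMEOUT";
  const name = err && err.name;
  if (name === "AbortError") return "FIDO_AUTHENTICATION_ABORTED";     // assumption
  if (name === "NotAllowedError") return "FIDO_AUTHENTICATION_NOT_ALLOWED"; // assumption
  return "FIDO_AUTHENTICATION_FAILED";
}

function nextStep(code, gotos, currentStep) {
  return Object.prototype.hasOwnProperty.call(gotos, code) ? gotos[code] : currentStep;
}

// getAssertion is navigator.credentials.get bound to the browser's navigator.
// It is injected so the function can be exercised outside a browser.
async function authenticateWithFallback(getAssertion, publicKeyOptions, timeoutMs, gotos, currentStep) {
  const ctx = { webAuthnAvailable: webAuthnAvailable(globalThis), timedOut: false };
  if (!ctx.webAuthnAvailable) {
    const code = "FIDO_WEB_AUTHN_NOT_AVAILABLE";
    return { ok: false, code, goto: nextStep(code, gotos, currentStep) };
  }
  const controller = new AbortController();
  const timer = setTimeout(() => { ctx.timedOut = true; controller.abort(); }, timeoutMs);
  try {
    const assertion = await getAssertion({ publicKey: publicKeyOptions, signal: controller.signal });
    return { ok: true, assertion };
  } catch (err) {
    const code = classifyFailure(err, ctx);
    return { ok: false, code, goto: nextStep(code, gotos, currentStep) };
  } finally {
    clearTimeout(timer);
  }
}
```

In a browser the call is `authenticateWithFallback(navigator.credentials.get.bind(navigator.credentials), options, 60000, ON_FAILURE_GOTOS, "fido-step")`; the returned `goto` is the step to continue with, and the `code` is what you would report to IAM so its On Failure Gotos property, not client logic, remains the source of truth for routing.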