FIDO configuration overview
This article describes how FIDO features are configured in Airlock IAM.
For configuration details, refer to the plugin and property descriptions in the Config Editor.
The FIDO Settings configuration plugin
The configuration of all FIDO use cases supported by Airlock IAM is based on the FIDO Settings configuration plugin.
It configures all general FIDO settings:
- Basic Settings: E.g., IAM database, relying party ID.
- Registration Settings: E.g., allowed FIDO Authenticator types, user verification, and attestation verification.
- Authentication Settings: E.g., user verification type, timeouts, allowed FIDO transports.
- Advanced Settings: E.g., allowed signature algorithms.
The FIDO Settings configuration plugin is referenced by most of the other FIDO configuration plugins.
It is configured here (in the Config Editor):
MAIN SETTINGS >> Authentication Settings >> FIDO Settings
We recommend that you first configure the FIDO Settings plugin and afterward configure authentication, registration, and so on.
Windows Hello on Windows 10 only supports RS256 as the signature algorithm, and RS256 is disabled in Airlock IAM by default. If Windows Hello is to be used as FIDO Authenticator, RS256 must therefore be enabled in the allowed signature algorithms (Advanced Settings) and configured accordingly.
Note that RS256 is disabled by default because RFC 8812 registers RS256 (RSASSA-PKCS1-v1_5 with SHA-256) as not recommended for WebAuthn. Enable it only if such authenticators actually have to be supported.
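The following added example (not Airlock IAM code) shows why the algorithm list matters: the allowed signature algorithms become the ordered pubKeyCredParams of the WebAuthn registration request, and an authenticator picks the first entry it supports, so a Windows Hello authenticator that only knows RS256 fails unless RS256 is in the list. The COSE identifiers are those of RFC 8812 and the IANA COSE registry; the "allowed" lists and the authenticator capability lists are constructed for this example and are not IAM defaults.

```javascript
// Added example, not Airlock IAM code. COSE algorithm identifiers per RFC 8812 /
// IANA COSE registry; allowed lists and authenticator capabilities are constructed.
const COSE_ALG = { ES256: -7, EdDSA: -8, ES384: -35, ES512: -36, RS256: -257 };

// pubKeyCredParams is ordered most-preferred first; the authenticator uses the
// first entry it supports (WebAuthn), so weaker algorithms belong at the end.
function buildPubKeyCredParams(allowedAlgNames) {
  return allowedAlgNames.map((name) => {
    if (!(name in COSE_ALG)) throw new Error(`unknown algorithm ${name}`);
    return { type: "public-key", alg: COSE_ALG[name] };
  });
}

// Model of the authenticator-side choice: the first RP preference it supports,
// or null when nothing matches (a CTAP2 authenticator then rejects the request).
function selectAlgorithm(pubKeyCredParams, authenticatorAlgs) {
  const match = pubKeyCredParams.find((p) => authenticatorAlgs.includes(p.alg));
  return match ? match.alg : null;
}

// Constructed capability lists: Windows Hello (RS256 only, as described on
// this page) and a typical security key (ES256 / EdDSA).
const WINDOWS_HELLO_ALGS = [COSE_ALG.RS256];
const SECURITY_KEY_ALGS = [COSE_ALG.ES256, COSE_ALG.EdDSA];

// Constructed configurations: RS256 not allowed, and RS256 allowed but last.
const paramsWithoutRs256 = buildPubKeyCredParams(["ES256", "EdDSA", "ES384", "ES512"]);
const paramsWithRs256 = buildPubKeyCredParams(["ES256", "EdDSA", "ES384", "ES512", "RS256"]);

function demo() {
  return {
    helloWithoutRs256: selectAlgorithm(paramsWithoutRs256, WINDOWS_HELLO_ALGS), // null: registration fails
    helloWithRs256: selectAlgorithm(paramsWithRs256, WINDOWS_HELLO_ALGS),       // -257: RS256 used
    keyWithRs256: selectAlgorithm(paramsWithRs256, SECURITY_KEY_ALGS),          // -7: ES256 still preferred
  };
}
```

Keeping RS256 at the end of the allowed list means enabling it for Windows Hello does not downgrade security keys that support ES256 or EdDSA; they keep negotiating the stronger algorithm.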
Disabling the persisting of FIDO transports
FIDO supports different transport types, i.e., communication channels between the FIDO Authenticator and the FIDO client (e.g., the browser). Possible transport types are USB, Bluetooth, an internal (platform) authenticator, or hybrid (cross-device) transports.
When an end-user registers a FIDO key or Passkey, IAM persists the transport type(s) used for the registration. At the next login, IAM automatically includes the persisted transport type(s) in the authentication request, so the end-user is prompted for the channel that was used at registration.
It is possible to disable this default setting. Proceed as follows:
- Go to Main Settings >> Authentication Settings >> FIDO Settings >> Repository.
- In the FIDO Database Repository dialog, Advanced Settings section, disable the Persist Transports property.
If a list of allowed FIDO transport types is configured in the FIDO Settings plugin, IAM offers the end-user the intersection of the allowed transport types and the end-user's persisted transport types during authentication. If the intersection is empty, IAM presents all transport types.
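As an added example (not Airlock IAM code), the rule above as a function, together with the place where the result ends up: the transports hint of each allowCredentials entry in the WebAuthn request passed to navigator.credentials.get(). Assumptions not taken from this page: the transport identifiers are the WebAuthn AuthenticatorTransport values, "all transport types" means that full set, and when no allowed list is configured the persisted transports are offered as they are. The relying party ID, credential IDs and persisted values are constructed.

```javascript
// Added example, not Airlock IAM code. Transport identifiers are the WebAuthn
// AuthenticatorTransport values; the empty-intersection fallback follows the page.
const ALL_TRANSPORTS = ["usb", "nfc", "ble", "internal", "hybrid"];

// allowed: the list configured in FIDO Settings, or null when none is configured.
// persisted: transports stored at registration (empty when persisting is disabled).
function transportsToOffer(allowed, persisted) {
  const stored = Array.isArray(persisted) ? persisted : [];
  if (!Array.isArray(allowed)) {
    // No restriction configured (assumption): offer what was persisted, else everything.
    return stored.length ? [...stored] : [...ALL_TRANSPORTS];
  }
  const intersection = allowed.filter((t) => stored.includes(t));
  // Empty intersection (including nothing persisted): present all transport types
  // rather than hinting at a channel the user cannot use.
  return intersection.length ? intersection : [...ALL_TRANSPORTS];
}

// Build the PublicKeyCredentialRequestOptions. The transports are only a hint
// for the client; the server still verifies the assertion regardless of channel.
function buildRequestOptions(challenge, rpId, credentials, allowed, timeoutMs) {
  return {
    challenge,
    rpId,
    timeout: timeoutMs,
    userVerification: "preferred",
    allowCredentials: credentials.map((c) => ({
      type: "public-key",
      id: c.id,
      transports: transportsToOffer(allowed, c.persistedTransports),
    })),
  };
}

// Constructed input: an allowed list that excludes USB, and two registered
// credentials, one of which was registered over USB only.
function demoOffered() {
  const allowed = ["internal", "hybrid"];
  const credentials = [
    { id: new Uint8Array([1, 2, 3]), persistedTransports: ["hybrid", "usb"] },
    { id: new Uint8Array([4, 5, 6]), persistedTransports: ["usb"] },
  ];
  const options = buildRequestOptions(new Uint8Array(32), "login.example.com", credentials, allowed, 60000);
  return options.allowCredentials.map((c) => c.transports);
  // first credential: ["hybrid"]; second: all transports (empty intersection)
}
```

The second credential shows the edge case the page describes: a key registered over a transport that is no longer allowed still gets a usable prompt, because the empty intersection falls back to all transport types instead of an empty hint.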
Using on-failure targets to improve user experience
When using FIDO/Passkey authentication, the browser (or client) may abort the authentication for various reasons, e.g., the end-user cancels the prompt, the timeout expires, or WebAuthn is not available. In these cases, it may be desirable to offer an alternative authentication factor to the user.
To maximize the user experience, it is recommended to use the on-failure goto feature in the FIDO/Passkey authentication steps to route the authentication flow to an alternative factor.
Consider, for example, the error codes that may be returned by the FIDO Authentication Step:
- FIDO_AUTHENTICATION_FAILED
- FIDO_AUTHENTICATION_TIMEOUT
- FIDO_AUTHENTICATION_ABORTED
- FIDO_AUTHENTICATION_NOT_ALLOWED
- FIDO_WEB_AUTHN_NOT_AVAILABLE
- NO_VALID_TOKEN
Map these error codes to flow goto targets where desired. The On Failure Gotos property of the FIDO authentication steps provides the up-to-date list of error codes with a description of each.
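The on-failure gotos act on the IAM side; the counterpart on the client is recognising why navigator.credentials.get() failed so that the failure can be reported and the flow continued. The following added example (not Airlock IAM code) shows that client side: the WebAuthn availability check, a timeout enforced through an AbortController, and the DOMException names the browser uses for cancellation and abort. Assumptions: `win` stands for the browser window object and is injected so the code can be exercised outside a browser; the reason strings and the fallback table are this example's own and are not the IAM error codes or any IAM configuration.

```javascript
// Added example, not Airlock IAM code. `win` is the browser window (injected);
// the reason strings are this example's own categories, not IAM error codes.
function webAuthnAvailable(win) {
  return Boolean(
    win && typeof win.PublicKeyCredential === "function" &&
    win.navigator && win.navigator.credentials &&
    typeof win.navigator.credentials.get === "function"
  );
}

// Map the DOMException from credentials.get() to a reason. Browsers report a
// user cancellation and their own timeout both as NotAllowedError; only an
// abort through our own AbortController is distinguishable as our timeout.
function classifyFailure(err, abortedByTimer) {
  const name = err && err.name;
  if (name === "AbortError") return abortedByTimer ? "timeout" : "aborted";
  if (name === "NotAllowedError") return "not_allowed";
  if (name === "NotSupportedError") return "not_available";
  return "failed";
}

async function getAssertion(win, publicKeyOptions, timeoutMs) {
  if (!webAuthnAvailable(win)) return { ok: false, reason: "not_available" };
  const controller = new win.AbortController();
  let abortedByTimer = false;
  const timer = setTimeout(() => { abortedByTimer = true; controller.abort(); }, timeoutMs);
  try {
    const credential = await win.navigator.credentials.get({
      publicKey: publicKeyOptions,
      signal: controller.signal,
    });
    return credential ? { ok: true, credential } : { ok: false, reason: "failed" };
  } catch (err) {
    return { ok: false, reason: classifyFailure(err, abortedByTimer) };
  } finally {
    clearTimeout(timer);
  }
}

// What the client does next: submit the assertion, or switch to the alternative
// factor configured for this reason ("default" covers reasons without an entry).
function nextStep(result, fallbacks) {
  if (result.ok) return { action: "submit-assertion" };
  return { action: "fallback", factor: fallbacks[result.reason] || fallbacks.default };
}

// Constructed fallback table for this example.
const FALLBACKS = { not_available: "password+otp", timeout: "password+otp", default: "retry-fido" };
```

Note that the browser does not tell the client whether a NotAllowedError came from the user or from the platform timeout; if the distinction matters for routing, enforce the timeout on the client with the AbortController as above and keep the browser's own timeout longer.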
Further information and links
- Authentication configuration
- as 2nd factor: FIDO 2nd factor authentication - REST flow example
- passwordless: FIDO passwordless authentication - REST flow example
- Registration configuration
- in token migration: FIDO token migration - REST flow example
- in token management: FIDO token registration - REST flow example
- Token management self-services: FIDO passkey management self-service configuration
- Token management in Adminapp: FIDO token management in the IAM Adminapp
- Supported FIDO use-cases: FIDO in Airlock IAM