EUC Zero Trust Journey 2021 Day 2 - User Trust

(BETA)FIDO2 Configuration in Access (Windows)

This lab is designed to help you understand how to set up and authenticate using FIDO2 (Fast Identity Online). You will discover the requirements and implement the solution in your existing Workspace ONE Access environment. This particular lab is written for Windows 10 and uses Windows Hello in conjunction with the Chrome browser.

Part 1: Setup FIDO2

Part 2: Register Authenticator

Part 3: Administer FIDO2 Keys

Part 1: Setup FIDO2

  1. Log into your WorkspaceONE Access tenant as the system administrator.
    • Navigate to Identity & Access Management > Authentication Methods and click the pencil icon next to FIDO2.
  2. Click Enable FIDO2 Adapter.
    • Set the User Verification Preference to required.
    • Set the Attestation Conveyance Preference to none.
    • Click Save at the bottom of the page.
  3. Navigate to Identity Provider and click Built-in.
  4. After the Authentication Methods load on the Built-in IDP screen, click to enable the FIDO2 authentication method.
    • Click Save at the bottom of the screen.
  5. Navigate to Policies, then click Edit Default Policy.
  6. Click Configuration and click + ADD POLICY RULE.
  7. Set the Policy to All Device Types.
    • Change the switch for registering FIDO2 authenticator to YES.
    • Set the authentication method to Password (cloud deployment).
    • Set the fallback method to Password (Local Directory).
  8. Move the policy you just built from the bottom to the top.
    • Now click ALL RANGES next to Web Browser. This should be your second policy from the top.
  9. Change the first authentication method to FIDO2.
    • Click Save at the bottom of the page.
  10. Click NEXT and SAVE.
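The two adapter settings above (User Verification Preference "required", Attestation Conveyance "none") decide what the relying party has to verify in a registration response: with "none" there is no attestation statement to check, so the meaningful checks are on the authenticator data itself, and "required" means the UV flag must be set. The following is an added example and not part of this lab or of Workspace ONE Access; it parses the raw WebAuthn authenticator data bytes and enforces those checks. The relying party ID and the sample bytes are constructed placeholders.

```python
import hashlib
import struct

# Bits of the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN / biometric checked by the authenticator)
FLAG_AT = 0x40  # attested credential data follows (set on registration)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split rpIdHash | flags | signCount | [AAGUID | credIdLen | credId | COSE key]."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }
    if parsed["flags"] & FLAG_AT:
        parsed["aaguid"] = auth_data[37:53]
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        parsed["credential_id"] = auth_data[55:55 + cred_len]
        # The COSE public key follows the credential ID; it is left unparsed here.
    return parsed


def check_registration(auth_data: bytes, rp_id: str, require_uv: bool = True) -> list:
    """Return policy violations for a registration response; an empty list means accept."""
    p = parse_authenticator_data(auth_data)
    problems = []
    if p["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match the relying party ID")
    if not p["flags"] & FLAG_UP:
        problems.append("UP flag not set: no user presence check")
    if require_uv and not p["flags"] & FLAG_UV:
        problems.append("UV flag not set but User Verification Preference is 'required'")
    if not p["flags"] & FLAG_AT:
        problems.append("no attested credential data in a registration response")
    return problems


def build_sample_auth_data(rp_id: str, flags: int) -> bytes:
    """Constructed sample in the real byte layout (not captured from a device)."""
    cred_id = b"constructed-credential-id"
    cose_key_placeholder = b"\xa5"  # stands in for the COSE key map; not parsed above
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", 0) + b"\x00" * 16
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key_placeholder)
```

In practice the authenticator data is taken from the CBOR-decoded attestation object that the browser returns from navigator.credentials.create(); the decoding step is assumed to have already happened here.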

Part 2: Register Authenticator

  1. On your Windows 10 physical device, close Chrome, re-open it and browse to your WorkspaceONE Access URL.

Do NOT do this in the lab environment, as it requires a physical device with a supported authentication type (see below).

NOTE: This will not work in Chrome Incognito mode.

  • You should now see Sign in with FIDO2 Authenticator.
  • Click Register your FIDO2 Authenticator.
  2. Note the authenticator form factors supported on the different browsers and operating systems. Make sure you are using one of these and not a virtual lab environment.
  3. Select the euc-livefire.com domain and authenticate using the Mark VMware1! account. Click Sign in.
  4. At this point the FIDO2 registration kicks in and the browser asks you to select how to verify your identity. Click Continue on the pop-up.
  5. Now type your PIN for the device.
  6. Give your authenticator method a name and click Save.
  7. Now click Sign in with FIDO2 Authenticator and use Face or PIN to authenticate.
  8. You should be authenticated as the user Mark to Intelligent Hub.
    • Close Chrome and re-open it.
    • Experience seamless FIDO2 authentication to Intelligent Hub.

Part 3: Administer FIDO2 Keys

The WorkspaceONE Access admin console offers the ability to manage FIDO2 keys within the user attributes.

  1. Log into the WorkspaceONE Access admin console. This may require you to close the browser and re-open it, or to use a different browser.
    • Once logged in, click Users & Groups.
  2. Select the user you have been testing with (in my case, Mark Debio).
    • Click Two-Factor Authentication on the user record.
  3. We are interested in the FIDO2 section on this page, which lists the security authenticators currently configured for this user.
  4. Select an authenticator and note the options you have to delete, rename and block it.

This concludes the lab on configuring FIDO2 authentication on WorkspaceONE Access.


Author: Simeon Frank
