FIDO2 authentication with Workspace ONE Access

We finally have support in Workspace ONE Access for FIDO2 hardware access tokens. It is pretty easy to set up and use. There are no major roadblocks; if you have a hardware key, you can test it yourself.

To set it up, we will start in the “Authentication Methods” section, where we will simply edit the FIDO2 row.

We will enable it and keep everything at the defaults. If you want to know what all those knobs do, go and check this nice video from Peter Bjork –

Next, we need to instruct our built-in identity provider to accept FIDO2 tokens as a valid method of authentication.

The last thing is to edit the access policies, and here it may be a little unclear.

If you want to allow users to register their tokens themselves, you will need to update the default policy: check the “…user is registering FIDO2 authenticator” option and keep Password (cloud deployment) as the authentication method. This allows users to pair their hardware key with their account using their username and password. Obviously you don’t need to do this if you plan to pre-register the token to the user from the admin interface.

Then you need to actually create a policy that uses FIDO2 for authentication.

Because we allowed self-service, the user sees a prompt for a token during the first logon, with the option to link a new one.

I personally encountered some issues with my hardware token when I tried to use Safari. Because it was a fresh token, there was no PIN set on it and somehow Safari did not prompt for anything and the registration always failed. When I switched to Chrome, I set the PIN and then I was able to use the token normally even in Safari.

The last step of the registration is to give the token a friendly name.

And you are done.

Administrators can see and manage the tokens linked to a given user in the administration console under “Two-Factor Authentication” in the user details.

That’s it for today: a pretty simple and powerful way to completely eliminate the password from your everyday sign-in process.