RapidIdentity Product Guide: Legacy UI

FIDO
Decision Process

To determine whether and how a FIDO device applies to an Authentication Policy, follow this stepwise process.

  1. Does the use case require FIDO?

    1. No: Choose different Authentication Methods, Criteria, or both.

    2. Yes: Proceed to Question #2.

  2. Does the use case require FIDO to differentiate the user population?

    1. No: Use FIDO as an Authentication Method.

      1. If more than one Authentication Method is in the Authentication Policy, prioritize the Methods using the up and down arrows.

      2. Optionally allow users to defer the challenge for up to 30 days.

    2. Yes: Use FIDO as an Authentication Criterion.

      1. If the criterion applies to users with a registered device, select Enabled only.

      2. If the criterion applies to users without a registered device, select Enabled and Inverse Match.

  3. Does the use case require FIDO devices in more than one domain?

    1. No: Configure the FIDO App ID Host and Facet to be the RapidIdentity FQDN.

    2. Yes: Configure the FIDO App ID Host to match the RapidIdentity FQDN and the FIDO Facets to include the Federation and Portal FQDNs.
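As an added illustration (not RapidIdentity's own code or configuration), the following Python builds the U2F TrustedFacetList document that an App ID URL resolves to for the multi-domain case in decision #3 above, and checks the two rules a U2F client applies to facets: each must be a bare https origin and must sit under the App ID's registrable domain. The hostnames are constructed, and the registrable-domain check is a simplification that ignores the Public Suffix List.

```python
import json
from urllib.parse import urlsplit

# Constructed example values (not from the RapidIdentity documentation).
APP_ID_HOST = "idp.example.edu"             # assumed RapidIdentity FQDN
FEDERATION_FQDN = "federation.example.edu"  # assumed Federation FQDN
PORTAL_FQDN = "portal.example.edu"          # assumed Portal FQDN


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels. Simplification: this ignores
    the Public Suffix List, so multi-label suffixes such as co.uk are wrong."""
    return ".".join(host.lower().split(".")[-2:])


def facet_problems(app_id_host: str, facets: list) -> list:
    """Return the reasons a U2F client would reject each facet, per the FIDO
    AppID and Facet specification: facets must be https origins (no path or
    query) and share the App ID's registrable domain."""
    problems = []
    for facet in facets:
        parts = urlsplit(facet)
        if parts.scheme != "https" or parts.path not in ("", "/") or parts.query:
            problems.append(f"{facet}: facet must be a bare https origin")
            continue
        if registrable_domain(parts.hostname or "") != registrable_domain(app_id_host):
            problems.append(f"{facet}: not under {registrable_domain(app_id_host)}")
    return problems


def trusted_facet_list(app_id_host: str, facet_hosts: list) -> dict:
    """Build the TrustedFacetList document for the App ID. The App ID host is
    always a facet itself; for the single-domain case (decision #3 = No) pass
    an empty facet_hosts list and the document contains only the App ID origin."""
    hosts = dict.fromkeys([app_id_host, *facet_hosts])  # de-duplicate, keep order
    facets = [f"https://{h}" for h in hosts]
    problems = facet_problems(app_id_host, facets)
    if problems:
        raise ValueError("; ".join(problems))
    return {"trustedFacets": [{"version": {"major": 1, "minor": 0}, "ids": facets}]}


if __name__ == "__main__":
    doc = trusted_facet_list(APP_ID_HOST, [FEDERATION_FQDN, PORTAL_FQDN])
    print(json.dumps(doc, indent=2))
```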

Configuration

FIDO App ID and Facet configuration is described here.

The FIDO authentication method requires users to insert their U2F security key into their computer to authenticate to RapidIdentity.

To enable FIDO as an authentication method, select and enable FIDO as a method and click Save.

FIDO Authentication

When users match an authentication policy criterion in which FIDO is a required method, RapidIdentity prompts them to insert their token into the device, even if the token is already inserted.


To complete this authentication step, press the FIDO touch interface on the security token.

Users have approximately two minutes to press the touch interface before this authentication step times out. If the step times out, users must start over from the beginning, which in this example means re-entering their username and password.

In this particular example, since FIDO is the second factor required to authenticate, users are directed to the configured landing component once the touch interface is pressed.

FIDO Token

This authentication example used a YubiKey NEO token.

If the token is inserted prior to authentication, the Wi-Fi symbol appears green.

Once users arrive at the authentication step requiring FIDO, the Wi-Fi symbol flashes green.

After the authentication is complete the Wi-Fi symbol appears green.

Other U2F vendor keys may appear and function differently.

Key Security and Storage

Once authentication is complete, the FIDO token can be safely removed from the device without concern for a user being automatically logged out of RapidIdentity.

If a user's FIDO token needs to be replaced or unbound from their digital identity, the FIDO device registration bound to that identity can be deleted using either of two methods:

  1. Pressing the Delete FIDO device registrations for a User action button as shown in Configuration.

  2. Pressing the Reset FIDO action button in a configured RapidIdentity Portal delegation. This action button is made available through Delegations.