Set up FIDO2 authentication

This article applies to Digital Access version 6.8.0 and later versions.

This article describes how to set up FIDO2 as an authentication method in the Smart ID Digital Access component. The FIDO authentication method supports cross-platform Security Keys as the Authenticator Attachment and allows the signing algorithms ES256, EdDSA, ES384, ES512, RS256, RS384 and RS512.

Prerequisites

Step-by-step instruction

Enable self-service for FIDO registration

  1. Log in to Digital Access Admin with an administrator account. 

  2. Go to Manage Accounts and Storage > Self Service > FIDO2 Provisioning

  3. Check the checkbox Enable FIDO2 (WebAuthn) credentials Self Service Provisioning.

When this is enabled, an API is automatically added to the Web Resource "api" at /rest/<version>/webauthn/registration, and a web page is added to the Web Resource "Access Point" at /wa/fido/fidoProfileProvisioning.html.

Caution:

It is strongly recommended to protect the above resources with multi-factor authentication. This ensures that strong authentication is required before users can create FIDO2 credentials via self-service.

Add FIDO2 authentication method

  1. Log in to Digital Access Admin with an administrator account.

  2. Go to Manage System > Authentication Methods.

  3. Click Add Authentication Method... and select FIDO. Click Next.

  4. Enter a Display Name for the authentication method.

  5. Configure Relying Party Settings

    1. Enter Relying Party ID as a valid domain string that identifies the WebAuthn Relying Party. When an authenticator is registered to a Relying Party, that registration is only valid for authenticating to that Relying Party.

    An example of a Relying Party ID is "login.example.com".

    2. Enter Relying Party Name.

  6. Configure Registration Settings (Optional)

    1. Choose Discoverable Credentials, which specifies whether the credential should be discoverable during authentication. If Discoverable Credential (formerly known as Resident Credential or Resident Key) is set to Required, users can authenticate without a username and do not need to enter one during the authentication flow. Required is the default setting.
      Refer to the Security Key vendor for details on supported browsers and on whether resident credentials are supported.

    2. Choose User Verification, which specifies whether user verification is needed during registration. Required is the default setting.

  7. Configure Authentication Settings (Optional)

    1. Choose User Verification, which specifies whether user verification is needed during authentication. Required is the default setting.

  8. Click Add Authentication Method Server… and select an authentication server.

  9. Click Next >, Next > and Next >.

  10. In Extended Properties, add the relevant properties for the authentication method.

  11. Click Next > and then Finish Wizard.

  12. Click Publish, which is marked blue to show that updates have been made.
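The Relying Party ID and User Verification settings above are enforced by the server when it verifies an assertion: the rpIdHash in the authenticatorData must equal SHA-256 of the configured Relying Party ID, the client origin must lie within that domain, and the UV flag must be set when User Verification is Required. The following added example (not Digital Access code; it assumes the article's "login.example.com" as RP ID and a constructed authenticatorData header) shows those checks in isolation:

```python
import hashlib
import struct
from urllib.parse import urlsplit

# authenticatorData flag bits (WebAuthn Level 2, section 6.1)
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
RP_ID = "login.example.com"  # the example Relying Party ID from the article (assumed)

def parse_auth_data(data: bytes) -> tuple[bytes, int, int]:
    """Split the fixed 37-byte authenticatorData header into (rpIdHash, flags, signCount)."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return rp_id_hash, flags, sign_count

def origin_allowed(origin: str, rp_id: str) -> bool:
    """Client origin must be https and its host must equal the RP ID or be a subdomain of it."""
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))

def check_assertion(auth_data: bytes, origin: str, rp_id: str, user_verification: str = "required") -> list[str]:
    """Return the list of policy violations; an empty list means the header checks pass.
    user_verification mirrors the Authentication Settings value ("required" or another value)."""
    rp_id_hash, flags, _count = parse_auth_data(auth_data)
    problems = []
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match the configured Relying Party ID")
    if not origin_allowed(origin, rp_id):
        problems.append(f"origin {origin} is not within Relying Party ID {rp_id}")
    if not flags & FLAG_UP:
        problems.append("User Present flag not set")
    if user_verification == "required" and not flags & FLAG_UV:
        problems.append("User Verification required but UV flag not set")
    return problems

def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample authenticatorData header for testing (no attested credential data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

if __name__ == "__main__":
    good = make_auth_data(RP_ID, FLAG_UP | FLAG_UV)
    print(check_assertion(good, "https://login.example.com", RP_ID))  # []
    print(check_assertion(good, "https://login.example.net", RP_ID))  # origin rejected
    print(check_assertion(make_auth_data(RP_ID, FLAG_UP), "https://login.example.com", RP_ID))  # UV missing
```

A full verifier also checks the challenge, the credential's signature and the signature counter; only the header-level policy checks tied to the settings in this article are shown here.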

 

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.