WebAuthn MFA
WebAuthn (Web Authentication) is a modern authentication standard that facilitates secure and phishing-resistant login experiences. It can be used as a Multi-Factor Authentication (MFA) method by combining something you have (a hardware security key, a device with biometric sensors, or a smartphone) with another authentication factor (such as a password or PIN).
ZTAA supports three types of WebAuthn/FIDO2 authentication:
- Windows Hello
- Security Key
- Pass Key
Preconditions:
- For configuring Windows Hello, users must have set up a PIN or fingerprint on their device.
- For Security Key authentication, users need a YubiKey. When you insert the YubiKey into your device, you will be prompted to set a one-time PIN for the YubiKey. This PIN will be required when configuring the WebAuthn device as a Security Key (YubiKey).
- For Pass Key authentication, ensure that Bluetooth and the Internet connection are enabled on both your mobile device and your desktop.
The video below demonstrates a WebAuthn MFA login to the InstaSafe platform with Windows Hello.
The video below demonstrates a WebAuthn passwordless login to the InstaSafe platform with a FIDO2-compliant YubiKey.
The video below demonstrates a WebAuthn MFA login to the InstaSafe platform with a Passkey from a mobile device.
How to Configure WebAuthn from the User's Profile:
Preconditions:
From Organization >> Advance Settings, the 'Enable WebAuthn' option should be enabled.
Steps to Register WebAuthn Device
- Navigate to Identity Management.
- Click on "Add Users."
- Fill in the mandatory fields and click "Add."
- Access the user profile and go to the Configure section.
- Click on the "WebAuthn" button.
- Enter the display name of your registering device.
- Choose the desired authentication method, such as Windows Hello PIN, from the Windows Security Prompt.
Registering the device for Windows PIN:
- Enter your PIN in the PIN field.
Setting Up Authentication Mode to WebAuthn:
- In the Authentication Profile, keep the Primary Auth as "password," and set the Secondary Auth to "WebAuthn."
The video below illustrates how to register a Windows PIN in the ZTAA platform for WebAuthn Secondary Authentication.
WebAuthn login to the ZTAA platform with Windows PIN:
- Log in to the ZTAA Console with the username and password associated with the WebAuthn registration.
- Enter your password when prompted.
- Select your registered device as Windows PIN.
- Enter your Windows PIN.
- Once completed, you'll successfully log in.
Registering the device as Security Key:
- Select "USB Security Key" while creating a passkey.
- Follow the prompts to insert and touch the YubiKey for registration.
Setting Up Authentication Mode to WebAuthn:
- In the Authentication Profile, keep the Primary Auth as "password," and set the Secondary Auth to "WebAuthn."
The video below illustrates how to register a YubiKey in the ZTAA platform for WebAuthn Secondary Authentication.
WebAuthn login to the ZTAA platform with Security Key:
- Log in to InstaSafe using the credentials of the user registered with WebAuthn.
- Enter your password when prompted.
- Plug in the token (YubiKey) when asked.
- Enter the passcode set during registration.
- Once completed, the login will be successful.
Registering the device with PassKey:
- Select "iPhone, iPad, and Android Device."
- Follow the instructions to scan the QR code through your mobile device.
The video below illustrates how to register a mobile device for passkey in the ZTAA platform for WebAuthn Secondary Authentication.
Setting Up Authentication Mode to WebAuthn:
- In the Authentication Profile, keep the Primary Auth as "password," and set the Secondary Auth to "WebAuthn."
WebAuthn login to the ZTAA platform using PassKey:
- Log in to InstaSafe using the credentials of the user registered with WebAuthn.
- Enter your password when prompted.
- Select your registered device (PassKey Device).
- Scan the QR Code from your mobile device.
- Once the passcode is entered, the login will be successful.
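For the login flows above, this added example (not InstaSafe code and not part of the original guide) shows the context checks a WebAuthn relying party performs on each login response, which is what makes the method phishing-resistant and ties it to a PIN or biometric. The RP ID, origin, challenge and sample inputs are constructed assumptions.

```python
import base64, hashlib, json, struct

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_context(client_data_json, authenticator_data,
                            expected_challenge, expected_origin, rp_id,
                            require_uv=True):
    """Return the names of failed checks; an empty list means acceptable.
    Verifying the signature over authenticator_data || SHA-256(client_data_json)
    with the registered public key is a separate step, not shown here."""
    failed = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failed.append("type")
    if client.get("challenge") != b64url(expected_challenge):
        failed.append("challenge")          # stale or replayed response
    if client.get("origin") != expected_origin:
        failed.append("origin")             # page that called the browser API
    if len(authenticator_data) < 37:
        return failed + ["authenticator_data_length"]
    # Layout: 32-byte rpIdHash, 1-byte flags, 4-byte big-endian signCount
    rp_id_hash, flags, _count = struct.unpack(">32sBI", authenticator_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        failed.append("rp_id_hash")
    if not flags & 0x01:
        failed.append("user_present")       # UP: touch / presence test
    if require_uv and not flags & 0x04:
        failed.append("user_verified")      # UV: PIN or biometric was checked
    return failed

def make_sample(origin, rp_id, challenge, flags):
    """Build constructed (not captured) client data and authenticator data."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 7)
    return client, auth

# Assumed values for illustration only
RP_ID, ORIGIN, CHALLENGE = "console.example.test", "https://console.example.test", b"\x01" * 32

if __name__ == "__main__":
    cases = {"genuine": (ORIGIN, RP_ID, 0x05),
             "look-alike site": ("https://console-example.test", "console-example.test", 0x05),
             "touch only, no PIN": (ORIGIN, RP_ID, 0x01)}
    for name, (origin, rp, flags) in cases.items():
        c, a = make_sample(origin, rp, CHALLENGE, flags)
        print(name, check_assertion_context(c, a, CHALLENGE, ORIGIN, RP_ID))
```

A response produced on a look-alike origin fails both the origin and RP ID hash checks even when the user completes the prompt, and a touch without PIN or biometric fails the user-verification check.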