WebAuthn MFA
WebAuthn (Web Authentication) is a modern authentication standard that facilitates secure and phishing-resistant login experiences. It can be used as a Multi-Factor Authentication (MFA) method by combining something you have (a hardware security key, a device with biometric sensors, or a smartphone) with another authentication factor (such as a password or PIN).
ZTAA supports three types of WebAuthn/FIDO2 authentication:
- Windows Hello
- Security Key
- Pass Key
Preconditions:
- For configuring Windows Hello, users must have set up a PIN or fingerprint on their device.
- For Security Key authentication, users need a YubiKey. When you insert the YubiKey into your device, you will be prompted to set a one-time PIN for the YubiKey. This PIN will be required when configuring the WebAuthn device as a Security Key (YubiKey).
- For Pass Key authentication, ensure that Bluetooth and an Internet connection are enabled on both your mobile device and your desktop.
The video below demonstrates a WebAuthn MFA login to the InstaSafe platform with Windows Hello.
The video below demonstrates a WebAuthn passwordless login to the InstaSafe platform with a FIDO2-compliant YubiKey.
How to Configure WebAuthn from the User's Profile:
Preconditions:
From Organization >> Advance Settings, the 'Enable WebAuthn' option should be enabled.
Steps to Register a WebAuthn Device:
- Navigate to Identity Management.
- Click on "Add Users."
- Fill in the mandatory fields and click "Add."
- Access the user profile and go to the Configure section.
- Click on the "WebAuthn" button.
- Enter a display name for the device you are registering.
- Choose the desired authentication method, such as Windows Hello PIN, from the Windows Security Prompt.
Registering the device for Windows PIN:
- Enter your PIN in the PIN field.
Setting Up Authentication Mode to WebAuthn:
- In the Authentication Profile, keep the Primary Auth as "password," and set the Secondary Auth to "WebAuthn."
WebAuthn login to the ZTAA platform with Windows PIN:
- Log in to the ZTAA Console with the username and password associated with the WebAuthn registration.
- Enter your password when prompted.
- Select your registered device as Windows PIN.
- Enter your Windows PIN.
- Once completed, you'll successfully log in.
Registering the device as Security Key:
- Select "USB Security Key" while creating a passkey.
- Follow the prompts to insert and touch the YubiKey for registration.
Setting Up Authentication Mode to WebAuthn:
- In the Authentication Profile, keep the Primary Auth as "password," and set the Secondary Auth to "WebAuthn."
WebAuthn login to the ZTAA platform with Security Key:
- Log in to InstaSafe using the credentials of the user registered with WebAuthn.
- Enter your password when prompted.
- Plug in the token (YubiKey) when asked.
- Enter the passcode set during registration.
- Once completed, the login will be successful.
Registering the device with PassKey:
- Select "iPhone, iPad, and Android Device."
- Follow the instructions to scan the QR code through your mobile device.
Setting Up Authentication Mode to WebAuthn:
- In the Authentication Profile, keep the Primary Auth as "password," and set the Secondary Auth to "WebAuthn."
WebAuthn login to the ZTAA platform using PassKey:
- Log in to InstaSafe using the credentials of the user registered with WebAuthn.
- Enter your password when prompted.
- Select your registered device (PassKey Device).
- Scan the QR Code from your mobile device.
- Once the passcode is entered, the login will be successful.
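Each login flow above ends with the platform accepting a WebAuthn assertion as the second factor. The following Python is an added example, not InstaSafe's code: it shows the checks a relying party runs on that assertion before verifying its signature, including the origin binding that makes WebAuthn phishing-resistant and the user-verification flag that reflects the PIN or biometric step. The RP ID, origin, the policy of requiring user verification, and the sample data are assumptions constructed for illustration.

```python
import base64, hashlib, json, struct

RP_ID = "ztaa.example"            # assumed relying-party ID (placeholder)
ORIGIN = "https://ztaa.example"   # assumed console origin (placeholder)
FLAG_UP, FLAG_UV = 0x01, 0x04     # user present / user verified (PIN, biometric)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, auth_data: bytes,
                    expected_challenge: bytes, stored_sign_count: int) -> list:
    """Return the list of failed checks; an empty list means all passed.
    Verifying the signature over auth_data || SHA-256(client_data_json) with
    the registered public key is still required and is not shown here."""
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("wrong ceremony type")
    if client.get("challenge") != b64url(expected_challenge):
        errors.append("challenge mismatch (replay or stale session)")
    if client.get("origin") != ORIGIN:
        errors.append("origin mismatch (possible phishing page)")
    if len(auth_data) < 37:
        return errors + ["authenticator data too short"]
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash mismatch")
    if not flags & FLAG_UP:
        errors.append("user presence flag not set")
    if not flags & FLAG_UV:
        errors.append("user verification flag not set (no PIN/biometric)")
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        errors.append("signature counter did not increase (possible clone)")
    return errors

# Constructed sample data, not captured from a real login.
def sample(origin=ORIGIN, flags=FLAG_UP | FLAG_UV, count=6, challenge=b"\x01" * 32):
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(RP_ID.encode()).digest() + struct.pack(">BI", flags, count)
    return client, auth

if __name__ == "__main__":
    for label, kw in [("genuine", {}),
                      ("other origin", {"origin": "https://lookalike.example.net"}),
                      ("touch only, no PIN", {"flags": FLAG_UP})]:
        print(label, "->", check_assertion(*sample(**kw), b"\x01" * 32, 5) or "ok")
```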