FIDO2 authentication provides a strong method of passwordless authentication that can be enabled in the Workspace ONE Access service. FIDO2 allows users to authenticate using external authenticators such as USB security keys, or platform authenticators such as TouchID or Windows Hello.

Note: The FIDO2 authentication method currently only supports authentication in desktop browsers.

When FIDO2 is enabled, users can self register their own authenticators. You can manage authenticators on behalf of users in the Workspace ONE Access console.

FIDO2 User Registration

To use FIDO2 passwordless authentication, users must register their authenticator. When they register, the authenticator creates a key pair. The private key is saved on the device or external piece of hardware or software, and the public key is registered in the Workspace ONE Access service.

You enable FIDO2 registration in the Workspace ONE console when you configure FIDO2 authentication. You create an access policy registration rule that requires users to register their FIDO2 authenticator before they can authenticate through Workspace ONE Access. The first time that users log in to access an app that requires FIDO2 authentication, they are asked to register their FIDO2 authenticator.

  1. Users navigates to the Hub catalog in a browser on their desktop and select a web app that requires FIDO2 authentication.
  2. If a FIDO2 authenticator is not registered for the user, the user clicks Register your FIDO2 Authenticator in the log in screen.
  3. The user is promoted to authenticate with a configured Workspace ONE Access authentication method, such as user name and password.
  4. When the user is authenticated, the browser authenticator registration screen displays and they complete the registration.

Users can register up to ten authenticators.

After users are registered, users use their authenticator, such as fingerprint sensors, facial recognition, or a FIDO2 enabled USB security key to unlock the user's private key to verify the users credentials and authenticate the user. No other authentication is required.

Managing Users FIDO2 Registration in the Workspace ONE Access Service

When users register their authenticator, the authenticator information is configured in the user profile in the User > User & Groups page in the Workspace ONE Access console. To see the FIDO2 settings, open the Two-Factor Authentication tab.

You can manage the FIDO2 authenticators, including adding and deleting authenticators.

You can block a user authenticator. If a user's authenticator is blocked, you must unblock it from the console. Users cannot unblock their authenticator.

You can also rename the authenticator type to give a more descriptive name.