How to enable phishing-resistant authentication using FIDO passkeys in ADSelfService Plus

In a world where 80-95% of all cyberattacks begin with phishing, ADSelfService Plus offers high-assurance, phishing-resistant identity protection using FIDO passkeys to eliminate the risk of a phishing attack.

Why use FIDO passkeys

An organization should consider using FIDO passkeys for several reasons, including:

• Compliance: Using FIDO passkeys can help your organization meet compliance recommendations from various standards and organizations such as the NIST, which recommends using phishing-resistant authentication methods like FIDO passkeys in its digital identity guidelines.
• Stronger security: FIDO passkeys offer stronger security compared to traditional passwords. They use public-key cryptography, making them resistant to phishing, manipulator-in-the-middle, and replay attacks.
• Elimination of passwords: FIDO passkeys can help eliminate the need for passwords entirely or reduce your organization's reliance on them, aleviating the risk of password-related vulnerabilities such as weak passwords, password reuse, and brute-force attacks.
• User convenience: FIDO passkeys are easy to use and convenient. They can be used across different devices and platforms, providing a consistent authentication experience for users.

Learn more about FIDO Passkeys here.

ADSelfService Plus currently offers FIDO passkey authentication for endpoint MFA for cloud application logins, endpoint MFA for OWA, password resets or account unlocks from the ADSelfService Plus portal, and logins to the ADSelfService Plus portal.

Types of FIDO passkeys

ADSelfService Plus supports the following types of FIDO passkeys:

• Platform authenticators: These authenticators are built into the device and are used by the platform (i.e., the OS) to verify the user's identity. Examples include Windows Hello, Android Biometrics, and Apple Touch ID/Face ID.
  • Device-bound passkeys: These are passkeys that are stored only on the device and not synced to cloud services.
  • Synced passkeys: These are passkeys that are synced across devices via the platform's cloud account (like an iCloud account for Apple devices or a Google account for Android devices), or Google Password Manager. Synced passkeys allow the sharing of a single enrollment across all devices that are synced to the cloud.
• Roaming authenticators: Roaming passkeys are portable FIDO2-compliant security keys like YubiKey, Google Titan Security Key, etc., or the inbuilt authenticator on smartphones which can be enrolled via Cross-Device Authentication (CDA).

Configuring the FIDO passkey authenticator

Prerequisites

• Users must have WebAuthn-supported devices to use this authenticator.
• ADSelfService Plus, as well as the sites FIDO passkeys authenticate to, must have HTTPS enabled.
• The access URL must be configured with a valid domain name and not an IP address.

Configuration steps

1. Log in to DSelfService Plus with admin privileges and navigate to Configuration > Self-Service > Multi-factor Authentication > FIDO Passkeys.

   

2. The Relying Party ID (RP ID) must either be the domain name or effective domain name (i.e., server name or the parent domain of the server name) used in the access URL.
3. A Username Pattern helps prevent ambiguity by associating the user account with distinct attribute values in AD. It is an easily memorable and distinct username made in this pattern for the user account that will be registered with the FIDO passkey.
4. Open Advanced Settings and select Platform from the Allowed Passkey Type(s) drop-down to permit users in your organization to enroll for the device's built-in passkeys, such as the machine's biometric authentication. Select Roaming to permit users in your organization to enroll for roaming FIDO passkeys, like YubiKey, Google Titan Security Key, or the inbuilt authenticator on smartphones, which can be enrolled via CDA.
5. If you would like to prevent passkey syncing for platform authenticators, deselect the Allow synced passkey enrollment check box.
6. From the drop-down, choose if User verification is Required, Recommended, or Discouraged for roaming authentication. User verification doubly ensures that the security key is in the possession of authorized individuals, as misplaced keys can be exploited by unauthorized users who come across them.
7. From the No. of credentials drop-down, select the maximum number of passkeys allowed per user. A user can enroll a maximum of five FIDO passkeys.
8. Click Save.

For more details on configuring FIDO passkeys using ADSelfService Plus and the full list of supported devices and browsers, click here.

Click here to learn about the user authentication process using FIDO passkeys.