How to enable phishing-resistant authentication using FIDO2 passkeys in ADSelfService Plus

In a world where 80-95% of all cyberattacks begin with phishing, ADSelfService Plus offers high-assurance, phishing-resistant identity protection using FIDO2 passkeys to eliminate the risk of a phishing attack.

Why use FIDO2 passkeys

An organization should consider using FIDO2 passkeys for several reasons, including:

  • Compliance: Using FIDO2 passkeys can help your organization meet compliance recommendations from various standards and organizations such as the NIST, which recommends using phishing-resistant authentication methods like FIDO2 passkeys in its digital identity guidelines.
  • Stronger security: FIDO2 passkeys offer stronger security compared to traditional passwords. They use public-key cryptography, making them resistant to phishing, manipulator-in-the-middle, and replay attacks.
  • Elimination of passwords: FIDO2 passkeys can help eliminate the need for passwords entirely or reduce your organization's reliance on them, alleviating the risk of password-related vulnerabilities such as weak passwords, password reuse, and brute-force attacks.
  • User convenience: FIDO2 passkeys are easy to use and convenient. They can be used across different devices and platforms, providing a consistent authentication experience for users.

Learn more about FIDO2 Passkeys here.

ADSelfService Plus currently offers FIDO2 passkey authentication for endpoint MFA for cloud application logins, endpoint MFA for OWA, password resets or account unlocks from the ADSelfService Plus portal, and logins to the ADSelfService Plus portal.

Types of FIDO2 passkeys

ADSelfService Plus supports the following types of FIDO2 passkeys:

  • Security keys: Security keys are portable FIDO2-compliant keys like YubiKey, Google Titan Security Key, etc. These authenticators can be connected to a device via USB, NFC, or Bluetooth for secure authentication.
  • Device passkeys: These authenticators are built into the device and are used by the platform (i.e., the OS) to verify the user's identity. Examples include Windows Hello, Android Biometrics, and Apple Touch ID/Face ID.
    • Device-bound passkeys: These are passkeys that are stored only on the device and not synced to cloud services.
    • Synced passkeys: These are passkeys that are synced across devices via the platform's cloud account (like an iCloud account for Apple devices or a Google account for Android devices), or Google Password Manager. Synced passkeys allow the sharing of a single enrollment across all devices that are synced to the cloud.

Configuring FIDO2 passkeys

Prerequisites

  • Users must have WebAuthn-supported devices to use this authenticator.
  • ADSelfService Plus, as well as the sites FIDO2 passkeys authenticate to, must have HTTPS enabled.
  • The access URL must be configured with a valid domain name and not an IP address.

Configuration steps

  1. Log in to ADSelfService Plus with admin privileges and navigate to Configuration > Self-Service > Multi-factor Authentication > FIDO2 Passkeys.
  2. Enter the Relying Party ID (RP ID). It must be either the domain name or the effective domain name (i.e., the server name or a parent domain of the server name) used in the access URL.
  3. Specify a Username Pattern. This is an easily memorable, distinct username, built from attribute values in AD, for the user account that will be registered with the FIDO2 passkey; tying it to distinct attribute values prevents ambiguity between accounts.
  4. Open Advanced Settings and use the Allowed Passkey Types dropdown to configure the types of FIDO2 passkeys your users can enroll in.
    • Select Security Keys to permit users in your organization to enroll for passkeys like YubiKeys or Google Titan keys.
    • Select Device Passkeys to permit users in your organization to enroll for device-based passkeys that use the machine’s or phone’s built-in authentication methods, such as biometrics like fingerprint or facial recognition.
  5. Enable the Deny syncable passkeys checkbox to ensure passkeys are tied to specific organizational devices and not synced across multiple devices through cloud services. This is ideal for organizations with security requirements to allow only device-bound passkeys.

    Note: Enabling the Deny syncable passkeys checkbox will prevent users from enrolling passkeys that rely on cloud syncing, such as Apple devices with iCloud accounts.

    From the User verification drop-down, choose whether user verification is Required, Recommended, or Discouraged for roaming authenticators (security keys). User verification additionally confirms that the person presenting the security key is its authorized holder, since a misplaced key could otherwise be used by whoever finds it.

  6. Specify the maximum number of passkeys each user can add in the No. of passkeys allowed per user field. Users can enroll up to five FIDO2 passkeys.
  7. Click Save.
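As an added illustration of two points on this page, the phishing resistance described under "Stronger security" and the RP ID, User verification and Deny syncable passkeys settings in the configuration steps, here is the relying-party side of a FIDO2/WebAuthn authentication check in Python. This is example code written for this page, not ADSelfService Plus code: the host names, challenge and policy field names are constructed, the parent-domain test is simplified (it does not consult the public suffix list), and the final signature verification over the returned bytes is left to a crypto library.

```python
import hashlib
import json
import struct
from dataclasses import dataclass

# authenticatorData flag bits (WebAuthn Level 3, "Authenticator Data").
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified by PIN or biometric: the "User verification" setting
FLAG_BE = 0x08  # backup eligible: the credential may be synced (a synced passkey)
FLAG_BS = 0x10  # backup state: the credential is currently backed up


@dataclass
class Policy:
    """Mirrors the FIDO2 Passkeys settings; field names are ours, not the product's."""
    rp_id: str
    expected_origin: str
    user_verification: str = "required"  # required | recommended | discouraged
    deny_syncable: bool = False


def rp_id_is_valid_for_origin(rp_id: str, origin: str) -> bool:
    """RP ID must be the access URL's host or a parent domain of it. Simplification:
    require at least one dot instead of consulting the public suffix list."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()
    rp_id = rp_id.lower()
    return "." in rp_id and (host == rp_id or host.endswith("." + rp_id))


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Fixed 37-byte prefix: rpIdHash (32) || flags (1) || signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def check_assertion(policy: Policy, client_data_json: bytes, auth_data: bytes,
                    expected_challenge: str, stored_sign_count: int):
    """Relying-party checks on a webauthn.get response.
    Returns (reason, data_to_be_signed); reason is "ok" only if every check passed."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong ceremony type", b""
    # A fresh, single-use server challenge is what defeats replay of a captured response.
    if client.get("challenge") != expected_challenge:
        return "challenge mismatch (possible replay)", b""
    # The browser, not the user, fills in the origin, so a look-alike site cannot forge it.
    if client.get("origin") != policy.expected_origin:
        return f"origin {client.get('origin')} is not {policy.expected_origin}", b""
    if not rp_id_is_valid_for_origin(policy.rp_id, policy.expected_origin):
        return "RP ID is not the access URL's domain or a parent domain of it", b""
    ad = parse_authenticator_data(auth_data)
    # The key is scoped to an RP ID; the authenticator signs its SHA-256, which must be ours.
    if ad["rp_id_hash"] != hashlib.sha256(policy.rp_id.encode()).digest():
        return "rpIdHash mismatch", b""
    if not ad["flags"] & FLAG_UP:
        return "user presence not asserted", b""
    if policy.user_verification == "required" and not ad["flags"] & FLAG_UV:
        return "user verification required but not performed", b""
    if policy.deny_syncable and ad["flags"] & FLAG_BE:
        return "credential is backup-eligible (synced passkey) but policy denies syncable passkeys", b""
    # A counter that fails to advance can mean a cloned authenticator; synced passkeys report 0.
    if (ad["sign_count"] or stored_sign_count) and ad["sign_count"] <= stored_sign_count:
        return "signature counter did not increase", b""
    # Exactly what the private key signed: authenticatorData || SHA-256(clientDataJSON).
    # Verifying the signature over these bytes with the stored public key needs a
    # crypto library and is the one step not shown here.
    return "ok", auth_data + hashlib.sha256(client_data_json).digest()


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData with no attested-credential or extension data."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def make_client_data(origin: str, challenge: str) -> bytes:
    """Constructed clientDataJSON as a browser would emit it for an assertion."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def demo() -> dict:
    """Run the checks over constructed responses; every host name and value is made up."""
    policy = Policy(rp_id="example.com", expected_origin="https://selfservice.example.com",
                    user_verification="required", deny_syncable=True)
    challenge = "constructed-challenge-use-os-urandom-in-practice"
    site = "https://selfservice.example.com"
    good = make_auth_data("example.com", FLAG_UP | FLAG_UV, 5)
    cases = {
        "legit": (make_client_data(site, challenge), good),
        "lookalike_origin": (make_client_data(site + ".lookalike.test", challenge), good),
        "replayed_challenge": (make_client_data(site, "stale-challenge"), good),
        "no_user_verification": (make_client_data(site, challenge), make_auth_data("example.com", FLAG_UP, 5)),
        "synced_passkey": (make_client_data(site, challenge),
                           make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 5)),
        "stale_counter": (make_client_data(site, challenge), make_auth_data("example.com", FLAG_UP | FLAG_UV, 3)),
    }
    return {name: check_assertion(policy, cd, ad, challenge, stored_sign_count=4)[0]
            for name, (cd, ad) in cases.items()}
```

Running `demo()` shows why a look-alike origin or a replayed response is rejected before any signature is even considered, how a Required user-verification setting is enforced from the UV flag, and how Deny syncable passkeys corresponds to rejecting credentials whose backup-eligible (BE) flag is set. The RP ID rule from step 2 is what `rp_id_is_valid_for_origin` encodes: the RP ID may be the access URL's host or a parent of it, but never an unrelated name or a bare top-level domain.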

For more details on configuring FIDO2 passkeys using ADSelfService Plus and the full list of supported devices and browsers, click here.

Click here to learn about the user authentication process using FIDO2 passkeys.
