Passkeys (FIDO2)
The platform supports the self-issuance of FIDO2 passkeys without verifying a PIV ID. You can
register external security keys (connected devices) such as YubiKeys, built-in sensors (platform
authenticators), or both as passkeys. Which of these are allowed depends on the configuration of the
Passkeys (FIDO2) registration policies.
The Unifyia platform supports the issuance of passkeys (FIDO2) on two types of authenticators:
platform authenticators (built-in or device-bound) and cross-platform authenticators (roaming
authenticators).
The following are the ways to register Passkeys (FIDO2):
- Platform (Built-in) Authenticator (TPM)
  - Windows Hello on PC
  - Register Mobile Devices as passkeys (FIDO2) using BLE (Over Bluetooth)
- External Security Key (Cross-platform authenticators)
  - Smart Cards
  - YubiKeys
  - NFC Devices
A platform authenticator refers to an authentication system built into a specific platform, such as a
smartphone or computer. It uses device-native features like biometrics (fingerprint or facial
recognition), a PIN, passcode, or pattern for verification. Platform authenticators are typically more
integrated into the device and provide a seamless, secure login experience without needing third-party
applications. If you issue a FIDO2 credential on a mobile device, it leverages the device-native
security features. If you issue a FIDO2 credential on a computer, it leverages the system-native
security features such as the TPM or Windows Hello.
Supported Browsers and Platforms
The following browsers and platforms support FIDO2 WebAuthn.
- Web Browsers
  - Google Chrome
  - Mozilla Firefox
  - Microsoft Edge
- Platforms
  - Windows 10
  - Android and iOS platforms
Platform Authenticator (TPM) - Windows Hello on PC
Set up Windows Hello for passwordless authentication on Windows devices. Windows Hello provides secure,
password-free authentication using biometrics (fingerprint, facial recognition) or a PIN. MacBooks also
support passwordless login, but only if they have biometric hardware (e.g., Touch ID). The setup process
is similar for both platforms. FIDO2 functionality is available on MacBooks starting with macOS 14
Sonoma.
Prerequisites
- Ensure that you have been registered, by an authorized operator within the organization, with the
  privileges required to issue credentials.
- Windows Hello must be configured with a PIN, fingerprint, or facial recognition. If using
  biometrics, your PC must support the required hardware. Similarly, MacBooks must have biometric
  capabilities.
- Ensure your Windows device has a TPM chip enabled and activated. You can check this in BIOS
  settings or under Device Security in Windows Settings. On macOS, the Secure Enclave is used to
  securely store the cryptographic keys.
Follow the steps below to issue passkeys (FIDO2) on platform authenticators:
- Log into the Unifyia platform as a platform user or federated user.
- Navigate to Identities.
- Select + Add New.
- If more than one identity is approved for you, you are prompted to select the workflow for which
  you wish to issue an identity before continuing.
- Next, from the listed identity device options, select FIDO2 WebAuthn.
- The system's security page appears. The options listed depend on the device model and operating
  system. Typically, the computer prompts you to select one option from Face, Fingerprint, PIN, or
  Use another device.
  - If you chose to register your face as your passkey, it detects your face and saves it as your
    passkey.
  - If you chose to register your fingerprint as your passkey, it prompts you to touch the
    fingerprint sensor and saves it as your passkey.
  - If you chose to register your computer's PIN, it prompts you to enter the PIN and saves it as
    your passkey.
- The system then prompts you to provide a label for the FIDO2 passkey registration. Enter a label
  that uniquely identifies the device on which you saved the passkey. Select OK.
- You are all set to use the FIDO2 passkey to authenticate to the platform.
Register Mobile Devices as FIDO2 Passkeys Using BLE (Bluetooth)
Ensure your PC and mobile device have Bluetooth turned on and are connected to the same network.
- Log into the Unifyia platform as a platform user or federated user.
- Navigate to Identities.
- Select + Add New.
- If more than one identity is approved for you, you are prompted to select the workflow for which
  you wish to issue an identity before continuing.
- Next, from the listed identity device options, select FIDO2 WebAuthn.
- The system's security page appears. The computer prompts you to select one option from Face, PIN,
  or Use another device.
- Select Use another device. It prompts you to select where to save the passkey. Select iPhone,
  iPad, or Android device. A QR code is displayed. Make sure the PC and mobile device have Bluetooth
  enabled and are on the same Wi-Fi network. Scan the QR code using either a QR code scanner or your
  mobile phone camera, if it can scan QR codes. Tap Open. It prompts you to create a passkey. Tap
  Continue.
- Provide the configured screen lock credentials for verification.
- The passkey is saved. The system confirms that the passkey is now saved on the mobile device.
  Tap OK.
- In the next screen, enter a label to register the authenticator (your mobile device). Select OK.
- Your mobile device is registered as your FIDO2 passkey.
Roaming or cross-platform authenticators are portable devices that can be used across multiple
platforms, services, or devices to authenticate a user. They are part of the FIDO2/WebAuthn framework,
which provides passwordless and phishing-resistant authentication. Roaming authenticators typically
communicate with the relying party (e.g., a website or service) via standard interfaces such as USB,
NFC, or Bluetooth. Examples of roaming authenticators include security keys such as YubiKey 5, ZTPass on
NXP P71D600, and ID-One PIV v2.4.2 on Cosmo V8.2.
This section explains how to issue a FIDO2 credential on cross-platform (roaming) authenticators.
Supported Identity Devices
A FIDO2 credential can be issued on the following identity devices:
- IDEMIA - ID-One PIV v2.4.2 on Cosmo V8.2
- ZTPass - ZTPass on NXP P71D600
- Yubico - YubiKey 5 Series
Prerequisites
- Ensure that you have been registered with the necessary privileges by an authorized user within
  the organization.
- You have a smart card reader to read smart cards.
- You have a FIDO-supported smart card or security key. The identity device type to be issued is at
  the discretion of your organization.
- You have installed the Unifyia User Client on your system to access the connected devices.
Follow the steps below to issue passkeys (FIDO2) on connected devices:
- Log into the Unifyia platform as a platform user or federated user.
- Navigate to Identities.
- Select + Add New.
- If more than one identity is approved for you, you are prompted to select the workflow for which
  you wish to issue an identity before continuing.
- Next, from the listed identity device options, select FIDO2 WebAuthn.
- The system's security page appears. The computer prompts you to select one option from Face, PIN,
  or Use another device.
- Select Use another device. It prompts you to select where to save the passkey. Select Security
  Key.
- Select OK to continue the setup using an external security key.
- Connect the identity device to proceed.
  - If you are using a smart card, insert it into a connected card reader.
  - If you are using a USB passkey, connect it to your computer. It prompts you to touch your
    security key. Touch the key.
  - If you are using an NFC passkey, connect an external NFC reader to your computer. When
    prompted, tap the NFC passkey on the reader to continue.
- Next, set a PIN for the passkey.
- In the next screen, enter a label for the registered authenticator (identity device).
- Select OK.
Your FIDO WebAuthn passkey is registered.