Administrator Login

On the very first login to the Unifyia Platform, the Administrator signs in with a username or email address and the password provided by the Unifyia team, and must then register a passwordless authentication method before continuing. This establishes secure access and personalizes the account. You can register multiple credentials. This document describes the two passwordless authentication modes, OTP and FIDO2 passkeys (security keys).

  1. Open the Unifyia platform URL in a web browser on a computer and go to the Sign In page.
  2. On the Sign In page, provide the username or email and select Sign In.
  3. Next, provide your password and select Sign In.
  4. The system prompts you to change the password. This step is optional, but changing it is recommended, since the initial password was issued and transmitted to you by the Unifyia team. To change it, enter a new password, confirm it, and select Submit.
  5. To register a passwordless authentication method, select Passwordless Authentication. You are presented with two options: OTP and FIDO2 Passkeys.

Follow the sections below to learn how to set up passwordless authentication for logging in to the platform.

Passwordless Authentication

As an Administrator, you have two options for passwordless authentication: OTP and FIDO2 Passkeys. It is recommended that you register both OTP and at least one FIDO2 passkey (security key), as explained in the following sections, so that losing a single device does not lock you out of the platform. Let us explore these options in detail.

Register to Login Using OTP

You can use any OTP authenticator app (Google Authenticator, Microsoft Authenticator, etc.) or the Unifyia ID Wallet app on your mobile device to scan the QR code and obtain a code. Follow the steps below to register the OTP authentication method:

  1. You selected Passwordless Authentication in the previous step and are presented with two options: OTP and FIDO2 Passkeys.
  2. Choose OTP and select Submit.
  3. A page with a QR code appears. The QR code encodes the shared secret for your account; scan it only with your authenticator app and do not save or share the image.
  4. Open an OTP authenticator app such as Google Authenticator or the Unifyia ID Wallet app and scan the QR code. The app displays a code.
  5. Enter the code on the page.
  6. Enter a label for your mobile device, e.g., John's iPhone, and select Submit.
  7. You are logged into the platform.
  8. The next time you log in to the platform, select the label name, enter the current code from the app, and select Submit.
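What happens behind the QR code and the code check above, as an added example that is not part of the Unifyia documentation or product: the QR code encodes an otpauth:// URI carrying a shared secret, the app derives a time-based code from it (RFC 6238 TOTP), and the server recomputes the code and compares. The issuer and account names are illustrative, and the secret used in the test is the RFC 4226/6238 test-vector secret, not a real credential.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

# Shared secret from the RFC 4226/6238 test vectors ("12345678901234567890"), base32-encoded.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret(nbytes: int = 20) -> str:
    """Generate a fresh base32 shared secret (160 bits, the RFC 4226 recommendation)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str,
                     digits: int = 6, period: int = 30) -> str:
    """Build the otpauth:// URI that the enrolment QR code encodes.

    Authenticator apps parse exactly this format; 'issuer' and 'account' become the entry
    label the user sees in the app. The secret is the only sensitive part of the URI.
    """
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{query}"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period). This is the code the
    app shows after scanning the QR code."""
    return hotp(secret_b32, at // period, digits)


def verify_totp(secret_b32: str, submitted: str, last_used_step: int,
                at: Optional[int] = None, window: int = 1,
                digits: int = 6, period: int = 30) -> tuple:
    """Server-side check of a submitted code. Returns (accepted, new_last_used_step).

    - Accepts the current 30 s step plus 'window' steps either side to absorb clock drift.
    - Rejects any step <= last_used_step even if the code matches, so a code that was
      shoulder-surfed or phished cannot be replayed during its validity window.
    - Uses a constant-time comparison so timing does not reveal how many digits matched.
    The caller must persist new_last_used_step with the user's record.
    """
    if at is None:
        at = int(time.time())
    if not (submitted.isdigit() and len(submitted) == digits):
        return False, last_used_step
    current = at // period
    for step in range(current - window, current + window + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret_b32, step, digits), submitted):
            return True, step
    return False, last_used_step
```

The replay check is the part most home-grown verifiers omit: without remembering the last accepted step, a code observed during login stays valid for up to the full window and can be reused by whoever saw it.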

Register to Login Using Passkeys (FIDO2)

Passkeys are a modern form of authentication designed to replace traditional passwords with a more secure and user-friendly approach. They enable passwordless authentication because they rely on a cryptographic key pair generated and stored securely on the user's device: the private key is never sent to the platform, the platform stores only the public key, and each credential is bound to the site that created it, so it cannot be exercised from a look-alike phishing site. Passkeys are built on the FIDO (Fast IDentity Online) standards, which promote secure, passwordless authentication across services and platforms.

The platform supports registration of both built-in (bound or platform) authenticators, such as Windows Hello on a PC backed by the TPM, and cross-platform (roaming) authenticators, such as external security keys.

Supported Identity Devices for Passkeys (FIDO2)
  • IDEMIA ID-One PIV v2.4.1 on Cosmo V8.2
  • Yubico - YubiKey 5 Series
  • ZTPass - ZTPass on NXP P71D600

The following are the ways to register Passkeys (FIDO2):

  • Platform (Built-in) Authenticator (TPM) – Windows Hello
  • External Security Key (Cross-platform authenticators)
    • Register Mobile Devices as passkeys (FIDO2) using BLE (Over Bluetooth)
    • Connected Security Keys
      • Smart Cards
      • YubiKeys
      • NFC Devices

Platform Authenticator (TPM) - Windows Hello on PC

Set up Windows Hello for passwordless authentication on Windows devices. Windows Hello provides secure, password-free authentication using biometrics (fingerprint, facial recognition) or a PIN. MacBooks also support passwordless login through their built-in platform authenticator, using Touch ID where the hardware is present or the Mac login password otherwise (see Authentication on MacBook). The setup process is similar on both platforms. The Unifyia platform supports FIDO2 passkeys on MacBooks running macOS 14 Sonoma or later.

Prerequisites
  • Use a modern web browser that supports WebAuthn, such as Microsoft Edge or Google Chrome on Windows, and Safari or Google Chrome on macOS.
  • Windows Hello must be configured with a PIN, fingerprint, or facial recognition. If using biometrics, your PC must have the required hardware. On a MacBook, Touch ID is used where available.
  • Ensure your Windows device has a TPM chip that is enabled and activated. You can check this under Device Security in Windows Settings, with the Get-Tpm PowerShell cmdlet, or in the BIOS/UEFI settings. On macOS, the private key is protected by the Secure Enclave and the credential is stored in Keychain.

Follow the below steps:

  1. On the Sign In page, provide the username or email and select Sign In.
  2. Select Try Another Way.
  3. Select Password.
  4. Enter your password and select Sign In.
  5. Select Passwordless Authentication.
  6. Choose FIDO2 Passkeys and select Submit.
  7. When prompted to select how you want to create a passkey, select Windows Hello or external security key.
  8. A Windows Security prompt appears asking you to verify your identity. Enter your Windows Hello PIN or, if you use biometrics, verify with your fingerprint or facial recognition.
  9. The system prompts you to save a passkey on the computer you are using to sign in to the Unifyia platform as an Administrator.
  10. The passkey is saved. Select OK.

    (Screenshot: Bound_Authenticator_Registration)
  11. In the next screen, enter a label to register the authenticator (your PC).
  12. Select OK. You are logged into the platform.

Register External Security Keys (Cross-Platform Authenticators)

You can register a mobile device as a passkey, or register a roaming authenticator (external security key) by plugging it into the computer via USB or tapping it on an NFC reader.

Register Mobile Devices as FIDO2 Passkeys Using BLE (Bluetooth)

Ensure that Bluetooth is turned on for both your PC and your mobile device, that both have internet access, and that they are physically near each other. Bluetooth is used only to prove proximity; the passkey exchange itself runs over the internet.

  1. On the Sign In page, provide the username or email and select Sign In.
  2. Select Try Another Way.
  3. Select Password.
  4. Enter your password and select Sign In.
  5. Select Passwordless Authentication.
  6. Choose FIDO2 Passkeys and select Submit.
  7. You need to choose where to save the passkey. There are two possible ways:
    1. If the Windows Security screen is displayed, select Use another device and when prompted to choose where to save the passkey, select iPhone, iPad, and Android devices.
    2. When prompted to choose where to save the passkey, select Use a different phone, tablet, or security key.
  8. A QR code is displayed.
  9. Scan the QR code using a QR code scanner on your mobile device (iPhone, iPad, and Android devices). You will be creating the passkey on this mobile device.
  10. Provide the configured screen lock credentials for verification.
  11. The passkey is saved. Select OK.
  12. In the next screen, enter a label to register the authenticator (your mobile device).
  13. Select OK. You are logged into the platform.

External Security Keys as Connected Devices

Required

Use any one of the following identity devices:

  • IDEMIA ID-One PIV v2.4.1 on Cosmo V8.2
  • Yubico - YubiKey 5 Series
  • ZTPass - ZTPass on NXP P71D600

Follow the steps below to register an external security key connected to a PC as a passkey:

  1. On the Sign In page, provide the username or email and select Sign In.
  2. Next, provide your password and select Sign In.
  3. Select Passwordless Authentication.
  4. Choose FIDO2 Passkeys and select Submit.
  5. When prompted to choose where to save the passkey, select Security Keys.
  6. You are prompted to set up the security key to sign in as an Administrator. Select OK to continue the setup.
  7. The browser asks for permission to see the make and model of the security key and to create a credential on it. Select OK.
  8. Connect the identity device to proceed.
    1. If you are using a smart card, insert it into a connected card reader.
    2. If you are using a USB security key, plug it into your computer. When prompted, touch the key.
    3. If you are using an NFC security key, connect an external NFC reader to your computer. When prompted, tap the key on the reader to continue.
  9. Set a PIN for the security key. If the key already has a PIN, enter it when prompted. The PIN is what makes the key a complete passwordless credential: without it, possession of the key alone would be enough to sign in.
  10. In the next screen, enter a label to register the authenticator.
  11. Select OK.
  12. Your passkey (FIDO2) is registered.
  13. You are successfully logged in.

Authentication Post Initial Registration

You now have passwordless credentials, OTP and FIDO2 passkeys (security keys), with which you can authenticate to the Unifyia Platform. Select Try Another Way to switch between authentication methods. If you have registered multiple devices, the order in which the authentication methods are offered is determined by the initial access policies that the setup scripts load into the database. Your organization may change this order later according to its policies.

To register an additional authentication method, you must first authenticate with your username and password and then choose a passwordless registration method as described above.

Authenticate Using Windows Hello


(Screenshot: Bound_Authenticator_Registration)
  1. On the Sign In page, enter your email or username.
  2. Select Sign In.
  3. Select Sign In with Passkey.
  4. When prompted, use Windows Hello to verify your identity using a PIN, fingerprint, or face to log in.

Authentication on MacBook

(Screenshot: Authentication_on_MacBook)

  1. On the Sign In page, enter your email or username.
  2. Select Sign In.
  3. Select Sign In with Passkey.
  4. When prompted, provide your Mac login password or use Touch ID to verify your identity.
  5. You are successfully logged in.

Authenticate Using OTP

  1. On the Sign In page, enter your username or email.
  2. Select Sign In.
  3. The authentication options are displayed.
  4. Select One-time Password (OTP).
  5. The OTP page appears.
  6. Open the authenticator app, enter the current OTP, and select Sign In.
  7. You are logged into the platform.

Authenticate Using Registered Mobile Devices

  1. On the Sign In page, enter your email or username and select Sign In.
  2. A QR code is displayed. As during registration, both your PC and your mobile device need Bluetooth turned on and internet access.
  3. Scan the QR code with your phone camera, if it can scan QR codes natively, or with a QR code scanner app.
  4. Provide the configured screen lock credentials for verification.
  5. You are logged into the platform.

Authenticate Using Connected Security Keys

  1. On the Sign In page, enter your email or username.
  2. Select Sign In.
  3. The authentication options are displayed.
  4. Choose the option Security Key. The options shown depend on the type of identity device you registered.
    1. Scan QR Code:
      1. Scan the QR code with your phone camera, if it can scan QR codes natively, or with a QR code scanner app.
      2. Hold the smart card or USB security key flat against the NFC antenna area of your mobile device and enter the PIN when prompted. Keep it in place until you see the message that verification is complete.
      3. You are logged into the platform.
    2. Smart Card:
      1. Connect a card reader to your computer and insert the card into it.
      2. Provide the set security key PIN to continue.
      3. You will be successfully logged into the platform.
    3. NFC reader:
      1. Connect an external NFC reader to your computer to proceed.
      2. When prompted, tap the NFC passkey on the reader.
      3. Provide the set security key PIN to continue.
      4. You are logged into the platform.
    4. USB Key:
      1. Insert the USB security key into the USB slot of your computer.
      2. Enter the security key PIN.
      3. If prompted, touch the security key.
      4. You are logged into the platform.
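The server side of the passkey flows described on this page (the platform/cross-platform choice in the registration sections, the transport behind the QR code, NFC and USB prompts, and the checks that make the "Sign In with Passkey" step phishing-resistant), as an added example that is not Unifyia's code and does not describe how the Unifyia platform is implemented. RP_ID and ORIGIN are hypothetical placeholders, and the sample response is constructed inline rather than captured from a real authenticator. Signature verification over the response, which needs an ECDSA/RSA library, is deliberately not shown.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
from typing import Optional

# Hypothetical relying-party identity; the real Unifyia RP ID and origin are not on this page.
RP_ID = "unifyia.example"
ORIGIN = "https://unifyia.example"
FLAG_UP = 0x01  # user present: key touched / prompt confirmed
FLAG_UV = 0x04  # user verified: PIN, fingerprint or face checked by the authenticator


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def registration_options(user_id: bytes, username: str, attachment: Optional[str]) -> dict:
    """Options the server passes to navigator.credentials.create().
    attachment="platform": only the built-in authenticator (Windows Hello, Touch ID);
    "cross-platform": security keys and phones (USB, NFC, BLE/hybrid); None: the browser
    shows its own "where do you want to save this passkey" chooser. userVerification="required"
    makes the PIN/biometric step mandatory, which is what lets the passkey replace the password."""
    selection = {"residentKey": "preferred", "userVerification": "required"}
    if attachment is not None:
        selection["authenticatorAttachment"] = attachment
    return {
        "rp": {"id": RP_ID, "name": "Unifyia Platform"},
        "user": {"id": b64url(user_id), "name": username, "displayName": username},
        "challenge": b64url(secrets.token_bytes(32)),
        "pubKeyCredParams": [{"type": "public-key", "alg": -7},      # ES256
                             {"type": "public-key", "alg": -257}],   # RS256
        "authenticatorSelection": selection,
        "timeout": 60_000,
        "attestation": "none",
    }


def authentication_options(credential_ids: list, transports: list) -> dict:
    """Options for navigator.credentials.get(). 'transports' steer the browser to the right
    prompt: "usb"/"nfc" for connected keys, "hybrid"/"ble" for a phone via QR code,
    "internal" for Windows Hello or Touch ID."""
    return {
        "challenge": b64url(secrets.token_bytes(32)),
        "rpId": RP_ID,
        "allowCredentials": [{"type": "public-key", "id": b64url(c), "transports": transports}
                             for c in credential_ids],
        "userVerification": "required",
        "timeout": 60_000,
    }


def check_assertion(client_data_json: bytes, auth_data: bytes,
                    expected_challenge: str, stored_sign_count: int) -> int:
    """Relying-party checks on an authentication response; returns the new signature counter.
    They run before verifying the authenticator's signature over auth_data || SHA-256(client_data_json)
    with the public key saved at registration (not shown). The origin and rpIdHash checks are what
    make passkeys phishing-resistant: a credential bound to RP_ID cannot be used from a look-alike domain."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if cd.get("origin") != ORIGIN:
        raise ValueError("origin mismatch: %r" % cd.get("origin"))
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        raise ValueError("challenge mismatch: replayed or forged response")
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if not flags & FLAG_UV:
        raise ValueError("user verification (PIN/biometric) not performed")
    # Synced passkeys may always report 0; otherwise a non-increasing counter suggests a clone.
    if not (sign_count == 0 and stored_sign_count == 0) and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    return sign_count


def rejection_reason(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: str, stored_sign_count: int) -> Optional[str]:
    """Same checks, returning the failure message instead of raising (None when accepted)."""
    try:
        check_assertion(client_data_json, auth_data, expected_challenge, stored_sign_count)
        return None
    except ValueError as e:
        return str(e)


def sample_response(challenge: str, flags: int, sign_count: int, origin: str = ORIGIN) -> tuple:
    """Constructed sample (not from a real authenticator) in the wire layout:
    clientDataJSON as the browser sends it; authenticatorData = rpIdHash(32) | flags(1) | signCount(4)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin, "crossOrigin": False}).encode()
    auth_data = (hashlib.sha256(RP_ID.encode()).digest() + bytes([flags])
                 + struct.pack(">I", sign_count))
    return client_data, auth_data
```

The UV flag check is the one that corresponds to the PIN, fingerprint or face prompts in the procedures above: a response from a key that was only touched (UP set, UV clear) proves possession but not that the person holding it is its owner, and a passwordless login must reject it.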