FIDO2/DFIDO2 Device Profile

This tutorial helps you to add a device profile so that you can handle the keys related to FIDO2/DFIDO2 (Derived FIDO2) supported devices.

Prerequisites

  • Ensure that you are logged in to the Unifyia platform with your admin credentials.
  • You have the manufacturer and customer master and admin keys.

Configure Device Profile

Whether you are configuring the device profile for the issuance of a FIDO2 or DFIDO2 (Derived FIDO2) credential, the process is the same except that the category must be selected based on the type of ID being issued. The configuration involves the following steps:

  1. Selection of category, supplier, and product model.
  2. Adding general information regarding the device profile.
  3. For direct connect mode:
    1. Select to save the keys either in the database or Hardware Security Module (HSM).
    2. Configure the device manufacturer and customer security keys.
  4. For WebAuthn mode, configuration of keys is not required.

The platform enables you to create a device profile for FIDO2/DFIDO2-compliant passkeys. There are two connection modes that you can configure: direct connect mode (cross-platform authenticators) and WebAuthn (platform authenticators).

In the direct connect mode, you configure device profiles for external security keys that store cryptographic login credentials. These security keys, also referred to as cross-platform or roaming authenticators, connect to the host device through various means such as USB (e.g., YubiKeys), NFC (smart cards such as NXP JCOP 4), or smart cards connected via a smart card reader (IDEMIA cards).

For the WebAuthn mode, authentication methods that are built directly into the device or platform are leveraged for passwordless authentication. Examples of built-in authenticators are biometric sensors (e.g., fingerprint or facial recognition) and device-specific security features (e.g., Windows Hello or Touch ID on Apple devices). These authenticators use the device's hardware and software to create and store the cryptographic keys used for passwordless authentication. Hence, you only need to configure a device profile; there is no need to configure keys.

Follow the below steps to configure the device profile for FIDO2/DFIDO2 supported devices:

  1. Log in to the Unifyia Platform.
  2. On the dashboard, navigate to Configuration > Device Profile.
  3. Select + Add Device Profile.
  4. Enter the following information:
    1. Category: Select a device profile category.
      • For issuing FIDO2 credentials, select the category as FIDO2.
      • For issuing DFIDO2 credentials, select the category as DFIDO2.
    2. Supplier: Select Generic.
    3. Product Name: Select FIDO2 Passkey Authenticator.
    4. Select OK.
    5. The device profile configuration page is displayed. Follow the below sections to understand how to configure a device profile for external security keys and browser-based WebAuthn.

FIDO2 Passkeys - Direct Connect

This section outlines the device profile configuration for FIDO2 security keys that connect directly to a computer/laptop, smart cards accessed via NFC, and smart cards accessed through a reader.

General Information

  1. Enter a name for the device profile.
  2. Enter a display name for the device profile. This display name will be populated in the Device Profile dropdown list while creating a workflow.
  3. Provide a brief description of the profile being created.
  4. Protocols: Select the protocol(s) that you would use during authentication using the passkeys. The platform supports both FIDO 2.0 and 2.1 protocols.
  5. FIDO Passkeys Via: Select Direct Connect. This means that the passkey, in either USB or smart card (over NFC or using a reader) form factor, is connected to the computer during the authentication process.

Key Manager

In the Key Manager section, define the place to store the keys and provide the values for the Issuer Security Domain Keys. These keys enable the Unifyia platform to oversee card applications and data, as well as facilitate tasks such as establishing a secure channel, unlocking writing privileges, and updating application data. Select Save.

You have to define where the cryptographic keys are stored: Database or HSM. Refer to the table below for the typical configuration of the Key Management section for each storage location.

Database:
  1. Provide the values for the Issuer Security Domain Keys.
  2. Save the configuration.

HSM:
  1. Select the HSM Type.
  2. Provide the values for the Issuer Security Domain Keys.
  3. Save the configuration.

Details of Issuer Security Domain Keys

Issuer Security Domain Keys enable the Unifyia platform to oversee card applications and data, as well as facilitate tasks such as establishing a secure channel, resetting the card to the manufacturer configuration, unlocking writing privileges, and updating application data. Refer to the table below to understand the meaning of the different keys that are present in FIDO2/DFIDO2 supported smart devices.

Term: Manufacturer Master Key
Description: This is the default manufacturer key (GlobalPlatform keys) and is required to open a secure channel and also to reset the card to manufacturer settings.

Term: Customer Master Key
Description: This is the key generated by the customer; it replaces the manufacturer master key. It is used for opening a secure channel for card authentication and for encryption of the data.

FIDO2 Passkeys - WebAuthn

As this mode uses a FIDO2 protocol-supported browser or built-in authenticators for authentication, providing keys is not required.

General Information

  1. Enter a name for the device profile.
  2. Enter a display name for the device profile. This display name will be populated in the Device Profile dropdown list while creating a workflow.
  3. Provide a brief description of the profile being created.
  4. Protocols: Select the protocol(s) that you would use during authentication using the passkeys. The platform supports both FIDO 2.0 and 2.1 protocols.
  5. FIDO Passkeys Via: Select WebAuthn. This means that a browser (supporting FIDO2 protocols) or built-in authenticators would be used for authenticating.
  6. Select Save.

You have completed the configuration of the device profiles for FIDO2 and DFIDO2.