Passkeys (FIDO2)
The Unifyia platform supports the issuance of FIDO2 Passkeys on devices by authorized operators without the
need to verify the user's PIV ID. Passkeys (FIDO2) are a secure, passwordless authentication
method based on the FIDO2 (Fast Identity Online) standards, which consist of two components:
WebAuthn (Web Authentication) and CTAP (Client to Authenticator
Protocol). Passkeys use cryptographic key pairs, eliminating the need for traditional passwords while
offering enhanced security against phishing, credential theft, and other forms of cyberattacks.
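As an added illustration (not Unifyia's code), the checks a relying party runs on a WebAuthn registration response: the origin inside clientDataJSON and the rpIdHash inside authenticatorData are bound to the legitimate site, which is where the phishing resistance described above comes from. RP_ID, ORIGIN and the sample bytes are constructed assumptions.

```python
import base64
import hashlib
import json
import struct

# Constructed assumptions for this example (not values from the Unifyia platform):
# the relying party's ID and the only origin it accepts credentials from.
RP_ID = "idp.example.test"
ORIGIN = "https://idp.example.test"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Build the clientDataJSON a browser sends during navigator.credentials.create()."""
    return json.dumps({"type": "webauthn.create", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str, cred_id: bytes, flags: int = 0x45) -> bytes:
    """authenticatorData: rpIdHash(32) | flags(1) | signCount(4) | AAGUID(16) | credIdLen(2) | credId."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
            + bytes(16) + struct.pack(">H", len(cred_id)) + cred_id)

def verify_registration(client_data: bytes, auth_data: bytes, expected_challenge: bytes) -> dict:
    """Relying-party checks on a registration response; raises ValueError on any failure."""
    c = json.loads(client_data)
    if c.get("type") != "webauthn.create":
        raise ValueError("wrong ceremony type")
    if c.get("challenge") != b64url(expected_challenge):
        raise ValueError("challenge mismatch (stale session or replay)")
    if c.get("origin") != ORIGIN:           # a look-alike site yields a different origin
        raise ValueError(f"origin {c.get('origin')!r} is not the registered origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match this RP ID")
    flags = auth_data[32]
    if not flags & 0x01:                    # UP: user presence (the touch on the key)
        raise ValueError("user presence not asserted")
    if not flags & 0x40:                    # AT: attested credential data present
        raise ValueError("no attested credential data")
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    return {"credential_id": auth_data[55:55 + cred_len], "user_verified": bool(flags & 0x04)}

def is_rejected(client_data: bytes, auth_data: bytes, challenge: bytes) -> bool:
    try:
        verify_registration(client_data, auth_data, challenge)
        return False
    except ValueError:
        return True
```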
The Unifyia platform supports the issuance of passkeys (FIDO2) on two types of authenticators: Platform Authenticators (built-in or device-bound) and Cross-Platform Authenticators (roaming authenticators).
Because the issuance of FIDO2 credentials on platform authenticators is tied to device-specific security features, that use case is covered under the self issuance of credentials. This tutorial covers the issuance of FIDO2 credentials on cross-platform authenticators by operators on behalf of end users.
Supported Identity Devices
Passkeys (FIDO2) can be issued on the following identity devices:
- IDEMIA - ID-One PIV v2.4.2 on Cosmo V8.2
- ZTPass - ZTPass on NXP P71D600
- Yubico - YubiKey 5 Series
- Arculus AuthentiKey
- Swissbit - Swissbit iShield Key
Passkeys (FIDO2) Issuance on Cross-Platform Authenticators
Prerequisites
- A FIDO2-supported smart card, USB security key, or NFC-enabled token, as listed under Supported Identity Devices.
- Unifyia Operator Client
- The Passkeys policy on the Unifyia platform is configured with the option to issue on cross-platform authenticators.
Follow the steps below to issue FIDO2 credentials on cross-platform authenticators (roaming devices):
- Log into the Unifyia platform.
- Navigate to Management > Users. Search for the user by name or email. Under the Actions column, select the Issue Identity icon to start the issuance process.
- If the user is approved for multiple identities, you are prompted to select the workflow for which you wish to issue an identity.
- From the listed identity device options, select the identity device (a supported authenticator such as an IDEMIA smart card, ZTPass smart card, or YubiKey) on which you wish to issue the FIDO2 credentials.
- Connect the identity device on which the FIDO2 credentials need to be issued.
  - If you are using a FIDO2-supported smart card, insert it into the card reader connected to your computer.
  - If you are using a FIDO2-supported security key, insert it into a USB port. You are prompted to touch the security key; touch the key.
  - If you are using an NFC passkey, connect an external NFC reader to your computer. When prompted, tap the NFC passkey on the reader to continue.
- The connected reader and authenticator (identity device) details are displayed on the Issue Identity screen.
- Select Personalize.
- An email containing the PIN is sent to the user.
- Issuance of the FIDO2 credential on the identity device is complete.
- You can now hand the security key to the user.