System Administrator Login

The system administrator's (System Admin) login to the Unifyia Platform is performed using system-generated credentials—either the username or email address and the password configured during deployment. Upon first login, the platform will prompt the system administrator to change the password.

After this step, it is mandatory for the system administrator to configure Passkeys (FIDO2), a second-factor, passwordless authentication method. The system administrator alone has the option to log in to the platform using a password and account recovery codes. All other administrators created on the Unifyia platform must log in based on the configured access privileges and issued credentials as per the organization's policy. The platform provides the option to generate and download Recovery Codes for use in emergency situations. These steps establish secure access and personalize the system administrator's account.

This document explains how the system administrators can set up Passkeys (FIDO2), download recovery codes, and use these credentials for secure authentication.

Follow the sections below to understand how to set up Passkeys (FIDO2) for passwordless authentication to log in to the platform.

Register to Login Using Passkeys (FIDO2)

Passkeys are a modern form of authentication designed to replace traditional passwords with a more secure and user-friendly approach. Passkeys enable passwordless authentication as they rely on cryptographic keys that are generated and stored securely on the user's device. They are built on the FIDO (Fast IDentity Online) standards, which promote secure, passwordless authentication across various services and platforms.

The platform supports registration of both platform authenticators (also called built-in or bound authenticators, backed by a TPM), such as Windows Hello on a PC, and cross-platform (roaming) authenticators, such as external security keys.

NOTE

As a System Administrator, you have several options for registering Passkeys (FIDO2). However, passkey registration is a one-time process, and only one method can be selected.

The following are the ways to register Passkeys (FIDO2):

  • Platform (Built-in) Authenticator (TPM) – Windows Hello
  • Register Mobile Devices as Passkeys (FIDO2) using Bluetooth
  • External Security Key (Cross-platform authenticators)
    • Smart Cards
    • YubiKeys
    • NFC Devices

Platform Authenticator (TPM) - Windows Hello on PC

Set up Windows Hello for passwordless authentication on Windows devices. Windows Hello provides secure, password-free authentication using biometrics (fingerprint, facial recognition) or a PIN. MacBooks also support passwordless login, but only if they have biometric hardware (e.g., Touch ID). The setup process is similar for both platforms. FIDO2 functionality is available on MacBooks starting with macOS 14 Sonoma.

Prerequisites
  • Use a modern web browser that supports WebAuthn, such as Microsoft Edge or Google Chrome on Windows, and Safari or Google Chrome on macOS.
  • Windows Hello must be configured with a PIN, fingerprint, or facial recognition. If using biometrics, your PC must support the required hardware. Similarly, MacBooks must have biometrics (Touch ID) capability.
  • Ensure your Windows device has a TPM chip enabled and activated. You can check this in BIOS settings or under Device Security in Windows Settings. On macOS, the Secure Enclave within Keychain is used for securely storing cryptographic keys.

Follow the steps below:

  1. Launch the Unifyia platform using a URL in a web browser on a computer and select Sign In.
  2. On the sign in page, provide the username or email and select Sign In.
  3. Next, provide your password and select Sign In.
  4. The platform will prompt you to change the password to proceed. Enter a new password, confirm it, and select Submit.
  5. The platform will prompt you to create a passkey. You need to select how you want to create a passkey. Select Windows Hello or external security key.
  6. A Windows Security prompt will appear, asking you to verify using a Windows authentication PIN. Enter the PIN or, if using a biometric option, verify using your fingerprint or face.
  7. The platform will prompt you to save a passkey on the computer that you are using to sign in to the Unifyia platform as an admin.
  8. The passkey is saved. Select OK.

  9. In the next screen, enter a label to register the authenticator (your PC).
  10. Select OK. You are logged into the platform.

Register External Security Keys (Cross-Platform Authenticators)

You can register a mobile device as a passkey or connect a roaming authenticator (external security key) by plugging it into the device via USB or tapping it (via NFC) to register it.

Supported Identity Devices for Passkeys (FIDO2)
  • IDEMIA ID-One PIV v2.4.1 on Cosmo V8.2
  • Yubico - YubiKey 5 Series
  • ZTPass - ZTPass on NXP P71D600
  • Arculus AuthentiKey
  • Swissbit - Swissbit iShield Key

Register Mobile Devices as Passkeys (FIDO2) Using Bluetooth

Ensure your PC and Mobile device have Bluetooth turned on.

  1. Launch the Unifyia platform using a URL in a web browser on a computer and select Sign In.
  2. On the sign in page, provide the username or email and select Sign In.
  3. Next, provide your password and select Sign In.
  4. The platform will prompt you to change the password to proceed. Enter a new password, confirm it, and select Submit.
  5. The platform will prompt you to create a passkey.
  6. You need to choose where to save the passkey. There are two possible ways:
    1. When prompted to choose where to save the passkey, select Use a different phone, tablet, or security key.
    2. If the Windows Security screen is displayed, select Use another device and when prompted to choose where to save the passkey, select iPhone, iPad, and Android devices.
  7. A QR code is displayed.
  8. Scan the QR code using a QR code scanner on your mobile device (iPhone, iPad, and Android devices). You will be creating the passkey on this mobile device.
  9. Provide the configured screen lock credentials for verification.
  10. The passkey is saved. Select OK.
  11. In the next screen, enter a label to register the authenticator (your PC).
  12. Select OK. You are logged into the platform.

External Security Keys as Connected Devices

Required

Choose any one of the identity devices below:

  • IDEMIA ID-One PIV v2.4.1 on Cosmo V8.2
  • Yubico - YubiKey 5 Series
  • ZTPass - ZTPass on NXP P71D600
  • Arculus AuthentiKey
  • Swissbit - Swissbit iShield Key

Follow the steps below to register an external security key that is connected to a PC as a passkey:

  1. Launch the Unifyia platform using a URL in a web browser on a computer and select Sign In.
  2. On the sign in page, provide the username or email and select Sign In.
  3. Next, provide your password and select Sign In.
  4. The platform will prompt you to change the password to proceed. Enter a new password, confirm it, and select Submit.
  5. To register for a passwordless authentication method, select the option Sign In With Passkey.
  6. The platform will prompt you to create a passkey. You need to select how you want to create a passkey. Select Security Keys.
  7. You are prompted to set up the security key to sign in as admin. Select OK to continue the setup.
  8. It will prompt you for permission to see the make and model of the security key and create a credential on the security key. Select OK.
  9. Connect the identity device to proceed.
    1. If you are using a smart card, insert it into a connected card reader.
    2. If you are using a USB passkey, connect it to your computer. It may prompt you to touch your security key. Touch the key.
    3. If you are using an NFC passkey, connect an external NFC reader to your computer. When prompted, tap the NFC passkey on the reader to continue.
  10. Next, set a PIN for the passkey. The PIN length must be 6-8 digits. If you are using a YubiKey 5 Series FIPS-enabled device, it must be an 8-digit PIN.
  11. In the next screen, enter a label to register the authenticator.
  12. Select OK.
  13. Your passkey (FIDO2) is registered.
  14. You are successfully logged in.

Authentication Post Initial Registration

You now have passwordless authentication credentials, Passkeys (FIDO2), with which you can authenticate to the Unifyia Platform. Based on the chosen registration method, the authentication option is displayed.

Authenticate Using Windows Hello


  1. On the Sign In page, enter your email or username.
  2. Select Sign In.
  3. Select Multi-factor Authentication and then select Continue.
  4. Select Sign In with Passkey.
  5. When prompted, verify your identity using a PIN, fingerprint, or face.
  6. You are successfully logged in.

Authentication on MacBook


  1. On the Sign In page, enter your email or username.
  2. Select Sign In.
  3. Select Multi-factor Authentication and then select Continue.
  4. Select Sign In with Passkey.
  5. When prompted, provide a password or Touch ID to verify identity.
  6. You are successfully logged in.

Authenticate Using Registered Mobile Devices

  1. On the Sign In page, enter your email or username.
  2. Select Multi-factor Authentication and then select Continue.
  3. A QR code is displayed.
  4. Use your phone's camera, if it can scan QR codes natively, or a QR code scanner app to scan the QR code.
  5. Provide the configured screen lock credentials for verification.
  6. You are logged into the platform.

Authenticate Using Connected Security Keys

  1. On the Sign In page, enter your email or username.
  2. Select Sign In.
  3. Select Multi-factor Authentication and then select Continue.
  4. Select Sign In with Passkey.
  5. The following are the possible options:
    1. Scan QR Code: You must have a phone that supports NFC.
      1. Select the option iPhone, iPad, and Android devices.
      2. Use your phone's camera, if it can scan QR codes natively, or a QR code scanner app to scan the QR code.
      3. Hold the smart card/USB security key flat against the NFC sweet spot on your mobile device and enter the PIN when prompted. Hold it until you see the message that the verification is complete.
      4. You are logged into the platform.
    2. Smart Card:
      1. Select the option Security Key.
      2. Connect a card reader to your computer and insert the card into it.
      3. Provide the set security key PIN to continue.
      4. You will be successfully logged into the platform.
    3. NFC reader:
      1. Choose the option Security Key.
      2. Connect an external NFC reader to your computer to proceed.
      3. When prompted, tap the NFC passkey on the reader.
      4. Provide the set security key PIN to continue.
      5. You are logged into the platform.
    4. USB Key:
      1. Choose the option Security Key.
      2. Insert the USB security key into the USB slot of your computer.
      3. Enter the security key PIN.
      4. If prompted, touch the security key.
      5. You are logged into the platform.

Authenticate Using Password

The option to log in using a password is available only for the system administrator (System Admin).

  • On the Sign In page, enter your email or username.
  • Select Sign In.
  • Select Password and then select Continue.
  • Enter the password that you have reset and select Sign In.
  • You are logged into the platform.

Account Recovery Codes

The Unifyia platform supports login using recovery codes for emergencies where all other credentials are either lost or unavailable. This option is available to all system administrators. On the first login using the password, the platform provides you with 12 recovery codes. Once you exhaust all the codes, you can get another set of codes. The process is the same whether you log in for the first time or later.

  1. On the Sign In page, enter your email or username.
  2. Select Sign In.
  3. Next, provide your password and select Sign In.
  4. The platform will prompt you to change the password to proceed. Enter a new password, confirm it, and select Submit.
  5. The platform displays a set of recovery codes. You can either print, download, or copy them to a password manager. If you proceed without saving the codes, the recovery codes will be lost and removed from your account. You will have to restart from step 1 to get another set of recovery codes.
  6. Check the box I have saved these codes somewhere safe. The Complete Setup button is enabled. Select it to proceed.
  7. The platform prompts you to authenticate using the registered passkeys (FIDO2).
  8. Once completed, you are logged into the platform.

Authenticate Using Account Recovery Codes

You must have the account recovery codes that you have saved to authenticate using the recovery codes.

  1. On the Sign In page, enter your email or username.
  2. Select Sign In.
  3. Select Account Recovery Using Recovery Codes and then select Continue.
  4. The platform will prompt you to enter a specific recovery code, such as Recovery Code #1.
  5. Enter the code and select Sign In.
  6. You are successfully logged in.

The next time you log in using the option Account Recovery Using Recovery Codes, the platform will prompt you for the next recovery code, and so on until you have used all the codes. You can get a fresh set of codes by following the steps listed in the section Account Recovery Codes.
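
The recovery-code behaviour described in this section (a set of 12 codes, requested in order, each usable once, replaced by a fresh set when needed), modelled as an added Python example. This is not Unifyia's implementation; the class name, the code format and the salted SHA-256 storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODES_PER_SET = 12  # the page states 12 recovery codes per set


class RecoveryCodeSet:
    """Hypothetical model: sequential one-time codes, stored only as salted hashes."""

    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.hashes = []      # one digest per issued code, in prompt order
        self.next_index = 0   # zero-based position of the code asked for next

    def _digest(self, code):
        # Assumption: codes are long random values, so salted SHA-256 is adequate.
        return hashlib.sha256(self.salt + code.encode()).digest()

    def issue(self):
        """Create a fresh set; plaintext is returned once for the admin to save."""
        codes = [secrets.token_hex(8) for _ in range(CODES_PER_SET)]  # constructed format
        self.salt = secrets.token_bytes(16)
        self.hashes = [self._digest(c) for c in codes]  # any earlier set is discarded
        self.next_index = 0
        return codes

    def prompt(self):
        """Label shown at sign-in, e.g. 'Recovery Code #1'; None when none are left."""
        if self.next_index >= len(self.hashes):
            return None
        return f"Recovery Code #{self.next_index + 1}"

    def redeem(self, submitted):
        """Accept only the code currently asked for, and consume it on success."""
        if self.next_index >= len(self.hashes):
            return False
        expected = self.hashes[self.next_index]
        # Constant-time comparison avoids leaking how much of the digest matched.
        ok = hmac.compare_digest(expected, self._digest(submitted.strip()))
        if ok:
            self.next_index += 1
        return ok
```

Because only digests are kept, a copy of the stored set does not reveal usable codes, and issuing a new set invalidates every code from the previous one.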