Enabling a secure web application that is protected by App ID to use FIDO2 devices for the second factor.

Last week, I had the chance to read a blog post on how to protect cloud apps with App ID by using the IBM Cloud Identity user directory. That blog discusses how to configure IBM Cloud Identity as a SAML-based identity source for IBM Cloud App ID.

Because Cloud Identity supports FIDO2 devices for second-factor authentication (2FA) as a beta feature, I wanted to test how easy it is to use my USB FIDO2 devices for securing my web apps. For that purpose, I picked the app from the solution tutorial discussing end-to-end security for an application on IBM Cloud. App ID is part of the solution architecture (see the diagram):

FIDO2: An overview

If you are not too deep into security, you might be wondering about FIDO2. FIDO2 is a joint project by the FIDO Alliance (Fast IDentity Online) and the W3C to provide strong authentication for web applications. Thus, it aims to improve security by reducing or eliminating identity theft through providing passwordless authentication. 

At the core of FIDO2 are cryptographic authenticators, which can be hardware security keys connected via USB or NFC, or authenticators built into devices (e.g., smartphones). The authenticators are combined with the WebAuthn protocol, which defines how web applications, the computer (client), and authenticators interact. It is important to note that the authentication itself is performed by the cryptographic authenticator (the hardware); the computer (client) talks to the authenticator via the Client to Authenticator Protocol (CTAP).

For my tests I am using both FIDO2 Level 1 and Level 2 certified authenticators. One USB device has a button to press to initiate authentication, the other is a fingerprint scanner with some of my fingerprints enrolled. You can learn more about FIDO2 at the FIDO Alliance site or via links on this curated WebAuthn awesome list.

Enabling FIDO2 in IBM Cloud Identity

After signing up for IBM Cloud Identity, I contacted the beta administrator to enable FIDO2 support in my instance. I also configured Cloud Identity as a SAML-based provider in the App ID instance that I have. The app is based on the mentioned tutorial on end-to-end security.

For connecting App ID and Cloud Identity, I followed the instructions from the recent blog post.

With the foundation in place, I added a new user to Cloud Identity’s Cloud Directory (i.e., its user repository). Because I enabled it, an email with a temporary password was sent to the specified email address. Utilizing Chrome with an incognito window and acting as the new user, I logged in to Cloud Identity. There, I first had to change the password and then confirm my identity with a one-time-passcode (OTP) sent by email. 

After clicking on my profile, I could add new methods for the second-factor authentication:

I picked “FIDO Device” and registered my first device, then repeated it for my second device. It is important to note that only certain browsers with a minimum software level support the registration and authentication flows.

Next, I tested the secure file storage application from the tutorial. I could log in, but the security key was needed. Something was wrong, and I found that I had to change the configuration for the App ID application within Cloud Identity. The default policy was still in place and I replaced it with “Require 2FA each session in all devices”:

FIDO2-based 2FA for IBM Cloud apps

With the changed policy in place, I logged in to my app again. After accepting my password, the login dialog presented me with options for the second factor: either an OTP by email or authentication with one of the configured FIDO devices:

After selecting a device, I was prompted to insert the USB security key into my computer to authenticate. This meant either pressing the button on the USB dongle or touching the key with an enrolled finger. Finally, I was logged in and could upload a file to my encrypted cloud storage account (the tutorial app).

If you want to test it yourself, I recommend changing the SAML configuration for App ID in Cloud Identity. For the “Name Identifier” change it to “Email.” It allows the tutorial to work if the user name is not an email address.

In addition to the tests described above, I also tried an account without a FIDO2 device. For that case, I had configured email-based OTPs as the supported second factor. The sent code is valid for five minutes:

Summary 

Enabling the secure web application that is protected by App ID to use FIDO2 devices for the second factor was simple. At this moment, App ID’s own cloud directory does not support FIDO2, but IBM Cloud Identity does. Cloud Identity can be used as a SAML-based identity provider. With the right access policy in place, 2FA is enforced and I could use my hardware security keys for it.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.
