Managing FIDO2 devices

Use this task to manage the FIDO2 devices that enable users to sign on to IBM® Security Verify and to respond to second-factor authentication events.

About this task

A FIDO2 device is either a roaming authenticator, such as a hardware security key with FIDO support, or a platform authenticator that is built into the user's device and unlocked with a biometric such as a fingerprint or facial recognition, for example Apple Touch ID or Windows Hello.
Note: For users, the term passkey is used instead of FIDO to provide a more consumer-friendly experience.

The FIDO server uses authenticator metadata to validate the authenticity of a device. At registration, the authenticator presents an attestation statement; the server matches the authenticator's AAGUID against the metadata statements that are loaded for the relying party and, where the metadata carries attestation root certificates, verifies the attestation certificate chain against them. A device whose model has no matching metadata cannot be proven authentic.
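The following is an added example, not IBM code, of what the metadata check above looks like at the protocol level. It constructs a metadata statement in the FIDO Alliance MDS3 `metadataStatement` shape (the AAGUID and description are made up), builds and parses WebAuthn `authenticatorData` as defined in the WebAuthn specification, and decides whether a registration is acceptable. Treating the "check device authenticity" toggle as "reject AAGUIDs that have no included metadata" is an assumption about the product; a real server additionally verifies the attestation signature and certificate chain, which is omitted here.

```python
# Added example (not IBM's code): how a FIDO2 server uses uploaded metadata to
# check an authenticator at registration. The metadata statement, AAGUID and
# credential below are constructed for this example.
import hashlib
import json
import struct
import uuid

# Constructed metadata statement in the FIDO Alliance MDS3 "metadataStatement"
# shape, reduced to the fields this example reads. Real files also carry
# "attestationRootCertificates", against which the attestation certificate chain
# is verified; that step is out of scope here.
SAMPLE_METADATA_JSON = json.dumps({
    "description": "Example Security Key (constructed sample)",
    "aaguid": "2fc0579f-8113-47ea-b116-bb5a8db9202a",  # made up, not a vendor AAGUID
    "protocolFamily": "fido2",
    "attestationTypes": ["basic_full"],
})

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # WebAuthn authenticator-data flag bits


def load_metadata(json_text):
    """Return {aaguid: description} for the metadata statement(s) in json_text."""
    statements = json.loads(json_text)
    if isinstance(statements, dict):
        statements = [statements]
    return {str(uuid.UUID(s["aaguid"])): s["description"] for s in statements}


def build_authenticator_data(rp_id, aaguid, credential_id, sign_count=0):
    """Construct minimal WebAuthn authenticatorData with attested credential data."""
    header = hashlib.sha256(rp_id.encode()).digest()
    header += bytes([FLAG_UP | FLAG_UV | FLAG_AT]) + struct.pack(">I", sign_count)
    attested = uuid.UUID(aaguid).bytes + struct.pack(">H", len(credential_id)) + credential_id
    # A real authenticator appends the CBOR-encoded credential public key here;
    # the parser below leaves that trailing part untouched.
    return header + attested


def parse_authenticator_data(data):
    """Split authenticatorData (WebAuthn section 6.1) into its fixed fields plus the AAGUID."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    rp_id_hash, flags = data[:32], data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    parsed = {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count, "aaguid": None}
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("AT flag set but attested credential data missing")
        parsed["aaguid"] = str(uuid.UUID(bytes=data[37:53]))
        (cred_len,) = struct.unpack(">H", data[53:55])
        parsed["credential_id"] = data[55:55 + cred_len]
    return parsed


def check_registration(auth_data, rp_id, allowed_metadata, check_authenticity=True):
    """Decide whether a registration is acceptable for rp_id; returns (accepted, reason).

    allowed_metadata models the metadata included for the relying party and
    check_authenticity models the "check device authenticity" toggle (assumed
    semantics: an AAGUID with no included metadata is rejected when it is on).
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the configured relying party identifier"
    if not parsed["flags"] & FLAG_UP:
        return False, "user presence flag not set"
    if parsed["aaguid"] is None:
        return False, "no attested credential data in registration"
    if parsed["aaguid"] in allowed_metadata:
        return True, "authenticator matches metadata: " + allowed_metadata[parsed["aaguid"]]
    if check_authenticity:
        return False, "AAGUID %s not in the metadata included for this relying party" % parsed["aaguid"]
    return True, "authenticity check disabled; unknown AAGUID accepted"


if __name__ == "__main__":
    metadata = load_metadata(SAMPLE_METADATA_JSON)
    good = build_authenticator_data("example.com", "2fc0579f-8113-47ea-b116-bb5a8db9202a", b"cred-1")
    print(check_registration(good, "example.com", metadata))
    # The all-zero AAGUID is what authenticators report when they give no
    # identifying attestation; it can never match a vendor metadata statement.
    unknown = build_authenticator_data("example.com", "00000000-0000-0000-0000-000000000000", b"cred-2")
    print(check_registration(unknown, "example.com", metadata))
    print(check_registration(unknown, "example.com", metadata, check_authenticity=False))
```

The third call shows the trade-off behind the toggle: with authenticity checking off, any authenticator registers, including ones that report no identifying attestation, so the metadata you upload no longer constrains which device models your users can enrol.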

Procedure

  1. Select Authentication > FIDO settings.
  2. Add relying parties.
    1. Select Relying Parties.
      The table lists the existing relying parties with their display names, identifiers, and devices.
    2. Select Create relying party.
    3. Provide a display name for the relying party.
    4. Toggle the Enabled button to enable or disable the relying party.
    5. Provide an identifier for the relying party.
      Typically the identifier is the site DNS domain, such as example.com. The identifier is the WebAuthn relying party ID: every credential that users register is bound to it, so changing it later invalidates the credentials that were registered under the old value. Choose a domain that covers all origins where users sign in.
    6. Specify the device metadata that is to be included.
      Select the checkbox to include all device metadata. Otherwise, clear the checkbox to activate the Filter menu. Expand the filter and select one or more device metadata for the relying party.
    7. Select whether to check device authenticity.
      When this option is enabled, the attestation that an authenticator presents at registration is verified against the device metadata included for this relying party, so only authenticator models with matching metadata can be registered. Use this option to limit the authenticator types that can be used.
    8. Specify the allowed origins.
      Specify your tenant URL as an origin in the form https://host or https://host:port. The host must be the relying party identifier itself or a subdomain of it, so that the origin falls within the DNS domain that is set as the relying party identifier. If the port is not 443, you must also include the port number.
    9. Optional: Select Add URL to add more base URLs where the FIDO2-based authenticators can be registered and used.
      Each URL is added to the list of allowed origins and must also fall within the relying party identifier.
    10. Click Create.
  3. Add metadata
    1. Select Device Metadata.
      The table lists the existing metadata entries with their display names and tags.
    2. Select Create metadata.
    3. Provide a display name for the device.
    4. Toggle the Enabled button to enable or disable the device.
    5. Provide a tag for the metadata.
    6. Upload the .json or .yubico metadata file for your FIDO2 authenticator model.
      This file is the metadata statement that the vendor publishes for the authenticator model, not data read from an individual device. It contains the information, such as the AAGUID and attestation root certificates, that the FIDO server uses to recognize and validate devices of that model.
    7. Select Create.
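Before entering the relying party identifier and allowed origins from step 2, it helps to check them against the WebAuthn origin rules that the server will apply. The following is an added example, not IBM code: it normalizes each candidate URL to an origin, requires https, applies the default-port rule from step 2.8, and checks that the host is the relying party identifier or a subdomain of it. The hostnames are constructed for the example; the check does not consult the public suffix list, so it will not catch an identifier such as com that browsers would reject.

```python
# Added example (not IBM's code): pre-check the relying party identifier and
# allowed origins from the procedure against the WebAuthn origin rules before
# entering them. Hostnames below are constructed for the example.
from urllib.parse import urlsplit


def normalise_origin(url):
    """Reduce a URL to its origin (scheme://host[:port]).

    Drops the path, query and fragment, lower-cases the host and omits the
    port when it is the https default of 443, matching the page's rule that
    the port is included only when it is not 443.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError("not an absolute URL: %r" % url)
    host = parts.hostname.lower()
    port = parts.port  # raises ValueError on a non-numeric port
    if port is None or (parts.scheme == "https" and port == 443):
        return "%s://%s" % (parts.scheme, host)
    return "%s://%s:%d" % (parts.scheme, host, port)


def origin_within_rp_id(origin, rp_id):
    """True when the origin's host equals rp_id or is a subdomain of it.

    The dot-prefix comparison matters: a plain endswith() would accept
    https://notexample.com for the relying party identifier example.com.
    """
    host = urlsplit(origin).hostname.lower()
    rp_id = rp_id.lower().rstrip(".")
    return host == rp_id or host.endswith("." + rp_id)


def validate_relying_party(rp_id, origins):
    """Return [(normalised_origin, accepted, reason)] for each candidate origin."""
    results = []
    for url in origins:
        try:
            origin = normalise_origin(url)
        except ValueError as exc:
            results.append((url, False, str(exc)))
            continue
        if not origin.startswith("https://"):
            results.append((origin, False, "WebAuthn requires a secure context (https)"))
        elif not origin_within_rp_id(origin, rp_id):
            results.append((origin, False, "host is not within relying party identifier %s" % rp_id))
        else:
            results.append((origin, True, "ok"))
    return results


if __name__ == "__main__":
    # Constructed candidates: two valid origins, a non-default port, a plain-http
    # origin, a look-alike domain and an unrelated domain.
    for entry in validate_relying_party("example.com", [
        "https://login.example.com/signin?next=/",
        "https://example.com:443",
        "https://example.com:8443",
        "http://login.example.com",
        "https://notexample.com",
        "https://example.org",
    ]):
        print(entry)
```

Run it with your own tenant URLs before filling in step 2.8 and 2.9; anything that comes back rejected would fail WebAuthn registration or sign-in in the browser even if the console accepted it.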

What to do next

Enable FIDO2 for logging in. See Managing sign-in options.