Managing FIDO2 devices

Use this task to manage the FIDO2 devices that enable users to sign on to IBM® Security Verify and to respond to second-factor authentication events.

About this task

A FIDO2 device is a device with a built-in sensor, a hardware token with FIDO support, or a device with fingerprint or facial recognition such as Apple TouchID and Windows Hello.

The FIDO server uses metadata to validate the authenticity of a device.

Procedure

  1. Select Authentication > FIDO2 settings.
  2. View device metadata information.
    1. Select Device Metadata.
      The display names and tags are displayed for the devices.
  3. Add the metadata for a device.
    1. Select Device Metadata.
      The display names and tags are displayed for the devices.
    2. Select Device Metadata +
    3. Provide a display name for the device.
    4. Toggle the Enabled button to enable or disable the device.
    5. Provide a tag for the metadata.
    6. Upload the .json or .yubico file from your FIDO2 device.
      This file contains the registration metadata for your device.
    7. Select Save.
  4. Change the metadata information of a device.
    1. Select Device Metadata.
      The display names and tags are displayed for the devices.
    2. Select the device metadata and select the Edit icon.
    3. Optional: Modify the metadata information for the device.
    4. Select Save.
  5. View relying parties.
    1. Select Relying Parties.
      The display names, identifiers, and devices are displayed.
  6. Add relying parties.
    1. Select Relying Parties.
    2. Select Relying Parties +
    3. Provide a display name for the relying party.
    4. Toggle the Enabled button to enable or disable the relying party.
    5. Provide an identifier for the relying party.
    6. Specify the device metadata that is to be included.
      Select the checkbox to include all device metadata. Otherwise, clear the checkbox to activate the Filter menu. Expand the filter and select one or more device metadata for the relying party.
    7. Select whether to check device authenticity.
    8. Specify the allowed origins.
      Specify your tenant as the URN (Uniform Resource Name) and select Add.
      The URN is added to the list of URLs.
    9. Optional: You can repeat the previous step to add more tenants.
      Select the Delete icon to remove a URL.
    10. Select Save.
  7. Change the information for a relying party.
    1. Select Relying Parties.
      The display names, identifiers, and devices are displayed for the relying parties.
    2. Select the relying party and select the Edit icon.
    3. Optional: Modify the relying party information.
    4. Select Save.
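The relying-party settings configured above (identifier, allowed origins, selected device metadata, and the device authenticity check) are what the FIDO server enforces when a device registers. The following is an added example, not IBM Security Verify code, showing those policy checks in Python; the relying-party values, the AAGUID, and the clientDataJSON are constructed samples.

```python
"""Added example: policy checks a FIDO server applies using relying-party settings."""
import base64
import json
from urllib.parse import urlparse

# Constructed sample relying party, mirroring the fields set in the procedure above.
RELYING_PARTY = {
    "display_name": "Example RP",
    "identifier": "example.com",                       # relying party identifier (RP ID)
    "allowed_origins": ["https://example.com", "https://login.example.com"],
    # AAGUIDs taken from the device metadata selected for this relying party (constructed).
    "device_metadata_aaguids": {"f8a011f3-8c0a-4d15-8006-17111f9edc7d"},
    "check_device_authenticity": True,
}


def origin_allowed(origin: str, rp: dict) -> bool:
    """The origin must be in the allowed list and its host must be the RP ID or a subdomain of it."""
    if origin not in rp["allowed_origins"]:
        return False
    host = urlparse(origin).hostname or ""
    rp_id = rp["identifier"]
    return host == rp_id or host.endswith("." + rp_id)


def device_allowed(aaguid: str, rp: dict) -> bool:
    """With the authenticity check enabled, the authenticator's AAGUID must appear in the selected metadata."""
    if not rp["check_device_authenticity"]:
        return True
    return aaguid in rp["device_metadata_aaguids"]


def encode_client_data(client_data: dict) -> str:
    """Encode clientDataJSON the way a browser sends it (base64url, unpadded)."""
    return base64.urlsafe_b64encode(json.dumps(client_data).encode()).decode().rstrip("=")


def check_registration(client_data_b64: str, aaguid: str, rp: dict) -> list:
    """Return the policy failures for a registration attempt; an empty list means accepted."""
    padded = client_data_b64 + "=" * (-len(client_data_b64) % 4)
    client_data = json.loads(base64.urlsafe_b64decode(padded))
    failures = []
    if client_data.get("type") != "webauthn.create":
        failures.append("unexpected clientData type")
    if not origin_allowed(client_data.get("origin", ""), rp):
        failures.append("origin not allowed: %s" % client_data.get("origin"))
    if not device_allowed(aaguid, rp):
        failures.append("authenticator not in selected metadata: %s" % aaguid)
    return failures
```

A real server additionally verifies the challenge, the attestation signature, and the certificate chain against the metadata; this block covers only the policy fields the procedure configures.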

What to do next

Enable FIDO2 for logging in. See Managing sign-in options.