U2F Migration
The WebAuthn specification includes backwards compatibility support for FIDO U2F.
To allow previously registered U2F tokens to authenticate with the FIDO2/WebAuthn mechanisms and delegates, the U2F registration data must be migrated.
IBM Verify Identity Access offers two ways to migrate data by using the U2F Migration section of the FIDO2 Configuration screen. Select .
- Manual migration in batches
  In this section, the number of unmigrated U2F registrations is displayed. An IBM Verify Identity Access administrator can choose the batch size, and whether to migrate a single batch or all batches that are available.
- Auto-migration on use
  U2F registrations will be migrated when WebAuthn authentication is attempted.
When auto-migration is enabled and a WebAuthn authentication flow is attempted, the server checks if a user has any WebAuthn registrations. If a user does not have WebAuthn registrations, the server checks if a user has any U2F registrations, and migrates any that it finds.
The server then resumes the authentication flow.
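The following toy model is an added example, not IBM Verify Identity Access code. It follows the two migration options literally as described above to show which registrations auto-migration on use leaves for a manual batch. Assumptions: the Store class, its method names and the sample data are hypothetical, and migration is modelled as moving a record from a U2F table to a FIDO table.

```python
# Toy in-memory model of the two migration options (illustrative, not product code).
# Assumption: "migrating" a registration = moving its record from the U2F
# table to the FIDO table; the real record conversion is not modelled.
from dataclasses import dataclass, field


@dataclass
class Store:
    u2f: dict = field(default_factory=dict)   # user -> U2F registrations
    fido: dict = field(default_factory=dict)  # user -> WebAuthn registrations

    def unmigrated(self):
        """Number of U2F registrations not yet migrated (the admin-screen count)."""
        return sum(len(regs) for regs in self.u2f.values())

    def migrate_batch(self, batch_size):
        """Manual migration: move at most batch_size registrations."""
        moved = 0
        for user in list(self.u2f):
            while self.u2f[user] and moved < batch_size:
                self.fido.setdefault(user, []).append(self.u2f[user].pop(0))
                moved += 1
            if not self.u2f[user]:
                del self.u2f[user]
            if moved >= batch_size:
                break
        return moved

    def webauthn_candidates(self, user, auto_migrate):
        """Registrations available to a WebAuthn authentication attempt."""
        # The U2F lookup happens only when the user has no WebAuthn registrations.
        if auto_migrate and not self.fido.get(user):
            self.fido.setdefault(user, []).extend(self.u2f.pop(user, []))
        return list(self.fido.get(user, []))


def demo():
    # Constructed sample data, not taken from a real deployment.
    s = Store(u2f={"alice": ["u2f-A1"], "bob": ["u2f-B1", "u2f-B2"]},
              fido={"bob": ["fido-B3"]})
    alice = s.webauthn_candidates("alice", auto_migrate=True)  # migrated on use
    bob = s.webauthn_candidates("bob", auto_migrate=True)      # U2F lookup skipped
    left = s.unmigrated()                                      # bob's two remain
    s.migrate_batch(batch_size=10)                             # manual batch clears them
    return alice, bob, left, s.unmigrated(), s.fido["bob"]


if __name__ == "__main__":
    print(demo())
```

In this model a user who already holds a WebAuthn registration keeps any older U2F registrations unmigrated until a manual batch runs, so the unmigrated count is worth checking even with auto-migration enabled.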
New U2F Registrations
IBM Verify Identity Access decides which HVDB table is used to store new U2F token registrations based on a number of factors. This applies only to new U2F tokens that are added by the FIDO Universal 2nd Factor mechanism.
Firstly, the mechanism checks if the registration JSON request includes a parameter called legacyMode. If the parameter is present and set to true, the new registration is stored in the U2F table.
If legacyMode is not set to true, the mechanism then checks if Auto-migration on use is enabled for U2F Migration. If enabled, the new registration is stored in the FIDO table.

This enables an administrator to have complete control over which table is used to store new registrations, while also allowing existing systems that use U2F to continue as they were.