The FIDO Universal 2nd Factor authentication mechanism prompts the user to sign a random
challenge string with a FIDO Universal 2nd Factor token provided during the authentication
flow.
Before you begin
The user must register a compatible FIDO Universal 2nd Factor token.
About this task
Configure the FIDO Universal 2nd Factor mechanism and its corresponding properties to determine
how the mechanism operates.
Procedure
- Log in to the local management interface.
- Click Secure Access Control.
- Under Policy, click Authentication.
- Click Mechanisms.
- Click FIDO Universal 2nd Factor.
- Click Modify.
- Click the Properties tab.
- Select a property that you want to configure.
- Click Modify.
- Enter the value for that property.
- Click OK.
- Take note of the properties for the mechanism.
  - Application ID
    The protocol, hostname, and port that the user will use to attempt authentication.
    Default value: https://webseal.com
    Valid values: String, valid URL
  - Attestation Type
    The type of certificate attestation validation to perform. Specify None to
    not perform certificate attestation validation. Specify Keystore to perform
    certificate attestation validation using the keystore configured in
    attestationSource. Specify JWKS to perform certificate
    attestation validation using the JSON Web Key Set configured in
    attestationSource.
    Default value: None
    Valid values: None, Keystore, JWKS
  - Attestation Source
    The keystore or key set to use for certificate attestation validation. Either the name of the
    keystore on the appliance, or the URL for a JSON Web Key Set.
    Default value: No default value
    Valid values: String
  - Attestation Enforcement
    The level of enforcement of certificate attestation validation. When you specify
    Required, certificate attestation validation is required, and requests that
    fail validation will return a validation error. When you specify Optional,
    certificate attestation validation is performed, but requests that fail validation will not return
    an error.
    Default value: Required
    Valid values: Required, Optional
- Click Save.
What to do next
When you configure the mechanism, a message indicates that changes are not deployed. Deploy
them. See Deploying pending changes.
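To show how the Application ID property ties into the signed challenge, the following added example (not the product's code) validates the client data of a U2F sign response and rebuilds the byte string the token signed, following the FIDO U2F raw message format, which goes beyond what this page describes. The function names, the `webseal.example.com` host, and the single-facet origin rule are assumptions. Verifying the ECDSA signature over the returned bytes with the registered public key is the step that follows.

```python
import base64, hashlib, json, struct
from urllib.parse import urlsplit

def origin_of(url):
    """Reduce a URL to scheme://host[:port], omitting a default port."""
    u = urlsplit(url)
    default = {"https": 443, "http": 80}.get(u.scheme)
    port = "" if u.port in (None, default) else f":{u.port}"
    return f"{u.scheme}://{u.hostname}{port}"

def b64url(data):
    """Websafe base64 without padding, as U2F encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def signature_base(app_id, issued_challenge, client_data, auth_data):
    """Check a sign response; return (bytes the token signed, counter)."""
    cd = json.loads(client_data)
    if cd.get("typ") != "navigator.id.getAssertion":
        raise ValueError("clientData is not an authentication assertion")
    if cd.get("challenge") != b64url(issued_challenge):
        raise ValueError("challenge is not the one issued for this flow")
    # Assumption: single-facet deployment, so the browser-reported origin
    # must equal the configured Application ID.
    if origin_of(cd.get("origin", "")) != origin_of(app_id):
        raise ValueError("origin does not match the Application ID")
    if len(auth_data) < 5:
        raise ValueError("truncated authentication data")
    presence, counter = struct.unpack(">BI", auth_data[:5])
    if not presence & 0x01:
        raise ValueError("user presence bit not set")
    # application parameter || presence || counter || challenge parameter
    app_param = hashlib.sha256(app_id.encode()).digest()
    chal_param = hashlib.sha256(client_data).digest()
    return app_param + auth_data[:5] + chal_param, counter

if __name__ == "__main__":
    # Constructed sample values, not captured from a real token.
    challenge = bytes(range(32))
    cdata = json.dumps({"typ": "navigator.id.getAssertion",
                        "challenge": b64url(challenge),
                        "origin": "https://webseal.example.com"}).encode()
    base, ctr = signature_base("https://webseal.example.com", challenge,
                               cdata, b"\x01" + struct.pack(">I", 7))
    print(len(base), ctr)
```

The application parameter is the SHA-256 hash of the Application ID string exactly as configured, so a value changed after tokens are registered no longer matches what those tokens were registered under.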