Use Multi-Factor Authentication (MFA) with ºÚÁϺ£½Ç91Èë¿Ú to secure user access to your organization’s resources. This guide shows you how to set up WebAuthn multi-factor authentication (MFA) for ºÚÁϺ£½Ç91Èë¿Ú users. WebAuthn MFA protects authentication to the User Portal, Single Sign On (SSO) applications, and password changes made from the User Portal. When you enable WebAuthn MFA, users will see it as an option for MFA when logging into one of these resources.
Give your users secure and convenient access to their resources with Push MFA. Learn more: ºÚÁϺ£½Ç91Èë¿Ú Protect for Admins.
What is WebAuthn MFA
MFA secures access to a resource by asking a user to prove who they are with multiple factors. When MFA is enabled, a user proves who they are with something they know, like a username and password, something they have, like a security key, and something they are, like a fingerprint. When WebAuthn MFA is enabled, users authenticate to the ºÚÁϺ£½Ç91Èë¿Ú User Portal with their username and password plus a security key or a device authenticator.
WebAuthn MFA is available in the following places:
- User Portal login
- SSO applications
- Password changes from the User Portal
WebAuthn MFA Considerations
- WebAuthn MFA with security key works with ºÚÁϺ£½Ç91Èë¿Ú’s Supported Web Browsers.
WebAuthn MFA with Touch ID is only supported by Google Chrome.
- Browsers don’t support all security keys. If you experience problems registering or logging in with a security key, your security key may not be supported by the browser.
- Enrollment periods aren’t available for WebAuthn MFA.
- WebAuthn MFA doesn’t protect systems, RADIUS servers, or password changes made from systems. However, you can use TOTP MFA to protect systems, RADIUS servers, and password changes made from systems. Learn more: MFA for Admins.
Legacy Keys (WebAuthn Considerations)
Any older security keys (including device authenticators) have been renamed legacy keys. You can rename or delete these keys, but cannot add a new security key to this area. We recommend re-enrolling these keys as Security Keys or Device Authenticators and then deleting the original legacy key. However, users will not be blocked from continuing to use the legacy key.
Security Key (WebAuthn) Considerations
Security keys you can use:
- ºÚÁϺ£½Ç91Èë¿Ú WebAuthn MFA supports any Universal Second Factor (U2F) compliant security key, such as YubiKey and Titan.
- You can use NFC-enabled security keys with NFC supported devices. You need to have a supported web browser on the device to use an NFC-enabled security key to log in to the User Portal.
- To use an NFC-enabled security key:
  - Use a supported web browser to log in to the User Portal.
  - After you enter your username and password, select Security Key.
  - When the browser prompts you for the security key, move the NFC-enabled security key near the designated spot on the device.
  - When the security key is authenticated, you gain access to the User Portal.
- Users can have multiple security keys.
- ºÚÁϺ£½Ç91Èë¿Ú does not officially support Bluetooth Low Energy WebAuthn security keys.
TOTP Security keys can't be used as WebAuthn security keys.
Device Authenticator (WebAuthn) Considerations
- Some systems have built-in devices that can be used as a device authenticator, like a fingerprint scanner.
On Windows devices, the authenticator being enrolled as a device authenticator must already be enrolled in Windows Hello, otherwise enrollment will fail.
- If you want a user’s built-in device to work as WebAuthn, instruct the user to enroll in Device Authenticator from their User Portal.
- Apple Touch ID is only supported on Chrome; Windows Hello is supported on Chrome, Firefox, and Edge.
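The browser and device authenticator considerations above can be checked from the user's browser before enrollment, which helps when triaging "registration failed" reports. This is an added example, not vendor code: the function names, report fields and user-agent matching are assumptions, while `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` is the standard WebAuthn API call.

```javascript
// Added example; names and report shape are assumptions, not the vendor's code.
// Device authenticator browser rules are the ones stated in the list above.
const DEVICE_AUTH_BROWSERS = {
  macos: ["chrome"],                       // Touch ID: Chrome only
  windows: ["chrome", "firefox", "edge"],  // Windows Hello
};

// Crude user-agent classification. Edge is tested before Chrome because
// Edge user agents also contain "Chrome/".
function classify(ua) {
  const browser = /Edg\//.test(ua) ? "edge"
    : /Firefox\//.test(ua) ? "firefox"
    : /Chrome\//.test(ua) ? "chrome"
    : /Safari\//.test(ua) ? "safari" : "other";
  const os = /Windows NT/.test(ua) ? "windows"
    : /Mac OS X/.test(ua) ? "macos" : "other";
  return { browser, os };
}

// env defaults to the browser globals; a constructed object can be passed for testing.
async function webauthnReadiness(env = globalThis) {
  const report = { webauthnApi: false, deviceAuthenticator: false, notes: [] };
  const pkc = env.PublicKeyCredential;
  if (!env.isSecureContext || !pkc || !env.navigator?.credentials?.create) {
    report.notes.push("WebAuthn API unavailable: use a supported browser over HTTPS");
    return report;
  }
  // API present; an individual security key model may still be unsupported by the browser.
  report.webauthnApi = true;
  const { browser, os } = classify(env.navigator.userAgent || "");
  if (!(DEVICE_AUTH_BROWSERS[os] || []).includes(browser)) {
    report.notes.push(`Device authenticator not supported for ${browser} on ${os}`);
    return report;
  }
  // Resolves to false when no user-verifying platform authenticator is
  // available, for example when Windows Hello has not been set up.
  const available =
    typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === "function" &&
    (await pkc.isUserVerifyingPlatformAuthenticatorAvailable());
  report.deviceAuthenticator = available;
  if (!available) {
    report.notes.push("No platform authenticator: enroll Touch ID or Windows Hello in the OS first");
  }
  return report;
}
```

Run `webauthnReadiness()` from the browser console on the login page's origin; a `deviceAuthenticator: false` result with the enrollment note matches the Windows Hello failure case described above.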
Preparing Your Users
- If your users use security keys with TOTP MFA, let them know TOTP MFA security keys are a different type of security key and can’t be used with WebAuthn MFA.
- If you enable security key self-registration, let users know that they will be prompted to set up a security key when they log in to the User Portal.
- If you don't enable security key self-registration, consider registering all of your users' security keys first, giving the keys to the users, and then enabling WebAuthn MFA.
- Users can find their security keys when they log in to the User Portal, then go to the Security Tab.
- This article explains how to register and use security keys with a user account: Use a Security Key or Device Authenticator with User Accounts.
Enabling WebAuthn MFA
- Log in to the ºÚÁϺ£½Ç91Èë¿Ú Admin Portal.
- Go to Security Management > MFA Configurations.
- In the WebAuthn section, click Enable.
- Optionally, to let your users register their security keys, select Allow security key self-registration for all users. The process for users is in Use a Security Key or Device Authenticator with User Accounts.
To add WebAuthn for a user:
- Go to Users, select a user, and go to the Details tab.
- In the Security Keys section, click Add Key.
- On the Register WebAuthn Security Key modal, enter a Display Label, then click Register Key.
- Insert the security key into your computer, then follow the browser prompts, which can differ in behavior and messaging.
- Click Register Key. A popup in the right corner of the screen will confirm that the security key has been successfully registered.
- Save User.
- Device Authenticators will be enrolled by users from the User Portal.
- To edit or delete a user's security key or device authenticator, use the pencil or trash can icons.
- Save User.
Important: If WebAuthn is the only MFA factor and an admin deletes the user’s only security key, that user will be locked out of the User Portal.
Viewing Users’ WebAuthn Enrollment Status
In the Users page, use the Columns dropdown to add the MFA: WebAuthn and MFA: User Requirement columns to confirm which users have completed WebAuthn enrollment.