Authentication Hub -> FIDO Security Key is domain dependent ?
search cancel

Authentication Hub -> FIDO Security Key is domain dependent ?


Article ID: 251012


Updated On:


VIP Authentication Hub


So we have setup a .com URL that routes to default and no other tenant. And we have the default tenant available internally. I noticed that if I register a FIDO security key on the .com URL, it no longer shows up in the .net URL as possible factor. Same thing happens if I register the security key on the .net URL, it is no longer available as a factor on the .com URL. Both URLs are using the same tenant so something weird happening here.


Release : Oct.05

Component : VIP Authentication Hub


FIDO2 authentication using Security Keys (Roaming authenticators) or Biometrics (Platform authentications) is tied to a domain, its not a limitation or a bug, it is the specification...any authenticators registered for can be used for apps with the hostnames of the format * the same cannot be used for apps with * 
FIDO2/WebAuthn works by generating a private/public key pair for each web origin which are registered in the device or security key. Since the key pair is bound to the domain, users are protected from phishing attacks. If the attacker tricks them into using WebAuthn in a different domain, the WebAuthn authenticator will not have a key pair for that domain and authentication will fail. The attacker will not get any data that can identify the user.