Symantec VIP Integration with FIDO\FIDO2

Products

VIP Service

Issue/Introduction

This article describes how to integrate FIDO-enabled authenticators into VIP. Once implemented, users can register FIDO authenticators through the MyVIP flow, and then natively authenticate using their FIDO authenticators.

Cause

FIDO authenticators

FIDO-enabled authenticators, also known as passwordless credentials, are hardware or software authenticators that meet the FIDO standard for security. The most obvious difference between a FIDO authenticator and other authenticators is that users are not prompted to enter a security code when authenticating. In these scenarios, the authenticator interacts directly with the authenticating app with minimal user interference:

Roaming FIDO authenticators (called security keys in VIP) are typically USB-based devices that are inserted into the device on which the user is authenticating. Security keys can authenticate over USB, Bluetooth Low Energy (BLE), or Near Field Communications (NFC).
Platform FIDO authenticators (called biometrics in VIP) are embedded directly in the device on which the user is authenticating. Supported platform authenticator types include Fingerprint and FaceID.

Resolution

Fido information for specific VIP integrations can be found in the Symantec VIP Documentation.

Enabling FIDO in VIP Manager
FIDO registration and sign-in user flows
FIDO login using the VIP Login flow:
Managing FIDO authenticators in VIP Manager
Viewing FIDO-based transactions in VIP Manager
Earliest Web browsers supported by authenticator types
Earliest Mobile browsers supported by authenticator types
Frequently asked questions (FAQ)

Enabling FIDO in VIP Manager

Sign in to VIP Manager and enable FIDO authenticators for your users:

From the Policies > Account page, click Edit.
Select Yes next to Enable Biometrics / Security Keys.
Click Save.

FIDO registration and sign-in user flows

Once FIDO is enabled VIP Manager, end users will have the option to register a FIDO authenticator during the sign-in process for non-RADIUS authentications. For example, when logging into O365, if they have not previously registered another authenticator, the registration flow will allow them to register a FIDO authenticator. Users with existing tokens can select the option to manage their VIP credentials and follow the same process.

Registering a FIDO authenticator looks similar to the following:
The user selects the authenticator type (Security Key or Biometrics), enters a friendly name for the authenticator to uniquely identify it, and clicks Continue.
The user is prompted to register the authenticator, depending on the authentication vendor and the platform the end-user is using. For example:
The authenticator is successfully registered:
Once your end users have registered a FIDO authenticator, your end users are prompted to authenticate with that authenticator when they sign in. Your end users still have the option of signing in using security codes and, if configured, out-of-band authentication.

FIDO login using the VIP Login flow:

Note: If you implement the sign-in process into your application with the VIP User Services Web API, the flow may vary. See Implementing FIDO in VIP User Services for details on this API.

The user signs in to a VIP Login-protected resource and enters their username:
The user enters their password:
VIP Login identifies that the user has registered a FIDO authenticator, so prompts the user to use it for second-factor authentication. The user can still fall back to security codes or, if configured, out-of-band authentication by clicking the Use another option to Sign In link.
The prompts are generated by the authenticator vendor, so vary depending upon the authenticator type and the platform the end user is using. For example:

The user is signed in to the protected resource.

Managing FIDO authenticators in VIP Manager

VIP Manager includes new search descriptors for FIDO authenticators in the User and Credential tabs. Use the following search descriptors to obtain user, credential, and report information for FIDO authenticators:

Security Key: Obtains information for roaming FIDO authenticators
Biometrics: Obtains information for platform FIDO authenticators

Viewing FIDO-based transactions in VIP Manager

The VIP Manager end-user Transaction Report includes information about transactions performed with FIDO authenticators.

The Transaction Report includes transaction and authenticator information for the following new events:

Preregister an authenticator: fidoPreRegister
Register an authenticator: addFidoCredential
Preauthenticate with an authenticator: fidoPreAuthenticate
Authenticate with an authenticator: authenticateUserWithFido
Update information about an authenticator: updateCredential
Remove an authenticator from a user: removeCredential

Earliest Web browsers supported by authenticator types

FIDO Authenticator Type (Includes Biometric and Roaming Authenticators)	Windows (Chrome, IE Edge, & Firefox)	MAC (Safari, Chrome, & Firefox)
Touch ID/Fingerprint/Face ID	Windows Hello Fingerprint ● Chrome Version 92.0.4515.107 (64-bit) ● IE Edge Version 92.0.902.55 (64-bit) ● Windows 10 Pro Version 20H2 ● Firefox 90.0.2 (64-bit) Windows Hello Face ● Chrome Version 97.0.4692.99 (64-bit) ● IE Edge Version 92.0.1072.69 (64-bit) ● Windows 10 Pro Version 20H2 ● Firefox 96.0.2 (64-bit)	Touch ID/Fingerprint ● Safari Version 14.0.3 (16610.4.3.1.7) ● Safari Version 14.1.1 (14611.2.7.1.6) ● MAC Google Chrome Version 90.0.4430.212 (x86_64) ● Not supported in Firefox Face ID ● Not Applicable
USB Security Key	● Chrome Version 90.0.4430.212 (64-bit) ● IE Edge Version 91.0.864.37 (64-bit) ● Firefox 90.0.2 (64-bit)	●MAC Google Chrome Version 92.0.4515.107 ● Firefox 90.0 (64-bit)
Bluetooth Security Key	● Chrome Version 90.0.4430.212 (64-bit) ● IE Edge Version 91.0.864.37 (64-bit) ● Firefox 90.0.2 (64-bit)	Not Certified

Earliest Mobile browsers supported by authenticator types

FIDO Authenticator Type (Includes Biometric and Roaming Authenticators)	Android-version 10 (Chrome & Firefox)	iOS (Safari & Firefox)
Touch ID/Fingerprint/Face ID	Touch ID/Fingerprint ● Chrome Version 91.0.4472.77 Note: Face ID is only supported on a device that has "app signing and payments" functionality, such as a Google Pixel 4 device	Touch ID/Fingerprint/Face ID: ● Safari 14 Touch ID/Fingerprint: ● Firefox Daylight 35.5
USB Security Key	Chrome Version 91.0.4472.77	Not Applicable
Bluetooth Security Key	Chrome Version 91.0.4472.101	Not Certified
Lightning Port	Not Applicable	Safari 13 & 14
NFC	Chrome Version 91.0.4472.77	Safari 14 Firefox Daylight 35.5

Frequently asked questions (FAQ)

Can we use FIDO authenticators in incognito mode?
No, this implementation requires a cookie to be installed in the browser during registration. Incognito mode does not support cookies.

If I register a FIDO authenticator in one browser, can I use it in another browser?
Yes, you can register a FIDO authenticator in one browser and use it in another browser, with the following exception:
The macOS registers the authenticator at the browser level rather than the operating system level. For this reason, you must register your biometric authenticator in each browser in which you intend to use it on macOS, you must register your FIDO authenticator in each browser in which you intend to use it.

Can I use any FIDO-2 compliant token?
Yes, VIP is fully compliant with FIDO-2 standard, and supports any FIDO-2 compliant authenticators.

Can I use facial recognition as a biometric for FIDO-2?
VIP relies on the feature set of the operating system for FIDO support. The iOS operating system supports FIDO-2, so you can use facial recognition with the iPhone. Most Android phones do not support facial recognition for FIDO-2, so you cannot use facial recognition with Android devices.

Can I use FIDO-2 authenticators with Microsoft Credential Provider?
VIP integration with Microsoft Credential Provider does not support FIDO-2 authenticators. It does support FIDO 1 authenticators (security keys only).