Symantec VIP Integration with FIDO\FIDO2

Article ID: 277027

Updated On:

Products

VIP Service

Issue/Introduction

This article describes how to integrate FIDO-enabled authenticators into VIP. Once implemented, users can register FIDO authenticators through the MyVIP flow, and then natively authenticate using their FIDO authenticators. 

Cause

FIDO authenticators

FIDO-enabled authenticators, also known as passwordless credentials, are hardware or software authenticators that meet the FIDO standard for security. The most obvious difference between a FIDO authenticator and other authenticators is that users are not prompted to enter a security code when authenticating. Instead, the authenticator interacts directly with the authenticating app with minimal user interaction:

  • Roaming FIDO authenticators (called security keys in VIP) are typically USB-based devices that are inserted into the device on which the user is authenticating. Security keys can authenticate over USB, Bluetooth Low Energy (BLE), or Near Field Communication (NFC).
  • Platform FIDO authenticators (called biometrics in VIP) are embedded directly in the device on which the user is authenticating. Supported platform authenticator types include Fingerprint and FaceID.

Resolution

FIDO information for specific VIP integrations can be found in the Symantec VIP Documentation.

Enabling FIDO in VIP Manager

Sign in to VIP Manager and enable FIDO authenticators for your users:

  1. From the Policies > Account page, click Edit.
  2. Select Yes next to Enable Biometrics / Security Keys.
  3. Click Save.

FIDO registration and sign-in user flows 

Once FIDO is enabled in VIP Manager, end users have the option to register a FIDO authenticator during the sign-in process for non-RADIUS authentications. For example, when logging into O365, if they have not previously registered another authenticator, the registration flow allows them to register a FIDO authenticator. Users with existing tokens can select the option to manage their VIP credentials and follow the same process.

  1. Registering a FIDO authenticator looks similar to the following: [screenshot]
  2. The user selects the authenticator type (Security Key or Biometrics), enters a friendly name that uniquely identifies the authenticator, and clicks Continue.
  3. The user is prompted to register the authenticator. The prompt depends on the authenticator vendor and the platform the end user is using. For example: [screenshots]
  4. The authenticator is successfully registered: [screenshot]
  5. Once your end users have registered a FIDO authenticator, they are prompted to authenticate with that authenticator when they sign in. They still have the option of signing in using security codes and, if configured, out-of-band authentication.

FIDO login using the VIP Login flow:

Note: If you implement the sign-in process into your application with the VIP User Services Web API, the flow may vary. See Implementing FIDO in VIP User Services for details on this API.

  1. The user signs in to a VIP Login-protected resource and enters their username: [screenshot]
  2. The user enters their password: [screenshot]
  3. VIP Login identifies that the user has registered a FIDO authenticator and prompts the user to use it for second-factor authentication. The user can still fall back to security codes or, if configured, out-of-band authentication by clicking the Use another option to Sign In link.
     The prompts are generated by the authenticator vendor, so they vary depending on the authenticator type and the platform the end user is using. For example: [screenshots]
     The user is signed in to the protected resource.
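Both flows above rest on the browser's WebAuthn API, which is how a web page reaches a FIDO2 authenticator. The block below is an added example and is not VIP's, MyVIP's or VIP Login's own code: it builds the options a page hands to navigator.credentials.create() for the registration step and to navigator.credentials.get() for the second-factor step, mapping VIP's Security Key / Biometrics choice onto WebAuthn's cross-platform / platform authenticator attachment. The rpId, user record, credential IDs and challenge bytes are constructed placeholders; in a real deployment the relying party server issues every challenge and verifies what comes back.

```javascript
// Added example, not VIP's own code: the browser-side WebAuthn calls that a
// FIDO2 registration and sign-in flow like the one described above rests on.
// The relying party (VIP, in this article) generates each challenge and sends
// the options to the page; rpId, user record and credential IDs are constructed.

// VIP's two authenticator types correspond to WebAuthn's authenticatorAttachment.
const ATTACHMENT_FOR_TYPE = {
  "Security Key": "cross-platform", // roaming authenticator: USB, BLE or NFC
  "Biometrics": "platform",         // built in: Touch ID, Face ID, Windows Hello
};

// Credential IDs are raw bytes on the wire; relying parties store them base64url-encoded.
function toBase64Url(bytes) {
  const bin = Array.from(bytes, b => String.fromCharCode(b)).join("");
  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bin, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Options for navigator.credentials.create(), i.e. the "register" step.
function buildRegistrationOptions({ rpId, rpName, user, challenge, authenticatorType, existingCredentialIds = [] }) {
  const attachment = ATTACHMENT_FOR_TYPE[authenticatorType];
  if (!attachment) throw new Error(`unknown authenticator type: ${authenticatorType}`);
  return {
    rp: { id: rpId, name: rpName },
    user: { id: user.id, name: user.name, displayName: user.displayName },
    challenge,                           // server-issued and single use; never generated client-side
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: attachment,
      // a platform authenticator is only worth registering if it verifies the user (biometric or PIN)
      userVerification: attachment === "platform" ? "required" : "preferred",
      residentKey: "preferred",
    },
    // stops the same authenticator being registered twice for this user
    excludeCredentials: existingCredentialIds.map(id => ({ type: "public-key", id })),
    attestation: "none",
    timeout: 60_000,
  };
}

// Options for navigator.credentials.get(), i.e. the second-factor step of sign-in.
// `allowed` is the user's registered credentials as the server stored them (id + transports).
function buildAuthenticationOptions({ rpId, challenge, allowed }) {
  return {
    rpId,
    challenge,
    allowCredentials: allowed.map(c => ({ type: "public-key", id: c.id, transports: c.transports })),
    userVerification: "preferred",
    timeout: 60_000,
  };
}

// Whether this device can offer the "Biometrics" option at all (browser only; false under Node).
async function platformAuthenticatorAvailable() {
  if (typeof window === "undefined" || !window.PublicKeyCredential) return false;
  return PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
}

// Browser glue. The server verifies the attestation or assertion; the page only relays it.
async function registerAuthenticator(options) {
  const cred = await navigator.credentials.create({ publicKey: options });
  return {
    id: toBase64Url(new Uint8Array(cred.rawId)),
    transports: cred.response.getTransports ? cred.response.getTransports() : [],
  };
}

async function authenticateWith(options) {
  return navigator.credentials.get({ publicKey: options });
}

// Stand-alone demo (runs under Node without a browser): build the registration options.
const demoChallenge = new Uint8Array(32).fill(1); // placeholder only; real challenges are random and server-issued
const registration = buildRegistrationOptions({
  rpId: "vip.example.test", rpName: "Example VIP",
  user: { id: new TextEncoder().encode("user-0001"), name: "alice", displayName: "Alice" },
  challenge: demoChallenge, authenticatorType: "Biometrics",
});
console.log(registration.authenticatorSelection);
```

The security-relevant work sits on the server side that this block does not show: checking the signature and the challenge in the returned attestation or assertion, rejecting a challenge that has already been used, and storing the credential ID with its public key. The client only chooses the attachment type and relays what the authenticator returns.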

Managing FIDO authenticators in VIP Manager

VIP Manager includes new search descriptors for FIDO authenticators in the User and Credential tabs. Use the following search descriptors to obtain user, credential, and report information for FIDO authenticators:

  • Security Key: Obtains information for roaming FIDO authenticators
  • Biometrics: Obtains information for platform FIDO authenticators

Viewing FIDO-based transactions in VIP Manager

The VIP Manager end-user Transaction Report includes information about transactions performed with FIDO authenticators.

The Transaction Report includes transaction and authenticator information for the following new events:

  • Preregister an authenticator: fidoPreRegister
  • Register an authenticator: addFidoCredential
  • Preauthenticate with an authenticator: fidoPreAuthenticate
  • Authenticate with an authenticator: authenticateUserWithFido
  • Update information about an authenticator: updateCredential
  • Remove an authenticator from a user: removeCredential

Earliest Web browsers supported by authenticator types

FIDO Authenticator Type (includes biometric and roaming authenticators) / Windows (Chrome, IE Edge, & Firefox) / Mac (Safari, Chrome, & Firefox)

Touch ID/Fingerprint/Face ID
  Windows, Windows Hello Fingerprint:
  ● Chrome Version 92.0.4515.107 (64-bit)
  ● IE Edge Version 92.0.902.55 (64-bit)
  ● Windows 10 Pro Version 20H2
  ● Firefox 90.0.2 (64-bit)
  Windows, Windows Hello Face:
  ● Chrome Version 97.0.4692.99 (64-bit)
  ● IE Edge Version 92.0.1072.69 (64-bit)
  ● Windows 10 Pro Version 20H2
  ● Firefox 96.0.2 (64-bit)
  Mac, Touch ID/Fingerprint:
  ● Safari Version 14.0.3 (16610.4.3.1.7)
  ● Safari Version 14.1.1 (14611.2.7.1.6)
  ● Google Chrome Version 90.0.4430.212 (x86_64)
  ● Not supported in Firefox
  Mac, Face ID:
  ● Not Applicable

USB Security Key
  Windows:
  ● Chrome Version 90.0.4430.212 (64-bit)
  ● IE Edge Version 91.0.864.37 (64-bit)
  ● Firefox 90.0.2 (64-bit)
  Mac:
  ● Google Chrome Version 92.0.4515.107
  ● Firefox 90.0 (64-bit)

Bluetooth Security Key
  Windows:
  ● Chrome Version 90.0.4430.212 (64-bit)
  ● IE Edge Version 91.0.864.37 (64-bit)
  ● Firefox 90.0.2 (64-bit)
  Mac:
  ● Not Certified

Earliest Mobile browsers supported by authenticator types

FIDO Authenticator Type (includes biometric and roaming authenticators) / Android version 10 (Chrome & Firefox) / iOS (Safari & Firefox)

Touch ID/Fingerprint/Face ID
  Android, Touch ID/Fingerprint:
  ● Chrome Version 91.0.4472.77
  Note: Face ID is only supported on a device that has "app signing and payments" functionality, such as a Google Pixel 4 device.
  iOS, Touch ID/Fingerprint/Face ID:
  ● Safari 14
  iOS, Touch ID/Fingerprint:
  ● Firefox Daylight 35.5

USB Security Key
  Android:
  ● Chrome Version 91.0.4472.77
  iOS:
  ● Not Applicable

Bluetooth Security Key
  Android:
  ● Chrome Version 91.0.4472.101
  iOS:
  ● Not Certified

Lightning Port
  Android:
  ● Not Applicable
  iOS:
  ● Safari 13 & 14

NFC
  Android:
  ● Chrome Version 91.0.4472.77
  iOS:
  ● Safari 14
  ● Firefox Daylight 35.5


Frequently asked questions (FAQ)


Can we use FIDO authenticators in incognito mode?
No, this implementation requires a cookie to be installed in the browser during registration. Incognito mode does not support cookies.

If I register a FIDO authenticator in one browser, can I use it in another browser?
Yes, you can register a FIDO authenticator in one browser and use it in another browser, with the following exception: macOS registers the authenticator at the browser level rather than the operating system level. For this reason, on macOS you must register your biometric authenticator in each browser in which you intend to use it.

Can I use any FIDO-2 compliant token?
Yes, VIP is fully compliant with the FIDO-2 standard and supports any FIDO-2 compliant authenticator.

Can I use facial recognition as a biometric for FIDO-2?
VIP relies on the feature set of the operating system for FIDO support. The iOS operating system supports FIDO-2, so you can use facial recognition with the iPhone. Most Android phones do not support facial recognition for FIDO-2, so you cannot use facial recognition with Android devices. 

Can I use FIDO-2 authenticators with Microsoft Credential Provider?
VIP integration with Microsoft Credential Provider does not support FIDO-2 authenticators. It does support FIDO 1 authenticators (security keys only).

Can I use FIDO-2 authenticators with RADIUS?
Currently, RADIUS integrations do not support FIDO-2 authenticators. They do support FIDO 1 authenticators (security keys only).