Security Key Factor Displays Mobile QR Option in IDSP
Article ID: 436193

Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

When configuring the Security Key factor (FIDO) in IDSP/VIP Authentication Hub to restrict authentication to hardware keys (e.g., YubiKey), users still see a Mobile Device/QR Code option in the browser's authentication interface.

Environment

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Cause

Modern web browsers and operating systems treat both hardware Security Keys and platform Passkeys as "roaming credentials." During the FIDO registration or authentication flow, the browser controls the user interface. Many browsers prioritize the mobile/Passkey experience (QR code) by default, even when the intended policy is restricted to a physical security key. The authenticatorAttachment parameter is not consistently enforced by all browsers when both platform and cross-platform options are available.

Resolution

While the browser's native UI cannot be entirely bypassed, you can use tenant-level configuration hints and specific flags to steer the browser toward the hardware key experience.

Implementation Steps

  1. Configure Registration Hints: Use the passkeyRegistrationHints tenant setting to de-emphasize the mobile (QR code) option during registration. Not all browsers honor this, but it informs the browser of the preferred authenticator type.
  2. Enable skipQRCodeForSecurityKeyAuthentication: This flag can be enabled in the tenant configuration to specifically lock down the authentication flow to hardware security keys.
    • Note: While this flag effectively restricts the authentication flow to YubiKeys, browsers may still present the QR code option during the registration phase due to native OS/browser behavior.
  3. Refer to Documentation: For specific JSON payload structures and API endpoints, see the official guide: .
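The steps above are tenant settings; underneath, they can only act through the standard WebAuthn fields that a page hands to the browser. The following is an added illustration, not IDSP/VIP Authentication Hub code, of what a "hardware security key only" policy looks like at that level: registration and authentication options that ask for a roaming key (authenticatorAttachment "cross-platform" plus the WebAuthn Level 3 "security-key" hint, and an allowCredentials list that omits the "hybrid" transport), together with a post-registration check that the credential the browser actually returned is a hardware key rather than a phone enrolled via QR code or a platform passkey. The function names, the sample registration results and the fixed challenge are constructed for the example; how passkeyRegistrationHints and skipQRCodeForSecurityKeyAuthentication map onto these fields is an assumption, not documented product behavior.

```javascript
// Added example (not IDSP/VIP Authentication Hub code): the WebAuthn-level
// settings a "hardware security key only" policy translates to, plus a
// post-registration check that the returned credential really is a roaming
// hardware key and not a hybrid (QR code / phone) or platform passkey.
// The option objects are what a browser page would pass to
// navigator.credentials.create() / .get(); the checks run under Node as-is.

// Transports that imply a physical roaming authenticator.
const HARDWARE_TRANSPORTS = new Set(["usb", "nfc", "ble"]);

// Registration: attachment "cross-platform" plus the WebAuthn Level 3
// "security-key" hint. Both are hints only; a browser may still offer a QR code.
function buildSecurityKeyCreationOptions({ rpId, rpName, userId, userName, challenge }) {
  return {
    challenge,
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform",
      residentKey: "discouraged",
      userVerification: "preferred",
    },
    hints: ["security-key"],
    attestation: "direct",
    timeout: 60000,
  };
}

// Authentication: list only already-registered hardware keys and advertise only
// their hardware transports. Browsers use allowCredentials[].transports as a
// strong signal for which UI to offer, so leaving "hybrid" out of the list is
// what keeps the QR code out of the sign-in dialog. This is the effect a
// server-side flag such as skipQRCodeForSecurityKeyAuthentication would need
// to have (assumed mapping, not documented product behavior).
function buildSecurityKeyRequestOptions({ rpId, challenge, registeredKeys }) {
  return {
    challenge,
    rpId,
    allowCredentials: registeredKeys.map((k) => ({
      type: "public-key",
      id: k.credentialId,
      transports: k.transports.filter((t) => HARDWARE_TRANSPORTS.has(t)),
    })),
    hints: ["security-key"],
    userVerification: "preferred",
    timeout: 60000,
  };
}

// Registration-time policy check. `attachment` is
// PublicKeyCredential.authenticatorAttachment and `transports` is
// AuthenticatorAttestationResponse.getTransports(). Older browsers may return
// neither, so the policy fails closed when the evidence is missing.
function classifyRegistration({ attachment, transports }) {
  const t = Array.isArray(transports) ? transports : [];
  if (attachment === "platform") return { accepted: false, reason: "platform-authenticator" };
  if (t.includes("hybrid")) return { accepted: false, reason: "hybrid-qr-code" };
  if (t.some((x) => HARDWARE_TRANSPORTS.has(x))) return { accepted: true, reason: "hardware-transport" };
  if (t.includes("internal")) return { accepted: false, reason: "platform-internal" };
  if (attachment === "cross-platform") return { accepted: true, reason: "cross-platform-attachment" };
  return { accepted: false, reason: "insufficient-evidence" };
}

// Constructed sample registration results, shaped like what a browser returns.
const SAMPLE_REGISTRATIONS = {
  yubikey: { attachment: "cross-platform", transports: ["usb", "nfc"] },
  phoneViaQr: { attachment: "cross-platform", transports: ["hybrid", "internal"] },
  touchId: { attachment: "platform", transports: ["internal"] },
  legacyBrowser: { attachment: null, transports: undefined },
};

// Constructed fixed challenge; a real one is random, server-generated, per ceremony.
const SAMPLE_CHALLENGE = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16]);

// Run the policy over every sample and return the verdicts keyed by sample name.
function evaluateSamples() {
  const out = {};
  for (const [name, reg] of Object.entries(SAMPLE_REGISTRATIONS)) {
    out[name] = classifyRegistration(reg);
  }
  return out;
}

console.log(evaluateSamples());
```

The registration check is the part worth keeping even if the browser ignores every hint: the QR code cannot be removed from the registration dialog, but a credential that arrives with the "hybrid" transport or a "platform" attachment can be refused before it is stored, which turns a best-effort UI hint into an enforced policy.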

Important Considerations

  • Browser Support: These settings are often "best-effort" and depend on whether the browser/OS honors the requested hints.
  • User Experience: Even with the skipQRCodeForSecurityKeyAuthentication flag enabled, the presence of the QR code during registration may be confusing to users if the intent is a YubiKey-only policy.
  • Testing: Verify the behavior across different browser engines (Chromium vs. WebKit) as enforcement varies.