

Configure Security Key/Biometrics (FIDO) for two-factor authentication¶

This page guides you through configuring two-factor authentication for a web application using Security Key/Biometrics (FIDO) as the second factor.

Info

WSO2 Identity Server uses the WebAuthn API to enable FIDO-based authentication for browsers that no longer support the u2f extension.
The following browser versions support the WebAuthn API by default:
- Chrome 67 and above
- Firefox 60 and above
- Edge 17723 and above
FIDO2 passwordless login with platform authenticators will NOT work on the Firefox browser in macOS Catalina, Big Sur, and Monterey due to browser limitations.
FIDO2 passwordless login with roaming authenticators will NOT work on the Firefox browser as the browser doesn't support CTAP2 (Client to Authenticator Protocol 2) with PIN.

Does your browser support your FIDO devices?

You can use the Yubico site to check the browser support for FIDO devices.

Set up Identity Server to use FIDO¶

Add the following configurations to the deployment.toml file in the <IS_HOME>/repository/conf directory.

To define the origin URLs where the WSO2 Identity Server My Account will be hosted (e.g., https://localhost:9443).
```
[fido.trusted]
origins=["https://localhost:9443"]
```
To configure the relevant server URL as the AppID if you are using a reverse proxy enabled setup.
```
[authentication.authenticator.fido.parameters]
AppID="https://hostname"
```

Save the configurations and restart the server.

This section guides you on adding FIDO as a service provider's second authentication step.

You need to set up the sample application.
You need to have a FIDO2 security key registered in IS. Learn how to register your FIDO security key.

To configure FIDO as the second authentication factor:

On the management console, go to Main > Identity > Service Providers > List.
Click Edit on the saml2-web-app-pickup-dispatch.com service provider.
Expand the Local and Outbound Authentication Configuration section and click Advanced Configuration.
Click + Add Authentication Step twice to add two authentication steps.
Select the following authentication methods from the relevant dropdowns and click + Add Authenticator.

Authentication step Local Authenticator

First step Username & Password

Second step Security Key/Biometrics
Click Update to save the configurations.

You have successfully configured FIDO as the second factor of authentication.

Access the following sample Pickup Dispatch application URL: http://localhost.com:8080/saml2-web-app-pickup-dispatch.com
Click Login and enter admin's credentials.
Depending on the FIDO biometric method configured, you will be prompted to enter a code, use the security key or use your fingerprint scanner.
Add your security key or biometrics and click Continue.

You will now be logged into the application successfully.

Authentication step	Local Authenticator
First step	`Username & Password`
Second step	`Security Key/Biometrics`