Enable FIDO2 authentication

FIDO2 is an authentication standard hosted by FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys.

CyberArk leverages the WebAuthn API to enable passwordless authentication to CyberArk Identity using either external or on-device authenticators.

Single-factor FIDO2 authenticators are something you have. Examples are external authenticators like security keys that you plug into the device's USB port; for example, a YubiKey.

Refer to NIST 800-63b for more information about single-factor cryptographic devices.

Supported multi-factor FIDO2 authenticators are something you are. Popular examples are biometric authenticators integrated into device hardware, such as Mac Touch ID, Windows Hello, and fingerprint scanners.

Refer to NIST 800-63b for more information about multi-factor cryptographic devices.

Refer to https://webauthn.io/ and https://fidoalliance.org/fido2/ for more information about WebAuthn and FIDO2, respectively.

To enable FIDO2 authentication for users:
You can choose between security key enrollment and on-device authenticator for FIDO2 authentication as an early access feature. Early access features are fully-supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features. Contact your account representative to enable this feature.
  1. Log in to the Identity Administration portal.
  2. Click Core Services > Policies.
  3. Select a policy set or create a new one.
  4. Specify the users/roles to which this policy applies using the Policy Assignment options.

    This configuration option is particularly important if you are creating a new policy.

  5. Click User Security Policies > User Account Settings.

  6. Select Yes in the Enable FIDO2 Authentication drop-down box.

  7. Select Yes in the Enable security key enrollment drop-down box.

  8. Enter a name in the FIDO2 Security Key Display Name field.

    This name should be recognizable by your users.

  9. Choose Yes or No in the Prompt users to setup FIDO2 Authenticator on login drop-down.
  10. (Optional) Select an authentication profile to require users to provide additional authentication before they can activate and modify the FIDO2 Authenticator in the User Portal .

    See Create authentication profiles for information about authentication profiles.

  11. Click Save.

Users can now log in to User Portal and activate their FIDO2 authenticator(s). You can direct users to Manage FIDO2 Authenticators for activation instructions.