Manage FIDO2 authenticators

FIDO2 authenticators are either on-device authenticators or external security keys that provide passwordless authentication.

This feature requires prior configuration by your system administrator.

Add a FIDO2 security key

  1. Log in to the User Portal.
  2. Click Account > Authentication Factors.
  3. Add a FIDO2 security key, such as a YubiKey, or an on-device authenticator.

    FIDO2 security key

    1. Click the Add button associated with the FIDO2 authenticator name created by your system administrator.

      In this example, the system administrator used the name "YubiKey".

    2. Click Next on the information screen.

    3. Enter a name for your security token and click Next.

      Most users will have only one token, but this name differentiates multiple tokens.

    4. Insert your FIDO2 security key into your computer and follow the instructions on the screen.

      You can now use your FIDO2 security key to authenticate to CyberArk Identity.

    On-device authenticator

    Click the Add button associated with the on-device authenticator that you want to configure and follow the on-screen instructions.

    For example, the following procedures illustrate how to register a Windows Hello or Mac Touch ID authenticator. Other on-device authenticators have similar procedures.

    Windows Hello

    1. Click Add New Authenticator and click Next.

    2. Enter a name for the authenticator and click Next.

    3. Interact with the authenticator at the prompt. This could be a PIN, fingerprint, or security key. Click More choices to change how you interact with Windows Hello.

    4. Click Allow so that CyberArk can see your security key (in this case, your fingerprint).

    5. Enter any additional authentication that your administrator has required to complete the action and click Next.

    6. Click Close on the final screen indicating that you can now use your on-device authenticator.

    Mac Touch ID

    1. Click Add New Authenticator and click Next on the following screen explaining what an on-device authenticator is.

      The lid on the Mac must be open for the browser to find the on-device authenticator.

    2. Enter a name for the authenticator and click Next.

    3. Scan your finger on the fingerprint reader at the prompt.

    4. Click Use Password... to enter your password and allow the browser to verify your identity.

    5. Enter any additional authentication that your administrator has required to complete the action and click Next.

    6. Click Close on the final screen indicating that you can now use your on-device authenticator.


Troubleshoot FIDO2 security keys

The following table lists common problems and solutions related to the management of FIDO2 security keys.

Problems and solutions for troubleshooting FIDO2 security keys

Problem: You receive the following warning message: "Your current browser does not support <admin defined name> registration. Please contact your system administrator."

Solution: The Web Authentication APIs used by FIDO2 authenticators are only available in browsers that implement them. This browser support is controlled by the W3C and the FIDO Alliance and is unrelated to CyberArk Identity. See https://fidoalliance.org/fido2/fido2-web-authentication-webauthn/ for more information.

Problem: On the Accounts page of your User Portal you see the following description for a FIDO2 key: "The current tenant URL is not the same as what the device registered with. Please delete and re-register the device with this tenant."

Solution: The security keys are associated with a URL at the time of registration; they are invalidated if your administrator changes the tenant URL or switches to a vanity URL. Delete and re-register the key.
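As an added illustration of both troubleshooting entries (example code, not part of this CyberArk documentation or product): a FIDO2 credential is bound at registration to the WebAuthn relying party ID derived from the tenant URL's host, so a later tenant URL change makes the browser refuse the credential, and the Web Authentication API can be feature-detected before registration is offered. The tenant URLs and credential ID below are constructed placeholders, and the relying-party check is simplified and does not consult the public suffix list.

```javascript
// Added example, not CyberArk code. Models why a FIDO2 key registered against
// one tenant URL stops working after the tenant URL (or a vanity URL) changes.

// Constructed placeholder tenant URLs, not real tenants.
const REGISTERED_TENANT = "https://tenant-placeholder.example";
const VANITY_TENANT = "https://login.vanity-placeholder.example";

// The effective domain the browser derives from a page origin for WebAuthn.
function effectiveDomain(origin) {
  return new URL(origin).hostname.toLowerCase();
}

// Simplified WebAuthn rule: a relying party ID is usable from an origin only if
// it equals the origin's effective domain or is a parent domain of it.
// (The real check also rejects public suffixes such as "co.uk"; omitted here.)
function rpIdValidForOrigin(rpId, origin) {
  const host = effectiveDomain(origin);
  return host === rpId || host.endsWith("." + rpId);
}

// At registration the authenticator stores the credential together with the
// relying party ID; by default that is the host of the tenant URL in use.
function registerCredential(origin, credentialId) {
  return { credentialId, rpId: effectiveDomain(origin) };
}

// Decide whether a stored credential can still be used from the current
// tenant URL; "re-register" matches the advice shown in the User Portal.
function checkCredentialForTenant(credential, currentOrigin) {
  return rpIdValidForOrigin(credential.rpId, currentOrigin) ? "ok" : "re-register";
}

// For the first troubleshooting entry: feature-detect the Web Authentication
// API before offering registration. Pass `window` in a browser; `win` is a
// parameter here so the check can run outside one.
function webAuthnSupported(win) {
  return Boolean(
    win &&
      win.PublicKeyCredential &&
      win.navigator &&
      win.navigator.credentials &&
      typeof win.navigator.credentials.create === "function"
  );
}

// Walk-through with the constructed tenants.
const key = registerCredential(REGISTERED_TENANT, "constructed-credential-id");
console.log(checkCredentialForTenant(key, REGISTERED_TENANT)); // ok
console.log(checkCredentialForTenant(key, VANITY_TENANT)); // re-register
```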