Customize FIDO Authentication

You can customize the authentication experience for users in the following ways:

Using Third-Party Domain

If your company has developed an authentication client that supports FIDO authentication methods using the RSA Authentication API, you can configure one or more third-party domains, that is, domains other than securid.com. The RSA Authentication API Developer's Guide describes how to implement a web client for FIDO authentication methods.

Before you begin 

  • You must be a Super Admin for the Cloud Administration Console.

  • Obtain the value of the FIDO_RP_ID that is used in the FIDO web client from your web client developer.

Procedure 

  1. In the Cloud Administration Console:

    • If your company is not enabled for a custom mobile app, click Access > FIDO Authentication.

    • If your company is enabled for a custom mobile app, click Access > Custom Authentication.

  2. In the Host Name (FIDO_RP_ID) field, ensure that the host name matches the domain from which the client accesses and performs FIDO authentication.

  3. The Reserved FIDO Labels field displays both the Tenant Base Domain and the Tenant Custom Domain as FIDO labels for use by FIDO-related origins.

  4. In the FIDO Relying Party Domain(s) field, click +Add to add one or more FIDO relying party domains. Click the delete icon to remove an added domain.

  5. Click Save.

  6. (Optional) Click Publish Changes to activate the settings immediately.
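The following is an added example, not code from RSA or from the Cloud Administration Console. It shows the WebAuthn rule that step 2 depends on (the RP ID must equal the web client's host name or be a parent domain of it, and it may not be a public suffix), and the label budget that browsers apply to related origins, which is assumed here to be what the relying party domains of step 4 and the labels of step 3 feed into. The small public-suffix table and the sample origins are constructed for the example.

```javascript
// Added example (not RSA's code): RP ID and related-origin checks a FIDO web
// client or relying party can run before starting a WebAuthn ceremony.

// Tiny public-suffix table constructed for this example; real clients use the
// full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Returns the label just left of the public suffix ("example" for both
// login.example.com and example.co.uk), or null if the host has no known suffix
// or is itself a public suffix.
function registrableLabel(host) {
  const parts = host.toLowerCase().split(".");
  for (let i = 0; i < parts.length; i++) {
    if (PUBLIC_SUFFIXES.has(parts.slice(i).join("."))) {
      return i === 0 ? null : parts[i - 1];
    }
  }
  return null;
}

// WebAuthn RP ID rule: the origin must be a secure context and its host must
// equal the RP ID or end with "." + RP ID; a public suffix is never a valid RP ID.
function rpIdIsValidForOrigin(rpId, origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  if (url.protocol !== "https:" && url.hostname !== "localhost") return false;
  const host = url.hostname.toLowerCase();
  const id = rpId.toLowerCase();
  if (id === "" || PUBLIC_SUFFIXES.has(id)) return false;
  return host === id || host.endsWith("." + id);
}

// Related Origin Requests (WebAuthn Level 3): when the caller's origin does not
// match the RP ID, the browser fetches https://<rpId>/.well-known/webauthn and
// accepts the caller only if it is listed there, counting at most maxLabels
// distinct registrable labels. Origins past the label budget are ignored.
function relatedOriginAllowed(callerOrigin, wellKnownOrigins, maxLabels = 5) {
  const caller = new URL(callerOrigin).origin;
  const seen = new Set();
  for (const entry of wellKnownOrigins) {
    let url;
    try { url = new URL(entry); } catch { continue; }
    if (url.protocol !== "https:") continue;
    const label = registrableLabel(url.hostname);
    if (label === null) continue;
    if (!seen.has(label)) {
      if (seen.size >= maxLabels) continue; // label budget exhausted
      seen.add(label);
    }
    if (url.origin === caller) return true;
  }
  return false;
}

// Decides whether a ceremony may start from callerOrigin with the configured
// FIDO_RP_ID, either directly or through a related-origin listing.
function ceremonyAllowed(configuredRpId, callerOrigin, wellKnownOrigins) {
  if (rpIdIsValidForOrigin(configuredRpId, callerOrigin)) return true;
  return relatedOriginAllowed(callerOrigin, wellKnownOrigins);
}

// Constructed sample: tenant RP ID plus a custom-domain client listed as a
// related origin.
const SAMPLE_RP_ID = "example.com";
const SAMPLE_WELL_KNOWN = ["https://login.example.com", "https://login.example.co.uk"];
console.log(ceremonyAllowed(SAMPLE_RP_ID, "https://login.example.co.uk", SAMPLE_WELL_KNOWN));
```

The direct check rejects an RP ID that the origin does not sit under (so `evil-example.com` does not satisfy an RP ID of `example.com`), and the related-origin path is what lets a client on a custom domain authenticate against the tenant's RP ID without changing FIDO_RP_ID.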

Configuring FIDO Synced Passkey Settings

Previously, a FIDO credential (now called a passkey) usually resided only on the physical device on which it was created. In 2022, the FIDO Alliance introduced a new type of FIDO credential that is automatically synced to a cloud service and is then seamlessly available on all of the computing devices (for example, computer, mobile, or tablet) owned by a user.

Since 2023, FIDO has used the term "passkey" for all FIDO credentials, distinguishing between two sub-types:

  • Synced passkey: A credential that can be saved online and restored / used on multiple devices.

  • Device-bound passkey: A credential that resides only on a physical device and cannot be extracted or restored.

Synced passkeys offer convenience, but their security implications need to be fully understood before they are used. Therefore, RSA recommends that customers with high-security-risk use cases carefully consider the reduction in security and the potential regulatory implications of using synced passkeys in their deployments.

By default, registering synced passkeys and using them for authentication are disabled. When synced passkeys are disabled, you can define a grace period during which users can still authenticate with synced passkeys they registered previously. Before the grace period ends, those users must log in to My Page > My Authenticators and register new authentication methods.

Procedure 

  1. In the Cloud Administration Console, click Access > FIDO Authentication.

  2. If you want to allow users to register FIDO synced passkeys and use them for authentication, select Allow the use of FIDO synced passkeys.

  3. If the use of synced passkeys is not allowed, select the Grace Period for Authentication option and then set the Grace Period End Date. Users can authenticate with their previously registered synced passkeys during the defined grace period. After the grace period ends, a user can no longer use their registered synced passkeys for authentication.

  4. Click Save.

  5. (Optional) Click Publish Changes to activate the configuration immediately.
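The following is an added example, not code from RSA or from the Cloud Administration Console. It shows how a relying party can tell a synced passkey from a device-bound one at registration and authentication time (WebAuthn signals this through the backup-eligible and backup-state flags in the authenticator data), and how the two settings described above, allowing synced passkeys and a grace period end date, translate into an accept/reject decision. The policy object shape, the function names, and the sample authenticator data are constructed for the example.

```javascript
// Added example (not RSA's code): classifying passkeys and applying a
// synced-passkey policy with a grace period.

// Authenticator data layout: 32-byte rpIdHash, 1 flags byte, 4-byte signCount, ...
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_BE = 0x08; // backup eligible: the credential may be synced to a cloud service
const FLAG_BS = 0x10; // backup state: the credential is currently backed up

// Reads the flags byte at offset 32 of the authenticator data.
function parseFlags(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const f = authData[32];
  return {
    userPresent: (f & FLAG_UP) !== 0,
    userVerified: (f & FLAG_UV) !== 0,
    backupEligible: (f & FLAG_BE) !== 0,
    backedUp: (f & FLAG_BS) !== 0,
  };
}

// BE=1 means a synced passkey; BE=0 means a device-bound passkey. BE is fixed
// for the lifetime of a credential, so it can be recorded at registration.
function passkeyKind(flags) {
  return flags.backupEligible ? "synced" : "device-bound";
}

// Registration: when synced passkeys are disabled, refuse to register a
// backup-eligible credential so the user picks a device-bound method instead.
function evaluateRegistration(authData, policy) {
  const kind = passkeyKind(parseFlags(authData));
  if (kind === "synced" && !policy.allowSyncedPasskeys) {
    return { accepted: false, kind, reason: "synced passkeys are disabled" };
  }
  return { accepted: true, kind, reason: null };
}

// Authentication: a synced passkey registered earlier keeps working only until
// the configured grace period end date when synced passkeys are disabled.
// policy = { allowSyncedPasskeys: boolean, gracePeriodEnd: Date | null }
function evaluateAuthentication(authData, policy, now) {
  const kind = passkeyKind(parseFlags(authData));
  if (kind !== "synced" || policy.allowSyncedPasskeys) {
    return { accepted: true, kind, reason: null };
  }
  if (policy.gracePeriodEnd && now < policy.gracePeriodEnd) {
    return { accepted: true, kind, reason: "within grace period" };
  }
  return { accepted: false, kind, reason: "synced passkeys are disabled and the grace period has ended" };
}

// Constructed sample authenticator data: zero rpIdHash (a real one is the
// SHA-256 of the RP ID), the given flags byte, and a sign counter of 0.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  return buf;
}

// Constructed policy matching the page's default: synced passkeys disabled,
// with a grace period end date set by the administrator.
const SAMPLE_POLICY = { allowSyncedPasskeys: false, gracePeriodEnd: new Date("2025-01-01T00:00:00Z") };
console.log(evaluateAuthentication(sampleAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS), SAMPLE_POLICY, new Date("2024-12-01T00:00:00Z")));
```

A relying party that wants to enforce the device-bound requirement must read these flags on its own server; the authenticator's attestation does not stop a backup-eligible credential from being created, it only lets the server see that it was.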