Search

Manage Multiple Passkey Credentials

Ellen Thoren - Versasec
Ellen Thoren - Versasec
  • Updated

Introduction

From version 7.0, using vSEC:CMS, it is possible to manage multiple passkeys on the same credential issued to different IdPs.

Using a credential management system to manage your passkeys allows you to:

  • Enforce passkey usage: Require passkeys for authentication within your environment.
  • Delegate passkey management: Offload the complexities of passkey storage, synchronization, and recovery to specialized third-party providers.
  • Centralize policy enforcement: Maintain control over authentication policies and user access through your environment.
  • Improve security: Benefit from the enhanced security of passkeys while simplifying user experience.

FIDO management - overview - white.png

FIDO2 credentials typically use HID interface for communicating with the device. If attempting to use/manage the FIDO2 credential over an RDP connection then this will not be possible as USB forwarding of HID supported devices is not possible out of the box. Therefore, when managing such credentials with vSEC:CMS you need to do this directly on a host where the device is attached.

It is required to install the RSDM service on any client where self-service FIDO2 operations are to be allowed. The RSDM service will allow for administration operations to be performed when issuing a FIDO2 credential or setting/changing the FIDO2 PIN.
Untitled.png 

This article explains how to set up your system to issue and manage passkeys from multiple IdPs. We'll demonstrate this using vSEC:CMS with two different IdPs.

Prerequisites

It is required that you have at least 2 supported IdPs configured already in your system. For instructions on how to configure these, and depending on what you use see the links below:

  • For Entra ID see here
  • For Thales STA see here
  • For Okta see here
  • For Ping see here
  • For Entrust Identity see here

Configure Credential Template for Central Issuance

From Templates - Credential Templates click the Add button.

Enter a template name and click the Detect button. Make sure that you have the FIDO2 token attached and selected from the reader drop-down list and click Ok. You should see something similar to below. 

Untitled.png

Enable the Enable FIDO2 check box and leave all other settings as is and click Ok at the bottom of the dialog.

Untitled.png

In the Issue Card section enable Assign user ID  and select the user directory that you wish to use from the drop-down list.

In the FIDO2 Options section click the Manage button. Click Add and enter a name for the template.

In the FIDO2 Configuration section the following settings can be configured:

  • Perform FIDO2 Reset Before Issuance: Reset the device's FIDO2 applet to its default state before issuance by enabling this setting. This option is only available for devices that do not require detachment and reattachment during a FIDO2 reset.
  • Always Require User Verification: User verification during authentication is optional for some IDPs. To require user verification, enable this setting. This feature is only available for devices supporting CTAP 2.1.
  • Enable BIO Enrollment: Enable this setting if the device supports FIDO2 BIO enrolment.
    • Number of Enrollments: This is the minimum number of finger prints you need to enrol.
    • Enrollment Timeout(ms): This is time (in milisecods) you have to enrol at least one finger print.
  • Enable FIDO2 PIN: A FIDO2 PIN is required. This setting is for informational purposes only and cannot be disabled.
  • Set Minimum PIN Length: If configured, this will be the device's minimum PIN length, which will be set within the FIDO2 applet extension minPinLength. This applies to CTAP 2.1 compatible devices.
  • Minimum PIN Length RP ID List: Only specify Relying Party (RP) IDs here if the minPinLength extension is supported. This parameter is strictly prohibited when the extension is not supported. For example, to put this RP ID apps.pingone.eu double click the label and enter the value. To delete an entry, right click and select Delete. To edit the RP ID double click the entry.

In the Passkey(s) to Issue section enable the check boxes for the IdPs used in your environment that you want passkeys issued to.

Click Save to save and close the dialog.

Untitled.png

Click the Edit link for Initiate Card and enable Update Credentials at FIDO2 IdP. This will push the passkey for the user to the IdP when setting the FIDO2 PIN on the credential.

Untitled.png

Click the Edit link for Revoke Card and enable Update Credentials at FIDO2 IdP. This will update the IdP when the authenticator is revoked. Additionally, enable Force FIDO2 Authenticator data deletion at IdP which will remove the authenticator at the IdP when the credential is revoked.

Untitled.png

Click Ok so save and close the configuration for the template.

Issue Passkey Credential Centrally

The credential can be issued either using the vSEC:CMS Admin or Agent applications. For either of these application refer to these articles Install Admin Application and Install Agent Application for instructions on how to set these up. 

In this guide we will use the Agent Application.

Navigate to the Life Cycle tab and with a credential attached select the Issued oval along with the template from the available drop-down list and click Execute.

Untitled.png

This will trigger the issuance flow. You will be prompted to select a user from your directory who the token will be issued to.

At the end of the issuance the token will be Issued. You can activate the token by selecting Active and setting a FIDO2 PIN that can then be used by the end used.

Alternatively, the end user can set the FIDO2 PIN using the vSEC:CMS User application. The vSEC:CMS User application needs to be online and connected to the backend vSEC:CMS service to perform setting a FIDO2 PIN.

Untitled.png

Now the user, for example, can try to login to both of their different IdPs. Select the external key option.

From the vSEC:CMS Admin console you can see details about the managed credential from Repository - Credentials by selecting a credential and clicking the Details button.

Untitled.png

If you then need to revoke the credential, for whatever reason, the credential will be revoked on the IdP. For example, from the Life Cycle tab search for a user who you wish to revoke and you can then verify that the credential is revoked on the IdP by trying to log in with the hardware credential.