Introduction
Starting from vSEC:CMS 7.3, organizations can effectively streamline the administration of SafeNet eToken Fusion BIO credentials. By leveraging the extensive management capabilities of vSEC:CMS, administrators can oversee the entire lifecycle of both PKI and FIDO2 passkey credentials through a single, unified interface.
Key Lifecycle Management Features
Unified Governance: Manage diverse credential types (PKI and FIDO2) without switching between disparate systems.
End-to-End Automation: Simplify issuance, maintenance, and revocation processes to reduce manual overhead.
Biometric Integration: Fully support the unique security requirements of the Fusion BIO series.
Please follow the detailed instructions in this guide to begin managing your token lifecycles.
Add Credential
Log in to the Admin console and navigate to Options - Credentials. Attach a SafeNet eToken Fusion BIO credential. The Admin console will filter for this credential type. If the filter is empty, as in the example below,
click Add - Add - Get - Ok; you should then see something similar to the example below. Click Save to complete this step.
This guide describes how to configure a SafeNet eToken Fusion BIO credential for use with Entra ID. Follow the instructions here closely to configure and issue passkeys where Entra ID is used as the IdP.
Enroll BIO Credential
You can enroll your biometric credentials on the SafeNet eToken Fusion BIO using either of two methods.
Prerequisite: Ensure you have already issued an Entra ID passkey through vSEC:CMS. Once that is complete, follow these steps to finish the enrollment:
Enroll via vSEC:CMS Agent Application
From the Agent application, navigate to the FIDO2 tab, attach the credential and click the BIO Enrollment button.
The user who is going to enroll their fingerprint should enter the FIDO2 PIN they have already set when prompted.
Enter a name for the enrollment in the New Enrollment Name field and click the New Enrollment button.
A maximum of 2 enrollments is allowed on the token.
You will be prompted to place your finger on the sensor on the token. Follow the on-screen prompts.
You will need to touch the sensor several times to get a good match stored on the credential. On the physical token, a flashing green light indicates that a fingerprint needs to be scanned on the sensor.
When the enrollment is complete, you will see a success dialog like the one below. Note that you can remove the enrolled fingerprint(s) and enroll again at any time.
Enroll via vSEC:CMS User Application
From the vSEC:CMS User application, navigate to the FIDO2 tab, attach the credential and click the Manage BIO Enrollments button.
The user who is going to enroll their fingerprint should enter the FIDO2 PIN they have already set.
Enter a name for the enrollment in the New Enrollment Name field and click the New Enrollment button.
A maximum of 2 enrollments is allowed on the token.
You will be prompted to place your finger on the sensor on the token. Follow the on-screen prompts.
You will need to touch the sensor several times to get a good match stored on the credential. On the physical token, a flashing green light indicates that a fingerprint needs to be scanned on the sensor.
When the enrollment is complete, you will see a success dialog like the one below. Note that you can remove the enrolled fingerprint(s) and enroll again at any time.
Perform BIO Authentication
With your credential issued and your biometrics successfully enrolled on the token, you are now ready to authenticate via Entra ID.
You have three attempts to scan an enrolled fingerprint. If a scan is not recognized, the physical token will flash red. After three failed attempts, the token will require your FIDO2 PIN as a fallback. Successfully entering your PIN will reset the sensor, allowing you to use your fingerprint again for the next authentication.