
TrustBuilder FIDO2

FIDO2 is a modern authentication standard that enables secure login experiences. This feature integrates with the TrustBuilder platform.

Prerequisites

TrustBuilder platform version: 2024.9.0 and higher.
Starting from the 2024.9.0 release, tenants include:

  • a system TrustBuilder FIDO2 IDP linked to the TrustBuilder FIDO2 server (OIDC-based).

  • new OAuth scopes to manage FIDO2-related operations:

    Component                      OAuth scope(s)         Description
    TrustBuilder Admin Portal      fido_keys:read         Allows read operations on FIDO2 keys
                                   fido_keys:write        Allows read and write operations on FIDO2 keys
                                   fido_policies:read     Allows read operations on FIDO2 policies
                                   fido_policies:write    Allows read and write operations on FIDO2 policies
    TrustBuilder Self-Service      fido:registration      Allows registration of a FIDO2 key
    Portal                         fido_keys:self         Allows management of the user's own FIDO2 keys

Enable FIDO2 authentication method

To enable the FIDO2 authentication method for users, create a new access flow (or configure an existing one).

  1. In TrustBuilder Admin portal, navigate to Access Management > Access Flows.

  2. Click on + Add Access Flow.

  3. Click on Add Authentication Scheme:

    1. Name: define a name (e.g. FIDO Authentication Scheme).

    2. Scheme Type: Select Authentication level.

    3. Click Save.

  4. Click on Add Authentication Method:

    1. Display Name: define a name (e.g. FIDO Method).

    2. OpenID Context: specify the ACR value that identifies this method to applications (e.g. phr).

    3. Link Identity Providers: select TrustBuilder FIDO2 IDP.

    4. Click Save.

  5. Once the access flow appears, click on Link Service Providers:

    1. Select a Service Provider (application) to be linked to this access flow.

    2. Click Next.

    3. Configure the following for this service provider:

      • Default Method Comparison: set to MINIMUM.

      • Default method: Select the authentication method.

    4. Click Save.

  6. Repeat step 5 for each application (service provider) to be added.

The new access flow is successfully created.

To avoid losing access to the Admin Portal, change the default scheme and methods with care. If you edit an existing access flow, we recommend only adding the TrustBuilder FIDO2 IDP to the existing configuration, without making any other changes.

Edit FIDO2 Registration policy

The FIDO2 Registration policy defines which types of FIDO2 authenticators users can register. Its parameters are security restrictions on enrolment: how many keys a user may hold, which authenticator attachment is accepted, whether attestation against the metadata list is required, and which authenticator models are allowed or blocked.

Available from platform version 2025.2.0

https://youtu.be/HOb4gXMl9JQ?si=Yd3mCJiMAmSEfIQW

To edit the FIDO2 Registration Policy:

  1. Go to Authentication Management > FIDO2 registration policy.

  2. In the top right corner, click on Edit Policy.
  3. Edit the parameters as needed:

    Registration Policy Information

      • Name: the name of the FIDO2 registration policy (mandatory, cannot be edited).
        Default: Initial registration policy

      • Description: a description of the FIDO2 registration policy (optional, cannot be edited).
        Default: none

      • Applies to: the scope of users to whom the policy applies (cannot be edited).
        Default: All users

    Registration Policy Parameters

      • Maximum Number of Keys: how many FIDO2 security keys a user can register. The lowest value that can be configured is 1 key.
        Default: 10 keys per user

      • User Verification: how user verification (e.g. PIN, fingerprint, facial recognition) is requested from the authenticator during authentication.

        • Required: users must verify their identity on the authenticator, otherwise authentication fails.

        • Preferred: user verification is requested but not mandatory.

        • Discouraged: user verification is not requested (an authenticator may still perform it on its own).

        Default: Preferred

    Authentication Settings

      • Support of: which types of authenticators can be used.

        • All: any type of authenticator is accepted.

        • Cross-platform: external (roaming) devices such as a YubiKey or Google Titan Key.

        • Platform: authenticators built into the device, such as Windows Hello or Touch ID.

        Default: All

      • Attestation Requirement: whether an authenticator must be validated against the official metadata list before it can be registered.
        Default: No

      • List Enforcement: whether only specific authenticator models are allowed, or specific models are blocked.

        • Disabled: list enforcement is not active; all authenticator models are allowed.

        • Enabled, with one of:

          • Whitelist: only the listed authenticator models can be registered.

          • Blacklist: the listed authenticator models cannot be registered.

        Authenticator models: define the list (whitelist or blacklist) of authenticator models:

          • Click on Manage models list. Only authenticators from the official metadata list are proposed.

          • Search for models and select them.

          • Click on Add → to add the models to the list.

          • Click Save.

        The list can be set up before the List Enforcement option is enabled.

        Default: Disabled

  4. Click on Save to update the registration policy.
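To make the policy parameters concrete, here is an added example (not TrustBuilder code) of how such a registration policy shapes a WebAuthn registration ceremony and how a relying party evaluates the resulting key before storing it. The policy field names, the AAGUIDs, the sample metadata set and the shape of the parsed registration response are all invented for the example; TrustBuilder's internal representation is not documented on this page.

```javascript
// Added example, not TrustBuilder code: how the registration policy parameters
// above translate into a WebAuthn registration ceremony, and the checks a
// relying party runs on the result before storing a new key. Assumptions, not
// taken from the page: the policy field names, the AAGUIDs and the shape of
// `parsed` are invented for this example; TrustBuilder's internal format differs.

// A policy as configured in the Admin Portal (the defaults from the list above).
const EXAMPLE_POLICY = {
  maxKeys: 10,
  userVerification: "preferred",   // "required" | "preferred" | "discouraged"
  support: "all",                  // "all" | "cross-platform" | "platform"
  attestationRequired: false,      // true: model must appear in the metadata list
  listEnforcement: "disabled",     // "disabled" | "whitelist" | "blacklist"
  authenticatorModels: [],         // AAGUIDs chosen under "Manage models list"
};

// Options handed to navigator.credentials.create() in the browser.
// "Support of" becomes authenticatorSelection.authenticatorAttachment and
// "User Verification" is passed through unchanged. Attestation is requested
// whenever the policy needs to know the model: with attestation "none" the
// client zeroes the AAGUID, so neither the metadata check nor list
// enforcement would have anything to work with.
function creationOptionsFor(policy, { rpId, rpName, user, challenge, existingCredentialIds }) {
  const authenticatorSelection = { userVerification: policy.userVerification, residentKey: "preferred" };
  if (policy.support !== "all") authenticatorSelection.authenticatorAttachment = policy.support;
  const needsModel = policy.attestationRequired || policy.listEnforcement !== "disabled";
  return {
    rp: { id: rpId, name: rpName },
    user,
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }], // ES256, RS256
    authenticatorSelection,
    attestation: needsModel ? "direct" : "none",
    // Stops the same authenticator being enrolled twice in this keyring.
    excludeCredentials: existingCredentialIds.map((id) => ({ type: "public-key", id })),
    timeout: 60000,
  };
}

// Server side: `parsed` is what a WebAuthn library returns after verifying the
// attestation statement (AAGUID, UV flag, attachment). The policy decides
// whether the key may be stored; the first failing rule is reported.
function evaluateRegistration(policy, parsed, registeredKeyCount, metadataAaguids) {
  if (registeredKeyCount >= policy.maxKeys) return { ok: false, reason: "maximum number of keys reached" };
  if (policy.userVerification === "required" && !parsed.userVerified) return { ok: false, reason: "user verification required" };
  if (policy.support !== "all" && parsed.attachment !== policy.support) return { ok: false, reason: `only ${policy.support} authenticators allowed` };
  if (policy.attestationRequired && !metadataAaguids.has(parsed.aaguid)) return { ok: false, reason: "authenticator not in metadata list" };
  const listed = policy.authenticatorModels.includes(parsed.aaguid);
  if (policy.listEnforcement === "whitelist" && !listed) return { ok: false, reason: "model not on whitelist" };
  if (policy.listEnforcement === "blacklist" && listed) return { ok: false, reason: "model on blacklist" };
  return { ok: true, reason: "accepted" };
}

// Constructed data (not real AAGUIDs or metadata): a strict policy that only
// accepts one roaming key model with user verification, next to the default.
const MODEL_A = "11111111-1111-1111-1111-111111111111";
const MODEL_B = "22222222-2222-2222-2222-222222222222";
const KNOWN_MODELS = new Set([MODEL_A, MODEL_B]);
const STRICT_POLICY = {
  maxKeys: 2, userVerification: "required", support: "cross-platform",
  attestationRequired: true, listEnforcement: "whitelist", authenticatorModels: [MODEL_A],
};

function demo() {
  const ctx = {
    rpId: "portal.example-tenant.trustbuilder.io", rpName: "Self-Service Portal", // placeholders
    user: { id: new Uint8Array(16), name: "test-user", displayName: "Test User" },
    challenge: new Uint8Array(32), existingCredentialIds: [],
  };
  const key = { aaguid: MODEL_A, userVerified: true, attachment: "cross-platform" };
  return {
    defaultAttestation: creationOptionsFor(EXAMPLE_POLICY, ctx).attestation,                    // "none"
    strictAttestation: creationOptionsFor(STRICT_POLICY, ctx).attestation,                      // "direct"
    strictAccepts: evaluateRegistration(STRICT_POLICY, key, 0, KNOWN_MODELS).ok,                // true
    strictRejectsOtherModel: evaluateRegistration(STRICT_POLICY, { ...key, aaguid: MODEL_B }, 0, KNOWN_MODELS).reason, // "model not on whitelist"
  };
}
```

Two details matter in practice. The browser-side options only express a preference (an authenticator can ignore "preferred" user verification), so the enforceable decision is the server-side one in evaluateRegistration. And list enforcement or an attestation requirement is only meaningful when attestation is actually requested; with attestation "none" the AAGUID is zeroed and every model looks the same.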

Testing FIDO2 authentication method

As an admin, you can test FIDO2 authentication methods with a test user.

To know more about key management by users, see TrustBuilder Self-Service Portal documentation.

Prerequisites

  • Compatible browsers:
    Supported: Chrome, Edge, Firefox (latest versions recommended).
    Temporary limitation on Safari: security key registration and authentication do not work.

Step 1 - Configuration in the Admin Portal:

  1. Create a test user

  2. Configure an access flow with:

    • TrustBuilder FIDO2 as an IDP,

    • TrustBuilder Self Service Portal as a Service Provider.

Step 2 - Register a Security key

  1. Open a new window in a different web browser.

  2. Access the Self-Service Portal https://portal.[TENANT_ID].trustbuilder.io/

  3. If requested, select TrustBuilder Repository.
    Enter the test user’s username and password.

  4. Go to Security > Security keys > + Add a security key

  5. On the registration screen, follow the steps:

    1. Click on Register a key.

    2. Enter a name for the new security key.
      The name must be unique within the user's own keyring (other users may reuse it in their own keyrings) and cannot consist only of spaces. It is limited to 32 characters and accepts any characters, including emojis and non-Latin scripts.

    3. Follow the instructions in the pop-up window.
      The exact steps differ depending on the type of security key and the operating system.

    4. Once redirected to the Self-Service Portal, check that the security key now appears in the security keys list.

      The security key is successfully registered. It can be used to sign in to protected applications.

    5. Log out from the Self-Service Portal for the next step.

Step 3 - Sign-in with the registered Security key

  1. Access the Self-Service Portal https://portal.[TENANT_ID].trustbuilder.io/.

  2. If requested, select TrustBuilder FIDO2.

  3. Click on Sign-in.

  4. Follow the instructions in the pop-up window.
    The exact steps differ depending on the type of security key and the operating system.

Once successfully authenticated with the security key, you should be redirected to the Self-Service Portal home page.
