FIDO

From version 2.8, ESET Secure Authentication (ESA) supports two-factor authentication (2FA) on devices that support the FIDO2 (and FIDO U2F) authentication standards. See more information about FIDO here.

Requirements

Web browser that supports Web Authentication API

o Mozilla Firefox

o Google Chrome

o Microsoft Edge

For up-to-date information about supported browsers, visit https://platform-status.mozilla.org/ and search for "Web Authentication API".

Secure connection (HTTPS) (self-signed certificates can also be used)

.NET Framework 4.7.2 installed on the machine where ESA Authentication Server is installed

Supported environment

Web-based login environment protected by ESA:

o ESA Web Console

o IIS

o AD FS

NOTE

The FIDO implementation in ESET Secure Authentication has not yet been certified by the FIDO Alliance.

Configuration in ESA Web Console

The configuration in Settings > FIDO is for advanced FIDO administrators; there is no need to make any changes there.

User Verification

o Required—The FIDO-compatible authenticator must support user verification (e.g. via biometrics or PIN code). If there is no user verification, the FIDO-compatible authenticator cannot be used as a second authentication factor.

o Preferred—It is preferred for the FIDO-compatible authenticator to support user verification; however, it is not essential.

o Discouraged—It does not matter if the FIDO-compatible authenticator supports user verification or not.

Authenticator Type

o Platform (On bound)—The FIDO authenticator is a built-in solution (software, hardware) of the device where it is used as a second authentication factor.

o Cross-platform (Roaming)—The FIDO authenticator is detachable and can be used with several devices.

o Not specified—It does not matter if the FIDO authenticator is detachable or not.

Register FIDO origin

If you are using FIDO as a second authentication factor to access the ESA Web Console available at https://my-web-console.com:8001, then https://my-web-console.com:8001 must be registered as the origin.

1. In ESA Web Console, navigate to Components > Web Console.

2. Turn on FIDO.

3. Enter the ESA Web Console URL in the FIDO Origin window. In our example, https://my-web-console.com:8001.

4. Click Apply > Save.
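
In the Web Authentication API, the browser records the page's origin (including a non-default port such as :8001) in the login response, and the server compares it with the registered origin; the User Verification setting corresponds to whether the authenticator's "user verified" flag must be set. The following JavaScript (Node.js) code is an added example, not ESA code; the function names, the policy object and the sample data are constructed for illustration.

```javascript
// Added example: relying-party checks that correspond to the "FIDO Origin"
// and "User Verification" settings. Names and sample data are constructed
// for illustration; this is not ESA code. Challenge, rpIdHash and signature
// checks are separate steps of WebAuthn verification.
const FLAG_UP = 0x01; // user present (key touched)
const FLAG_UV = 0x04; // user verified (PIN or biometrics)

// Normalise a URL to the origin form browsers report: scheme://host[:port]
function normaliseOrigin(url) {
  return new URL(url).origin;
}

function checkAssertion(clientDataJSON, authenticatorData, policy) {
  const clientData = JSON.parse(Buffer.from(clientDataJSON).toString('utf8'));
  if (clientData.type !== 'webauthn.get') return { ok: false, reason: 'wrong type' };
  // The browser writes the page origin, including a non-default port.
  if (clientData.origin !== normaliseOrigin(policy.registeredOrigin)) {
    return { ok: false, reason: 'origin mismatch' };
  }
  // authenticatorData layout: 32-byte rpIdHash, 1 flags byte, 4-byte counter.
  if (authenticatorData.length < 37) return { ok: false, reason: 'short authenticatorData' };
  const flags = authenticatorData[32];
  if (!(flags & FLAG_UP)) return { ok: false, reason: 'user not present' };
  const userVerified = Boolean(flags & FLAG_UV);
  if (policy.userVerification === 'required' && !userVerified) {
    return { ok: false, reason: 'user verification required' };
  }
  return { ok: true, userVerified };
}

// Constructed sample data (not real authenticator output).
function sampleClientData(origin) {
  return Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge: 'Y29uc3RydWN0ZWQ', origin }));
}
function sampleAuthData(flags) {
  const buf = Buffer.alloc(37); // rpIdHash and counter left zeroed
  buf[32] = flags;
  return buf;
}

const policy = { registeredOrigin: 'https://my-web-console.com:8001', userVerification: 'required' };
// Matching origin, key touched and PIN entered: accepted.
console.log(checkAssertion(sampleClientData('https://my-web-console.com:8001'), sampleAuthData(0x05), policy));
// Same host without the port: rejected as a different origin.
console.log(checkAssertion(sampleClientData('https://my-web-console.com'), sampleAuthData(0x05), policy));
// Key touched but no user verification while the policy is "required": rejected.
console.log(checkAssertion(sampleClientData('https://my-web-console.com:8001'), sampleAuthData(0x01), policy));
```
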

Activate FIDO for a user

In our example, we activated FIDO as a second factor for an administrator of ESA Web Console who wants to use a FIDO USB key as a hardware authenticator.

1. Navigate to Settings > Web Console Administrators and click the name of the administrator.

a. If you are activating FIDO for a general user, look up the user in the Users screen.

2. In the user's profile, turn on FIDO.

3. Plug the FIDO USB key into the computer where you accessed ESA Web Console.

4. Click Actions > Register FIDO credentials and then click Apply.

5. When the USB key blinks, touch the touch sensor on the FIDO USB key.

6. ESA Web Console will confirm the successful registration of FIDO credentials.

From now on, when attempting to access the ESA Web Console, the administrator will be required to approve authentication by tapping the FIDO USB key after entering the correct login credentials.