FIDO

From version 2.8 ESET Secure Authentication (ESA) supports two-factor authentication (2FA) on devices that support FIDO2 (and FIDO U2F) authentication standards. See more information about FIDO.

Requirements

Web browser that supports Web Authentication API

oMozilla Firefox

oGoogle Chrome

oMicrosoft Edge

For up-to-date information about supported browsers, visit https://platform-status.mozilla.org/ and search for "Web Authentication API".

Secure connection (HTTPS) (self-signed certificates can also be used)

.NET Framework 4.7.2 installed on the machine where ESA Authentication Server is installed

Supported environment

Web-based login environment protected by ESA:

oESA Web Console

oIIS

oAD FS

oIdentity Provider Connector

Windows Login Protection


note

NOTE

FIDO implementation in ESET Secure Authentication has not yet been certified by the FIDO alliance.

Configuration in ESA Web Console

The configuration in Settings > FIDO is for advanced FIDO administrators; there is no need to make any changes there.

User Verification

oRequired—The FIDO-compatible authenticator must support user verification (e.g. via biometrics or PIN code). If there is no user verification, the FIDO-compatible authenticator cannot be used as second authentication factor.

oPreferred—It is preferred for the FIDO-compatible authenticator to support user verification, however it is not essential.

oDiscouraged—It does not matter if the FIDO-compatible authenticator supports user verification or not.

Authenticator Type

oPlatform (On bound)—The FIDO authenticator is a built-in solution (software, hardware) of the device where it is used as a second authentication factor.

oCross-platform (Roaming)—The FIDO authenticator is detachable and can be used with several devices.

oNot specified—Does not matter if the FIDO authenticator is detachable or not.

 

Register FIDO origin

If you want to use FIDO as a second authentication factor to access the ESA Web Console available at https://my-web-console.com:8001, then https://my-web-console.com:8001 must be registered as the origin.

1.In ESA Web Console, navigate to Components > Web Console.

2.Turn on FIDO.

3.Enter the ESA Web Console URL in the FIDO Origin window. In our example, https://my-web-console.com:8001.

4.Click Apply > Save.


note

FIDO origin

Every ESA component where FIDO will be used as a second authentication factor, has to be registered as the origin.

To use FIDO for other ESA component than ESA Web Console, self-enrollment for FIDO must be enabled, so that FIDO origin can be automatically set.

Activate FIDO for a Web Console administrator

In our example, we activate FIDO as a second factor for an administrator of ESA Web Console who wants to use a FIDO USB key as a hardware authenticator.

1.Navigate to Settings > Web Console Administrators, click the name of the administrator.

2.In the user's profile turn on FIDO.

3.Plug in the FIDO USB key into the computer where you accessed ESA Web Console.

4.Click Actions > Register FIDO credentials and then click Apply.

5.When the USB key blinks, touch the touch sensor on the FIDO USB key.

6.ESA Web Console will confirm the successful registration of FIDO credentials.

From now on, when attempting to access the ESA Web Console, the administrator will be required to approve authentication by tapping the FIDO USB key after the correct login credentials were entered.

Activate FIDO for a user

1.Navigate to Settings > Enrollment.

2.Enable FIDO, click Save.

3.Navigate to Users, select the applicable user.

4.Turn on FIDO, click Save.

5.The user will have to finish setup during self-enrollment.