MFA Guides

FIDO Method

The FIDO content area enables administrators to create, configure, enable and maintain FIDO device settings, including whether a PIN is required to log on to or unlock the workstation.

method_63.png
FIDO - Profile List

By default, RapidIdentity Server has a single profile for FIDO.

The Default profile contains a default PIN Policy with these settings.

Table 33. FIDO default PIN Policy settings (Setting: Value)

Require PIN: No. A value of “Yes” means the user must enter a PIN in addition to presenting the FIDO token to log on, but not to unlock a locked session.

Version: U2F_V2.

App ID: Blank by default. Set it to the URL of the RapidIdentity Server the user authenticates against (e.g. https://server.domain.com). FIDO requires TLS, so this must be an https URL.

Secure Logon Password (required): No. If set to “Yes”, the user’s password is randomized at enrollment and is not known to the user, so the password alone can no longer be used to log on.



Administrators can remove a profile by clicking Delete or edit a profile by clicking Edit.
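The App ID setting is the one value in the profile that a misconfiguration silently breaks. The following is an added example, not RapidIdentity code: a small checker for the rules a U2F App ID has to satisfy (https scheme, a host name, no embedded credentials or fragment, and, per the guidance above, the same origin users sign in at), plus the SHA-256 "application parameter" that U2F registrations are bound to. The `rp_origin` parameter and all sample URLs are this example's own assumptions.

```python
import hashlib
from urllib.parse import urlsplit


def validate_app_id(app_id: str, rp_origin: str) -> list[str]:
    """Return configuration problems for a FIDO U2F App ID; an empty list means acceptable.

    rp_origin is the scheme://host[:port] users actually sign in at. It is a parameter
    of this example, not a RapidIdentity setting.
    """
    problems: list[str] = []
    if not app_id.strip():
        # RapidIdentity leaves the field blank by default; blank is never a valid App ID.
        problems.append("App ID is blank (the default); set it to the server URL")
        return problems
    parts = urlsplit(app_id)
    if parts.scheme.lower() != "https":
        problems.append(f"scheme '{parts.scheme}' is not https; U2F clients reject non-TLS App IDs")
    if not parts.hostname:
        problems.append("App ID has no host name")
    if parts.username or parts.password:
        problems.append("App ID must not embed credentials")
    if parts.fragment:
        problems.append("App ID must not contain a fragment")
    # The simplest valid configuration is App ID == sign-in origin, which is what the
    # profile guidance recommends. Anything else needs a facet list served from the App ID URL.
    app_origin = f"{parts.scheme}://{parts.netloc}".lower()
    if parts.hostname and app_origin != rp_origin.lower().rstrip("/"):
        problems.append(
            f"App ID origin {app_origin} differs from sign-in origin {rp_origin}; "
            "use the server URL itself"
        )
    return problems


def application_parameter(app_id: str) -> str:
    """SHA-256 of the App ID string: the U2F application parameter that every key handle
    registered under this profile is bound to. Change the string (even by a trailing
    slash) and existing enrollments no longer authenticate."""
    return hashlib.sha256(app_id.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample values; server.domain.com is the page's placeholder host.
    origin = "https://server.domain.com"
    for candidate in ("", "http://server.domain.com", "server.domain.com",
                      "https://server.domain.com", "https://other.domain.com"):
        print(f"{candidate!r:32} -> {validate_app_id(candidate, origin) or 'OK'}")
    print(application_parameter("https://server.domain.com"))
    print(application_parameter("https://server.domain.com/"))
```

Because the application parameter is derived from the exact App ID string, treat the value as immutable once users have enrolled tokens: editing it on the profile forces re-enrollment.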

FIDO - Edit Profile

After editing the FIDO Profile settings, click Save, or click Cancel to discard the changes.

method_64.png
FIDO - PIN Policies

The FIDO PIN Policies menu only contains the Default PIN Policy.

method_65.png

To edit a PIN Policy, click Edit.

method_66.png

After updating the policy criteria, click Save or Cancel to discard.

Table 34. FIDO updating policy criteria (Field: Description)

Minimum/Maximum PIN Length: The allowed length of the PIN, checked at enrollment and at logon. The defaults are 6 (minimum) and 16 (maximum).

PIN Expiration Days: How many days a registered PIN remains valid before it expires.

PIN must meet complexity requirements: Enables the complexity rules listed below.

Windows Password as PIN: The user’s Active Directory password is used as the PIN.

No more than three repeated characters: Rejects a PIN containing a run of three or more of the same character (Example: 111, 444).

No more than three consecutive characters: Rejects a PIN containing a run of three or more sequential characters (Example: 123, 456).

Must contain alpha and numeric characters: The PIN must contain at least one letter and at least one digit (Example: A1B, C2D). Cannot be combined with “Must only contain numeric characters”.

Must only contain numeric characters: The PIN may contain digits only (Example: 159, 753).

Must contain special characters: The PIN must contain at least one special character (Example: !23, @34). Cannot be combined with “Must only contain numeric characters”.



FIDO - New Profile

To assign a new Profile to a Set, administrators must first create the Profile.

Follow these three steps to create a new Profile.

  1. Click New Profile.

  2. Enter a Name and Description and modify the criteria as needed.

    method_67.png
    1. Choose Require a PIN for Workstation Logon if the user must enter a PIN, in addition to presenting the FIDO token, to log on.

    2. Choose Do NOT Require PIN for Workstation Unlock if presenting the FIDO token alone should unlock a locked workstation. The user will NOT be asked for a PIN.

    3. Secure Logon Password defaults to No. If it is enabled, the user’s password is randomized when the FIDO token is enrolled and is not known to the user, so the password alone can no longer be used to log on.

  3. Click Save, or click Cancel to discard.

FIDO - New PIN Policy

To create a new PIN Policy, click New PIN Policy.

method_68.png

Name the new policy and adjust the criteria as necessary. When complete, click Save or Cancel to discard.

Table 35. FIDO New PIN Policy (Field: Description)

Name: The name of the PIN policy.

Minimum/Maximum PIN Length: The allowed length of the PIN, checked at enrollment and at logon.

PIN Expiration Days: How many days a registered PIN remains valid before it expires.

PIN must meet complexity requirements: Enables the complexity rules listed below.

Windows Password as PIN: The user’s Active Directory password is used as the PIN.

No more than three repeated characters: Rejects a PIN containing a run of three or more of the same character (Example: 111, 444).

No more than three consecutive characters: Rejects a PIN containing a run of three or more sequential characters (Example: 123, 456).

Must contain alpha and numeric characters: The PIN must contain at least one letter and at least one digit (Example: A1B, C2D). Cannot be combined with “Must only contain numeric characters”.

Must only contain numeric characters: The PIN may contain digits only (Example: 159, 753).

Must contain special characters: The PIN must contain at least one special character (Example: !23, @34). Cannot be combined with “Must only contain numeric characters”.