FIDO2 Passkeys

FIDO2 is an open authentication standard developed by the FIDO Alliance that provides an enhanced level of security based on public key cryptography. It uses authenticators built into devices, or external security keys, to log users into websites securely. Identity360 uses the WebAuthn API for FIDO2 passkey authentication to provide secure access to protected network resources. FIDO2 passkeys offer high-assurance, phishing-resistant authentication.

Identity360 currently offers FIDO2 passkey authentication for the following:

The following information on this page will assist you in understanding and setting up FIDO2 passkeys with Identity360:

Types of FIDO2 passkeys

FIDO2 passkeys let users authenticate with two types of authenticators:

Platform authenticators

These authenticators are built into the device and are used by the platform (OS) to verify the user's identity. Examples include Windows Hello, Android biometrics, and Apple Touch ID or Face ID. Users can utilize these authenticators to verify their identity for accessing protected resources.

Platform authenticators can be either device-bound or synced across multiple devices, depending on how the vendor has implemented it.

Roaming authenticators

Roaming passkeys are portable, FIDO2-compliant hardware security keys, such as the YubiKey and Titan Security Key, that are removable and work across multiple platforms. These authenticators connect to a device via USB, NFC, or Bluetooth for secure authentication.

Roaming passkeys also support Cross-Device Authentication (CDA), allowing users to verify their identity on one device while accessing resources on another. CDA lets users use their smartphone’s built-in authenticators, such as Android biometrics or Apple Face ID, to log into Identity360 on their laptop by scanning a QR code and establishing a Bluetooth connection.

Note: Unlike platform authenticators, passkeys in hardware-based security keys are stored solely on the hardware and are not synced across devices.

Steps to configure FIDO2 passkeys

Prerequisites

Configuration steps

  1. Log into the Identity360 portal and navigate to Applications > Multi-factor Authentication > Authenticators Setup > FIDO2 Passkeys.
  2. Turn on the Enable FIDO2 Passkeys toggle to allow FIDO2 passkeys.
  3. The platform or roaming authenticator binds the created passkey to a specific relying party identifier (RP ID), which is what protects the passkey against phishing: the credential cannot be used on a site whose domain does not match the RP ID. For Identity360, the RP ID is id360.manageengine.com, and it is prefilled automatically.
  4. Open Advanced Settings. In the Allowed Passkey Types drop-down, both platform and roaming passkey types are listed by default. Admins can restrict this setting so that users cannot enroll or use the restricted passkey type for future MFA logins. Changing this option affects all future passkey enrollments and MFA attempts; existing passkeys of the restricted type are still accepted during MFA, and you can remove them from the FIDO2 Passkeys report.
  5. Enable the Deny syncable passkeys checkbox to ensure passkeys are tied to specific organizational devices and not synced across multiple devices through cloud services. This is ideal for organizations with security requirements to allow only device-bound passkeys.

    Note: Enabling the Deny syncable passkeys checkbox will prevent users from enrolling passkeys that rely on cloud syncing, such as Apple devices with iCloud accounts.

  6. From the drop-down menu, select whether User Verification is Required, Preferred, or Discouraged for roaming authenticators. User verification, such as a PIN or additional biometrics, provides an extra layer of security by ensuring that whoever presents the security key is an authorized user. This matters because a misplaced key could otherwise be used by anyone who finds it.
    • Required: The user will always be required to verify their identity using the in-built verification mechanism configured on the roaming authenticator after inserting it.
    • Preferred: If user verification, such as a PIN or biometrics, is configured on the roaming authenticator, users will be prompted to verify their identity when the authenticator is inserted. If no verification method is set, users will not be asked for any identification.
    • Discouraged: If your organization uses U2F-based security keys that do not support user verification, admins can select the Discouraged option. Users will not be asked for verification upon inserting their FIDO2 passkey. However, some security keys mandate verification on supported devices even when it is Discouraged. Please refer to the documentation received with your security key to ascertain this.
  7. Specify the maximum number of passkeys each user can add in the No. of passkeys allowed per user field. Users can enroll up to 5 FIDO2 passkeys.
  8. Click Save.

Supported devices

The OS and browsers that support each of the following types of passkeys are as follows:

Note: Make sure that you are using the latest versions of the browsers. If you are using an outdated browser, you may not be able to create or use passkeys in incognito or private modes across major browsers and operating systems.

Platform authenticators

Platform authenticators can be used via either the enrolled device (device-bound passkeys) or its synced devices (synced passkeys).

1. Device-bound passkeys:

                 Windows 10+ (Windows Hello)   macOS 11+ (Touch ID)   Android 7+ (Android biometrics)   iOS 14.5+ (Face ID)
  Google Chrome  Yes (73+)                     Yes (70+)              Yes (95+)                         Yes (95)
  Edge           Yes (79+)                     Yes                    Yes                               Yes (95)
  Safari         N/A                           Yes (14+)              N/A                               Yes (14.5)
  Firefox        Yes (66+)                     Yes                    Yes (68+)                         Yes (38)

2. Synced passkeys

                 Windows 10+ (Windows Hello)   macOS 13+ (Touch ID)   Android 9+ (Android biometrics)   iOS 16.5+ (Face ID)
  Google Chrome  No                            Yes (70+)              Yes                               Yes
  Edge           No                            No                     Yes                               Yes
  Safari         N/A                           Yes (14+)              N/A                               Yes
  Firefox        No                            Yes                    Yes                               Yes

Roaming authenticators

Roaming authenticators can be security keys such as the YubiKey and Titan Security Key, or smartphones that support Cross-Device Authentication (CDA).

1. Security keys

                 Windows 10+   macOS 11+   Linux   Android 7+   iOS 14.5+
  Google Chrome  Yes           Yes         Yes     Yes          Yes
  Edge           Yes           Yes         Yes     Yes          Yes
  Safari         N/A           Yes         N/A     N/A          Yes
  Firefox        Yes           Yes         Yes     Yes          Yes

2. Cross-Device Authentication (CDA) for roaming passkeys

CDA client: The device on which Identity360 is being accessed.

CDA authenticator: The device on which the user verifies their identity.

For example, you can use a roaming authenticator on your phone to authenticate into Identity360 on your laptop. In this case, the laptop is the CDA client, and the phone acts as the CDA authenticator.

The supported CDA clients and authenticators are as follows:

  Windows 10+ (Windows Hello)
                 CDA client   CDA authenticator
  Google Chrome  Yes (108+)   No
  Edge           Yes (108+)   No
  Safari         N/A          N/A
  Firefox        No           No

  macOS 13+ (Touch ID)
                 CDA client   CDA authenticator
  Google Chrome  Yes (70+)    No
  Edge           Yes          No
  Safari         Yes (14+)    No
  Firefox        Yes          No

  Android 9+ (Android biometrics)
                 CDA client   CDA authenticator
  Google Chrome  No           Yes
  Edge           No           Yes
  Safari         N/A          N/A
  Firefox        No           Yes

  iOS 17+ (Face ID)
                 CDA client   CDA authenticator
  Google Chrome  Yes          Yes
  Edge           Yes          Yes
  Safari         Yes          Yes
  Firefox        Yes          Yes

Enrolling for FIDO2 passkeys

During enrollment, users can choose their preferred passkey type based on the options provided, such as platform or roaming authenticators.

Platform authenticator: The user will complete enrollment by verifying their identity using their device’s built-in authenticator, such as Face ID, Touch ID, or PIN.

Roaming authenticator: The user will be required to authenticate using the security key’s built-in mechanism. For example, if using a YubiKey, they may need to enter a PIN or scan their fingerprint using the sensor. Security keys can be enrolled through the Identity360 web portal from a device that supports USB, near-field communication (NFC), or Bluetooth Low Energy (BLE) connections. A single security key can be enrolled as a passkey for multiple users, and multiple security keys can be enrolled for a single user account.

If a user wishes to enroll a different smartphone or tablet, they can scan the QR code displayed on the screen to start the authentication process via Bluetooth. Admins should ensure that users' devices support CDA for a smooth enrollment process. A list of supported devices is available here.

Note: Authenticators such as Android biometrics or Apple Touch ID and Face ID can be enrolled either as platform authenticators or as roaming authenticators through CDA. However, a single smartphone cannot be registered as both a platform authenticator and a roaming authenticator for the same user. Each device can only be registered as one type of authenticator per user.

You can find the step-by-step enrollment process for users here.

Verification using FIDO2 passkeys

Once enrolled, users will verify their identity using their passkeys when signing in.

Platform authenticator: The device's built-in authenticators can be used for verification on the enrolled device. If the passkey is synced across multiple devices, it can also be used on those devices.

Roaming authenticator: Users must verify the security key on their device by connecting via USB, NFC, or BLE. Once verified, the key can be used on other devices by repeating the process. This ensures secure, consistent access across all devices.

If a user needs to authenticate using a different smartphone or tablet, they can scan the QR code displayed on the screen to complete verification via Bluetooth.

You can find the detailed verification steps here.

Copyright © 2025, ZOHO Corp. All Rights Reserved.