Using device-bound passkeys in Safewhere Identify
This document continues the Passkey authentication guide and explains how to use passkeys stored on a security key (Yubikey) with Safewhere Identify.
As described in passkey types, device-bound passkeys are FIDO authentication credentials that stay on the device they were issued to (typically, a security key) and do not sync elsewhere. To sign in to an online service with a device-bound passkey, the user plugs the security key into the new device or taps it against that device.
Second factor authentication on a Windows machine using a passkey in a Yubikey
In this demonstration:
- A user accesses Safewhere Admin on a Windows machine and successfully signs in with the first factor authentication.
- During the second factor authentication phase, the user chooses to save a passkey to a Yubikey.
- The user logs out of Safewhere Admin.
- The user re-accesses Safewhere Admin on a Windows machine and successfully signs in with the first factor authentication.
- During the second factor authentication phase, the user's passkey in the Yubikey is selected to authenticate the user.
- The user inputs the Yubikey's PIN and touches the Yubikey to complete the login.
To set up the necessary connections in Identify, follow these steps:
- Create an OTP connection for WebAuthn as shown below. To save a passkey to a Yubikey, set the Authenticator type setting to Cross platform.
- Set the OTP connection as the second factor of another identity provider (a Username & Password identity provider is used in this demonstration).
After that, a user can log in and create a passkey:
- Access Safewhere Admin on a Windows machine and successfully sign in with the first factor authentication.
- During the second factor authentication phase, select the Security key option to save a passkey.
- Click the OK button on the Security key setup form.
- Click the OK button on the Continue setup form.
- Insert the security key into the USB port.
- Input the Yubikey PIN (if any).
- Touch the Yubikey.
- The passkey is successfully saved to the Yubikey.
The user can now log in using the newly created passkey:
- Re-access Safewhere Admin on a Windows machine and successfully sign in with the first factor authentication.
- During the second factor authentication phase, select the Security key option to use the passkey in the Yubikey.
- Insert the security key into the USB port.
- Touch the Yubikey to complete the login.
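An added example, not code from Safewhere Identify or from this guide: a relying-party-side check that the WebAuthn authenticator data returned at the second factor step carries the flags expected for a device-bound passkey (touch asserted, PIN asserted when required, not backup eligible). The function names and sample bytes are hypothetical, and how Identify performs this check internally is not described on this page.

```javascript
// Added example (hypothetical helper names). authenticatorData layout per WebAuthn:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | optional data
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData must be a Uint8Array of at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (flags & FLAGS.UP) !== 0,     // set by touching the security key
    userVerified: (flags & FLAGS.UV) !== 0,    // set after the PIN is entered
    backupEligible: (flags & FLAGS.BE) !== 0,  // credential may sync to other devices
    backedUp: (flags & FLAGS.BS) !== 0,        // credential is currently synced
    hasAttestedCredentialData: (flags & FLAGS.AT) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Policy for a second factor that must be a device-bound passkey.
// requireUserVerification is an assumed option: the guide says the PIN is entered "if any".
function checkDeviceBoundPolicy(bytes, { requireUserVerification = true } = {}) {
  const parsed = parseAuthenticatorData(bytes);
  const problems = [];
  if (!parsed.userPresent) problems.push("user presence (touch) not asserted");
  if (requireUserVerification && !parsed.userVerified) {
    problems.push("user verification (PIN) not asserted");
  }
  if (parsed.backupEligible) problems.push("credential is backup eligible, not device-bound");
  if (parsed.backedUp && !parsed.backupEligible) problems.push("invalid flags: BS set without BE");
  return { ok: problems.length === 0, problems, parsed };
}

// Constructed sample input: placeholder rpIdHash, chosen flags and counter.
function sample(flags, signCount) {
  const b = new Uint8Array(37);
  b.fill(0xaa, 0, 32); // not a real SHA-256 of any RP ID
  b[32] = flags;
  new DataView(b.buffer).setUint32(33, signCount, false);
  return b;
}

const securityKey = sample(FLAGS.UP | FLAGS.UV, 7);
const syncedPasskey = sample(FLAGS.UP | FLAGS.UV | FLAGS.BE | FLAGS.BS, 0);
console.log(checkDeviceBoundPolicy(securityKey));
console.log(checkDeviceBoundPolicy(syncedPasskey).problems);
```

A full verification also compares rpIdHash with the SHA-256 of the RP ID and validates the assertion signature; both are left out here.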