FIDO2 Settings

Along with support for all FIDO2 compliant passkeys, the Identity Portal now gives you the ability to set global overrides for your FIDO2 enrollment or authentication transactions.

These settings can be found under the Settings > FIDO2 blade in the Identity Portal. Below is a screenshot showing the options available to override:

Override Global Default

Overrides settings for each FIDO2 transaction. Required if you wish to change the defaults.

User Enrollment

The following settings apply to FIDO2 enrollment transactions.

Allowed Authenticator Type

  • All: Tells the browser to allow any authenticator type. When this option is enabled, the user can enroll either a platform authenticator built into the native device (e.g. a phone or desktop) or a cross-platform authenticator such as an external security key.
  • Platform: Tells the browser to allow enrollment of a platform authenticator only.
  • Cross-platform: Tells the browser to allow enrollment of an external authenticator only.

User Attestation

  • None: The FIDO server will not request metadata attestation from the authenticator.
  • Direct: Convey the authenticator's AAGUID and attestation statement, unaltered, to the Relying Party.
  • Indirect: The client MAY replace the AAGUID and attestation statement with a more privacy-friendly and/or more easily verifiable version of the same data (for example, by employing an Anonymization CA).

User Verification

Today most devices ignore these values: regardless of what the server requests, the value is overridden to required. They only really apply to custom CTAP clients.

Register with Resident Key

  • Not Required: The authenticator will generate a non-resident key.
  • Required: The authenticator will generate a resident key. Generally when this is enabled you do not need to ask for a username.

User Authentication

The following settings apply to FIDO2 authentication transactions.

User Verification

Today most devices ignore these values: regardless of what the server requests, the value is overridden to required. They only really apply to custom CTAP clients.

Relying Party ID

This is the domain that users will register their FIDO2 passkeys with. This domain must match the location where the transaction is being hosted. For example, if you are hosting the FIDO2 enrollment on example.com, you must set the relying party ID to that value. Be sure to include the protocol, e.g. HTTPS.
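As an added illustration, not code from the Identity Portal, the function below shows how the enrollment settings above (authenticator type, attestation, user verification, resident key) and the Relying Party ID map onto the WebAuthn PublicKeyCredentialCreationOptions that the browser's navigator.credentials.create() consumes, and checks the Relying Party ID against the hosting origin. The shape of the settings object and the user-verification value names are assumptions.

```javascript
// Added example: portal FIDO2 override settings -> WebAuthn creation options.
// The `settings` field names are assumed; the WebAuthn field names are standard.
const ATTACHMENT = { 'All': undefined, 'Platform': 'platform', 'Cross-platform': 'cross-platform' };
const ATTESTATION = { 'None': 'none', 'Direct': 'direct', 'Indirect': 'indirect' };
const RESIDENT_KEY = { 'Not Required': 'discouraged', 'Required': 'required' };
const USER_VERIFICATION = new Set(['required', 'preferred', 'discouraged']); // assumed value names

// The portal's Relying Party ID is entered with its protocol (e.g. https://example.com);
// the browser's rp.id field is the bare domain, so the scheme is stripped here.
function toRpId(relyingPartyId) {
  const url = new URL(relyingPartyId);
  if (url.protocol !== 'https:') throw new Error('Relying Party ID must use HTTPS');
  return url.hostname;
}

// WebAuthn only accepts an rp.id equal to the hosting origin's domain or a parent domain of it;
// any other value makes the browser reject the ceremony, so check it before issuing options.
function rpIdMatchesOrigin(rpId, hostingOrigin) {
  const host = new URL(hostingOrigin).hostname;
  return host === rpId || host.endsWith('.' + rpId);
}

function buildCreationOptions(settings, user, challenge, hostingOrigin) {
  const rpId = toRpId(settings.relyingPartyId);
  if (!rpIdMatchesOrigin(rpId, hostingOrigin)) {
    throw new Error(`rp.id ${rpId} does not match hosting origin ${hostingOrigin}`);
  }
  if (!(settings.authenticatorType in ATTACHMENT)) throw new Error('unknown authenticator type');
  if (!(settings.attestation in ATTESTATION)) throw new Error('unknown attestation setting');
  if (!(settings.residentKey in RESIDENT_KEY)) throw new Error('unknown resident key setting');
  if (!USER_VERIFICATION.has(settings.userVerification)) throw new Error('unknown user verification');
  const residentKey = RESIDENT_KEY[settings.residentKey];
  const options = {
    rp: { id: rpId, name: settings.rpName },
    // With a resident key the authenticator stores user.id itself, which is why the
    // login page no longer needs to ask for a username.
    user: { id: user.id, name: user.name, displayName: user.displayName },
    challenge, // server-generated random bytes, one per ceremony
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }],
    attestation: ATTESTATION[settings.attestation],
    authenticatorSelection: {
      residentKey,
      requireResidentKey: residentKey === 'required', // WebAuthn Level 1 fallback field
      userVerification: settings.userVerification,   // most devices override this to required
    },
  };
  const attachment = ATTACHMENT[settings.authenticatorType];
  if (attachment) options.authenticatorSelection.authenticatorAttachment = attachment; // "All" omits it
  return options;
}
```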