Overview

OpenOTP supports the FIDO2 standard from the FIDO Alliance for user authentication, as well as Passkeys from Google and Apple. If you plan to use OpenOTP with FIDO2 or Passkeys, please refer to this document for instructions on how to enable and use these features with your integrations.

FIDO2

FIDO2 allows users to authenticate to online services using common devices in both mobile and desktop environments. The FIDO2 specifications include the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) and the FIDO Alliance’s Client-to-Authenticator Protocol (CTAP).

FIDO2 cryptographic login credentials are unique for each website, remain on the user’s device, and are never stored on a server. This model mitigates risks such as phishing, password theft, and replay attacks.

Users can unlock their cryptographic credentials using built-in methods like fingerprint readers or cameras on their devices, or by using FIDO security keys. Consumers can choose the device that best suits their needs.

Since FIDO cryptographic keys are unique to each site, they cannot be used to track users across sites. Additionally, biometric data, when used, remains on the user’s device.

Websites can enable FIDO2 with a simple JavaScript API call, supported across leading browsers and billions of devices.

Read more about FIDO on the FIDO Alliance website.

U2F APIs are now deprecated in favor of FIDO2.

As of WebADM v2.2, U2F support has been removed from OpenOTP Security Suite. You can no longer register new U2F devices, but previously registered devices will still work. OpenOTP now supports enrolling deprecated U2F devices in FIDO2 mode, allowing you to transition to FIDO2 technology without needing to purchase new security keys. This feature is enabled automatically and managed by WebADM.

Passkeys

Passkeys, built on the Web Authentication (WebAuthn) standard, are an advanced technology designed to replace passwords as the primary method of online authentication. They offer several advantages over traditional passwords:

  • Enhanced Security: Passkeys use cryptography and are resistant to phishing attacks that can steal passwords.
  • Ease of Use: Stored on your device, passkeys can be accessed using your fingerprint, Face ID, or a PIN, eliminating the need to remember multiple passwords.
  • Cross-Platform Compatibility: Supported by major web browsers and operating systems, passkeys allow you to sign in to websites and apps across your computer, phone, and tablet with the same set of credentials.
  • Privacy: Passkeys do not share personal information with websites or apps, providing a more privacy-friendly authentication method.

Key benefits of using passkeys include:

  • Improved Security: More difficult to hack than passwords due to their cryptographic nature and lack of storage on websites or apps.
  • Reduced Password Fatigue: Eliminates the need to remember and manage multiple passwords, saving time and reducing frustration.
  • Increased Productivity: Simplifies the sign-in process, making it faster and more efficient.
  • Reduced Risk of Phishing: Resistant to phishing attacks, minimizing the risk of password theft.
  • Enhanced User Experience: Offers a more seamless and secure sign-in experience.

For more information about passkeys and their support across devices, visit the Apple Passkeys and Google Passkeys websites.

Integrations Supported by RCDevs Solutions

FIDO2 Technology (security keys)

RCDevs supports FIDO2 authentication with the following integrations:

  • RCDevs Identity Provider (OpenID/SAML IDP)
  • OpenOTP Credential Provider for Windows
  • OpenOTP Credential Provider for macOS
  • MFAVPN with Viscosity VPN client
  • OpenOTP Plugin for Nextcloud
  • OpenOTP Plugin for ADFS
  • OpenOTP Plugin for RDWeb
  • Spankey SSH key authentication (second factor)
  • Authentication on RCDevs web applications, such as Selfdesk, SelfReg, and Helpdesk

Please note that FIDO2 challenges are not supported through Remote Desktop Protocol (RDP). However, FIDO2 keys can be used for offline logins on the integrations mentioned.

FIDO2 is designed to work with a single origin, and the public key registered during the enrollment process is associated with that origin. To use FIDO2 across multiple origins, the key must be registered separately for each origin.

Passkey Technology

RCDevs supports Passkey authentication with the following integrations:

  • RCDevs Identity Provider (OpenID/SAML IDP)
  • Authentication on RCDevs web applications, such as Selfdesk, SelfReg, and Helpdesk
  • OpenOTP Plugin for Nextcloud
  • OpenOTP Plugin for ADFS
  • OpenOTP Plugin for RDWeb

Passkey device registration with RCDevs solutions is managed through FIDO2 token registration, available via the WebADM Admin Portal or other self-service portals offered by RCDevs, accessible under the FIDO tab.

FIDO Configuration in OpenOTP

To enable FIDO2 or Passkey authentication with RCDevs solutions, follow these steps:

  1. Edit your OpenOTP configuration under the Applications tab in WebADM.
  2. Scroll down to the FIDO Devices section.

You need to configure the FIDO origin or AppID setting to match the base DNS name of your domain. For example, if rcdevs.com is your domain name, it should be configured as the FIDO origin. Proper configuration of this setting is crucial for the feature to function correctly.

If your organization's domain name changes (e.g., from rcdevs.com to rcdevs.eu), you will need to re-register all FIDO2 devices with the new origin. Changing the origin used during enrollment will disrupt authentication for FIDO2 devices registered with the old origin or domain.

fido

Other settings allow you to limit the number of devices that can be registered per user. You can also optionally require FIDO User Verification by the FIDO2 device during the authentication process.

Additionally, you can specify which Trusted Devices are allowed within your organization. For Passkeys, this option should not be enabled.

If you change your domain, you must re-register the tokens and update the domain in the FIDO Origin setting. Otherwise, you may encounter the following warning:
The DNS domain in the FIDO Origin does not match the current URL domain. Please use an enrollment URL under the configured FIDO Origin.
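
The following is an added illustration, not RCDevs' documentation or OpenOTP code, of the two server-side WebAuthn checks that pin a FIDO2 credential to the configured FIDO Origin, and therefore of why a domain change (rcdevs.com to rcdevs.eu, the page's own example) breaks authentication until devices are re-registered. The authenticatorData and clientDataJSON values are constructed, and signature verification is left out.

```python
"""Why a FIDO2 credential is bound to one FIDO Origin (added example).

A WebAuthn authenticator includes SHA-256(rpId) as the first 32 bytes of
authenticatorData, and the browser records the page origin in clientDataJSON.
The relying party (here OpenOTP's role) must compare both against its own
configured origin; an assertion produced under rcdevs.com can never verify
against a server configured for rcdevs.eu.  All inputs below are constructed.
"""
import hashlib
import json
from urllib.parse import urlparse


def _under_origin(host: str, fido_origin: str) -> bool:
    """True when host equals the FIDO Origin or is a subdomain of it."""
    return host == fido_origin or host.endswith("." + fido_origin)


def enrollment_url_allowed(fido_origin: str, enrollment_url: str) -> bool:
    """Mirror the WebADM warning: enrollment must happen under the configured origin."""
    host = urlparse(enrollment_url).hostname or ""
    return _under_origin(host, fido_origin)


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def make_authenticator_data(rp_id: str) -> bytes:
    """Constructed minimal authenticatorData: rpIdHash || flags (UP|UV) || signCount."""
    return rp_id_hash(rp_id) + bytes([0x05]) + (1).to_bytes(4, "big")


def make_client_data_json(origin_url: str, challenge_b64: str) -> bytes:
    """Constructed clientDataJSON as a browser would produce for an assertion."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge_b64, "origin": origin_url}
    ).encode()


def verify_assertion_binding(configured_origin: str, auth_data: bytes,
                             client_data_json: bytes) -> tuple[bool, str]:
    """Origin-binding checks a relying party performs before checking the signature."""
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != rp_id_hash(configured_origin):
        return False, "rpIdHash does not match the configured FIDO Origin"
    client = json.loads(client_data_json)
    host = urlparse(client.get("origin", "")).hostname or ""
    if not _under_origin(host, configured_origin):
        return False, "clientDataJSON origin is not under the configured FIDO Origin"
    return True, "ok"
```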

Register FIDO2 Security Keys

From WebADM Administrator Portal

FIDO2 keys must undergo a registration process before they can be used for authentication. Select the desired user account and, in the Application Actions box, select MFA Authentication Server.

[Screenshot: Activated User]

Now click on Register / Unregister FIDO Devices.

You are now on the FIDO/Passkey registration page.

Click on the blinking red message to start the registration process and follow the instructions prompted by your web browser. At some point you are invited to touch your FIDO2 device and allow the site to access your security key:

Once this is done, the registration is complete. Click Ok to see an overview of the registered device:

From Self-Services (SelfDesk & SelfReg) and Helpdesk

Refer to the User Self-Services Desk, User Self-Registration and Helpdesk documentation for instructions on how to register FIDO2 devices and Passkeys.

Register Passkeys

There are multiple ways to register a passkey:

  • Store the Passkey in your iCloud Keychain from a compatible Apple device. This enables you to use the Passkey across all devices connected to the same iCloud account.
  • Use an iPhone, iPad, or Android device. This method allows you to register and use the passkey from a device with a camera.
  • Use a security key. This is typically the way to register a FIDO2 key.
  • From Google Chrome, you have the option to register a Passkey in your Chrome profile.

Select the method that best suits your preferences and aligns with the prerequisites set by Apple/Google and your company. Follow the provided instructions to complete the enrollment process.

The enrollments demonstrated below are conducted through the WebADM Admin GUI. It's important to note that the same enrollment options are available through various self-service web applications provided by RCDevs under the FIDO tab. Users can access these enrollment features from different self-service portals for a seamless and consistent experience.

Passkeys must undergo a registration process before they can be used for authentication. To proceed with the registration, select the user account for which you want to register a passkey and, in the Application Actions box, select MFA Authentication Server:

[Screenshot: Activated User]

Now click on Register/Unregister FIDO Devices.

[Screenshot: Register FIDO]

The FIDO/Passkeys registration page is displayed:

[Screenshot: FIDO Enrollment]

Click on the blinking red message, and you will be prompted to proceed with the enrollment process.

From Safari and Apple Devices

After clicking on the blinking red message, the following appears:

[Screenshot: PassKeys Enrollment]

I can directly provide my fingerprint for enrollment, and the passkey will be stored in my iCloud Keychain.

[Screenshot: PassKeys Enrollment]
[Screenshot: PassKeys Enrollment]

If I click the "Other Options" button, I get the possibilities explained above:

[Screenshot: PassKeys Enrollment]

Passkey stored on local device only

[Screenshot: PassKeys Enrollment]

If I click the Continue button, it registers my macOS device as a passkey:

[Screenshot: PassKeys Enrollment]

I am invited to provide my fingerprint to finish the enrollment, and my MacBook is then registered.

[Screenshot: PassKeys Enrollment]

Passkey stored in Chrome Profile

If, on the previous screen, I click Use a different passkey, the following appears:

[Screenshot: PassKeys Enrollment]

Here, I have the choice to register my Chrome profile as a Passkey or another device.

If I choose my Chrome profile, the following appears:

[Screenshot: PassKeys Enrollment]

Click the Continue button and you are invited to provide your fingerprint. Your passkey is then registered.

Passkey from a device with a camera

iOS device

The last option is the Use a phone, tablet or security key method. Click on it and the following is displayed:

[Screenshot: PassKeys Enrollment]

I'm going to use my iPhone to scan it. Open your camera, scan the QR code, and tap the link once your phone has parsed the QR code.

[Screenshot: PassKeys Enrollment]

Once you have scanned the QR code, the following message appears in your web browser:

[Screenshot: PassKeys Enrollment]

On the mobile side, the following screens appear after tapping the link provided through the QR code:

[Screenshot: PassKeys Enrollment]

Tap the Continue button and you are invited to provide your Face ID:

[Screenshot: PassKeys Enrollment]

Once Face ID has been validated on your phone, the enrollment should be completed on the WebADM side. If the web browser requests a confirmation, click Allow to finish the enrollment.

[Screenshot: PassKeys Enrollment]

You will be invited to use your enrolled Passkey during authentication with OpenOTP.

Android device

The last option is the Use a phone, tablet or security key method. Click on it and the following is displayed:

[Screenshot: PassKeys Enrollment]

I'm going to use my Android phone to scan it. Open your camera, scan the QR code, and tap the link once your phone has parsed the QR code.
Once you have scanned the QR code, the following message appears in your web browser:

[Screenshot: PassKeys Enrollment]

On the mobile side, the following screen appears briefly after tapping the link:

[Screenshot: PassKeys Enrollment]

You are then invited to provide your fingerprint or passcode. Here we provided the fingerprint.

[Screenshot: PassKeys Enrollment]

At this step, the enrollment should be complete.

You can start using your Passkeys on compatible integrations.