FIDO2
How FIDO2 authentication works
FIDO2 authentication begins with a registration process. When users set up an account or sign in for the first time, they are prompted to create a passkey on their device. During registration, a secure cryptographic key pair is generated on the device:
- Private key: stored on the device
- Public key: sent to the authentication server
When the user signs in again, the device proves possession of the private key without transmitting it. This proof is typically provided through biometric verification, such as a fingerprint or facial scan. The authentication server validates the proof using the public key to confirm the user's identity. After successful verification, the user gains access.
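The registration and sign-in steps above, as an added Node.js example that is not part of the original page or of any vendor's code. It is a simplified model rather than the WebAuthn message format: the class names `Server` and `Device`, the `demo` function and the user `alice` are assumptions, the proof is modelled as a signature over a one-time server challenge, and the biometric check is reduced to a boolean.

```javascript
const nodeCrypto = require("node:crypto");

// Authentication server: holds only public keys and outstanding one-time challenges.
class Server {
  constructor() {
    this.publicKeys = new Map();  // username -> public key (PEM)
    this.challenges = new Map();  // username -> pending challenge
  }
  register(username, publicKeyPem) {
    this.publicKeys.set(username, publicKeyPem);
  }
  newChallenge(username) {
    const challenge = nodeCrypto.randomBytes(32);
    this.challenges.set(username, challenge);
    return challenge;
  }
  verify(username, signature) {
    const challenge = this.challenges.get(username);
    const publicKeyPem = this.publicKeys.get(username);
    this.challenges.delete(username);  // single use, so a replayed response fails
    if (!challenge || !publicKeyPem) return false;
    return nodeCrypto.verify("sha256", challenge, publicKeyPem, signature);
  }
}

// User's device: the key pair is generated here and the private key never leaves it.
class Device {
  constructor() {
    const pair = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.privateKey = pair.privateKey;
    this.publicKeyPem = pair.publicKey.export({ type: "spki", format: "pem" });
  }
  sign(challenge, userVerified) {
    // userVerified stands in for the fingerprint or facial scan (assumption).
    if (!userVerified) throw new Error("user verification failed");
    return nodeCrypto.sign("sha256", challenge, this.privateKey);
  }
}

function demo() {
  const server = new Server();
  const device = new Device();
  server.register("alice", device.publicKeyPem);          // registration
  const sig = device.sign(server.newChallenge("alice"), true);
  const firstUse = server.verify("alice", sig);           // normal sign-in
  const replay = server.verify("alice", sig);             // same response sent again
  const other = new Device().sign(server.newChallenge("alice"), true);
  const wrongKey = server.verify("alice", other);         // unregistered device
  return { firstUse, replay, wrongKey };
}
```

Only the public key and signatures cross between `Device` and `Server`, which is why a breach of the server's stored data does not yield a reusable credential.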
Admin configuration
To enable FIDO2 as a multi-factor authentication (MFA) provider, select .
Once FIDO2 is enabled as an MFA option, no additional administrator configuration is required. Users are prompted during their next sign-in to register their authentication device.