Workspace ONE Access has been an ever-evolving platform since its transition from VMware Identity Manager a while back. We have seen some major advancements, such as the DUO API integration. This past week brought another big step forward for VMware’s identity provider with the introduction of FIDO2. We’re going to discuss what exactly FIDO2 is, how to configure FIDO2 in Workspace ONE Access (with a short demo), and the user experience as a whole.
What is FIDO2?
The FIDO (Fast Identity Online) Alliance created FIDO2, the name it coined for its latest set of specifications, which let organizations use external hardware authenticators or FIDO2-certified platform technologies such as Touch ID or Windows Hello. Let’s take a look at the components that make up FIDO2.
Web Authentication (WebAuthn)
WebAuthn is a standard web API that bridges online services to FIDO authentication and is built into the major browsers and platforms. WebAuthn has been a W3C web standard for about two years and is available on Windows 10, Android, Chrome, Firefox, Edge, and Safari.
As the diagram below shows, WebAuthn simplifies the process for a web service to implement strong authentication using a variety of biometrics, external authenticators, and trusted platforms. WebAuthn was developed by the W3C, with Yubico, Microsoft, and Google as major contributors. Beyond convenience, WebAuthn brings asymmetric (public-key) cryptography with phishing protection built directly into the browser for both registration and authentication: the private key never leaves the authenticator, and the browser binds each credential to the site’s origin, so a credential registered with Workspace ONE Access cannot be exercised by a look-alike site.
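To make the phishing-protection claim concrete, here is an added example (not code from this post, and not Workspace ONE Access code) of the checks a relying party performs on a WebAuthn assertion before it even looks at the signature. The relying party ID "access.example.com", the origin, and all sample inputs are constructed here for illustration; a real service would then verify the signature over the returned bytes with the public key it stored at registration.

```python
"""Relying-party-side checks on a WebAuthn assertion (added example).

Not code from the blog post or from Workspace ONE Access. The RP ID,
origin and sample data below are assumptions constructed for illustration.
"""
import base64
import hashlib
import json
import os
import struct

RP_ID = "access.example.com"                 # assumed relying party ID
EXPECTED_ORIGIN = "https://access.example.com"

FLAG_UP = 0x01   # user present
FLAG_UV = 0x04   # user verified (PIN, Touch ID, Windows Hello, ...)


def b64url_decode(s: str) -> bytes:
    """WebAuthn encodes the challenge as unpadded base64url."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes, last_sign_count: int,
                    require_uv: bool = False) -> bytes:
    """Run the checks that bind an assertion to this site and session, then
    return the exact byte string the authenticator signed. Verifying the
    signature over that byte string with the registered public key is the
    caller's final step and is not performed here."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (replay or cross-session use)")
    # The browser, not the page's JavaScript, fills in the origin, so a
    # look-alike site cannot forge this field.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        raise ValueError(f"origin {client_data.get('origin')!r} is not ours")

    if len(authenticator_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]

    # The authenticator hashes the RP ID the browser handed it, so a
    # credential scoped to our RP ID never yields a valid assertion elsewhere.
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match our RP ID")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required but not performed")
    # A counter that fails to increase is a sign of a cloned authenticator.
    if sign_count != 0 and sign_count <= last_sign_count:
        raise ValueError("signature counter did not increase")

    # This is what the authenticator signed: authData || SHA-256(clientDataJSON)
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def is_rejected(*args, **kwargs) -> bool:
    """True if check_assertion refuses the given inputs."""
    try:
        check_assertion(*args, **kwargs)
        return False
    except ValueError:
        return True


def make_sample(origin: str, rp_id: str, challenge: bytes,
                sign_count: int = 5, flags: int = FLAG_UP | FLAG_UV):
    """Constructed sample inputs mimicking what a browser would hand back."""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data_json, auth_data


if __name__ == "__main__":
    challenge = os.urandom(32)
    cdj, ad = make_sample(EXPECTED_ORIGIN, RP_ID, challenge)
    signed = check_assertion(cdj, ad, challenge, last_sign_count=4)
    print("genuine assertion accepted; now verify the signature over",
          len(signed), "bytes")
    # A phishing site gets its own origin and RP ID from the browser.
    cdj, ad = make_sample("https://access.example-login.com",
                          "example-login.com", challenge)
    print("phishing site rejected:",
          is_rejected(cdj, ad, challenge, last_sign_count=4))
```

The order of checks mirrors the WebAuthn specification: ceremony type, challenge, origin, RP ID hash, flags, then counter. The origin and rpIdHash checks are the ones that make the credential useless on a look-alike domain, which is the property passwords and OTP codes lack.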
Client to Authenticator Protocol (CTAP)
CTAP is the protocol that lets external devices and FIDO security keys work with browsers that use WebAuthn. Put simply, CTAP is how the browser or application talks to an external (roaming) authenticator such as a YubiKey; built-in platform authenticators such as Windows Hello or Touch ID are reached through the operating system instead.
If you are interested, below is a very informative video on the FIDO2 project from Google and Microsoft:
Setting up FIDO2 in Workspace ONE Access
The setup process for FIDO2 is relatively short, but it is very confusing at first, because much of what we know about setting up policy in Workspace ONE Access is flipped on its head when you set up FIDO2.
The part that will confuse many people is how you add additional rules to your default policy to enable FIDO2 registration and login; it does not look like it should work, but it works really well in my initial testing. The one issue I ran into is that Windows Hello poses certain challenges, though nothing insurmountable.
FIDO2 Experience on Windows 10 Powered by Workspace ONE Access
Below, you can watch a short demo of the user experience that takes you through FIDO2 registration, signing in with FIDO2, and managing the registered FIDO2 authenticators.
Final Thoughts on FIDO2 on Workspace ONE Access
This article is heavily focused on videos, because that’s how you can really see the value FIDO2 provides. It’s great to see VMware catch up to Ping and Okta on FIDO2, which is becoming more popular. After a single registration, you can deliver password-free authentication to apps as you see fit.
I do have a few issues with the FIDO2 implementation, the first being the lack of integration between FIDO2 and device compliance. VMware is telling a strong story around “Zero Trust”, and their entire portfolio is being built around it, as we saw at VMworld this past year. They will need to do two things for FIDO2 to have true value:
- Integrate FIDO2 with device compliance
- Bring FIDO2 support to macOS and iOS/Android quickly
One challenge that sometimes arises with new technologies is follow-through. It’s great that we are starting with Windows 10, but this needs to become cross-platform very quickly. The real UX story is a consistent cross-platform experience, which anything needs in order to become a staple in an enterprise environment.