Admin Guide

Use passkeys

Support for passkeys has been implemented in FTC using WebAuthn. According to FIDOalliance.org, Web Authentication (WebAuthn), a core component of the FIDO Alliance's FIDO2 set of specifications, is a web-based API that allows websites to update their login pages to add FIDO-based authentication on supported browsers and platforms. FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.

Passkeys are becoming the norm for enhanced protection in many sites. With passkey support, customers will be able to meet higher security standards and protect their organizations from threats like phishing.
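The phishing resistance mentioned above comes from what the authenticator signs: the browser records the origin it is actually on in clientDataJSON, and the authenticator binds the relying party ID into authenticatorData. The following is an added example, not FortiToken Cloud or FIDO Alliance code, of the checks a relying party runs on a WebAuthn assertion (the ones that need no cryptographic library; signature verification with the stored public key is the final step and is only described in a comment). It assumes fortinet.com as the RP ID and https://auth.fortinet.com as the allowed origin (the page names auth.fortinet.com as the MFA page; the RP ID is an assumption), and all challenges, counters and assertions are constructed inline.

```python
"""Relying-party checks on a WebAuthn assertion (added example, not FTC code)."""
import base64
import hashlib
import json
import os
import struct

RP_ID = "fortinet.com"                    # assumption: RP ID the passkey is scoped to
ALLOWED_ORIGINS = {"https://auth.fortinet.com"}  # origin the browser must report

FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or screen lock was provided


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_challenge() -> bytes:
    """The RP mints a fresh random challenge per login and stores it in the session."""
    return os.urandom(32)


def make_authenticator_data(rp_id: str, flags: int, counter: int) -> bytes:
    """Build the 37-byte authenticatorData prefix: rpIdHash | flags | signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, last_counter: int,
                     require_uv: bool = True) -> dict:
    """Return {'ok': True, ...} only if every check on the assertion passes."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return {"ok": False, "reason": "wrong ceremony type"}
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return {"ok": False, "reason": "challenge mismatch (replayed assertion?)"}
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return {"ok": False, "reason": f"origin not allowed: {origin}"}
    if len(auth_data) < 37:
        return {"ok": False, "reason": "authenticatorData too short"}
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return {"ok": False, "reason": "rpIdHash mismatch"}
    if not flags & FLAG_UP:
        return {"ok": False, "reason": "user presence not asserted"}
    if require_uv and not flags & FLAG_UV:
        return {"ok": False, "reason": "user verification (PIN/screen lock) not asserted"}
    if (counter != 0 or last_counter != 0) and counter <= last_counter:
        return {"ok": False, "reason": "signature counter did not increase (cloned key?)"}
    # The authenticator signs authData || SHA-256(clientDataJSON) with the credential's
    # private key; the RP verifies that signature with the public key stored at
    # registration. That step is omitted here (it needs an ECDSA/RSA library).
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return {"ok": True, "counter": counter, "signed_bytes": len(signed)}


def _client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON, as a browser would produce it for a 'get' ceremony."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def demo_legitimate() -> dict:
    """Assertion produced on the real MFA page with PIN/touch; counter moved 41 -> 42."""
    challenge = bytes(range(32))  # constructed; a real RP uses new_challenge()
    cd = _client_data("https://auth.fortinet.com", challenge)
    ad = make_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, counter=42)
    return verify_assertion(cd, ad, challenge, last_counter=41)


def demo_lookalike_origin() -> dict:
    """Same challenge relayed through a look-alike site: the browser reports the
    origin it is really on, so the RP rejects it. In practice a browser on that
    domain would not even offer a credential scoped to fortinet.com."""
    challenge = bytes(range(32))
    cd = _client_data("https://auth-fortinet.example", challenge)  # constructed
    ad = make_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, counter=42)
    return verify_assertion(cd, ad, challenge, last_counter=41)


def demo_no_user_verification() -> dict:
    """Key touched but no PIN entered: rejected when the policy requires UV."""
    challenge = bytes(range(32))
    cd = _client_data("https://auth.fortinet.com", challenge)
    ad = make_authenticator_data(RP_ID, FLAG_UP, counter=43)
    return verify_assertion(cd, ad, challenge, last_counter=42)


if __name__ == "__main__":
    for fn in (demo_legitimate, demo_lookalike_origin, demo_no_user_verification):
        print(fn.__name__, fn())
```

The origin and rpIdHash checks are what make the FortiToken 410 or phone passkey unusable on a site that merely looks like auth.fortinet.com; the UV flag check is what turns the PIN (or screen lock) set up in the procedures below into something the relying party can actually require rather than trust.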

Use Case

For example, there are two users, John and Todd, in Company A. Bob is the FTC admin for the organization. The company would like to require all end-users in the company to use passkeys, using either the FortiToken 410 USB key or their mobile phones.

To add the FortiToken 410 USB key as the passkey for John, the following must be done:

1. Bob, as the FTC admin, will set a PIN for the FortiToken 410 USB key.

2. Bob will then navigate to Users, search for John and then choose Manage Passkeys.

3. Bob will add the FortiToken 410 USB key to John's profile.

4. John will then get the registered FortiToken 410 USB key from Bob and Bob will share the PIN with him.

5. John will change the PIN for the FortiToken 410 through Security key management in his computer.

6. John can now choose to use 'Login with Registered Passkey' for any SP configured with FTC's IDP Proxy and use FortiToken 410 USB as Passkey.

To add a smartphone as the passkey for Todd, the following must be done:

1. Todd will need to take his phone to Bob.

2. Bob, as the FTC admin, will navigate to Users, search for Todd and then choose Manage Passkeys.

3. Bob will choose an iPhone or Android device to save the passkey, and a QR code will be generated.

4. Todd will then scan the generated QR code with his phone and add the passkey to his device.

5. If Todd is a new employee who gets a company-provided phone, Bob can scan the QR code with Todd's company-provided phone and then give it to Todd.

Note

For this release, end-users are not able to provision their passkeys by themselves. It must be done by the FTC admin. To register their smartphones, end-users must bring their phones to the FTC admin, who scans the generated QR code with their phones.

Register FortiToken 410 USB key in Windows devices

Before registering a USB key, a PIN has to be set up for the key first. The following are sample steps to set up the PIN for a FortiToken 410 key on a Windows 11 machine.

In the use case above, Bob, the FTC admin, needs to set a PIN for the FortiToken 410 USB key to be used by John, using the following steps:

1. After inserting the FortiToken 410 key in a USB slot on the Windows machine, search for 'Setup Security Key' in the Windows taskbar search. Then choose 'Security Key > Sign in to apps with Security key > Manage'.

2. Choose 'Security Key PIN' and set up a PIN for the key.

Steps to register a USB passkey for an end-user:

For the FortiToken 410 USB key to be added as the passkey for John, the FTC admin (Bob in this case) must do the following:

1. Navigate to Users > search for the user (John in this example).

2. Click the 3 vertical dots on the right end of the row and choose 'Manage Passkey'.

3. Provide a name for the passkey (e.g., ftk-410 in the example shown in the following screenshot).

4. Choose Security Key in the Windows prompt.

5. Provide the PIN for the FortiToken 410 configured in the section "Register FortiToken 410 USB key in Windows devices" (at the beginning of this section).

6. Once the PIN is authenticated, the system will prompt you to touch the security key. Press the button on the FortiToken 410 key.

7. Once the key is successfully registered, the key appears on the screen, as illustrated in the following image.

Authenticate with the USB passkey in IDP proxy

1. Before trying to authenticate with any SP, user John will first change the PIN that Bob shared for the FortiToken 410 key. After inserting the FortiToken 410 key in a USB slot on the machine, John should search for 'Setup Security Key' in the Windows taskbar search. Then choose 'Security Key > Sign in to apps with Security key > Manage'. Provide the existing PIN that Bob shared and then update the PIN to a new one.

2. After successfully changing the PIN, open any SP configured with FTC's IDP proxy.

3. After successfully authenticating with the external identity provider to access a service provider, the user (John in this case) will be presented with the auth.fortinet.com page from FTC for MFA. Choose 'Login with Registered Passkey'.

4. Choose 'Security key' to use the FortiToken 410 USB passkey.

5. Provide the PIN for the FortiToken 410 passkey.

6. After the PIN is validated, follow the instructions and touch the FortiToken 410 passkey.

7. After that step succeeds, the user will be logged in.

Steps to register phone passkeys for an end-user:

For a phone to be added as the passkey for user Todd, the FTC admin (Bob) follows these steps in the GUI:

1. Navigate to Users > search for the user (Todd in this example) and choose 'Manage Passkeys'.

2. Provide a name for the passkey ('android' in the following screenshot).

3. Choose 'iPhone, iPad or Android device' from the Windows prompt.

4. Ensure Bluetooth is enabled on both your computer and the phone, and scan the QR code. In this case, user Todd's phone will be used to scan the QR code.

5. The phone will automatically prompt for your screen lock or whatever other protection mechanism is configured on the phone. Follow the instructions on the phone to add the passkey.

6. Once the phone is successfully added, the following confirmation will appear on the FTC portal screen for admin Bob.

Authentication with a Phone Passkey in IDP proxy

1. After successfully authenticating with the external identity provider on his computer for a configured service provider, the user (Todd in this case) will be presented with the auth.fortinet.com page from FTC for MFA. Choose 'Login with Registered Passkey'.

2. As the phone is being used for the first time after provisioning, a QR code will pop up. Todd will scan the QR code.

3. Follow the instructions on the phone to provide the screen lock or other authentication mechanism configured on the phone, and the phone will be registered successfully.

4. After the steps on the phone are completed successfully, Todd will be able to log in to the service provider.

5. Now that the Android phone is registered with Todd's computer, when Todd tries to log in the next time, his phone will be listed as one of the choices (moto g stylus 5G (2022) in the following screenshot).

6. Choosing the phone will send a notification to the phone, and the user will then have to provide the screen lock or other authentication mechanism configured on the phone to authenticate.

Logs for Passkeys

Management Logs:

The FTC admin can view all the management logs by navigating to Logs > Management. In the Filter option, passkey logs can be filtered by choosing the resource as 'Passkey'.

Detailed logs for each row can be viewed by clicking on the Details icon.

Authentication Logs

The FTC admin can view all the management logs by navigating to Logs > Management. In the Filter option, choose 'verify passkey auth response' against Action to narrow the search to passkey auth responses.

Click on the Details icon on any row to view detailed log information.

Delete PassKey

There are two ways to delete passkeys. The following are the options.

Delete from User Management

1. Navigate to Users, search for the user and click 'Manage Passkeys'. Click on the 'X' against the passkey and you will get a confirmation prompt.

2. Click on 'Yes' and the passkey will be deleted.

Delete from Passkey Management

1. Navigate to 'Token > Passkey'. Choose the passkey to be deleted and click on 'Delete'. Click on 'Yes' in the confirmation prompt to have the passkey deleted.
