mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
8f05846e21
This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
75 lines
2.9 KiB
Markdown
---
layout: default
title: Security Keys
nav_order: 2
parent: Second Factor
grand_parent: Features
---

# Security Keys

**Authelia** supports hardware-based second factors leveraging [FIDO2] [Webauthn] compatible security keys such as
[YubiKey]s.

Security keys are among the most secure second factors. This method is already supported by many major applications and
platforms like Google, Facebook, GitHub, some banks, and many more.

<p align="center">
<img src="../../images/yubikey.jpg" width="150">
</p>

Normally, the protocol requires your security key to be enrolled on each site before being able to authenticate with it.
Since Authelia provides Single Sign-On, your users will need to enroll their device only once to get access to all your
applications.

<p align="center">
<img src="../../images/REGISTER-U2F.png" width="400">
</p>

After having successfully passed the first factor, select the *Security Key* method and click the *Register device* link.
This will send you an email to verify your identity.

*NOTE: This e-mail has likely been sent to the mailbox at https://mail.example.com:8080/ if you're testing Authelia.*

Confirm your identity by clicking on **Register** and you'll be asked to touch the token of your security key to
complete the enrollment.

Upon successful enrollment, you can authenticate using your security key by simply touching the token again when
requested:

<p align="center">
<img src="../../images/2FA-U2F.png" width="400">
</p>

Easy, right?!

## FAQ

### Can I register multiple FIDO2 Webauthn devices?

At present this is not possible in the frontend. However, the backend technically supports it. We plan to add this to the
frontend in the near future. Subscribe to [this issue](https://github.com/authelia/authelia/issues/275) for updates.

### Can I perform a passwordless login?

Not at this time. We will tackle this at a later date.

### Why don't I have access to the *Security Key* option?

The [Webauthn] protocol is a new protocol that is only supported by modern browsers. If the option is not available to
you in **Authelia**, please ensure your browser is up to date, supports [Webauthn], and that the feature is not disabled.

### Can my FIDO U2F device operate with Authelia?

At the present time there is no plan to support [FIDO U2F] within Authelia. We do implement a backwards-compatible appid
extension within **Authelia**; however, this only works for devices registered before the upgrade to the [FIDO2] [Webauthn]
protocol.

If there were sufficient interest in supporting registration of old U2F / FIDO devices in **Authelia**, we would consider
adding support for this after or at the same time as the multi-device enhancements.

[FIDO U2F]: https://www.yubico.com/authentication-standards/fido-u2f/
[FIDO2]: https://www.yubico.com/authentication-standards/fido2/
[Webauthn]: https://www.yubico.com/authentication-standards/webauthn/
[YubiKey]: https://www.yubico.com/products/yubikey-5-overview/
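
The appid compatibility mentioned in the FIDO U2F answer above changes one server-side check: per the Webauthn specification, when the client reports the `appid` extension output as true, the `rpIdHash` in the authenticator data is the SHA-256 of the legacy U2F AppID rather than of the RP ID. The following Go program is an added example, not Authelia's own code; the function names and the `auth.example.com` values are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Minimum authenticator data: rpIdHash (32) + flags (1) + signCount (4).
const minAuthDataLen = 37

// VerifyRPIDHash checks the rpIdHash at the start of authenticator data.
// appidUsed is the "appid" client extension output of the assertion: when it
// is true the key was registered through FIDO U2F, so the hash covers the
// legacy AppID instead of the Webauthn RP ID.
func VerifyRPIDHash(authData []byte, rpID, appID string, appidUsed bool) error {
	if len(authData) < minAuthDataLen {
		return errors.New("authenticator data too short")
	}
	scope := rpID
	if appidUsed {
		if appID == "" {
			return errors.New("appid output set but no AppID configured")
		}
		scope = appID
	}
	want := sha256.Sum256([]byte(scope))
	if subtle.ConstantTimeCompare(authData[:32], want[:]) != 1 {
		return fmt.Errorf("rpIdHash does not match %q", scope)
	}
	return nil
}

// buildAuthData constructs sample authenticator data for the given scope:
// rpIdHash, flags 0x01 (user present), signature counter 1.
func buildAuthData(scope string) []byte {
	h := sha256.Sum256([]byte(scope))
	return append(h[:], 0x01, 0x00, 0x00, 0x00, 0x01)
}

func main() {
	// Constructed values (hypothetical deployment), not taken from the page.
	const rpID, appID = "auth.example.com", "https://auth.example.com"
	legacy := buildAuthData(appID) // assertion from a key enrolled via U2F
	modern := buildAuthData(rpID)  // assertion from a key enrolled via Webauthn
	fmt.Println("legacy key, appid output true: ", VerifyRPIDHash(legacy, rpID, appID, true))
	fmt.Println("modern key, appid output false:", VerifyRPIDHash(modern, rpID, appID, false))
	fmt.Println("legacy key, appid output false:", VerifyRPIDHash(legacy, rpID, appID, false))
}
```

The third call fails on purpose: an assertion scoped to the AppID is only acceptable when the client actually reported the `appid` extension as used.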