2.7 Configuring MyID for FIDO logon
If you want to allow people to log on to your MyID system using their registered FIDO authenticators, you can configure MyID to allow this feature.
Configuring FIDO logon requires the following:
-
Setting up global configuration options for FIDO logon.
-
Configuring individual roles for FIDO logon.
Note: You are recommended to restrict logon to multi-factor authenticators; MyID allows you to differentiate between Basic assurance authenticators and High assurance authenticators. If you allow logon for Basic assurance authenticators, you are recommended to allow those users access only to read-only features with limited scope.
2.7.1 Setting the FIDO logon configuration options
You can enable or disable FIDO logon globally using the configuration options.
To enable or disable FIDO logon:
-
Log on to MyID Desktop as an administrator.
-
From the Configuration category, select Security Settings.
-
On the Logon Mechanisms tab, set the following options:
-
FIDO Basic Assurance Logon – set this option to Yes to enable logon to MyID with a FIDO authenticator that has been issued with a credential profile where the Assurance Level is set to Basic.
-
FIDO High Assurance Logon – set this option to Yes to enable logon to MyID with a FIDO authenticator that has been issued with a credential profile where the Assurance Level is set to High.
-
-
Click Save changes.
2.7.2 Setting up FIDO logon mechanisms
For each role in MyID, you can decide whether people who have been assigned that role can log on to MyID using their registered FIDO authenticator and access the features that are configured for that role.
Note: If a person has multiple roles, but has a FIDO logon mechanism configured for only some of them, when they log on to MyID using their FIDO authenticator they can access only those features that are configured for the roles that have the FIDO logon mechanism configured. For example, if Susan has a Cardholder role with access to View Person, and Reporter role with access to Management Information Reports, if only the Cardholder role has a FIDO logon mechanism configured, when she logs on to MyID using her FIDO authenticator, she can access only View Person; to access her reports, she must log on with a smart card.
-
Log on to MyID Desktop as an administrator.
-
From the Configuration category, select Edit Roles.
-
Click Logon Methods.
The Logon Mechanisms screen appears.
-
For each role you want to be able to log on to MyID using FIDO, select one of the following options:
-
FIDO Basic Assurance – access to the features configured for this role is allowed when logging on with a FIDO authenticator that has been issued with a credential profile where the Assurance Level is set to Basic.
-
FIDO High Assurance – access to the features configured for this role is allowed when logging on with a FIDO authenticator that has been issued with a credential profile where the Assurance Level is set to High.
-
-
Click OK.
-
Click Save Changes.
MyID is now configured for logon using FIDO authenticators. For information on using FIDO authenticators to log on, see section 3.4, Logging on to MyID with FIDO authenticators.