5.1 Setting up a passkey credential profile for the MyID Operator Client
To set up a credential profile for passkeys that you can use for requests made in the MyID Operator Client:
1. Log on to MyID Desktop as an administrator.
2. From the Configuration category, select Credential Profiles.
3. Click New.
4. In the Card Encoding list, select FIDO Authenticator (Only).
   Note: Most other options are disabled. The Derived Credential option is not disabled; however, it is used only for requests made through the Self-Service Request Portal. See section 5.2, Setting up a passkey credential profile for the Self-Service Request Portal.
5. In the Services section, you can set the following:
   - MyID Logon – select this option if you want to be able to log on to MyID with the authenticator.
   Note: The MyID Encryption option is disabled. You cannot use a passkey to store an encryption certificate.
6. In the Issuance Settings section, the following options are available:
   - Validate Issuance
   - Validate Cancellation – do not select this option. Validating cancellation is not supported with passkeys, and setting this option may result in being unable to cancel the device.
   - Lifetime
   - Credential Group
   - Block Multiple Requests for Credential Group
   - Cancel Previously Issued Device
   - Enforce Photo at Issuance – do not select this option. Request checks are performed for passkeys, but issuance checks are not; instead of standard MyID issuance, authenticators use a FIDO-specific registration process.
   - Notification Scheme
   - Require user data to be approved
   See the Working with credential profiles section in the Administration Guide for details of these options.
   You must also set the following option:
   - Generate Code on Request – set this to one of the following options:
     - Simple Logon Code – the FIDO registration code is generated using the complexity rules as defined by the Simple Logon Code Complexity configuration option on the Auth Code tab of the Security Settings workflow.
       By default, this is 12-12N, which means a 12-digit number.
     - Complex Logon Code – the FIDO registration code is generated using the complexity rules as defined by the Complex Logon Code Complexity configuration option on the Auth Code tab of the Security Settings workflow.
       By default, this is 12-12ULSN[BGIlOQDSZ], which means a 12-character code containing upper case, lower case, special characters, and numbers, with a set of commonly-confused characters excluded.
     Important: Do not select None. MyID must generate a FIDO registration code to be used in the passkey registration process.
     For more information about the format of these codes, see the Setting up logon codes section in the Administration Guide.
7. In the FIDO Settings section, set the following:
   - Assurance Level – select one of the following options:
     - Basic – the passkey uses single factor authentication, and is suitable for use with some external systems, but not for access to crucial systems.
     - High – the passkey uses multi-factor authentication, and is suitable for use with secure systems, such as logging on to MyID.
     You are recommended to set Assurance Level to High only when you have also set the User Verification to Required.
     MyID differentiates between passkeys that have been issued with a credential profile where the Assurance Level is set to Basic or High – for example, you can enable logon to MyID for FIDO High Assurance, but disable logon for FIDO Basic Assurance. See section 2.6, Configuring MyID for logon with passkeys for details.
   - User Verification – select one of the following options:
     - Required – the passkey supports two-factor authentication. If the authenticator does not support two-factor authentication, it cannot be registered.
     - Preferred – the passkey will use two-factor authentication if the authenticator supports that feature, but will still be registered if it supports only one-factor authentication.
     - Discouraged – the passkey will use single-factor authentication, unless the authenticator cannot work without multi-factor authentication.
   - Authenticator Type – select one of the following options:
     - Internal – you can issue this credential profile to internal passkeys; for example, authenticators included in mobile devices such as cell phones.
     - Removable – you can issue this credential profile to external removable authenticators; for example, USB tokens or smart cards.
     - Internal or Removable – you can issue this credential profile to internal or removable passkeys.
   - Require Client Side Discoverable Key – select this option to ensure that the passkey supports Resident Keys. If you select this option, and the passkey supports client side discoverable keys, you can choose not to provide the username manually when using the passkey to log on to MyID; see section 6.5, Signing in to MyID CMS with a passkey.
   - Require Attestation – select the level of attestation check to carry out during the registration process:
     - None – do not carry out any attestation checks.
     - Basic – carry out an attestation check during the registration process.
     - Basic (Restricted) – carry out an attestation check during the registration process, using only a local metadata repository (either MDSCacheDirPath or MDSCacheDirPathEnterprise).
       See section 2.3.1, Setting up a local metadata repository for details.
     - Enterprise – carry out an enterprise attestation check during the registration process.
       MyID attempts to extract an enterprise attestation serial number from the attestation certificate. If it cannot obtain a serial number, it uses the data from a local metadata repository that is configured using the MDSCacheDirPathEnterprise path for the attestation check.
       See section 4, Enterprise attestation for details of enterprise attestation.
     - Enterprise (Restricted) – carry out an enterprise attestation check during the registration process, using only the data from a local metadata repository that is configured using the MDSCacheDirPathEnterprise path for the attestation check.
     Note: In previous releases, this was a single option labeled Enforce Authenticator Attestation Check. If you upgrade from a system that used this option, any credential profiles that did not have this option selected are set to None, and those that did have this option selected are set to Basic.
   - Immediate registration via Self-Service Request Portal – used only for requests made through the Self-Service Request Portal. See section 5.2, Setting up a passkey credential profile for the Self-Service Request Portal.
   - Authentication Server – select the authentication server for your passkeys.
     By default, this is set to MyID CMS, which means that you use MyID as the authentication server for your FIDO devices.
     If you are using an external authentication server for your passkeys (for example, Entra), select the name of the external system you created from the drop-down list.
   - Automatically Revoke at Expiry – if you have selected an Authentication Server other than MyID CMS, you can specify that you want the passkey to be revoked automatically when it expires. At the credential expiry time, MyID cancels the credential in both MyID and on the external authentication server.
     Note: The expiry cancellation job runs every 30 minutes, so there may be a delay between the expiry time and the actual revocation.
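The FIDO Settings and the do-not-select caveats in this section, expressed as a profile linter and as the standard WebAuthn registration options those settings correspond to. This is an added example, not MyID's code: the profile object shape is invented for illustration, and the mapping to WebAuthn authenticatorSelection and attestation values is the standard one, not taken from MyID's implementation.

```javascript
// Added example, not MyID's own code: lint a passkey credential profile against the
// rules in this section and translate its FIDO Settings into the standard WebAuthn
// registration option values. Assumptions: the profile object shape is invented, and
// the mapping to WebAuthn values is the standard one, not MyID's internal behaviour.
const USER_VERIFICATION = { Required: 'required', Preferred: 'preferred', Discouraged: 'discouraged' };
const ATTACHMENT = { Internal: 'platform', Removable: 'cross-platform', 'Internal or Removable': null };
const ATTESTATION = {
  None: 'none', Basic: 'direct', 'Basic (Restricted)': 'direct',
  Enterprise: 'enterprise', 'Enterprise (Restricted)': 'enterprise',
};

// Returns the list of problems found; an empty list means the profile follows this section's rules.
function lintProfile(p) {
  const problems = [];
  if (p.cardEncoding !== 'FIDO Authenticator (Only)') problems.push('Card Encoding must be FIDO Authenticator (Only)');
  if (p.validateCancellation) problems.push('Validate Cancellation is not supported with passkeys');
  if (p.enforcePhotoAtIssuance) problems.push('Enforce Photo at Issuance is not applied to FIDO registration');
  if (p.generateCodeOnRequest === 'None') problems.push('Generate Code on Request must not be None');
  if (!(p.userVerification in USER_VERIFICATION)) problems.push(`unknown User Verification: ${p.userVerification}`);
  if (!(p.authenticatorType in ATTACHMENT)) problems.push(`unknown Authenticator Type: ${p.authenticatorType}`);
  if (!(p.requireAttestation in ATTESTATION)) problems.push(`unknown Require Attestation: ${p.requireAttestation}`);
  if (p.assuranceLevel === 'High' && p.userVerification !== 'Required')
    problems.push('Assurance Level High is recommended only with User Verification Required');
  if (p.automaticallyRevokeAtExpiry && p.authenticationServer === 'MyID CMS')
    problems.push('Automatically Revoke at Expiry applies only to an external Authentication Server');
  return problems;
}

// Translates the FIDO Settings into the authenticatorSelection and attestation members
// of PublicKeyCredentialCreationOptions; challenge, rp and user are supplied at registration time.
function toCreationOptionsFragment(p) {
  const problems = lintProfile(p);
  if (problems.length) throw new Error(problems.join('; '));
  const authenticatorSelection = { userVerification: USER_VERIFICATION[p.userVerification] };
  if (ATTACHMENT[p.authenticatorType]) authenticatorSelection.authenticatorAttachment = ATTACHMENT[p.authenticatorType];
  if (p.requireDiscoverableKey) {
    authenticatorSelection.residentKey = 'required';
    authenticatorSelection.requireResidentKey = true; // WebAuthn Level 1 name, kept for older clients
  }
  return { authenticatorSelection, attestation: ATTESTATION[p.requireAttestation] };
}

// Constructed sample profile following the recommendations in this section.
const sampleProfile = {
  cardEncoding: 'FIDO Authenticator (Only)', validateCancellation: false, enforcePhotoAtIssuance: false,
  generateCodeOnRequest: 'Complex Logon Code', assuranceLevel: 'High', userVerification: 'Required',
  authenticatorType: 'Internal or Removable', requireDiscoverableKey: true, requireAttestation: 'Basic',
  authenticationServer: 'MyID CMS', automaticallyRevokeAtExpiry: false,
};
```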
8. In the Requisite User Data section, set any user attributes that you want to require for the people who will request passkeys.
   For example, as the FIDO notification is sent as an email, you are recommended to select Email in the Required for Request column.
   If you have configured your system to send the registration code in an SMS, you are recommended to select Mobile in the Required for Request column.
   For more information about this feature, see the Requisite User Data section in the Administration Guide.
9. Click Next.
10. In the Select Roles screen, select the roles you want to be able to receive, request, or validate FIDO registrations.
    - Make sure that people who will receive the passkey have a role that is selected in the Can Receive list.
    - Make sure that operators who will request passkeys have a role that is selected in the Can Request list.
    - If you have selected the Validate Issuance option, make sure that operators who will approve requests for passkeys have a role that is selected in the Can Validate list.
    Note: You do not need to select any roles in the Can Collect list. Collecting passkeys is carried out by the person who is receiving the authenticator using a self-service registration process.
11. Click Next.
12. Type your Comments, then click Next to save the credential profile and complete the workflow.