5.2 Setting up a passkey credential profile for the Self-Service Request Portal

To set up a credential profile for FIDO authenticators that you can use for requests made in the Self-Service Request Portal:

  1. Log on to MyID Desktop as an administrator.

  2. From the Configuration category, select Credential Profiles.

  3. Click New.

  4. Type a Name and Description for the credential profile.

  5. Optionally, type a Device Friendly Name.

    For Entra passkeys, if the credential profile has a Device Friendly Name, it is used as the device name in Entra, truncated to 30 characters (an Entra limitation). If the credential profile does not have a Device Friendly Name, the name in Entra is set to MyID Passkey.

  6. In the Card Encoding list, select the following:

    • Derived Credential

    • FIDO Authenticator (Only)

    Note: The other options are disabled.

  7. In the Services section, you can set the following:

    • MyID Logon – select this option if you want to be able to log on to MyID with the authenticator.

    Note: The MyID Encryption option is disabled. You cannot use a FIDO Authenticator to store an encryption certificate.

  8. In the Issuance Settings section, the following options are available:

    • Validate Issuance

    • Validate Cancellation – do not select this option. Validating cancellation is not supported with FIDO authenticators, and setting this option may result in being unable to cancel the device.

    • Lifetime

    • Credential Group

    • Block Multiple Requests for Credential Group

    • Cancel Previously Issued Device

    • Enforce Photo at Issuance – do not select this option. Request checks are performed for FIDO authenticators, but issuance checks are not; instead of standard MyID issuance, authenticators use a FIDO-specific registration process.

    • Notification Scheme

    • Require user data to be approved

    See the Working with credential profiles section in the Administration Guide for details of these options.

    You must also set the following option:

    • Generate Code on Request – set this to one of the following options:

      • Simple Logon Code – the FIDO registration code is generated using the complexity rules as defined by the Simple Logon Code Complexity configuration option on the Logon tab of the Security Settings workflow.

        By default, this is 12-12N, which means a 12-digit number.

      • Complex Logon Code – the FIDO registration code is generated using the complexity rules as defined by the Complex Logon Code Complexity configuration option on the Auth Code tab of the Security Settings workflow.

        By default, this is 12-12ULSN[BGIlOQDSZ], which means a 12-character code containing upper case, lower case, special characters, and numbers, with a set of commonly confused characters excluded.

      Important: Do not select None. MyID must generate a FIDO registration code to be used in the FIDO authenticator registration process.

      For more information about the format of these codes, see the Setting up logon codes section in the Administration Guide.

  9. In the FIDO Settings section, set the following:

    • Assurance Level – select one of the following options:

      • Basic – the FIDO authenticator is used as a single-factor credential, and is suitable for use with some external systems, but not for access to crucial systems.

      • High – the FIDO authenticator is used as a multi-factor credential, and is suitable for use with secure systems, such as logging on to MyID.

        You are recommended to set Assurance Level to High only when you have also set User Verification to Required; with Preferred or Discouraged, an authenticator that cannot verify the user can still be registered against a High assurance profile.

      MyID differentiates between FIDO authenticators that have been issued with a credential profile where the Assurance Level is set to Basic or High – for example, you can enable logon to MyID for FIDO High Assurance, but disable logon for FIDO Basic Assurance. See section 2.6, Configuring MyID for logon with passkeys for details.

    • User Verification – select one of the following options:

      • Required – the authenticator must perform user verification (for example, a PIN or biometric, in addition to the test of user presence), giving two-factor authentication. If the authenticator does not support user verification, it cannot be registered.

      • Preferred – the authenticator performs user verification if it supports that feature, but is still registered if it supports only single-factor authentication.

      • Discouraged – the authenticator uses single-factor authentication, unless it cannot operate without user verification.

    • Authenticator Type – select one of the following options:

      • Internal – you can issue this credential profile to internal FIDO authenticators; for example, authenticators included in mobile devices such as cell phones.

      • Removable – you can issue this credential profile to external removable authenticators; for example, USB tokens or smart cards.

      • Internal or Removable – you can issue this credential profile to internal or removable FIDO authenticators.

    • Require Client Side Discoverable Key – select this option to ensure that the FIDO authenticator supports resident keys (also called client-side discoverable credentials). If you select this option, and the FIDO authenticator supports client side discoverable keys, you can choose not to provide the username manually when using the FIDO authenticator to log on to MyID; see section 6.5, Signing in to MyID CMS with a passkey.

    • Require Attestation – select the level of attestation check to carry out during the registration process:

      • None – do not carry out any attestation checks.

      • Basic – carry out an attestation check during the registration process.

      • Basic (Restricted) – carry out an attestation check during the registration process, using only a local metadata repository (either MDSCacheDirPath or MDSCacheDirPathEnterprise).

        See section 2.3.1, Setting up a local metadata repository for details.

      • Enterprise – carry out an enterprise attestation check during the registration process.

        See section 4, Enterprise attestation for details of enterprise attestation.

      • Enterprise (Restricted) – carry out an enterprise attestation check during the registration process, using only a local metadata repository that is configured using the MDSCacheDirPathEnterprise path.

      Note: In previous releases, this was a single option labeled Enforce Authenticator Attestation Check. If you upgrade from a system that used this option, any credential profiles that did not have this option selected are set to None, and those that did have this option selected are set to Basic.

    • Immediate registration via Self-Service Request Portal – select this option if you want to register the authenticator immediately when the cardholder makes the request in the Self-Service Request Portal. If you do not select this option, MyID sends the standard registration messages, and the person can register their authenticator later.

      Important: If you are using Entra for authentication for your passkeys, you must select this option. If you do not, instead of registering the device immediately, SSRP displays a message that a request has been created and sends an email notification.

    • Authentication Server – select the authentication server for your passkeys.

      By default, this is set to MyID CMS, which means that you use MyID as the authentication server for your FIDO devices.

      If you are using an external authentication server for your passkeys (for example, Entra), select the name of the external system you created from the drop-down list.

    • Automatically Revoke at Expiry – if you have selected an Authentication Server other than MyID CMS, you can specify that you want the passkey to be revoked automatically when it expires. At the credential expiry time, MyID cancels the credential in both MyID and on the external authentication server.

      Note: The expiry cancellation job runs every 30 minutes, so there may be a delay between the expiry time and the actual revocation.

  10. In the Requisite User Data section, set any user attributes that you want to require for the people who will request FIDO authenticators.

    For example, if you are not using immediate registration, because the FIDO registration notification is sent by email, you are recommended to select Email in the Required for Request column.

    If you have configured your system to send the registration code in an SMS, you are recommended to select Mobile in the Required for Request column.

    For more information about this feature, see the Requisite User Data section in the Administration Guide.

  11. Click Next.

  12. In the Select Roles screen, select the Derived Credential Owner role for each of the following:

    • Can Receive

    • Can Request

    • Can Collect

    Note: You do not need to select any of the roles held by the person who will receive the FIDO registration request.

  13. Click Next.

  14. Type your Comments, then click Next to save the credential profile and complete the workflow.