Passkey Login Options and Setup

Quick Links

1. (Optional) Acquire Needed Hardware Components

1. (Optional) Understand Biometric Devices and Operating System Options

2. Enable Hardware Two-Factor Authentication

3. Users Register Their Devices

4. Users Get Backup Codes If Needed

Administrator's User Control Options

Introduction

In addition to the traditional email (user name) and password login option, Provet Cloud also offers various passkey login options. These features use the WebAuthn system.

The hardware login option means using physical tokens (security keys) with an NFC reader connected to a computer. In the simplest configuration, users only need to present the key and enter a 4-digit PIN code to access Provet Cloud. The tokens and NFC readers are not provided by Provet Cloud and need to be bought separately. This option is best suited for shared workstations in the clinic: the clinic can buy one NFC reader for each shared workstation and a security key for every employee who needs access.

With the biometric login option, users can use biometric devices that may already be connected to or integrated into their devices, such as a fingerprint reader on a laptop computer. Apple's Face ID and Touch ID are supported, as are similar features on Windows 10 devices. In the simplest configuration, users only need to use the biometric method and enter a 4-digit PIN code to access Provet Cloud. This option is recommended if users have personal devices that support biometric authentication.

NOTE: Passkey login options have been tested with the Chrome browser on macOS and Windows 10. The options might not work correctly with other browser and operating system combinations.

1. (Optional) Acquire Needed Hardware Components

If you choose to set up the hardware security key option, you will need compatible NFC readers and security keys, which can be purchased directly from the manufacturers or from well-equipped webshops. In theory, built-in NFC readers should work too. The readers should be connected to the workstations that need the functionality.

NFC Readers

Feitian R502-CL - The Recommended Reader

The Feitian R502-CL is a smartcard/NFC reader that has been found to be compatible with contactless WebAuthn verification on Windows 10 devices. It has been tested with both Feitian and Yubico Security Key NFC devices.

The Feitian reader is recommended because it has:

  • Lower price (approx. 27 € vs 40 €, excl. VAT)
  • Longer cord
  • Lack of built-in speakers (doesn't make sounds when cards/keys are read)

TIP: We recommend purchasing directly from Feitian for the lowest possible cost.

ACS ACR1252U - The Alternative Reader

The ACS ACR1252U is an NFC reader that has been found to be suitable for contactless authentication using Windows 10. The ACR1252U (Amazon link) device should be available from various e-shops and local electronics stores. The reader needs to be connected to the computer using a USB connection.

Security Keys

The authentication happens when a physical security key is read by the NFC reader. Every user who needs the functionality needs their own key.

Security Key by Yubico - The Recommended Key

The Security Key NFC by Yubico is the recommended option for this workflow. The key supports both two-factor verification and passwordless logins. The NFC variants can also be used with compatible NFC readers when using Windows 10, or with NFC-enabled smart devices such as iPhones or newer Android phones.

Yubico offers software called YubiKey Manager that lets users reset the hardware PIN code, reset the entire device, or change which interfaces the security key works on (for example, disable NFC).

Note that there have been many versions of the Security Key; the oldest devices lack FIDO2 support and therefore cannot be used for passwordless authentication.

Feitian A4B, K9 and BioPass K26/K27 - The Alternative Keys

The company that produces the recommended NFC reader also builds suitable security keys. The Yubico key is recommended here because it provides better usability: it logs in almost immediately after the PIN code is entered, while the Feitian keys have a 4-second delay.

1. (Optional) Understand Biometric Devices and Operating System Options

If you choose the biometric option, make sure to understand the functions and limitations by device.

Windows 10

Windows 10 computers can be used for two-factor verification or passwordless passkey login using Windows Hello, which supports PIN codes, facial recognition and fingerprint reading. This works either through integrated hardware (e.g. built-in readers in laptop computers) or through external accessories (e.g. webcams with Windows Hello support).

Windows Hello is not recommended for shared Windows user accounts. Using a shared computer where each person has their own Windows user account is fine.

The passkey settings can be managed in Settings > Accounts > Sign-in options. This allows users to set up or change their PIN code, manage stored fingerprints, view saved credentials (for passwordless authentication), manage Windows Hello functions and other features.

Kensington VeriMark Pro Key (K64704)

The VeriMark Pro Key is advertised as a FIDO2-compatible fingerprint reader. It works as a Windows Hello authenticator and is therefore compatible with Windows 10 devices only.

Fingerprints must first be added to a Windows account; only then can they be used for Provet Cloud login. It is not possible to use different fingerprints to log into different Provet Cloud accounts from a single Windows user account. Instead, each user on a computer must have their own Windows account and use it for login.

This device is recommended if you want to implement Windows Hello login on computers with no built-in fingerprint reader or compatible webcam for facial recognition. It should not be purchased as a portable biometric security key; the upcoming YubiKey Bio would be a better candidate for that type of implementation. YubiKey Bio is currently available only through a closed preview program.

Apple Devices

Apple's Face ID and Touch ID features are available for passkey login, providing facial recognition and fingerprints options respectively. Refer to your device manual to see which features are supported.

Google Chrome on Apple Devices allows users to manage their web authenticators in Settings > Privacy and security > Security > Manage security keys.

This allows users to set up or change their PIN code, manage stored fingerprints, view saved credentials (for passwordless authentication) and completely reset the device if needed.

2. Enable Hardware Two-Factor Authentication

The main control area can be accessed from Settings > Users > Password settings. There are two relevant settings there, with several modes to choose from. These settings apply to the whole organisation.


Enable hardware two-factor authentication (Web Authentication) - This setting enables both hardware and biometric passkey login options.

Web Authentication mode - This allows you to select between the login options described below.

Two-factor verification only - In this mode, the users need to enter their email (user name) and password normally for login, AND verify with one of the passkey methods available for them.

Two-factor verification and passwordless login - In this mode, the users can either use their email (user name) and password login method normally WITH additional verification required OR login using the authenticator only (passkey method available for them).

Passwordless login only - In this mode, the user can log in with the email (user name) and password normally, OR use just the authenticator (passkey method available for them).

Mode                         | Email and password login              | Authenticator login
Two-factor only (default)    | Possible, authenticator required      | Not possible
Two-factor and passwordless  | Possible, authenticator required      | Possible
Passwordless only            | Possible, authenticator not required  | Possible

3. Users Register Their Devices

Once two-factor authentication has been enabled as described above, users can register new devices and manage existing ones from their user profile page, which is accessed from the menu that opens from their user name in the top-right corner.

On the user profile page, there is a section called 'Multi-factor authentication'. They can see the registered devices there or add a new device using the 'Register device' button.

They can also remove or edit any existing authenticators. Note that deleting a passkey authenticator in Provet Cloud does not remove the credential from the authenticator's own memory; device-dependent methods must be used to delete the credential from the device if desired.


Password - Once they opt to register a new device, a new dialogue opens. They must first confirm their existing Provet Cloud user password before a device can be registered.

Passwordless option - Next, they can decide if the login will be passwordless or not. This is recommended for ease of use, but it might not work with all devices. Note that if the passwordless option is enabled, it cannot be disabled without removing and registering the device again.

Authenticator type - Finally, they can choose whether they are adding a portable authenticator like the YubiKey+NFC reader mentioned above, or an on-device authenticator like a fingerprint reader or Face ID. As the info text says, a portable authenticator can be moved between computers, but an on-device authenticator's data will be stored on the device itself (Windows Hello, Apple's Touch ID).

Nickname - Note that a nickname can also be given to the device, but only by editing the device after the initial registration.


4. Users Get Backup Codes If Needed

To help users who are locked out of their account because the passkey authentication fails for some reason, a backup code function is provided. Backup codes are a set of 10 case-sensitive, 8-character alphanumeric codes that can be used to bypass the passkey verification after the user has entered their email (user name) and password correctly.

Backup codes can be generated from the user's profile page. A button for this appears next to the device registration button once at least one device has been added.

A dialogue shows the codes and also allows generating new codes if the codes are all used or compromised. The backup codes should be stored externally, in a safe but easily accessible place for the user.

NOTE: The backup code option is not visible on the user profile page if the passwordless-only option is used as users can log in normally with their email (user name) and password if the device is not available or does not work.
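As an added illustration (not Provet Cloud's code; the article does not describe its internals), the following Python sketch shows how a server can issue and redeem backup codes with the properties described above: ten codes of eight case-sensitive alphanumeric characters, each usable once, stored only as hashes, and replaced as a whole set when they are used up or compromised. The class and function names are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import string

# Parameters as described in the article: 10 codes, 8 case-sensitive alphanumerics each.
CODE_COUNT = 10
CODE_LENGTH = 8
ALPHABET = string.ascii_letters + string.digits  # 62 symbols, case matters
KDF_ITERATIONS = 20_000  # illustrative; raise for production use


def generate_codes(count=CODE_COUNT, length=CODE_LENGTH):
    """Return fresh plaintext backup codes, drawn from a CSPRNG; shown to the user once."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def _digest(code, salt):
    # Slow, salted hash: an 8-character code has limited entropy, so a leaked
    # table of plain SHA-256 digests would be cheap to brute-force offline.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, KDF_ITERATIONS)


class BackupCodeStore:
    """Per-user server-side record. Only digests are kept; each code is single-use."""

    def __init__(self):
        self.salt = b""
        self.digests = set()

    def issue(self):
        """Generate a new set, discarding any previous codes (used or compromised)."""
        self.salt = secrets.token_bytes(16)
        codes = generate_codes()
        self.digests = {_digest(c, self.salt) for c in codes}
        return codes

    def redeem(self, candidate):
        """Consume a code after email+password already succeeded. True at most once per code."""
        if len(candidate) != CODE_LENGTH or not self.digests:
            return False
        d = _digest(candidate, self.salt)
        match = next((s for s in self.digests if hmac.compare_digest(s, d)), None)
        if match is None:
            return False
        self.digests.discard(match)  # burn it so the same code cannot be replayed
        return True

    def remaining(self):
        return len(self.digests)
```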


Administrator's User Control Options

Administrators with user management rights can check and control users' multi-factor authenticators by opening a user's profile from Settings > Users.

By selecting the 'Reset the two-step authentication information' option and saving, all of the user's devices are removed, and the user can rebuild their setup by logging in normally with their email (user name) and password.


See Also

Two-Factor Authentication Setup and Management
