Centrally Manage FIDO2 Authenticators

Versasec FIDO2 Enterprise enables organizations to centrally manage FIDO2 hardware-device-bound passkeys and provide a friendly self-service experience.

Deploy FIDO2 passwordless authenticators (smart cards and security keys) seamlessly, at scale, and with complete control.

Challenges

  • As users increasingly log in to web applications, passwords are becoming a leading cause of identity theft and security breaches.
  • To address this, FIDO2 security devices offer passwordless, phishing-resistant authentication. This helps prevent account takeovers and unauthorized access to sensitive resources, such as web applications and Windows endpoints.
  • However, in the workplace, mass deployment and management of FIDO2 devices and passkeys present challenges.
  • Organizations require control over their devices, including tracking status and visibility into deployment coverage.
  • Additionally, they need recovery options, centralized revocation, user issuance, and comprehensive lifecycle management.
  • Finally, they seek streamlined self-service capabilities, including PIN management.

Solution

Versasec developed its FIDO2 Enterprise features in partnership with leading FIDO2 security device manufacturers, creating a leading solution in the market. Now organizations can:

  • Allow only enterprise-approved authenticators or security devices.
  • Enjoy strong temporary replacement authentication for misplaced FIDO authenticators.
  • Ensure credential reuse and recovery with user-friendly PIN changes.
  • Prevent denial of service (remote or local attack) with restricted resets. Employees or attackers cannot reset authenticators.
  • Enable role-based and department-specific credential management, allowing each role or department to manage only their designated tasks and users.
  • Establish clear IT desk best practices and repeatable workflows.
  • Confidently manage remote office devices.
  • Maintain audit trails and become compliant with industry regulations.

Free Evaluation

Isn’t it time to start managing your organization’s security effectively? Download a free evaluation version of our powerful vSEC:CMS and see how quickly and easily you can keep your company safe. Register to download Versasec software.


Schedule a Demo

Talk to our experts about your business requirements, current ecosystem, and plans for the future. Let us walk alongside your IT business priorities, and make the most out of your IAM investments.

Versasec FIDO2 Enterprise

Set Up (Installation and Configuration)

  • FIDO2 device stock inventory
  • Multiple IdP (identity provider) passkey management.
  • Overview of FIDO2 device and passkey status in a single pane of glass.
  • Allow List – define which RPs/sites the FIDO2 device can be used with. The Allow List is stored on the device and can be securely managed by the system administrator.

Issuance

  • Basic issuance by user.
  • Remote pre-registration of passkey by admin, ready for user to activate.
  • Issuance by admin (on behalf of user), for remote user and in-person.
  • Require the user to change the PIN on first use.
  • FIDO2 device configuration (set minimum PIN length, block reset, allow list, and more)

Automation

  • Set quick workflows (example: set PIN policy, generate passkey, and update IdP in one flow).
  • Batch issuance and revocation on behalf of users.
  • Set up customized self-service for users to start the process with one click on a link.
  • Advanced – combine enrollment with physical access, PKI, and other use cases.
  • FIDO2 smart card printing.

Self-Service

  • Issuance and revocation.
  • Change PIN.
  • Unblock PIN to instantly restore device functionality, without needing to reset the FIDO device. All existing device credentials and configurations remain intact.
  • Self-service tasks performed from the Windows login screen.
  • Advanced – combine enrollment with physical access, PKI, and other use cases.

Security

  • Set a FIDO2 device PIN.
  • Set the FIDO2 device minimum PIN length.
  • Set FIDO2 device to always require PIN verification (even when not required by relying party).
  • On-behalf-of-user passkey management (view and delete all available passkeys, not only those in the identity provider (IdP)).
  • Delete passkey in IdP (identity provider).
  • Perform a FIDO2 device reset (settings, passkeys, and PIN) so the device can be reused and assigned to a different employee.
  • Disable FIDO2 reset – prevent users and attackers from resetting devices and erasing enterprise configuration.
  • Remotely unblock the PIN for the user.
  • List where the FIDO2 device is enrolled for authentication.
  • List all available passkeys for one specific relying party.

vSEC:CMS

Our product suite provides all the software tools to administrate and manage credentials in a secure and convenient way.

Free Product Trial

Versasec provides enabling IT security products centered on the usage of security devices such as smart cards. Our solutions enable customers to securely authenticate, issue and manage user credentials more cost effectively. Get a free product trial.

Job Openings

We are always looking for exceptional new people to join our team! Find out more about our job openings.

New to credential management?

SCMS = Smart Card Management Systems
CMS = Credential Management System
Have a look at the Wikipedia definition of a ‘Smart Card Management System’.

Disable FIDO2 Reset

Prevent users or attackers from resetting devices and erasing enterprise configuration. This is often requested because allowing unauthorized device resets can be seen as a denial-of-service attack vector.

Set Minimum PIN Length

Establish a FIDO2 PIN policy by setting a minimum PIN length.

PIN Unblock

Remotely unblock the PIN to instantly restore device functionality, without needing to reset the FIDO device. All existing device credentials remain intact. Available for the user and admin.

Retrieve RP ID List

List the relying parties (RPs) associated with the passkeys stored on the device to see which sites the device is registered with.

Versasec Supported Credentials & Passwordless Authenticators

Versasec strives to support as many credential types as possible in all of Versasec’s products. Below are the phishing-resistant credentials we support. We hope one fits your enterprise, users, and devices. Not all multi-factors are created equal. Customize based on your organizational needs and goals. We support PIV, PKI, Virtual, Physical Access, Logical Access, combined FIDO+PIV, and FIDO-only credentials. Versasec does not lock you in to one provider; we are credential-agnostic. The number of supported credential types is continuously increasing with every new product version. If you want to manage a different credential that is not currently on our list, please contact us at info@versasec.com.

* Tokens and smart cards with FIDO2

Read about our award-winning credential management software

FAQs

We’re glad you asked! FIDO tokens and smartcards are being added to our supported credentials page monthly. Please contact your Versasec representative for the latest updates and what is coming in the future. If you have any preferences, we’d love to know!

The paradox between FIDO and PKI comes down to the organization’s goals, users, budget, and systems in place. If you’re asking this question, you’re on the right track. Consider using one of our consulting partners in your region if you need further guidance, or our professional services team, specialized in FIDO enterprise orchestration.

You do not have to choose; you can have both, as vSEC:CMS can manage PKI and FIDO combined credentials to solve all authentication and PKI use cases. For more information, watch our FIDO webinar, PIV and FIDO: Defense Against Cyber Threats.

According to the “Recommended Best Practices for Administrators on Identity and Access Management” by the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), “Authentication systems are the front doors to enterprise networks, applications and data. As such, attackers are highly focused on finding and exploiting authentication vulnerabilities.” 

They present a chart ranking the weakest to strongest types of multi-factor authentication. In the weakest, they place SMS or voice MFA. In the middle, app-based MFA, including OTP and mobile-push notifications. At the strongest, phishing-resistant MFA, including public-key infrastructure (PKI) and FIDO. To read more in detail about their conclusions and their advice, read the full article here.

Versasec offers many migration paths (wizard) from other credential management systems (CMS or SCMS). We also provide pre-built paths for:

To migrate to vSEC:CLOUD, customers do not need to be on vSEC:CMS, but can migrate directly from any other CMS/SCMS.

vSEC:CMS Migration Paths

vSEC:CLOUD is a service of our credential management software vSEC:CMS. It is fully subscription-based and deployed in a virtual private cloud, and Versasec will manage server hosting and upgrades for customers of all sizes.

Deploying with Versasec Credential Management

Versasec’s state-of-the-art system is helping enterprises worldwide adopt secure authentication technology for web and app authentication devices in today’s cyber world. Enterprises are saying goodbye to confusion and manual siloed systems and welcoming efficient, simple, and cost-effective core solutions.

Versasec Core Connections

Versasec Ecosystem

Versasec performs at the security core of organizations.

The Core of Identity & Access Management blog post explores the most popular connections facilitated by our innovative systems. Discover how it can revolutionize your enterprise orchestration journey and enhance security within your organization.

Find out more about vSEC:CMS

Implement Highly Secure Identity Management with Versasec and Microsoft Entra ID

Passwords and traditional multifactor authentication (MFA) are no longer sufficient for keeping identities secure. Many businesses want to upgrade to stronger credential strategies but are not sure where to start.

Luckily, adopting phishing-resistant MFA doesn’t have to be complicated.

Effortlessly deploy and manage passwordless identity security across your organization with Versasec’s Credential Management System, vSEC:CMS, and Microsoft Entra ID. In our eBook, The Next Evolution in Credential Security, we explore how organizations can:

  • Implement highly secure identity management with ease.
  • Streamline the deployment of FIDO2 passkeys.
  • Integrate your access security ecosystem.

Comprehensive identity management has never been easier to achieve.

Get Your Copy

Download the eBook to learn more.

Versasec Support

Versasec customers with an existing support and maintenance contract can access the Versasec Support Portal, offering extensive professional support and maintenance services. The Versasec Support Portal offers a variety of services, allowing customers and any site visitor to communicate directly with support engineers.

Visit Support

Company Blog

Our blog addresses the latest security trends and stories. The posts discuss how identity and access management are playing a larger role in keeping corporate data safe as well as brand reputations intact.

Visit our Blog