Deploy FIDO2 passwordless authenticators (smart cards and security keys) seamlessly, scalable and with complete control.

Challenges

• As users increasingly log in to web applications, passwords are becoming a leading cause of identity theft and security breaches.
• To address this, FIDO2 security devices offer passwordless, phishing-resistant authentication. This helps prevent account takeovers and unauthorized access to sensitive resources, such as web applications and Windows endpoints.
• However, in the workplace, mass deployment and management of FIDO2 devices and passkeys present challenges.
• Organizations require control over their devices, including tracking status and visibility into deployment coverage.
• Additionally, they need recovery options, centralized revocation, user issuance, and comprehensive lifecycle management.
• Finally, they seek streamlined self-service capabilities, including PIN management.

Solution

Versasec developed FIDO2 Enterprise Features partnering with leading FIDO2 security device manufacturers, creating a leading solution in the market. Now organizations can:

• Allow only enterprise-approved authenticators or security devices.
• Enjoy strong temporary replacement authentication for misplaced FIDO authenticators.
• Ensure credential reuse and recovery with user-friendly PIN changes.
• Prevent denial of service (remote or local attack) with restricted resets. Employees or attackers cannot reset authenticators.
• Enable role-based and department-specific credential management, allowing each role or department to manage only their designated tasks and users.
• Establish IT desk clear best practices and repeatable workflows.
• Confidently manage remote office devices.
• Maintain audit trails and become compliant with industry regulations.

Versasec FIDO2 Enterprise

Set Up (Installation and Configuration)

• FIDO2 device stock inventory
• Multiple IdP (identity provider) passkey management.
• Overview of FIDO2 device and passkey status in a single pane of glass.
• Allow List – define with RP/sites the FIDO2 device can be used. The Allow List is stored on the device and can securely be managed by the system administrator.

Issuance

• Basic issuance by user.
• Remote pre-registration of passkey of admin, ready for user to activate.
• Issuance by admin (on behalf of user), for remote user and in-person.
• Require the user to change the PIN on first use.
• FIDO2 device configuration (set minimum PIN length, block reset, allow list, and more)

Automation

• Set quick workflows (example: set PIN policy, generate passkey, and update IdP in one flow).
• Batch issuance and revocation on behalf of users.
• Set up customized self-service for users to start the process with one click on a link.
• Advanced – combine enrollment with physical access, PKI, and other use cases.
• FIDO2 smart card printing.

Self-Service

• Issuance and revocation.
• Change PIN.
• Unblock PIN to instantly restore device functionality, without needing to reset the FIDO device. All existing device credentials and configurations remain intact.
• Self-service tasks performed from Windows login screen.
• Advanced – combine enrollment to physical access, PKI, and other use cases.

Security

• Set a FIDO2 device PIN.
• Set the FIDO2 device minimum PIN length.
• Set FIDO2 device to always require PIN verification (even when not required by relying party).
• On-behalf of user passkey management (view and delete all available passkey, not only in identity provider (IdP).
• Delete passkey in IdP (identity provider).
• Perform FIDO2 device reset to reuse device to assign to a different employee (settings, passkeys, and PIN).
• Disable FIDO2 reset – prevent users and attackers from resetting devices and erasing enterprise configuration.
• Remotely unblock the PIN for the user.
• List where the FIDO2 device is enrolled for authentication.
• List all available passkeys for one specific relying party.