Centrally Manage FIDO2 Authenticators
Versasec FIDO2 Enterprise enables organizations to centrally manage FIDO2 hardware-device-bound passkeys and provide a friendly self-service experience.
Deploy FIDO2 passwordless authenticators (smart cards and security keys) seamlessly, at scale, and with complete control.
Challenges
- As users increasingly log in to web applications, passwords are becoming a leading cause of identity theft and security breaches.
- To address this, FIDO2 security devices offer passwordless, phishing-resistant authentication. This helps prevent account takeovers and unauthorized access to sensitive resources, such as web applications and Windows endpoints.
- However, in the workplace, mass deployment and management of FIDO2 devices and passkeys present challenges.
- Organizations require control over their devices, including tracking status and visibility into deployment coverage.
- Additionally, they need recovery options, centralized revocation, user issuance, and comprehensive lifecycle management.
- Finally, they seek streamlined self-service capabilities, including PIN management.
Solution
Versasec developed FIDO2 Enterprise Features partnering with leading FIDO2 security device manufacturers, creating a leading solution in the market. Now organizations can:
- Allow only enterprise-approved authenticators or security devices.
- Enjoy strong temporary replacement authentication for misplaced FIDO authenticators.
- Ensure credential reuse and recovery with user-friendly PIN changes.
- Prevent denial of service (remote or local attack) with restricted resets. Employees or attackers cannot reset authenticators.
- Enable role-based and department-specific credential management, allowing each role or department to manage only their designated tasks and users.
- Establish clear IT desk best practices and repeatable workflows.
- Confidently manage remote office devices.
- Maintain audit trails and become compliant with industry regulations.
Versasec FIDO2 Enterprise
Set Up (Installation and Configuration)
- FIDO2 device stock inventory
- Multiple IdP (identity provider) passkey management.
- Overview of FIDO2 device and passkey status in a single pane of glass.
- Allow List – define with which RPs/sites the FIDO2 device can be used. The Allow List is stored on the device and can be securely managed by the system administrator.
Issuance
- Basic issuance by user.
- Remote pre-registration of a passkey by an admin, ready for the user to activate.
- Issuance by admin (on behalf of user), for remote user and in-person.
- Require the user to change the PIN on first use.
- FIDO2 device configuration (set minimum PIN length, block reset, allow list, and more)
Automation
- Set quick workflows (example: set PIN policy, generate passkey, and update IdP in one flow).
- Batch issuance and revocation on behalf of users.
- Set up customized self-service for users to start the process with one click on a link.
- Advanced – combine enrollment with physical access, PKI, and other use cases.
- FIDO2 smart card printing.
Self-Service
- Issuance and revocation.
- Change PIN.
- Unblock PIN to instantly restore device functionality, without needing to reset the FIDO device. All existing device credentials and configurations remain intact.
- Self-service tasks performed from Windows login screen.
- Advanced – combine enrollment with physical access, PKI, and other use cases.
Security
- Set a FIDO2 device PIN.
- Set the FIDO2 device minimum PIN length.
- Set FIDO2 device to always require PIN verification (even when not required by relying party).
- On-behalf-of-user passkey management (view and delete all available passkeys, not only those in the identity provider (IdP)).
- Delete passkey in IdP (identity provider).
- Perform FIDO2 device reset to reuse device to assign to a different employee (settings, passkeys, and PIN).
- Disable FIDO2 reset – prevent users and attackers from resetting devices and erasing enterprise configuration.
- Remotely unblock the PIN for the user.
- List where the FIDO2 device is enrolled for authentication.
- List all available passkeys for one specific relying party.
vSEC:CMS
Our product suite provides all the software tools to administer and manage credentials in a secure and convenient way.
New to credential management?
SCMS = Smart Card Management Systems
CMS = Credential Management System
Have a look at the Wikipedia definition of a ‘Smart Card Management System’.
Disable FIDO2 Reset
Prevent users or attackers from resetting devices and erasing enterprise configuration. This is often requested because allowing unauthorized device resets can be seen as a denial-of-service attack vector.
Set Minimum PIN Length
Establish a FIDO2 PIN policy by setting a minimum PIN length.
PIN Unblock
Remotely unblock the PIN to instantly restore device functionality, without needing to reset the FIDO device. All existing device credentials remain intact. Available for the user and admin.
Retrieve RP ID List
List the relying parties (RPs) associated with the passkeys stored on the device to see which sites the device is registered with.
Versasec Supported Credentials & Passwordless Authenticators
Versasec strives to support as many credential types as possible in all of Versasec’s products. Below are the phishing-resistant credentials we support. We hope one fits your enterprise, users, and devices. Not all multi-factors are created equal. Customize based on your organizational needs and goals. We support PIV, PKI, Virtual, Physical Access, Logical Access, combined FIDO+PIV, and FIDO-only credentials. Versasec does not lock you in to one provider; we are credential-agnostic. The number of supported credential types is continuously increasing with every new product version. If you want to manage a different credential that is not currently on our list, please contact us at info@versasec.com.
* Tokens and smart cards with FIDO2
ACS
Atos
Ensurity
Feitian
Open FIPS
Safe Trust
Swissbit
Taglio
TCOS
Thales IDPrime .NET 5500
Thales IDPrime MD 830
Thales IDPrime MD 840
Thales IDPrime MD 930
Thales IDPrime MD 940/940C/940 CC
Thales IDPrime MD 3810
Thales IDPrime MD 3840
Thales IDPrime MD 3930
Thales IDPrime MD 3940
Thales IDPrime MD 3940 FIDO*
Thales IDPrime PIV 2.1
Thales IDPrime PIV 3.0
Thales IDPrime Virtual
Thales MultiApp ID
Thales SafeNet eToken 5100, 5110 FIPS, 5110+ FIPS, 5110+ CC
Thales SafeNet eToken 5300
Thales SafeNet eToken FIDO*
Thales SafeNet eToken Fusion/CC*
Thales SafeNet eToken Fusion FIPS*
Thales SafeNet eToken Fusion NFC PIV*
Thales SafeNet IDCore 3121 FIDO*
FAQs
We’re glad you asked! FIDO tokens and smartcards are being added to our supported credentials page monthly. Please contact your Versasec representative for the latest updates and what is coming in the future. If you have any preferences, we’d love to know!
The paradox between FIDO and PKI comes down to the organization’s goals, users, budget, and systems in place. If you’re asking this question, you’re on the right track. Consider using one of our consulting partners in your region if you need further guidance, or our professional services team, specialized in FIDO enterprise orchestration.
You do not have to choose; you can have both, as vSEC:CMS can manage PKI and FIDO combined credentials to solve all authentication and PKI use cases. For more information, watch our FIDO webinar, PIV and FIDO: Defense Against Cyber Threats.
According to the “Recommended Best Practices for Administrators on Identity and Access Management” by the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), “Authentication systems are the front doors to enterprise networks, applications and data. As such, attackers are highly focused on finding and exploiting authentication vulnerabilities.”
They present a chart ranking the weakest to strongest types of multi-factor authentication. In the weakest, they place SMS or voice MFA. In the middle, app-based MFA, including OTP and mobile-push notifications. At the strongest, phishing-resistant MFA, including public-key infrastructure (PKI) and FIDO. To read more in detail about their conclusions and their advice, read the full article here.
Versasec offers many migration paths (wizard) from other credential management systems (CMS or SCMS). We also provide pre-built paths for:
- Microsoft MIM/FIM migrations
- Thales SafeNet Authentication Manager (SAM) identity and access card management system
- Gemalto DAS / IDAdmin 100 smart card management tool
To migrate to vSEC:CLOUD, customers do not need to be on vSEC:CMS, but can migrate directly from any other CMS/SCMS.
vSEC:CLOUD is a service of our credential management software vSEC:CMS. Fully subscription based and deployed in a virtual private cloud, Versasec will manage server hosting and upgrades for customers of all sizes.
Deploying with Versasec Credential Management
Versasec’s state-of-the-art system is helping enterprises worldwide adopt secure authentication technology for web and app authentication devices in today’s cyber world. Enterprises are saying goodbye to confusion and manual siloed systems and welcoming efficient, simple, and cost-effective core solutions.
Versasec Ecosystem
Versasec performs at the security core of organizations.
The Core of Identity & Access Management blog post explores the most popular connections facilitated by our innovative systems. Discover how it can revolutionize your enterprise orchestration journey and enhance security within your organization.
Implement Highly Secure Identity Management with Versasec and Microsoft Entra ID
Passwords and traditional multifactor authentication (MFA) are no longer sufficient for keeping identities secure. Many businesses want to upgrade to stronger credential strategies but are not sure where to start.
Luckily, adopting phishing-resistant MFA doesn’t have to be complicated.
Effortlessly deploy and manage passwordless identity security across your organization with Versasec’s Credential Management System, vSEC:CMS, and Microsoft Entra ID. In our eBook, The Next Evolution in Credential Security, we explore how organizations can:
- Implement highly secure identity management with ease.
- Streamline the deployment of FIDO2 passkeys.
- Integrate your access security ecosystem.
Comprehensive identity management has never been easier to achieve.
Versasec Support
Versasec customers with an existing support and maintenance contract can access the Versasec Support Portal, offering extensive professional support and maintenance services. The Versasec Support Portal offers a variety of services, allowing for customers and any site visitor to communicate directly with support engineers.