Versasec FIDO2 Enterprise | Thales Enterprise Features

Versasec FIDO2 Enterprise enables organizations to centrally manage the lifecycle of FIDO2 hardware-device-bound passkeys and provide a friendly self-service experience.
Deploy FIDO2 passwordless authenticators (smart cards and security keys) seamlessly, at scale, and with complete control.
Our current technology partner whose hardware tokens and smart cards support the Versasec FIDO2 Features is Thales. To see which Thales tokens and smart cards we have integrated in our product, visit our portfolio page of supported authenticators.
What is FIDO?
Short for Fast Identity Online, FIDO is a global authentication standard developed by the FIDO Alliance to eliminate the world’s reliance on passwords. FIDO leverages public-key cryptography to provide a secure, phishing-resistant framework. This architecture ensures user identities are verified through hardware-bound credentials rather than easily compromised shared secrets. Today, FIDO2 represents the latest evolution of this standard and is specifically optimized for modern web authentication.
Why Choose FIDO2 for the Enterprise?
FIDO2 (Fast Identity Online) is a leading industry standard for modern authentication. By utilizing strong asymmetric cryptography, FIDO2 eliminates the risks associated with shared secrets.
- Asymmetric Cryptography: Every authentication is backed by a private key that never leaves the secure enclave of the hardware (USB key or Smart Card).
- Phishing Immunity: The protocol is origin-bound, meaning the hardware will only respond to the legitimate, registered domain, effectively neutralizing adversary-in-the-middle attacks.
- User Verification: Multi-factor security is built-in, requiring a local gesture (PIN or Biometric) to authorize the cryptographic sign-off.
Challenges of Passwords & FIDO2 Out Of The Box
As users increasingly log in to web applications, passwords are becoming a leading cause of identity theft and security breaches. To address this, FIDO2 security devices offer passwordless, phishing-resistant authentication. This helps prevent account takeovers and unauthorized access to sensitive resources, such as web applications and Windows endpoints.
However, in the workplace, mass deployment and management of FIDO2 devices and passkeys present challenges:
- Organizations require control over their devices, including tracking status and visibility into deployment coverage.
- Additionally, they need recovery options, centralized revocation, user issuance, and comprehensive lifecycle management.
- Finally, they seek streamlined self-service capabilities, including PIN management.
Solution for FIDO2 in The Enterprise
Versasec developed FIDO2 Enterprise Features in partnership with leading FIDO2 security device manufacturers, creating a leading solution in the market. Now organizations can:
- Allow only enterprise-approved authenticators.
- Provide strong temporary replacement authentication for misplaced authenticators.
- Ensure credential reuse with user-driven PIN changes.
- Prevent denial of service (remote or local attacks) with restricted reset. Employees or attackers cannot reset authenticators.
- Enable role-based and department-specific credential management, allowing each role or department to manage only their designated tasks and users.
- Establish clear IT desk best practices and repeatable workflows.
- Confidently manage remote office devices.
- Maintain audit trails and become compliant with industry regulations.
Organizations Using Versasec
Organizations worldwide have upgraded their identity management, left behind passwords, and are focusing on other IT priorities.
- 37% Tech & Services
- 29% Government
- 11% Financial
- 23% Others
What Our Customers Are Saying
- “I looked at Versasec and at the end of the day, it wasn’t a product. The way that Paul worked with us and continues to work with us today, it’s a true partnership and I know I can lean on them and make that call, shoot that email, and get a response. It’s a true partnership and it’s really nice to be able to have that, as opposed to a traditional ‘this is my piece of software, call support and have a good day.’” – Head of IT, Air Hydro Power. | Product: vSEC:CMS for PKI + FIDO. | Read Case Study.
- “Two of the primary reasons that Versasec got our business: one, the on-premises feature. We’re not resisting the cloud, but if we can keep it on-premise, we manage our hardware and virtual environment. Two – perpetual licenses. We pay for support, but the licenses are there and will always be. We know that Versasec would be responsive if we need more licenses. Overall – the experience has been exactly what we were looking for.” – Aron Gann, System Administrator, Brookshire Brothers. | Product: vSEC:CMS on-prem for YubiKeys. | Read Case Study.
- “Our team wants to focus on delivering business value. Updating software and servers, while important, is low value. By using a managed solution, we can focus on business objectives.” – Head of Engineering and Cybersecurity | Product: vSEC:CLOUD.
Get Started
Getting started is easy. Schedule a 30-minute demo with an identity expert to see if Versasec is a good fit for your organization.
Capabilities
Set Up (Installation and Configuration)
- FIDO2 device stock inventory
- Multiple IdP (identity provider) passkey management.
- Overview of FIDO2 device and passkey status in a single pane of glass.
- Allow List – define with which RPs/sites the FIDO2 device can be used. The Allow List is stored on the device and can be securely managed by the system administrator.
Issuance
- Basic issuance by user.
- Remote pre-registration of passkey by admin, ready for user to activate.
- Issuance by admin (on behalf of user), for remote user and in-person.
- Require the user to change the PIN on first use.
- FIDO2 device configuration (set minimum PIN length, block reset, allow list, and more)
Automation
- Set quick workflows (example: set PIN policy, generate passkey, and update IdP in one flow).
- Batch issuance and revocation on behalf of users.
- Set up customized self-service for users to start the process with one click on a link.
- Advanced – combine enrollment with physical access, PKI, and other use cases.
- FIDO2 smart card printing.
Self-Service
- Issuance and revocation.
- Change PIN.
- Unblock PIN to instantly restore device functionality, without needing to reset the FIDO device.
- All existing device credentials and configurations remain intact.
- Self-service tasks performed from Windows login screen.
- Advanced – combine enrollment with physical access, PKI, and other use cases.
Security
- Set a FIDO2 device PIN.
- Set the FIDO2 device minimum PIN length.
- Set FIDO2 device to always require PIN verification (even when not required by relying party).
- On-behalf-of-user passkey management (view and delete all available passkeys, not only those in the identity provider (IdP)).
- Delete passkey in IdP (identity provider).
- Perform a FIDO2 device reset (settings, passkeys, and PIN) so the device can be reassigned to a different employee.
- Disable FIDO2 reset – prevent users and attackers from resetting devices and erasing enterprise configuration.
- Remotely unblock the PIN for the user.
- List where the FIDO2 device is enrolled for authentication.
- List all available passkeys for one specific relying party.
Key Features
PIN Unblock*
Remotely unblock the PIN to instantly restore device functionality, without needing to reset the FIDO device. All existing device credentials remain intact. Available for the user and admin.
Retrieve RP ID List*
List the relying parties (RPs) associated with the passkeys stored on the device to see which sites the device is registered with.
Disable Reset*
Prevent anyone, especially malicious actors, from resetting the device, and guard against resets caused by employees’ manual error. Resetting the device can lead to a denial of service attack.
Allow List*
Define where the FIDO2 device can be used.
Exclude: Facebook.
Allow: Gmail.
Enforce User Verification
Require a PIN/biometric match for device activation and every login.
Device Passkey Management
Manage passkeys on authenticators and identity provider(s).
Set Minimum PIN Length
Apply company policy of a required minimum length for PIN.
Force PIN Change on First Use
User will be required to change the PIN after activation, for increased security and best practices.
See it in Action
Manage the Complete Thales #SafeNet eToken Fusion Bio (#PKI + #FIDO + Enterprise)
FAQs
We’re glad you asked! FIDO tokens and smartcards are being added to our supported credentials page monthly. Please contact your Versasec representative for the latest updates and what is coming in the future. If you have any preferences, we’d love to know!
The paradox between FIDO and PKI comes down to the organization’s goals, users, budget, and systems in place. If you’re asking this question, you’re on the right track. Consider using one of our consulting partners in your region if you need further guidance, or our professional services team, specialized in FIDO enterprise orchestration.
You do not have to choose; you can have both, as vSEC:CMS can manage PKI and FIDO combined credentials to solve all authentication and PKI use cases. For more information, watch our FIDO webinar, PIV and FIDO: Defense Against Cyber Threats.
According to the “Recommended Best Practices for Administrators on Identity and Access Management” by the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), “Authentication systems are the front doors to enterprise networks, applications and data. As such, attackers are highly focused on finding and exploiting authentication vulnerabilities.”
They present a chart ranking the weakest to strongest types of multi-factor authentication. In the weakest, they place SMS or voice MFA. In the middle, app-based MFA, including OTP and mobile-push notifications. At the strongest, phishing-resistant MFA, including public-key infrastructure (PKI) and FIDO. To read more in detail about their conclusions and their advice, read the full article here.
Versasec offers many migration paths (wizard) from other credential management systems (CMS or SCMS). We also provide pre-built paths for:
- Microsoft MIM/FIM migrations
- Thales SafeNet Authentication Manager (SAM) identity and access card management system
- Gemalto DAS / IDAdmin 100 smart card management tool
To migrate to vSEC:CLOUD, customers do not need to be on vSEC:CMS, but can migrate directly from any other CMS/SCMS.
vSEC:CLOUD is a service of our credential management software vSEC:CMS. Fully subscription based and deployed in a virtual private cloud, Versasec will manage server hosting and upgrades for customers of all sizes.
Deploying with Versasec Credential Management
Versasec’s state-of-the-art system is helping enterprises worldwide adopt secure authentication technology for web and app authentication devices in today’s cyber world. Enterprises are saying goodbye to confusion and manual siloed systems and welcoming efficient, simple, and cost-effective core solutions.

Versasec Ecosystem
Versasec performs at the security core of organizations.
The Core of Identity & Access Management blog post explores the most popular connections facilitated by our innovative systems. Discover how it can revolutionize your enterprise orchestration journey and enhance security within your organization.

Schedule a call with an identity management expert at Versasec.
Versasec Support
Versasec customers with an existing support and maintenance contract can access the Versasec Support Portal, offering extensive professional support and maintenance services. The Versasec Support Portal offers a variety of services, allowing customers and any site visitor to communicate directly with support engineers.
Company Blog
Our blog addresses the latest security trends and stories. The posts discuss how identity and access management are playing a larger role in keeping corporate data safe as well as brand reputations intact.










