Modify Passkey/FIDO2 authenticator settings

Use this page to configure tenant-level Passkey/FIDO2 authenticator settings, including policy, timeout, and custom app origins.

Configure a resource rule

Before you begin, configure a resource rule to allow Passkey/FIDO2 authentication.

  1. Edit or add a resource rule to allow Passkey/FIDO2 token authentication. See Create and manage resource rules.
  2. Optional. Reorder the authenticators in the resource rule so that the primary authenticator is listed first.

Configure the Passkey/FIDO2 policy settings

To configure Passkey/FIDO2 policy settings:

  1. Click > Policies > Authenticators.

  2. Select Passkey/FIDO2. The Passkey/FIDO2 page appears.

  3. In the Timeout field, enter the duration (in seconds) that the Passkey/FIDO2 authenticator waits for a response.

    If authentication does not occur within the timeout period, the user receives an error message and must reattempt authentication.

  4. Select the Authentication API minimum authentication level. The minimum authentication level sets the minimum authentication strength a user must have already achieved in their current session before they can self-manage their passkeys. If the user's session level is lower than the configured value, the request is rejected.

    The default is LEVEL30 (hardware token level).

    Level      Description
    LEVEL0     No authentication required
    LEVEL10    Password or external/IdP only
    LEVEL20    OTP
    LEVEL30    Hardware token (default)
    LEVEL45    FIDO authentication
    LEVEL85    Password/IdP plus FIDO
    LEVEL90    Password/IdP and Mobile Smart Credential or User Certificate

    Note: This setting only applies to applications that use the Authentication API with passkey self-service enabled.

  5. Set the Passkey/FIDO2 Registration Policy to configure how passkeys are registered and validated.

    Note: Entrust recommends setting the following policies to Required for passwordless authentication:

    • User Verification
    • Resident Key (User ID)

  6. Select whether the token must perform User Verification.

    • Discouraged: Avoids verification, if possible.
    • Preferred: Performs verification, if possible.
    • Required: Must perform verification.
  7. Select the Resident Key (User ID) to set whether the user's identity is stored on the Passkey/FIDO2 token.

    • Discouraged: Avoids storing the User ID, if possible.
    • Preferred: Stores the user ID, if possible.
    • Required: Must store the user ID.
  8. Select the Attestation Preference to set how much attestation information is requested during registration.

    • None: No attestation information is requested. The authenticator registers without device verification details.
    • Indirect: The server requests attestation but does not validate the certificate chain. This is the default setting and balances security with user privacy.
      • If the authenticator is not found in the FIDO MDS blob, IDaaS falls back to a community-maintained list to retrieve the authenticator name and icon.
      • If the authenticator is not found in either source, registration still proceeds and the token is stored using its AAGUID, the authenticator name is recorded as Unknown, and the authenticator is marked as unverified.
    • Direct: The server validates the full certificate chain against the FIDO MDS blob. Use this setting when your organization requires that only certified, hardware-backed authenticators can be enrolled.
      • If the authenticator is not found in the FIDO MDS blob, or its certificates do not match the MDS entry, the registration is rejected.
      • Authenticators sourced only from community-maintained lists are also rejected.

    Note: For more information on attestation preferences and the behavior of each option, see the table Attestation preferences.

  9. Select Authenticator Attachment to set whether the token is device-bound or external.

    • Either: Allows the token to be either embedded on the device or stored externally.
    • Platform: Embeds the token on the device, for example, a Mac.
    • Required: Stores the token externally, for example, on a YubiKey or phone.
  10. Select User Present Check to perform a backend check that confirms the user is physically present with their device during registration and authentication.

  11. Select Backup Eligible Check to block synced passkeys that are stored in the cloud and prevent them from being used for registration and authentication.

  12. Select Enable Passkeys from Custom Web or Native Apps. Use this setting when you need to add a custom Web or native app for a hostname other than the current hostname.

    1. Click Add. The Add Relying Party Configuration dialog box appears.

    2. Enter a Relying Party ID.

    3. Optionally select Allow Subdomain.

    4. Configure domain matching, as follows:

      • If Allow Subdomain is selected, registration origins can be subdomains of the relying party ID.
      • If Allow Subdomain is not selected, the registration origin must exactly match the relying party ID.
      • The closest parent domain with Allow Subdomain selected is used as the registration relying party.
    5. In Android Origin, click Add, then enter Package Name and Fingerprint.

      • Fingerprint is the SHA-256 hash of your Android app signing certificate used to verify app authenticity.
      • You can add up to 5 fingerprints for the same app.
    6. In iOS Origin, enter App Identifier Prefix and Bundle Identifier.

    7. Optional: Click Sync with Association Files to fetch association files for the provided relying party ID and auto-populate values in the Android Origin and iOS Origin sections.

    8. Click Add to save the relying party configuration, close the dialog box, and return to the Passkey/FIDO2 page.

  13. Click Save.
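The domain-matching rules from step 12, as an added example (not Entrust's or IDaaS's own code): it resolves which configured relying party ID a registration origin falls under, treating an exact match as the closest match and otherwise using the closest parent with Allow Subdomain selected. The relying party IDs and origins are constructed, and origins are assumed to be https URLs.

```python
"""Relying party resolution for custom passkey origins (added example, not Entrust code).
Models the Allow Subdomain rules: an origin's host matches an RP ID exactly or, when
that RP has Allow Subdomain selected, as a subdomain; the closest parent wins."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

@dataclass(frozen=True)
class RelyingParty:
    rp_id: str             # Relying Party ID as entered in the dialog (constructed values below)
    allow_subdomain: bool  # the Allow Subdomain checkbox

def origin_host(origin: str) -> str:
    """Lower-cased host of an https origin; other schemes are rejected (assumption: https only)."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"registration origin must be an https URL: {origin!r}")
    return parts.hostname.lower().rstrip(".")

def is_subdomain_of(host: str, rp_id: str) -> bool:
    """Match on a label boundary only: 'evil-example.com' is not under 'example.com'."""
    return host.endswith("." + rp_id)

def resolve_rp_id(origin: str, configured: List[RelyingParty]) -> Optional[str]:
    """Relying party ID the origin registers under, or None when no configuration allows it."""
    host = origin_host(origin)
    # An exact match is the closest possible match and applies whether or not
    # Allow Subdomain is selected on that relying party.
    for rp in configured:
        if host == rp.rp_id.lower():
            return rp.rp_id
    # Otherwise only relying parties with Allow Subdomain may claim the origin;
    # the closest parent is the longest RP ID that the host sits under.
    parents = [rp for rp in configured
               if rp.allow_subdomain and is_subdomain_of(host, rp.rp_id.lower())]
    return max(parents, key=lambda rp: len(rp.rp_id)).rp_id if parents else None

# Constructed tenant configuration: a root that allows subdomains, a nested one
# that does too, and a legacy host that must be matched exactly.
CONFIGURED = [
    RelyingParty("example.com", allow_subdomain=True),
    RelyingParty("apps.example.com", allow_subdomain=True),
    RelyingParty("legacy.example.com", allow_subdomain=False),
]

if __name__ == "__main__":
    for o in ("https://login.apps.example.com", "https://old.legacy.example.com",
              "https://example.com.attacker.test"):
        print(o, "->", resolve_rp_id(o, CONFIGURED))
```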

Attestation preferences

Behavior                                         Indirect                                                    Direct
Certificate chain validation                     Not performed                                               Required; must match the FIDO MDS entry
FIDO MDS blob lookup                             Performed when available                                    Required
Community list fallback                          Used for authenticator name and icon                        Not permitted
Authenticator not in FIDO MDS or community list  Stored with AAGUID, name as Unknown, marked as unverified   Registration rejected