Navigate to the Policy Editor

To create or edit a policy, first open the policy editor window.

Select "Administration | Policies" on the side panel.

To create a new policy, click the "CREATE" button on the toolbar to open the policy editor window.

In the policy editor, first select FIDO2 from the Category drop-down list.

Policy Bindings

Enter or select the following policy bindings:

Holder: The policy holder defines the scope of the policy.

Name: A unique name that describes this policy.

Applications: Optionally, bind the policy to a specific application or a list of applications. To specify the application(s), use the field Apply policy to these applications.

If the field Apply policy to these applications is left empty, the policy is applied to all applications.

Policy Options

Device Registration

Device Registration: Enables or disables the registration of FIDO2 devices.

Registration Timeout: The maximum time to wait for the user to complete the registration of a FIDO2 security key before the registration is abandoned.

User Verification

User verification serves to ensure that the person using the FIDO2 security key is in fact who they say they are; in other words, that the person is the true owner of the device. Unlike user authentication, which is carried out remotely by an MFA server or service, user verification is carried out locally by the security key itself and/or by a local client application.

User verification can take various forms, such as a PIN or a fingerprint.

There are three options for user verification:

Not Required: User verification is not required (and is discouraged) when initiating registration or authentication.

Preferred: The service prefers user verification for the operation if possible, but will not fail the operation if user verification is not enabled.

Required: The service requires user verification for the operation and will fail the operation if user verification is not enabled or was not carried out successfully.

Note that:

  • When User Verification is set to Not Required, this does not mean that user verification is never performed. For instance, when registering a FIDO2 security key that has a PIN set, user verification might still be required, depending on the application.

  • When User Verification is Preferred, the user experience depends on whether or not a PIN is set or a fingerprint is enrolled on the user's security key. To achieve a uniform user experience, explicitly set User Verification to either Not Required or Required according to your specific use case.

  • When User Verification is Required, keep in mind that registration or authentication will fail in the following cases:

    1. The user has not set a PIN or enrolled a fingerprint on his or her security key. Some browsers will ask the user to set a PIN or enroll a fingerprint during registration, but others do not, so this behaviour cannot in general be relied on.

    2. The user is using a security key that does not support user verification (for instance, a U2F key).

    3. The user is using a browser that does not support user verification (for instance, a browser that implements CTAP1 only).
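The following is an added example, not code from DualShield or from this article, showing how the three User Verification settings above translate into WebAuthn and why only Required is enforceable. It assumes that Not Required, Preferred and Required map to the WebAuthn UserVerificationRequirement values "discouraged", "preferred" and "required" (the standard names for the behaviour the article describes), and the policy field names, helper functions and sample authenticator data are illustrative and constructed for the example. The point it demonstrates is the one behind the notes: Not Required and Preferred only shape the prompt on the client, so the server must read the UV flag from the authenticator data and enforce Required itself rather than trust that the browser prompted.

```javascript
// Added example (not DualShield code). ASSUMPTION: the policy's User Verification
// setting maps onto WebAuthn's UserVerificationRequirement as below; the policy
// object shape (userVerification, timeoutSeconds) is illustrative.
const UV_POLICY_TO_WEBAUTHN = Object.freeze({
  "Not Required": "discouraged",
  "Preferred": "preferred",
  "Required": "required",
});

// Options a browser client would pass to navigator.credentials.get(). Only the
// fields the policy influences are shown; the challenge must be fresh per ceremony.
function buildAssertionOptions(policy, challenge, rpId) {
  const uv = UV_POLICY_TO_WEBAUTHN[policy.userVerification];
  if (!uv) throw new Error(`unknown User Verification setting: ${policy.userVerification}`);
  return {
    challenge,
    rpId,
    userVerification: uv,
    timeout: policy.timeoutSeconds * 1000, // WebAuthn timeouts are in milliseconds
  };
}

// Authenticator data layout (WebAuthn): rpIdHash[32] | flags[1] | signCount[4] | ...
const FLAG_UP = 0x01; // bit 0: user present (touch)
const FLAG_UV = 0x04; // bit 2: user verified (PIN or biometric checked by the key)

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const signCount =
    ((authData[33] << 24) | (authData[34] << 16) | (authData[35] << 8) | authData[36]) >>> 0;
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount,
  };
}

// Server-side decision. "discouraged" and "preferred" give no guarantee, so the
// server must not assume UV happened; "Required" is enforced here, on the flag
// the authenticator signed, not on whether the browser showed a PIN prompt.
function checkUserVerification(policy, authData) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, userVerified: parsed.userVerified, reason: "UP flag not set" };
  }
  if (policy.userVerification === "Required" && !parsed.userVerified) {
    return { ok: false, userVerified: false, reason: "policy requires UV but UV flag not set" };
  }
  return { ok: true, userVerified: parsed.userVerified, reason: null };
}

// Constructed sample authenticator data (not captured from a real security key).
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32); // stand-in for SHA-256(rpId)
  buf[32] = flags;
  buf[36] = 7;           // signature counter = 7, big-endian
  return buf;
}

// Demo: a key that was only touched is rejected under Required, accepted with UV.
const requiredPolicy = { userVerification: "Required", timeoutSeconds: 60 };
console.log(buildAssertionOptions(requiredPolicy, new Uint8Array(32), "sso.example.com"));
console.log(checkUserVerification(requiredPolicy, sampleAuthData(FLAG_UP)));
console.log(checkUserVerification(requiredPolicy, sampleAuthData(FLAG_UP | FLAG_UV)));
```

The same check explains the tables below: with Not Required or Preferred the UV flag may or may not be set depending on the key and the client, and the server accepts either, so the policy setting alone does not tell you whether a second factor was actually checked on the key.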


In this article, the following acronyms are used:

UV: User Verification
DAC: DualShield Admin Console
SSO: DualShield Single Sign-On

User Verification is Not Required

Chrome                                     | Security key has no PIN set or fingerprint enrolled      | Security key has a PIN set or fingerprint enrolled
------------------------------------------ | -------------------------------------------------------- | --------------------------------------------------
Use DAC to register a FIDO2 key            | UV is not prompted                                       | UV is prompted
Use SSO to enroll a FIDO2 key              | UV is not prompted                                       | UV is prompted
Use SSO to log in with a FIDO2 key         | UV is not prompted                                       | UV is not prompted

User Verification is Preferred

Chrome                                     | Security key has no PIN set or fingerprint enrolled      | Security key has a PIN set or fingerprint enrolled
------------------------------------------ | -------------------------------------------------------- | --------------------------------------------------
Use DAC to register a FIDO2 key            | UV is not prompted                                       | UV is prompted
Use SSO to enroll a FIDO2 key              | You'll be prompted to set a PIN or enroll a fingerprint  | UV is prompted
Use SSO to log in with a FIDO2 key         | UV is not prompted                                       | UV is prompted

User Verification is Required

Chrome                                     | Security key has no PIN set or fingerprint enrolled      | Security key has a PIN set or fingerprint enrolled
------------------------------------------ | -------------------------------------------------------- | --------------------------------------------------
Use DAC to register a FIDO2 key            | You'll be prompted to set a PIN or enroll a fingerprint  | UV is prompted
Use SSO to enroll a FIDO2 key              | You'll be prompted to set a PIN or enroll a fingerprint  | UV is prompted
Use SSO to log in with a FIDO2 key         | This security key can't be used                          | UV is prompted

User Verification is Not Required

Computer Logon                             | Security key has no PIN set or fingerprint enrolled      | Security key has a PIN set or fingerprint enrolled
------------------------------------------ | -------------------------------------------------------- | --------------------------------------------------
Registering a FIDO2 key                    | UV is not prompted                                       | UV is prompted and must be performed
Authenticating with a FIDO2 key (online)   | UV is not prompted                                       | UV is prompted, but the user can skip UV
Authenticating with a FIDO2 key (offline)  | UV is not prompted                                       | UV is prompted, but the user can skip UV

User Verification is Preferred

Computer Logon                             | Security key has no PIN set or fingerprint enrolled      | Security key has a PIN set or fingerprint enrolled
------------------------------------------ | -------------------------------------------------------- | --------------------------------------------------
Registering a FIDO2 key                    | UV is not prompted                                       | UV is prompted and must be performed
Authenticating with a FIDO2 key (online)   | UV is not prompted                                       | UV is prompted, but the user can skip UV
Authenticating with a FIDO2 key (offline)  | UV is not prompted                                       | UV is prompted, but the user can skip UV

User Verification is Required

Computer Logon                             | Security key has no PIN set or fingerprint enrolled      | Security key has a PIN set or fingerprint enrolled
------------------------------------------ | -------------------------------------------------------- | --------------------------------------------------
Registering a FIDO2 key                    | You'll be prompted to set a PIN or enroll a fingerprint  | UV is prompted and must be performed
Authenticating with a FIDO2 key (online)   | You'll be prompted to set a PIN or enroll a fingerprint  | UV is prompted and must be performed
Authenticating with a FIDO2 key (offline)  |                                                          | UV is prompted and must be performed
