Please note that the user experience of the enrollment process is primarily determined by the User Verification option in the FIDO2 policy.
User verification serves to ensure that the person using the FIDO2 security key is in fact who they say they are. In other words, User verification ensures that the person is the true owner of the device. In comparison to user authentication that is carried out remotely by an MFA server or service, user verification is carried out locally by the security device itself and/or by a local client application.
User verification can take various forms, such as a PIN or a fingerprint.
There are three options for user verification:

Not Required: This value indicates that user verification is not required or is discouraged when initiating registration or authentication.

Preferred: This value indicates that the service prefers user verification for the operation if possible, but will not fail if user verification is not enabled.

Required: This value indicates that the service requires user verification for the operation and will fail the operation if user verification is not enabled or was not carried out successfully.
Note that:

When User Verification is set to Not Required, this doesn't mean that User Verification is never performed. For instance, when registering a FIDO2 security key that has a PIN set, user verification might be required depending on the application.

When User Verification is Preferred, the user experience depends on whether or not a PIN is set or a fingerprint is enrolled on the user's security key. To achieve a uniform user experience, explicitly set User Verification to either Not Required or Required according to your specific use case.

When User Verification is Required, keep in mind that registration or authentication will fail in the following cases:
the user has not set a PIN or enrolled a fingerprint on his or her security key. Some browsers will ask the user to set a PIN or enroll a fingerprint during registration, but others don't, so this behaviour cannot in general be relied on.
the user is using a security key that does not support user verification (for instance, a U2F key).
the user is using a browser that does not support user verification (for instance, browsers that implement CTAP1 only).
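As an added example (not code from the DualShield article or product), the following Node.js snippet shows how a relying party maps the three policy values to the WebAuthn userVerification option and then checks, from the flags byte of the returned authenticatorData, whether the authenticator actually performed UV. The Preferred case has to be checked this way because, as noted above, UV may or may not have happened; the authenticatorData bytes below are constructed, not captured from a real key.

```javascript
// Added example, not part of the DualShield article.
// Policy value (as named in the FIDO2 policy) -> WebAuthn userVerification string.
const UV_POLICY = {
  "Not Required": "discouraged",
  "Preferred": "preferred",
  "Required": "required",
};

// Bits of the authenticatorData flags byte (WebAuthn spec, section 6.1).
const FLAG_UP = 0x01; // User Present
const FLAG_UV = 0x04; // User Verified

// authenticatorData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
function parseAuthDataFlags(authData) {
  if (authData.length < 37) {
    throw new Error("authenticatorData too short");
  }
  const flags = authData[32];
  const signCount = new DataView(authData.buffer, authData.byteOffset + 33, 4).getUint32(0, false);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount,
  };
}

// Decide whether a registration/authentication response satisfies the configured policy.
// User presence is always required; UV is enforced only when the policy is Required.
function checkUserVerification(policy, authData) {
  const requirement = UV_POLICY[policy];
  if (requirement === undefined) throw new Error(`unknown policy: ${policy}`);
  const { userPresent, userVerified } = parseAuthDataFlags(authData);
  if (!userPresent) return { ok: false, userVerified, reason: "UP flag not set" };
  if (requirement === "required" && !userVerified) {
    return { ok: false, userVerified, reason: "policy requires UV but UV flag not set" };
  }
  // "Preferred" and "Not Required" accept either outcome; the caller can log userVerified.
  return { ok: true, userVerified, reason: "" };
}

// Constructed sample: 32 zero bytes for rpIdHash, then the flags byte, then signCount = 1.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 1;
  return buf;
}

console.log(checkUserVerification("Required", sampleAuthData(FLAG_UP)));            // ok: false
console.log(checkUserVerification("Preferred", sampleAuthData(FLAG_UP | FLAG_UV))); // ok: true, userVerified: true
```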
In this article, the following acronyms are used:

UV: User Verification
DAC: DualShield Admin Console
SSO: DualShield Single Sign-On
User Verification is Not Required

| Chrome | Security Key has not set PIN or Fingerprint | Security Key has PIN set or Fingerprint enrolled |
|---|---|---|
| Use DAC to register a FIDO2 key | UV is not prompted | UV is prompted |
| Use SSO to enroll a FIDO2 key | UV is not prompted | UV is prompted |
| Use SSO to log in with a FIDO2 key | UV is not prompted | UV is not prompted |
User Verification is Preferred

| Chrome | Security Key has not set PIN or Fingerprint | Security Key has PIN set or Fingerprint enrolled |
|---|---|---|
| Use DAC to register a FIDO2 key | UV is not prompted | UV is prompted |
| Use SSO to enroll a FIDO2 key | You'll be prompted to set a PIN or enroll a fingerprint | UV is prompted |
| Use SSO to log in with a FIDO2 key | UV is not prompted | UV is prompted |
User Verification is Required

| Chrome | Security Key has not set PIN or Fingerprint | Security Key has PIN set or Fingerprint enrolled |
|---|---|---|
| Use DAC to register a FIDO2 key | You'll be prompted to set a PIN or enroll a fingerprint | UV is prompted |
| Use SSO to enroll a FIDO2 key | You'll be prompted to set a PIN or enroll a fingerprint |