Overview

Using Fast Identity Online (FIDO2) secure authentication protocols, Ivanti extends the Zero Sign-on solution to third-party managed devices. FIDO2 is the industry standard that replaces passwords with a login experience that is passwordless, fast, and secure across websites and apps.

For information about the FIDO2 standard, see https://fidoalliance.org.

Key features

  • The FIDO2 standard provides secure, phishing-resistant, and convenient methods of authentication.

  • Users never need to enter a username.

  • Users never need to enter a password.

  • FIDO2 uses biometric authentication.

  • The FIDO2 standard also covers authentication without a username.

Use cases

FIDO2 is supported on desktops managed by Ivanti Neurons for MDM, Jamf and SCCM.

The Zero Sign-on with FIDO2 solution is for managed desktops only, not for mobile devices. Authenticate must be installed on the desktop for this solution to function.

Deployment use cases

The following use cases are supported for the FIDO2 Zero Sign-on solution:

Table 23. Use cases

Each entry lists the deployment use case, the notification methods, and the interaction use case.

Deployment use case: Passwordless login to cloud services from cloud-managed desktops
Notifications:
  • Biometrics on the desktop, or
  • Push notifications to a managed device or an Auth-only device.
Interaction use case:
  • User verification (step-up authentication) alongside device authentication is disabled for third-party managed UEM desktops: only device authentication is done, using the FIDO2 client on the desktop.
  • Block unmanaged traffic from unmanaged devices, that is, devices which are not third-party UEM managed.
  • Block third-party UEM managed desktops that are non-compliant, where the device posture is not correct.

Deployment use case: Passwordless login to cloud services from Jamf-managed desktops
Notifications:
  • Biometrics on the desktop, or
  • Push notifications to a managed device or an Auth-only device.
Interaction use case:
  • Allow third-party UEM managed desktops that are non-compliant, where the device posture is not correct.
  • User verification alongside device authentication is enabled for third-party managed UEM desktops: along with device authentication, user verification must be done, either using biometrics on the desktop or mobile device, or using username and password authentication with the original IdP.

Deployment use case: Passwordless login to cloud services from SCCM-managed desktops
Notifications:
  • Biometrics on the desktop, or
  • Push notifications to a managed device or an Auth-only device.
Interaction use case:
  • Allow third-party UEM managed desktops that are non-compliant, where the device posture is not correct.

Deployment use case: Passwordless login to a desktop
Notifications:
  • Push notifications to a managed device or an Auth-only device.
Interaction use case:
  • User verification alongside device authentication is disabled for third-party managed UEM desktops: only device authentication is done, using Authenticate on the desktop.

Deployment use case: Passwordless login from unmanaged devices
Notifications:
  • QR code
  • Push notifications to a managed device or an Auth-only device.
Interaction use case:
  • The administrator mandates a compliance check for these devices and blocks them if they are non-compliant.
  • Allow unmanaged traffic from unmanaged devices which are not third-party UEM managed.
  • Block unmanaged traffic from unmanaged devices which are not third-party UEM managed.
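
The key features above describe FIDO2 as phishing-resistant, and the use cases distinguish "device authentication only" from cases where user verification must also be done. The following is an added example, not code from Ivanti's product or documentation, showing how a relying party enforces both at the FIDO2/WebAuthn level by checking the rpIdHash and the UP/UV flags in an assertion's authenticatorData. The RP ID, the require_uv policy flag, its mapping onto the table rows, and the sample bytes are constructed assumptions.

```python
import hashlib
import struct

# authenticatorData layout (WebAuthn): rpIdHash (32 bytes) | flags (1 byte) |
# signCount (4 bytes, big-endian) | optional attested credential data / extensions
FLAG_UP = 0x01  # user present: a human interacted with the authenticator
FLAG_UV = 0x04  # user verified: biometric or PIN was checked by the authenticator

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }

def check_assertion(auth_data: bytes, expected_rp_id: str,
                    require_uv: bool, last_sign_count: int) -> tuple:
    """Relying-party checks before an assertion is accepted. require_uv=False
    models the table's "device authentication only" rows, require_uv=True the
    rows where user verification must also be done (mapping assumed here)."""
    d = parse_authenticator_data(auth_data)
    # The credential is scoped to the RP ID the browser saw, so a credential
    # registered for one site is rejected when presented for a different one.
    if d["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not d["up"]:
        return False, "user presence not asserted"
    if require_uv and not d["uv"]:
        return False, "user verification required but UV flag not set"
    # A counter that stops increasing suggests a cloned authenticator.
    if d["sign_count"] != 0 and d["sign_count"] <= last_sign_count:
        return False, "signature counter did not increase"
    return True, "ok"

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample: only the 37-byte prefix a real authenticator emits."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))

if __name__ == "__main__":
    sample = make_auth_data("sso.example.com", FLAG_UP, 12)  # constructed RP ID
    print(check_assertion(sample, "sso.example.com", False, 11))  # (True, 'ok')
    print(check_assertion(sample, "sso.example.com", True, 11))   # rejected: UV required
```

Signature verification over authenticatorData and the client data hash is still required in a real deployment; this block covers only the policy fields that decide between device-only and user-verified authentication.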

Required components

  • Ivanti Access
  • Ivanti Neurons for MDM deployment
  • Authenticate for macOS and Windows 10
  • If FIDO2 is not enabled, then the following components are required in an Ivanti Access deployment:
    • Ivanti Tunnel configuration with Ivanti Access enabled.

    • Ivanti Tunnel deployed to devices.

Ivanti Tunnel only works with managed desktops and does not work for other 3rd party managed devices.

Supported devices

  • macOS devices managed by Ivanti Neurons for MDM
  • Windows 10 devices managed by Ivanti Neurons for MDM

Supported browsers

  • macOS: Safari, Chrome
  • Windows 10: Edge, Chrome, Firefox

Authentication flow types

The following flow types describe the authentication workflows in a FIDO2 solution:

  • Managed flow

  • Unmanaged flow

  • Other managed flow