What users see for FIDO2
FIDO2 is a feature available with the UEM client. The UEM clients are: Go or Mobile@Work, and Authenticate.
If FIDO2 solution is configured, users can authenticate and access enterprise cloud services from third party managed devices with Authenticate installed.
When a user tries to log in, a push notification is sent to all active devices. When the user allows push notification on any appropriate device, access is granted for the session. However, on all other devices, the sessions become invalid and deactivating on this device does not deactivate on other devices.
The following provide information about the user experience with FIDO2:
Workflow for registered browsers
A browser that launches after a successful Authenticate registration, is a registered browser.
For a registered browser, when user tries to open the service provider, Ivanti Access automatically invokes Authenticate and authenticates the user using FIDO2.
If step up authentication is configured, user is prompted to either present biometrics or approve a push notification sent to registered mobile device.
The following provides an example of the authentication workflow with a registered browser:
>>
>>
>>
Workflow for non-registered browsers
Non-registered browser are browsers that are not default browsers and other browsers that are not registered with Authenticate.
The non-registered browsers must authenticate using either Authenticate, QR Code, or with Passwords.
The following provides an example to login using Authenticate:
>>
>>>>
The following provides an example to login using QR Code:
>>>>
>>
>>
The following provides an example to login using username and password credentials:
>>>>>>
Workflow on Android devices
This section provides information for the various end user interactions on Android devices.
Unlocking a desktop on Android devices
To unlock a FIDO2 windows or mac desktop, you must authenticate from your device.
Unlocking a Windows desktop
The following provides an example to authenticate on a device using Go, when a user tries to unlock his FIDO2 enabled Windows desktop:
>>
>>
>>
Unlocking a Mac desktop
The following provides an example to authenticate on a device using Go, when a user tries to unlock his FIDO2 enabled Mac desktop:
>>
>>
>>
Activating a password-less sign-in on Android device
To activate a FIDO2 Android device, (If it is not already done during enrollment) go to Go > Menu > Settings > Authenticate and turn on the toggle button. Follow authentication as shown below:
>>
Deactivating a password-less sign-in on Android device
To deactivate an Android FIDO2 device, turn off the toggle button in Go > Menu > Settings > Authenticate.
>>
Ending a browser session
You can end a browser session from Go > Menu > Settings > Authenticate > End Browser Session. Ending a browser session automatically signs you out of the company websites on the browsers.
This option is available only if the user has active browser sessions running.
>>
>>
Workflow on iOS devices
This section provides information for the various end user interactions on iOS devices.
Unlocking a desktop on iOS devices
To unlock a desktop on an unlocked mobile , go to Go > Menu> Settings > Authenticate.
>>
>>
>>
To unlock a desktop on a locked mobile, go to Go > Menu > Settings > Authenticate.
>>
>>
>>
Activating password-less sign-in on iOS device
To activate a FIDO2 iOS device, go to Go > Menu> Settings > Authenticate and turn on the toggle button. Follow authentication as shown below:
>>
>>
>>
Deactivating password-less sign-in on iOS device
To deactivate an iOS FIDO2 device, turn off the toggle button in Go > Menu > Settings > Authenticate.
>>
>>
Ending a browser session on an iOS device
You can end a browser session from Go > Menu > Settings > Authenticate > End Browser Session. Ending a browser session automatically signs you out of the company websites on the browsers.
>>
>>
>>
Workflow for Desktop login
You must login to a desktop and approve the push notification on your mobile device.
>>
>>
>>