Overview

Using Fast Identity Online (FIDO2) secure authentication protocols, Ivanti extends the Zero Sign-on solution to third-party managed devices. FIDO2 is the industry standard that replaces passwords with a login experience that is passwordless, fast, and secure across websites and apps.

For information about the FIDO2 standard, see https://fidoalliance.org.

Key features

FIDO2 standard provides Secure, Phishing-proof, and convenient methods of authentication.
Users never need to enter username.
Users never need to enter passwords.
FIDO2 uses biometric authentication.
FIDO2 has standard around no username authentication too.

Use cases

FIDO2 is supported on desktops managed by Ivanti Neurons for MDM, Jamf and SCCM.

Zero Sign-on with FIDO2 solution is for managed desktops only and not for mobiles. Authenticate must be installed on your desktop for this solution to function.

Deployment use cases

The following use cases are supported for FIDO2 or Zero Sign-on solution:

**Table 24.** use cases
Deployment Use cases	Notifications	Interaction Use case
Passwordless login to cloud services from cloud managed desktops	Biometrics on the desktop, or Push notifications to a managed device or a Auth-only device.	User verification (Step Up Authentication) is disabled for 3rd party managed UEM desktops along with device authentication only device authentication is done using FIDO2 client on desktop Block unmanaged traffic from unmanaged devices which are not 3rd party UEM managed block the access if FIDO2 authentication cannot be performed Block 3rd party UEM managed desktops which are non compliant where device posture is not correct
Passwordless login to cloud services from Jamf managed desktops	Biometrics on the desktop, or Push notifications to a managed device or a Auth-only device.	Allow 3rd party UEM managed desktops which are non compliant where device posture is not correct Allow 3rd party UEM managed desktops which are non compliant where device posture is not correct User verification is enabled for 3rd party managed UEM desktops along with device authentication Along with device authentication, user verification mus be done which can be performed either using biometrics of desktops or mobile devices or using username or password authentication with original IdP.
Passwordless login to cloud services from SCCM managed desktops	Biometrics on the desktop, or Push notifications to a managed device or a Auth-only device.	Allow 3rd party UEM managed desktops which are non compliant where device posture is not correct Allow 3rd party UEM managed desktops which are non compliant where device posture is not correct
Passwordless login to a desktop	Push notifications to a managed device or a Auth-only device	User verification is disabled for 3rd party managed UEM desktops along with device authentication only device authentication is done using Authenticate on desktop
Passwordless login from unmanaged devices	QR code Push notifications to a managed device or a Auth-only device administrator mandates compliance check to be performed for these devices and block if they are non compliant	Allow unmanaged traffic from unmanaged devices which are not 3rd party UEM managed. Block unmanaged traffic from unmanaged devices which are not 3rd party UEM managed

Required components

Ivanti Access
Ivanti Neurons for MDM deployment
Authenticate for macOS and Windows 10
If FIDO2 is not enabled, then the following components are required in an Ivanti Access deployment:
- Ivanti Tunnel configuration with Ivanti Access enabled.
- Ivanti Tunnel deployed to devices.

Ivanti Tunnel only works with managed desktops and does not work for other 3rd party managed devices.

Supported devices

macOS devices managed by Ivanti Neurons for MDM
Windows 10 devices managed by Ivanti Neurons for MDM

Supported browsers

macOS: Safari, Chrome
Windows 10: Edge, Chrome, Firefox

Authentication flow types

The following flow types lists the authentication workflow in a FIDO2 solution:

Managed flow
Unmanaged flow
Other managed flow