Cristie VA UI Multi-Factor Authentication Login

The Virtual Appliance provides two configurable methods of Multi-Factor Authentication:

  1. Time-based one-time passwords (TOTP) - Register a secret and generate codes using an Authenticator Application, e.g. Google Authenticator.

  2. Device Authenticators - Register devices that have built-in device authenticators, e.g. Biometrics including Windows Hello, Fingerprint readers, etc., or Security Keys.

If you have configured a Device Authenticator (named “Security Key / Biometric device” in the UI) and it supports PassKeys (FIDO 2), these can also be used as a Single Factor for UI login through the “Secure Login” feature, which allows you to log in without entering a username or password.

Please note the requirements for using Device Authenticators:

  1. You MUST use a browser that supports the WebAuthn specification. These include, but are not limited to, Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari and Android web browsers.

  2. The UI browser connection must be secure. This requires that the SSL/TLS certificate is valid and that its certificate authority is trusted by your device. If the browser connection is not secure, you MUST either import a trusted certificate so that the VA Web Server provides trusted material, or import the VA-generated self-signed certificate into your Root Certificate trust store.

  3. You MUST use the VA fully-qualified domain name (FQDN). The FQDN must be included in the SSL/TLS certificate Common Name (CN) or Subject Alternative Name. If you are using the VA self-signed certificate, you can regenerate it to include the current hostname and FQDN, if not already included, by running the CLI command
    generate_certificates.
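
One way to check requirements 2 and 3 before registering a Device Authenticator, as an added example that is not Cristie's code: it classifies how a certificate covers the FQDN, and `check_live` repeats the check against a running VA using the operating system trust store. The hostnames and certificate dictionaries are constructed samples, and the function names and port 443 are assumptions.

```python
import socket
import ssl

def cert_names(cert):
    """Return (SAN DNS names, Common Names) from an ssl getpeercert()-style dict."""
    san = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v.lower() for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return san, cns

def _matches(pattern, host):
    # Exact match, or one wildcard standing in for the left-most label only.
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return False

def fqdn_covered(cert, fqdn):
    """Return 'san', 'cn-only' or 'missing' for the given FQDN."""
    host = fqdn.lower().rstrip(".")
    san, cns = cert_names(cert)
    if any(_matches(p, host) for p in san):
        return "san"
    # Reported separately: clients following RFC 6125 ignore the CN
    # when the certificate carries SAN DNS names.
    if any(_matches(p, host) for p in cns):
        return "cn-only"
    return "missing"

def check_live(fqdn, port=443, timeout=5):
    """Connect with the OS trust store; raises ssl.SSLCertVerificationError
    if the chain is untrusted or the name does not match (requirement 2)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return fqdn_covered(tls.getpeercert(), fqdn)

# Constructed samples in the format getpeercert() returns.
SAMPLE_OK = {"subject": ((("commonName", "va01"),),),
             "subjectAltName": (("DNS", "va01"), ("DNS", "va01.corp.example.test"))}
SAMPLE_SHORT = {"subject": ((("commonName", "va01"),),),
                "subjectAltName": (("DNS", "va01"),)}  # short hostname only
SAMPLE_CN = {"subject": ((("commonName", "va01.corp.example.test"),),)}

if __name__ == "__main__":
    for label, cert in (("ok", SAMPLE_OK), ("short", SAMPLE_SHORT), ("cn", SAMPLE_CN)):
        print(label, fqdn_covered(cert, "va01.corp.example.test"))
```

A result of `missing` corresponds to the case in requirement 3 where the certificate needs to be regenerated or replaced so that it includes the FQDN.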