Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

WSU Recommendation

WSU only recommends WebAuthn (FIDO2 or biometrics) as an authenticator in specific controlled situations.

...

  • (tick) MFA does not use any network
  • (tick) Very good Phishing resistance
  • (tick) Does not require second device to be online during authentication
  • (tick) Does not require separate purchase (when using biometric login)
  • (error) Requires a physical device (for FIDO2 tokens)
  • (error) Support for FIDO2/WebAuthn is not universal overall browsers and apps
  • (error) Each browser on a device must be registered separately for each domain (login.wsu.edu and wsu.okta.com)

Anchor
Supported FIDO2 Hardware
Supported FIDO2 Hardware
How to Get a hardware FIDO2 token

Okta maintains a list of 126+ compatible tokens. Choose a token from the list of ITS supported hardware below, or confirm with ITS that a token is on the recognized list before making a purchase.

ITS supported FIDO2 hardware:

  • YubiKey 5 Series with NFC
  • YubiKey 5 Series
  • Security Key NFC by Yubico
  • Google Titan Security Key v2
  • Feitan BIoPass FIDO2 Plus Authenticator

Purchase the token from any commercial source.

How to Set Up a hardware FIDO2 token

  1. Activate or log in to your account (how?)
  2. From login.wsu.edu, click your name then settings
  3. Select "Security Key or Biometric Authenticator" and click Set Up. If you already have one "Security Key or Biometric Authenticator", click Set up Another
  4. When prompted, insert the key and register it with Okta
  5. Log in to wsu.okta.com, click your name, then settings.
  6. Repeat steps 3 and 4.

How to Set up Biometric WebAuthn

Note

Every web browser you use may require independent registration. You should assume that setting up Chrome and Firefox requires you to set up biometric authentication 2 separate times.

...

  1. Activate or log in to your account (how?)
  2. From login.wsu.edu, click your name then settings
  3. Select "Security Key or Biometric Authenticator" and click Set Up. If you already have one "Security Key or Biometric Authenticator", click Set up Another
  4. When prompted, Follow your browser's wizard to set up Touch-ID, Face-ID, Windows Hello, or similar biometric login.
  5. Log in to wsu.okta.com, click your name, then settings.
  6. Repeat steps 3 and 4.

How to Use

  1. Enter your username to login in to login.wsu.edu
  2. Enter your password when prompted*
  3. When prompted to verify your account, if "Security Key or Biometric Authenticator" isn't presented, choose "Select another Auth..."
  4. Choose "Security Key or Biometric Authenticator"
  5. Click the blue "Verify" box
  6. When prompted, verify with your token or biometric identity data.

Further Reading

https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-webauthn.htm

...