WSU Recommendation
WSU only recommends WebAuthn (FIDO2 or biometrics) as an authenticator in specific controlled situations.
Support for WebAuthn is not universal. WebAuthn support is not available when using embedded browsers (such as Outlook). This limited support makes FIDO2 challenging to support for general use. However, FIDO2 provides very good security, so for specific applications, WSU does recommend FIDO2 as a supplemental authenticator.
Biometric login is a subclass of FIDO2 that uses the security of your phone or computer rather than an external token. Because the biometric authentication uses WebAuthn, it is subject to the same limitations as a FIDO2 token.
- MFA does not use any network
- Very good phishing resistance
- Does not require second device to be online during authentication
- Does not require separate purchase (when using biometric login)
- Requires a physical device (for FIDO2 tokens)
- Support for FIDO2/WebAuthn is not universal across all browsers and apps
- Each browser on a device must be registered separately for each domain (login.wsu.edu and wsu.okta.com)
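The phishing resistance and the per-domain registration listed above both come from the same relying-party check: a WebAuthn assertion carries the origin the browser saw and a hash of the RP ID, and the server rejects any mismatch. The following is an added example, not WSU or Okta code; it assumes each site uses its own hostname as RP ID, uses constructed sample data, and omits signature verification.

```python
import base64, hashlib, json, struct

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_binding(client_data_json, auth_data, rp_id, origin, challenge):
    """Return the list of failed binding checks (empty list = all pass)."""
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("type")
    if client.get("challenge") != b64url(challenge):
        errors.append("challenge")          # replayed or foreign challenge
    if client.get("origin") != origin:
        errors.append("origin")             # browser was on a different site
    if len(auth_data) < 37:
        return errors + ["authenticatorData too short"]
    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian)
    rp_id_hash, flags, _sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        errors.append("rpIdHash")           # credential scoped to another RP ID
    if not flags & 0x01:                    # UP bit: user touched the authenticator
        errors.append("user-presence")
    return errors

def sample_assertion(rp_id, origin, challenge):
    """Constructed sample of what a browser and authenticator emit for this origin."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", 1)
    return client, auth

CHALLENGE = b"constructed-challenge-0001"              # constructed value
LOGIN = ("login.wsu.edu", "https://login.wsu.edu")     # assumed RP ID = hostname
OKTA = ("wsu.okta.com", "https://wsu.okta.com")        # assumed RP ID = hostname
LOOKALIKE = ("login.wsu.edu.example", "https://login.wsu.edu.example")  # hypothetical

def demo():
    good = sample_assertion(*LOGIN, CHALLENGE)
    fake = sample_assertion(*LOOKALIKE, CHALLENGE)
    return {
        "same_site": check_binding(*good, *LOGIN, CHALLENGE),
        "other_domain": check_binding(*good, *OKTA, CHALLENGE),
        "lookalike_site": check_binding(*fake, *LOGIN, CHALLENGE),
        "stale_challenge": check_binding(*good, *LOGIN, b"another-challenge"),
    }

if __name__ == "__main__":
    for case, failures in demo().items():
        print(case, failures or "ok")
```

Because the browser, not the user, supplies the origin and RP ID, an assertion obtained on a lookalike page cannot satisfy the real site, and a credential registered at one domain cannot be replayed at the other.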
How to Get a hardware FIDO2 token
Okta maintains a list of 126+ compatible tokens. Choose a token from the list of ITS supported hardware below, or confirm with ITS that a token is on the recognized list before making a purchase.
ITS supported FIDO2 hardware:
- YubiKey 5 Series with NFC
- YubiKey 5 Series
- Security Key NFC by Yubico
- Google Titan Security Key v2
- Feitian BioPass FIDO2 Plus Authenticator
Purchase the token from any commercial source.
How to Set Up a hardware FIDO2 token
1. Activate or log in to your account (how?)
2. From login.wsu.edu, click your name, then settings.
3. Select "Security Key or Biometric Authenticator" and click Set Up. If you already have one "Security Key or Biometric Authenticator", click Set up Another.
4. When prompted, insert the key and register it with Okta.
5. Log in to wsu.okta.com, click your name, then settings.
6. Repeat steps 3 and 4.
How to Set up Biometric WebAuthn
Every web browser you use may require independent registration. You should assume that setting up Chrome and Firefox requires you to set up biometric authentication 2 separate times.
1. Activate or log in to your account (how?)
2. From login.wsu.edu, click your name, then settings.
3. Select "Security Key or Biometric Authenticator" and click Set Up. If you already have one "Security Key or Biometric Authenticator", click Set up Another.
4. When prompted, follow your browser's wizard to set up Touch-ID, Face-ID, Windows Hello, or similar biometric login.
5. Log in to wsu.okta.com, click your name, then settings.
6. Repeat steps 3 and 4.
How to Use
- Enter your username to log in to login.wsu.edu
- Enter your password when prompted*
- When prompted to verify your account, if "Security Key or Biometric Authenticator" isn't presented, choose "Select another Auth..."
- Choose "Security Key or Biometric Authenticator"
- Click the blue "Verify" box
- When prompted, verify with your token or biometric identity data.
Further Reading
https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-webauthn.htm
https://help.okta.com/oie/en-us/content/topics/security/mfa/webauthn-compatibility.htm