
Configure FIDO2 with Ezeelogin

How to enable/disable FIDO2 authentication with Ezeelogin?

FIDO2, shorthand for Fast Identity Online, comprises open standards designed for secure and convenient authentication. By diminishing dependence on passwords and incorporating robust authentication methods such as biometrics and hardware tokens, FIDO2 seeks to enhance the overall security of online accounts and services.

This feature is available from Ezeelogin version 7.37.0. See: How to upgrade the Ezeelogin version to the latest?

1. Login to Ezeelogin GUI and navigate to Settings -> General -> Two Factor Authentication -> Enable FIDO2.

2. Enable the Authenticator Types and Save the settings.

3. Navigate to Accounts -> Fido2 Keys -> Add new. Click on OK to continue the setup and add FIDO2 keys.

4. Continue with your fingerprint, PIN, security key, or Android device to complete the setup, and the new FIDO2 ID will appear in the FIDO2 keys tab.

5. If registration is successful, the user can see the message 'Success: Registration success.' More registration details can be seen using the view button.

6. Log out and log back into the GUI to confirm that FIDO2 authentication is working correctly with the method chosen in the above step.

7. Log in to the backend (ezsh) and confirm that FIDO2 authentication works there as well. Copy the link shown into a browser, complete the authentication with the chosen method, and then press any key in the shell to finish authenticating to ezsh.


How to disable FIDO2 2FA (Two-factor Authentication) from the backend?

Run the following command to disable FIDO2.

[root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_settings set value='N' where(name='enable_fido2')"

Run the following command to clear all FIDO2 registrations of all gateway users.

[root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php "truncate table prefix_user_fido2"

No Two-factor Authentication enabled

This error occurs when Two-Factor Authentication is enforced but no Two-Factor Authentication method has been enabled. Run the following commands to disable Force Two Factor Authentication.

[root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_settings SET value = 0 WHERE name = 'two_factor_auth'"

[root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_usergroups SET force_tfa = 'N'"


Common errors while setting up and authenticating with a FIDO2 authenticator

1. Error: HTTPS is required

Ezeelogin needs to be accessed with a valid certificate to enable FIDO2 authentication, and self-signed certificates will not work.

2. Error: This is an invalid domain.

Ezeelogin needs to be accessed with a domain name to enable FIDO2 authentication, and accessing it via an IP address will not work.

3. Error: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.

This error usually occurs when you cancel the FIDO2 setup prompt. Start the setup again and complete it.

4. Error: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.

This error usually occurs when you cancel the authentication prompt while trying to log in to the GUI. Refresh the browser tab or access Ezeelogin within a new tab to resolve the issue.
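The four errors above map to two browser-side preconditions (secure context, a domain rather than an IP literal) and one DOMException (`NotAllowedError`) raised when the prompt is cancelled or times out. The following is an added example, not Ezeelogin's own code, of a pre-flight check and error mapper a front end could run around `navigator.credentials.create()`/`get()`; the function names `fido2Preflight`, `isIpLiteral` and `explainWebAuthnError` are assumptions, and `loc` is a plain object shaped like `window.location` so the check can be tested outside a browser.

```javascript
// Added example (not Ezeelogin's code). `loc` mirrors window.location:
// { protocol: 'https:', hostname: 'gateway.example.com' } (constructed).
function fido2Preflight(loc) {
  const problems = [];
  // WebAuthn is only available in a secure context. Browsers treat
  // "localhost" as secure; any other origin must be https with a
  // certificate the browser trusts (self-signed certificates fail here).
  if (loc.protocol !== 'https:' && loc.hostname !== 'localhost') {
    problems.push('HTTPS is required');
  }
  // The relying-party ID must be a registrable domain name; a bare IPv4
  // or IPv6 literal is rejected by the browser as an invalid domain.
  if (isIpLiteral(loc.hostname)) {
    problems.push('This is an invalid domain.');
  }
  return problems;
}

function isIpLiteral(host) {
  const ipv4 = /^\d{1,3}(\.\d{1,3}){3}$/;
  // IPv6 literals appear bracketed in location.hostname, e.g. "[::1]".
  return ipv4.test(host) || /^\[.*\]$/.test(host) || host.includes(':');
}

// Map the DOMException thrown by the WebAuthn call to the remediation
// given in errors 3 and 4 above. `phase` is 'register' or 'login'.
function explainWebAuthnError(err, phase) {
  const name = err && err.name ? err.name : String(err);
  if (name === 'NotAllowedError') {
    // "The operation either timed out or was not allowed."
    return phase === 'register'
      ? 'Setup prompt cancelled or timed out: start the FIDO2 setup again and complete it.'
      : 'Login prompt cancelled or timed out: refresh the tab or open Ezeelogin in a new tab.';
  }
  if (name === 'SecurityError') {
    // Raised when the origin is not eligible (no HTTPS or an IP literal).
    return 'Origin not eligible: use HTTPS with a valid certificate and a domain name.';
  }
  return 'Unexpected WebAuthn error: ' + name;
}

module.exports = { fido2Preflight, isIpLiteral, explainWebAuthnError };
```

Run `fido2Preflight(window.location)` before starting registration and show its entries instead of letting the browser ceremony fail; the `SecurityError` branch covers the case where the check was skipped.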