Foldr server update 4.18 (December 2020) enables support for WebAuthn. WebAuthn allows a user to sign in with a physical security key (USB YubiKey etc.), and also supports biometric (macOS TouchID, Windows Hello) and/or PIN entry to log into the web or Windows desktop app. Password sign-in can optionally be disabled for these apps once a user has one or more WebAuthn security devices registered.
More information about WebAuthn can be found here:
https://en.wikipedia.org/wiki/WebAuthn
App Compatibility
Signing in with a security key is supported in the Foldr web and Windows desktop app. macOS users can use WebAuthn in the Foldr web app only.
Enabling Security Key Sign-In for Users
WebAuthn is disabled by default and can be configured for users/groups as required. To enable WebAuthn:
1. Sign into Foldr Settings and browse to the Security > WebAuthn tab.
2. Enable WebAuthn by toggling on ‘Allow users to sign in with security keys’.
3. Create a WebAuthn profile and assign it to users/groups. Click + Add New.
4. Give the profile a suitable name.
5. Decide if users should be forced (Required) to register a security device when they next sign into Foldr, or if they can add a device later at a time of their choosing (Optional).
6. Click the Users & Groups tab.
7. Search for the User or Group that you wish to assign the profile to. In this example, an Active Directory group ‘Marketing’ is being used.
8. Click the Update button.
9. This will return you to the main WebAuthn screen. Click Save Changes to commit changes or add another profile if required.
The setup process is complete. Users will now see a ‘sign in with a security key’ button at the bottom of the web sign-in dialog.
User Experience – Registering a Device (WebAuthn Optional)
If a user signs in and their WebAuthn profile is set as optional, they can enable/register their security key or Windows Hello/macOS TouchID within the Me menu in the Foldr web app.
Within the Me screen, click + Register New Device.
If Windows Hello (PIN, Face or Fingerprint) is enabled in Windows or TouchID is enabled in macOS, you will be prompted to register at this point.
Otherwise, the user is prompted to insert a compatible WebAuthn/FIDO2 physical security key (typically USB Type-A or Type-C) and the PIN for the device will be requested.
Once the PIN has been entered, the user will be prompted to touch the security key to complete the registration.
The device will now show within the user’s Me tab > WebAuthn section, along with the date/time it was registered.
Multiple devices may be registered as required (Windows Hello may be registered, along with physical USB devices).
User Experience – Signing in with a Security Key
On the web app sign-in screen, click the Sign-In with a security key button.
The standard Windows/macOS dialog will be shown, asking the user to provide the security key, PIN or biometric input. In this example, the Windows Hello Face prompt appears and the web app then signs in.
If a physical USB device is being used, you are prompted to provide the PIN.
The user is then prompted to touch the device.
The app will then sign in.
Windows/macOS App Sign-In Process
Requirements:
Web sign-in must be enabled for the Windows desktop app in order to support WebAuthn Security Key sign-in. This is configured on the server in Foldr Settings > Devices & Clients > Windows. Note – Web sign-in is enabled by default.
The process to sign in to the desktop apps is very similar to the web app (above), however, the user must provide their username first. If the user doesn’t provide their username, they will see the following prompt.
Managing Security Keys
A user can manage their registered security keys in the web app’s Me menu screen.
Foldr administrators can search for and view/remove users’ registered security keys in Foldr Settings > Security > WebAuthn > Active Users.