Versions Compared

Old Version 9

changes.mady.by.user Martin Kuba

Saved on

compared with

New Version Current

changes.mady.by.user Martin Kuba

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

When accessing a service which requires Multi-Factor Authentication, the e-INFRA CZ AAI will forward the request to your home organization. If you can perform MFA there, you will do so. Otherwise, if you have registered for MFA in e-INFRA CZ AAI MFA, you will be prompted to perform MFA in the e-INFRA CZ AAI context (or will be displayed an error message if you cannot fulfil this requirement).

...

Expand
titleMore information ...

You may know this method by different names, including “FIDO2”, “U2F”, “security key verification”, “universal second factor” or simply “security key”.

The advantage of this method is its simplicity - you do not need to grab your smartphone, open an app and type in a code, you just confirm the authentication e.g. by pressing a button or using your thumb for fingerprint. You may register various devices and use a different method of authentication in each one depending on the device’s capabilities.

In order to use WebAuthn, you need to use one of the supported web browsers together with the operating system capability, an app or a physical authenticator (e.g. a YubiKey).

If you want to learn more, check out webauthn.io and webauthn.me.

Operating systems with WebAuthn built in

  • Windows 10+ (Windows Hello)

  • macOS 10.15+ (only some browsers depending on version)

  • Android 7+ (a screen lock has to be set - e.g. a fingerprint or face recognition))

  • iOS 14.5+ (Touch ID, Face ID)

  • For Linux, you can try Rust U2F or tpm-fido.

WebAuthn on MS Windows

Use Windows Hello using a PIN, facial recognition, or fingerprint. Windows 10 build 1903 or later is required.

WebAuthn on Android

The screen lock functionality that uses a PIN, pattern, password, fingerprint or facial recognition can be used for MFA.

Alternatively a NFC or USB connected hardware token like Yubikey can be used.

WebAuth on MacOS

The Touch ID feature can be used.

WebAuthN on Linux PC with FIDO2-compatible hardware token

USB hardware tokens that support FIDO2, like Yubikey, can be used.

WebAuthN on Linux PC with Android phone used for the second factor

This use case requires a rather specific setup. The Linux PC must have Bluetooth enabled, Google Chrome browser must be used on the PC, and an Android phone with enabled Bluetooth and installed Chrome browser must be physically near the PC (so near that the PC and the phone can communicate over Bluetooth).

If the Chrome browser on the Android phone contains authenticated Google Account, the ways for unlocking screen lock will be used for second factor.

If the Chrome browser on the Android phone does not contain authenticated Google Account, scanning of a one-time QR code by the phone from the screen of the PC can be used.

Support

In case of any problem please let us know at login@e-infra.cz.

...