Strengthening Security with FIDO2 WebAuthn Support for Workspace ONE Access + Horizon

Workspace ONE Access will soon offer support for FIDO2 Web Authentication (WebAuthn) on Windows 10 and macOS devices. This means that when logging in to your Horizon resources, or to any SaaS application that uses Workspace ONE Access, you can use Windows Hello, Touch ID, or a YubiKey for authentication.

Logging into Workspace ONE Access using Windows Hello

With this upcoming release, end users can self-register their FIDO2 authenticator (a security key or a built-in platform authenticator) with Workspace ONE Access. Administrators control the level of authentication required before a user may register a FIDO2 authenticator, such as Certificate + Device Compliance or Password + MFA. Once registered, the FIDO2 authenticator can be used as either a primary or a secondary factor.

Note: This is currently supported on the SaaS (cloud-hosted) version of Workspace ONE Access only.

Using the Horizon Client with Workspace ONE Access and Touch ID

VMware officially supports the following authenticators:

Once you have enabled FIDO2 in Workspace ONE Access (along with True SSO), you can provide a seamless sign-in experience into your Horizon desktop. True SSO is what makes this work: after a FIDO2 sign-in there is no password to pass through to the Windows session, so True SSO logs the user in with a short-lived certificate instead.

Enabling the Authenticator

  1. In Workspace ONE Access, go to Identity & Access Management -> Authentication Methods.
  2. Enable the FIDO2 authenticator.
  3. Click Save.
  4. In Identity & Access Management -> Identity Providers, click your Built-in IDP.
  5. Select the FIDO2 authentication method to associate it with your Built-in IDP.
  6. Click Save.

Setting up your Policies

In this section, we walk through configuring the default policy for both registration and authentication. In your environment you may have application-specific policies in addition to the default policy; in that case you may want to keep the registration of the FIDO2 authenticator in the default policy and offer FIDO2 as an authentication method in your application policies. Note: The registration rule for the FIDO2 authenticator can only live in your default access policy set.

  1. In the Workspace ONE Access admin console, go to Identity & Access Management -> Policies.
  2. Select the “default access policy set” and click Edit.

Adding the Registration Policy Rule

  1. Click Add Policy Rule (you may have to scroll down if you have a lot of policy rules).
  2. Select All Ranges.
  3. Select All Device Types. Note: Since this policy rule is for registration only, it is easier to make it available to all device types. You could instead create two separate rules for Windows 10 and macOS, but that is unnecessary: this rule is only triggered when someone clicks “Register your FIDO2 Authenticator” on the sign-in screen, and that link is only displayed on macOS and Windows 10.
  4. Set the slider for “and the user is registering FIDO2 Authenticator” to YES.
  5. Select the authentication methods your users must complete to register a FIDO2 authenticator. In my environment, I am using Password + MFA. Note: If you do not want to allow System Domain users to register, do not offer Password (Local Directory) here, as that would let system domain users register a FIDO2 authenticator.
  6. Click Save.

Adding the Authentication Policy Rule

  1. Click Add Policy Rule (you may have to scroll down if you have a lot of policy rules).
  2. Select All Ranges.
  3. Select macOS.
  4. Make sure the slider for “and the user is registering FIDO2 Authenticator” is set to NO.
  5. Select FIDO2 as the first authentication method.
  6. Select a fallback authentication method in case FIDO2 is not available. Users can choose this method by clicking “Sign in another way” on the login screen. In my example, I am using Password + MFA.
  7. Click Save.
  8. Repeat these steps for Windows 10. In my example, I am using Certificate Authentication as the alternative way of signing in.
  9. As an alternative, you can include both FIDO2 and Certificate Authentication together with a Device Compliance check.

Ordering your Policy Rules

Ordering your policy rules is extremely important to make sure everything works properly. The registration rule needs to be above your Windows 10 and macOS rules; otherwise a registration attempt from one of those devices is caught by the OS-specific rule first. You can see in my screenshot below that my registration rule (indicated by the device type ANY) is near the top:

The macOS and Windows 10 rules can be anywhere below the registration rule.
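To make the ordering point concrete, here is a small model of rule selection, added for this write-up and not VMware's policy engine. It assumes what the advice above implies: rules are tried top-down and the first match wins, and a rule whose "user is registering FIDO2 Authenticator" slider is NO places no restriction on that condition (modelled as `registering: null`). Every rule in this post uses network range ALL, so ranges are not modelled, and the rule names and method lists are taken from the steps above.

```javascript
// Added example, not VMware's policy engine: a model of how the post's
// access-policy rules pick an authentication chain, showing why the FIDO2
// registration rule must sit above the Windows 10 and macOS rules.
// Assumptions (how the post's ordering advice reads, not a documented
// algorithm): first matching rule wins; slider NO = no restriction (null);
// network range ALL everywhere, so it is not modelled.

const rules = {
  registration: {
    name: "FIDO2 registration (device type ANY)", deviceType: "ANY", registering: true,
    methods: [["Password", "MFA"]],
  },
  macos: {
    name: "macOS sign-in", deviceType: "macOS", registering: null,
    methods: [["FIDO2"], ["Password", "MFA"]],
  },
  win10: {
    name: "Windows 10 sign-in", deviceType: "Windows 10", registering: null,
    methods: [["FIDO2"], ["Certificate"]],
  },
};

function ruleMatches(rule, req) {
  if (rule.deviceType !== "ANY" && rule.deviceType !== req.deviceType) return false;
  if (rule.registering !== null && rule.registering !== req.registering) return false;
  return true;
}

// The first matching rule decides which authentication chain(s) the user sees.
function selectRule(policy, req) {
  return policy.find((rule) => ruleMatches(rule, req)) || null;
}

// Lint the ordering: any unrestricted rule placed above the registration rule
// swallows registration requests coming from its device type.
function orderingProblems(policy) {
  const regIdx = policy.findIndex((r) => r.registering === true);
  if (regIdx < 0) return ["no registration rule in the policy set"];
  return policy
    .slice(0, regIdx)
    .filter((r) => r.registering === null)
    .map((r) => `"${r.name}" is above "${policy[regIdx].name}" and will handle ${r.deviceType} registration requests`);
}

// Constructed orderings: the post's recommended one and a broken one.
const goodOrder = [rules.registration, rules.macos, rules.win10];
const badOrder = [rules.win10, rules.registration, rules.macos];
```

With `badOrder`, a Windows 10 user who clicks "Register your FIDO2 Authenticator" is handled by the Windows 10 sign-in rule instead of the registration rule, which is exactly the misconfiguration the ordering advice is there to prevent; `orderingProblems` reports it.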

Note: Chromium-based browsers have varying support for FIDO2 in incognito mode. In these cases, users will have to use the fallback authentication method (“Sign in another way”).
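For anyone wanting to see what happens in the browser behind the “Register your FIDO2 Authenticator” link and the FIDO2 sign-in, including the fallback decision the note above calls for, here is an added example. It is not code from this post or from VMware. A window-like object `win` is injected so the logic can be exercised outside a browser (in a page you would pass `window`); `RP_ID`, the user record and the challenge bytes are assumed values, and in a real deployment the challenge is minted and verified server-side.

```javascript
// Added example, not code from the original post or from VMware: the
// browser-side WebAuthn calls behind "Register your FIDO2 Authenticator"
// and a FIDO2 sign-in, plus the decision to fall back to "Sign in another
// way" when the browser lacks or refuses WebAuthn (the incognito case).
// `win` is injected so this runs outside a browser; pass `window` in a page.
// RP_ID, user data and challenges are assumed values; the server must
// generate the challenge and verify the returned credential.

const RP_ID = "access.example.com"; // assumed relying-party ID (the Access tenant host)

// Errors after which offering the fallback method is the right response:
// NotAllowedError covers user cancel, timeout and a browser/profile that
// refuses WebAuthn; NotSupportedError means no suitable authenticator.
const FALLBACK_ERRORS = new Set(["NotAllowedError", "NotSupportedError"]);

function hasWebAuthn(win) {
  const creds = win.navigator && win.navigator.credentials;
  return Boolean(win.PublicKeyCredential && creds &&
    typeof creds.create === "function" && typeof creds.get === "function");
}

// Is WebAuthn present, and is a platform authenticator (Windows Hello,
// Touch ID) available, as opposed to only a roaming key such as a YubiKey?
async function detectFido2(win) {
  if (!hasWebAuthn(win)) return { webauthn: false, platformAuthenticator: false };
  let platform = false;
  const pkc = win.PublicKeyCredential;
  if (typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === "function") {
    try { platform = await pkc.isUserVerifyingPlatformAuthenticatorAvailable(); }
    catch (_) { platform = false; } // a failed probe counts as "not available"
  }
  return { webauthn: true, platformAuthenticator: platform };
}

function registrationOptions(challenge, user) {
  return {
    challenge,                            // Uint8Array from the server, single use
    rp: { id: RP_ID, name: "Workspace ONE Access (example)" },
    user: { id: user.id, name: user.name, displayName: user.displayName },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },    // ES256
      { type: "public-key", alg: -257 },  // RS256
    ],
    // require PIN or biometric so the key is usable as a stand-alone factor
    authenticatorSelection: { userVerification: "required" },
    attestation: "none",
    timeout: 60000,
  };
}

function assertionOptions(challenge, allowedCredentialIds) {
  return {
    challenge,
    rpId: RP_ID,
    allowCredentials: allowedCredentialIds.map((id) => ({ type: "public-key", id })),
    userVerification: "required",
    timeout: 60000,
  };
}

function shouldFallBack(err) {
  return Boolean(err && FALLBACK_ERRORS.has(err.name));
}

// "Register your FIDO2 Authenticator": the user has already satisfied the
// registration rule's methods (e.g. Password + MFA) before this runs.
async function registerFido2(win, options) {
  if (!hasWebAuthn(win)) return { ok: false, reason: "webauthn-unavailable" };
  try {
    const cred = await win.navigator.credentials.create({ publicKey: options });
    return { ok: true, credentialId: cred.id }; // ship `cred` to the server to store
  } catch (err) {
    if (shouldFallBack(err)) return { ok: false, reason: err.name };
    throw err; // configuration faults (e.g. SecurityError on rpId) should surface
  }
}

// FIDO2 sign-in; "fallback" means show the policy's second method.
async function signInWithFido2(win, options) {
  if (!hasWebAuthn(win)) return { method: "fallback", reason: "webauthn-unavailable" };
  try {
    const cred = await win.navigator.credentials.get({ publicKey: options });
    return { method: "fido2", credentialId: cred.id };
  } catch (err) {
    if (shouldFallBack(err)) return { method: "fallback", reason: err.name };
    throw err;
  }
}
```

Only NotAllowedError and NotSupportedError trigger the fallback; anything else (for example a SecurityError because `rpId` does not match the page origin) is a configuration bug and is rethrown rather than silently sending every user to the password path.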

Administrative Management

Administrators can also pre-register USB FIDO2 authenticators (e.g. YubiKeys) in the system and manage the full life cycle of those authenticators.

In the Workspace ONE Access admin console, from a user's profile, an admin can add, delete, rename, block, or unblock USB security keys.
