Cape Koi Admin supports a range of hardware and biometric security keys as additional or replacement authentication methods. The exact form factor of a "security key" depends on your browser and device capabilities; typically it is a hardware authentication token such as a YubiKey, or a fingerprint enrolled on your device.
To use a hardware security key, you must first sign in in the usual way and then register the security token.
Because multi-factor authentication (MFA) is very personal, the key enrollment interface is only available for your own account, under "Account Settings":
To set up a security key, go to Account Settings by clicking on the user icon on the top right corner of the app. Then check the box that says "enable hardware security keys and screen lock":
Although the flow for adding a physical authentication method is the same for a FIDO2 key, a FIDO/U2F key and a screen lock, the result may be either convenience or added security. Unfortunately there is a tradeoff.
Luckily, Cape Koi Admin allows flexible configuration of keys, so it is up to the user to choose a suitable strategy.
FIDO2 and FIDO/U2F are interfaces that may be supported by the same hardware key. Universal 2nd Factor (U2F) is intended as added security rather than as a replacement for passwords: one can argue that a stolen key alone should not be sufficient to gain access to a critical system. FIDO2 was created to require an additional PIN. The difference in hardware interfaces translates to one extra step in the user interface: can the key simply be tapped to log in, or must a PIN be entered first?
There is one more difference. When a FIDO2 key is configured to run in U2F-only mode, that key cannot be enrolled in Cape Koi Admin. You will see the following error:
Cape Koi Admin allows very flexible security policy settings. Not all keys need to be the same: one key can be PIN-protected, and another kept for expediency. The combination of "security keys are optional" at the account level and "password-less" at the key level allows the following scenarios:
On the login screen, the username must be provided to enable the Hardware Key option. If the user has no security token configured, a link to this help page is provided instead.
If an individual user is locked out because a hardware token is lost or inaccessible, another user with the User Management privilege (a "Manager") may initiate a password reset for the locked-out user. Although the Manager cannot see or provision a hardware key on behalf of another user, the Manager can revoke any MFA elements through a password reset.