Using Hardware/Biometric Keys

Cape Koi Admin supports a range of hardware and biometric security keys as additional or replacement authentication methods. The exact form factor of a "security key" depends on your browser and device capabilities. Typically these include hardware authentication tokens such as a YubiKey, or a fingerprint enrolled on your device.

Enrollment

To use a hardware security key, you must first sign in normally and then register the security token.

Due to the very personal nature of multi-factor authentication (MFA), the interface for key enrollment is only available to your own account, under "Account Settings":

To set up a security key, go to Account Settings by clicking the user icon in the top right corner of the app. Then check the box labelled "enable hardware security keys and screen lock":



You can enroll multiple keys and test the keys separately or at the same time. The "Test All" button is useful for identifying which device is picked as a primary authentication method by the system. In fact, one can plug in multiple keys and see which profile matches:



You will be asked to touch the key first before going through the typical key registration steps.

In a browser that supports FIDO2, you will be asked to set up a PIN the first time you use a security key. The PIN is then required before further verification:



Afterward, you will be prompted to touch the key:



On a mobile device, you might be presented with additional options:



If a fingerprint is enrolled on the mobile device, it is supported through the screen lock method. An NFC-enabled security key can also be tapped against the back of the device without selecting the "use security key with NFC" option first.

Striking a Balance between Convenience and Security

Although the flow of adding a physical authentication method is the same for a FIDO2 key, a FIDO/U2F key and a screen lock, the end result may be either convenience or added security. There is unfortunately a tradeoff. Luckily, Cape Koi Admin allows flexible configuration of keys, so it is up to the user to deploy a suitable strategy.

FIDO2 and FIDO/U2F are interfaces that may be supported by the same hardware key. Universal 2nd Factor (U2F) is intended as added security rather than a replacement for passwords. One can argue that a stolen key should not be sufficient to gain access to a critical system. FIDO2 was created to require an additional PIN. The difference in hardware interfaces translates to one extra step in the user interface: can a key simply be tapped to log in, or must an extra PIN be entered first? There is one more difference. When a FIDO2 key is configured to run in U2F-only mode, that key cannot be enrolled in Cape Koi Admin. You will see the following error:

"user must be present and verified"
The same error is given when enrolling a key through an NFC touch. This is by design.
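The error above is what a relying party reports when the key's response carries the WebAuthn "user present" flag (a touch) but not the "user verified" flag (a PIN or biometric), which is exactly what a U2F-only key or a plain NFC tap produces. The following is an added example, not Cape Koi Admin's own code, of how a server-side check reads the authenticator-data flags to enforce that rule; that Cape Koi Admin's internals work this way is an assumption. The sample authenticator data is constructed inline with a zeroed RP ID hash. The byte layout and flag bits follow the W3C WebAuthn specification.

```javascript
// Added example (not Cape Koi Admin's code): server-side check of the WebAuthn
// authenticator-data flags, deciding whether a registration or sign-in was made
// with "user presence" only (a touch, as in U2F-only mode or an NFC tap) or with
// "user verification" as well (a FIDO2 PIN or a screen-lock biometric).
//
// On the client, a relying party asks for verification with
//   navigator.credentials.create({ publicKey: { ...,
//     authenticatorSelection: { userVerification: "required" } } })
// but the decision must be made on the server from the flags the key returns.

// Bits of the authenticator-data "flags" byte.
const FLAG_UP = 0x01; // bit 0: user present (the key was touched)
const FLAG_UV = 0x04; // bit 2: user verified (PIN or biometric was checked)
const FLAG_AT = 0x40; // bit 6: attested credential data follows (registration)

// Authenticator data = 32-byte RP ID hash | 1 flags byte | 4-byte big-endian
// signature counter | optional attested credential data and extensions.
function parseAuthenticatorData(authData) {
  if (authData.length < 37) {
    throw new Error("authenticator data too short");
  }
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasAttestedCredential: (flags & FLAG_AT) !== 0,
    signCount: view.getUint32(33), // big-endian by default
  };
}

// Policy check applied when the relying party requires user verification.
// Returns null when the response is acceptable, otherwise the rejection reason.
function checkUserVerification(authData, requireUV) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return "user must be present";
  }
  if (requireUV && !parsed.userVerified) {
    // This is the case for a key in U2F-only mode or a bare NFC tap.
    return "user must be present and verified";
  }
  return null;
}

// Constructed sample: 32 zero bytes stand in for SHA-256(rpId), followed by the
// flags byte and a signature counter. Real keys return a genuine hash.
function buildSampleAuthData(flags, counter) {
  const out = new Uint8Array(37);
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, counter);
  return out;
}

// A touch-only response (U2F mode or NFC tap) versus a PIN-verified one.
const TOUCH_ONLY = buildSampleAuthData(FLAG_UP, 7);
const PIN_VERIFIED = buildSampleAuthData(FLAG_UP | FLAG_UV, 7);

console.log("touch only, UV required  :", checkUserVerification(TOUCH_ONLY, true));
console.log("PIN verified, UV required:", checkUserVerification(PIN_VERIFIED, true));
console.log("touch only, UV optional  :", checkUserVerification(TOUCH_ONLY, false));
```

When "security keys are optional" on the account and a key is marked for expediency, the second argument would be false and a touch-only key passes; for a PIN-protected key it is true, which is why a key switched to U2F-only mode cannot be enrolled under that policy.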

To add an NFC key to an account, use a laptop to enroll the key first. Similarly, a FIDO2 key can be enrolled before switching it to U2F-only mode:


Enforcement Options

Cape Koi Admin allows very flexible security policy settings. Not all keys are the same. We can have one key that's PIN protected, and another for expediency. The combination of "security keys are optional" on the account level, and "password-less" on the key level allows the following scenarios:

Furthermore, when additional 2FA methods such as SMS verification or a Google Authenticator code are enabled, they are collected before the security key is touched.

Signing In

On the login screen, the username must be provided to enable the Hardware Key option. If the user has no security token configured, a link to this help page is provided instead.



If the user signs in with a hardware key, the user's login is remembered for future sessions. A strict username-password sign-on clears that memory.

If the use of a hardware key is not optional, clicking on the "Sign In" button will automatically trigger the Security Key (USB) icon.

Recovery

If an individual user is locked out because a hardware token has been lost or is inaccessible, another user with the User Management privilege (a "Manager") may initiate a password reset for the locked-out user. Even though the Manager cannot see or provision a hardware key on behalf of another user, the Manager can revoke all MFA elements through a password reset.