Passkeys are a phishing-resistant alternative to conventional passwords. You authenticate to your local “passkey provider” with either a PIN or biometric data (fingerprint, facial recognition, etc.). The provider then checks whether it has a token for the system you want to log in to and finally logs you in.
Specific hardware tokens (such as YubiKeys), Windows devices with Windows Hello support, most Android and iOS mobile devices and also many password managers work as passkey providers.
1) Visit mfa.th-ab.de
After logging in with Shibboleth, you can log in to eduMFA with your university ID.
2) Create a Passkey
Select “Enroll Token” in the menu (1), then select the token type “WebAuthn: Enroll a Web Authentication token.” in the drop-down menu (2).
In the Description field, you can enter a description for the token so that you can later trace which device saved the token.
As soon as you click on the “Enroll Token” button, you will be taken to the next step.
3) Follow the instructions of your operating system or web browser
On Android, for example, a pop-up of the registered passkey provider should now be displayed.
On Windows with a hardware token
First you will be given the choice of whether the key should be saved on a security key or on a mobile device.
Select “Security key” here (these can also be used via NFC on a smartphone).
Using a hardware token for the first time
To use a hardware token such as a YubiKey, it is important that it is protected with a PIN; otherwise the required functionality will be blocked.
If you are using a Windows system, you will be prompted to set this PIN the first time you use a YubiKey.
Enrolling a hardware token
As soon as you enroll a WebAuthn token, your system will first ask you to set the PIN for your hardware token. After successful entry, your hardware token should flash and will expect a physical confirmation. In most cases, the silver or gold surface will also flash.
Depending on the system, you may be asked whether part of the data should be transmitted anonymously (this removes features of the hardware token such as serial number and manufacturer). The tokens also work if you do not consent to the transfer of this data.
4) Using a Passkey
Passkeys are currently only supported as a login option in Shibboleth; other systems will follow over time.