WebAuthn Passwordless Policy
Under the WebAuthn Passwordless Policy, you can establish guidelines for Passwordless WebAuthn Authentication.
These policies are applied to both the WebAuthn Register Passwordless required action and the WebAuthn Passwordless Authenticator.
This setup is commonly utilized when WebAuthn serves as the initial authentication factor. If both the WebAuthn Policy and WebAuthn Passwordless Policy are configured within the same realm, it enables the use of WebAuthn for both first-factor and second-factor authentication within that realm.
This is the human-readable server name of the WebAuthn Relying Party.
This field is mandatory and is required for registering a WebAuthn authenticator.
The default setting is Keycloak.
This setting tells the WebAuthn authenticator which signature algorithms to use for the Public Key Credential.
ZTrust relies on Public Key Credentials for signing and verifying Authentication Assertions.
You can choose the desired option from the dropdown menu.
If no algorithms are specified, ES256 is used by default.
This is an optional configuration item that applies to the registration of WebAuthn authenticators.
It refers to the ID of a WebAuthn Relying Party, which defines the scope of Public Key Credentials.
It should correspond to the effective domain of the origin.
This is an optional configuration that is applied during the registration of WebAuthn Authenticators.
This setting communicates to the authenticator the preference for how to generate an attestation statement.
You can choose the desired option from the dropdown menu.
This is an optional configuration item that applies to the registration of WebAuthn authenticators.
This communicates to the authenticator an acceptable attachment pattern.
You can select your preference between platform or cross-platform patterns from the dropdown menu.
This is an optional configuration item that applies to the registration of WebAuthn authenticators.
It instructs an authenticator whether to create a public key credential as a resident key or not.
This is an optional configuration item that applies to the registration of WebAuthn authenticators.
This setting tells the authenticator to confirm that it has verified the user.
It's an optional configuration applied during the registration and authentication processes of a WebAuthn authenticator.
You can select your preferred option from the available choices in the dropdown menu.
If left unselected, the behavior is the same as selecting the preferred option.
This value determines the timeout duration for registering a WebAuthn authenticator and authenticating the user with it.
If set to 0, the timeout option is not applied, and the behavior depends on the implementation of the WebAuthn authenticator.
This is a toggle button. When activated (toggled ON), ZTrust prevents the re-registration of an already registered WebAuthn authenticator.
If deactivated (toggled OFF), an already registered WebAuthn authenticator can be registered again.
This is the whitelist of AAGUIDs (Authenticator Attestation Globally Unique Identifiers) of the authenticators that can be registered.
A WebAuthn authenticator's AAGUID must be on this whitelist for the authenticator to be registered.
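
The following added example (not ZTrust or Keycloak code) shows how the settings described on this page map onto the WebAuthn `PublicKeyCredentialCreationOptions` that a browser passes to `navigator.credentials.create()` at registration. The `policy` field names, the timeout being expressed in seconds, and the use of `excludeCredentials` to prevent re-registration are assumptions made for illustration.

```javascript
// Added example: map a hypothetical policy object to WebAuthn creation options.
// COSE algorithm identifiers from the IANA COSE Algorithms registry.
const COSE_ALG = { ES256: -7, ES384: -35, ES512: -36, RS256: -257, RS384: -258, RS512: -259 };

function buildCreationOptions(policy, user, challenge, registeredIds = []) {
  if (!policy.rpEntityName) throw new Error("Relying Party entity name is mandatory");
  // No algorithm selected: fall back to ES256, as the page states.
  const algs = policy.signatureAlgorithms?.length ? policy.signatureAlgorithms : ["ES256"];
  const unknown = algs.filter((a) => !(a in COSE_ALG));
  if (unknown.length) throw new Error(`unsupported algorithm: ${unknown.join(", ")}`);

  const rp = { name: policy.rpEntityName };
  // Optional RP ID; when omitted the browser uses the origin's effective domain.
  if (policy.rpId) rp.id = policy.rpId;

  const sel = {};
  if (policy.authenticatorAttachment) sel.authenticatorAttachment = policy.authenticatorAttachment;
  if (policy.requireResidentKey !== undefined) {
    sel.requireResidentKey = policy.requireResidentKey;
    sel.residentKey = policy.requireResidentKey ? "required" : "discouraged";
  }
  // Left unset, the WebAuthn default for userVerification is "preferred".
  if (policy.userVerification) sel.userVerification = policy.userVerification;

  const options = {
    rp, user, challenge,
    pubKeyCredParams: algs.map((a) => ({ type: "public-key", alg: COSE_ALG[a] })),
    authenticatorSelection: sel,
  };
  if (policy.attestation) options.attestation = policy.attestation;
  // 0 means no timeout is sent; WebAuthn expects milliseconds (seconds assumed here).
  if (policy.timeoutSeconds > 0) options.timeout = policy.timeoutSeconds * 1000;
  // Assumed mechanism for "prevent re-registration": list credentials already on file.
  if (policy.avoidSameAuthenticator) {
    options.excludeCredentials = registeredIds.map((id) => ({ type: "public-key", id }));
  }
  return options;
}

// Constructed sample input. A real challenge must be random and issued by the server.
const samplePolicy = { rpEntityName: "Keycloak", signatureAlgorithms: [], requireResidentKey: true,
  userVerification: "required", timeoutSeconds: 0, avoidSameAuthenticator: true };
const sampleUser = { id: new Uint8Array([1, 2, 3, 4]), name: "alice", displayName: "Alice" };
const sampleOptions = buildCreationOptions(
  samplePolicy, sampleUser, new Uint8Array(32), [new Uint8Array([9, 9])]);
// In a browser: navigator.credentials.create({ publicKey: sampleOptions })
```

The AAGUID whitelist is not part of these options; it is checked against the attestation data the authenticator returns.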