Friday, October 18, 2019

My passwordless app on IBM Cloud thanks to FIDO2

Passwordless login for cloud app
In my recent post I discussed how I could use a FIDO2 dongle as second factor for an app on IBM Cloud. Today, I want to give you an update because I managed to go passwordless. With the latest October update, Cloud Identity started to offer passwordless login with either FIDO2 or a QR code (using the IBM Verify app). I put that to a quick test for my secure file storage app. Here is what I did to go passwordless.

What happened before...

In my quest to go passwordless I am using the secure-file-storage app which is part of the tutorial on end-to-end security for a cloud app. The tutorial uses IBM App ID to authenticate users. App ID can be configured with different identity providers, from social IDs like Google or Facebook to federated IDs based on SAML. Another product is IBM Cloud Identity (CI). CI provides identity-as-a-service (IDaaS) for employees, including SSO, multifactor authentication, and user lifecycle management, and it offers FIDO2 support. I configured Cloud Identity as identity provider to App ID.

Going passwordless

With the recently added FIDO2 support in Cloud Identity and the new option to enable passwordless logins, going passwordless for the app was merely a matter of finding and activating the right options. As CI administrator, I navigated to the security settings and the new tab "Sign-in options". There, I could enable FIDO2 support for users of the integrated Cloud Directory (user management):

PIN or fingerprint instead of password

After enabling the support, I tested the app. There, I was offered the option to sign in without a password (see first screenshot). Next, I was prompted to insert and touch the security key. Once done, when using a device without a fingerprint scanner, I needed to enter the PIN for the USB dongle:

With that, the FIDO2 key could provide my identity and Cloud Identity prompted me to confirm my user name:

One more click and I was logged into my secure file storage app, all without providing any password. In summary, it was relatively easy to go passwordless. It still feels unreal, but I am looking forward to seeing and actually using it more often - not just on my IBM Cloud app, but with more and more applications, platforms and services.
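The PIN or fingerprint prompt described above is what WebAuthn calls user verification, and for a passwordless login the relying party has to check that the authenticator actually reported it; otherwise the key degrades to a possession-only factor. The following is an added example (not code from this post, nor from IBM Cloud Identity or App ID) that parses the `authenticatorData` of an assertion and enforces that policy; the rpId `secure-file-storage.example` and the authenticator data are constructed for the demo.

```python
"""Parse WebAuthn authenticatorData and enforce a passwordless sign-in policy.

Added example: for passwordless login the relying party must require the
User Verified (UV) flag, not just User Present (UP).
"""
import hashlib
import struct
from dataclasses import dataclass

FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or biometric was checked by the authenticator
FLAG_AT = 0x40  # attested credential data present (registration only)
FLAG_ED = 0x80  # extension data present


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(data: bytes) -> AuthData:
    # WebAuthn layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) | optional data
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash=data[:32], flags=data[32], sign_count=sign_count)


def verify_assertion_policy(data: bytes, rp_id: str, passwordless: bool, last_sign_count: int) -> str:
    """Return "ok" or the reason the assertion must be rejected."""
    ad = parse_authenticator_data(data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    if not ad.flags & FLAG_UP:
        return "user presence not asserted"
    # Passwordless: the key *is* the credential, so UV (PIN/fingerprint) is mandatory.
    # As a second factor after a password, UP alone is acceptable.
    if passwordless and not ad.flags & FLAG_UV:
        return "user verification required for passwordless sign-in"
    # A non-increasing counter suggests a cloned authenticator (skip when both are zero).
    if (ad.sign_count or last_sign_count) and ad.sign_count <= last_sign_count:
        return "signature counter did not increase (possible cloned authenticator)"
    return "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct sample authenticatorData for the demo (not captured from a real key)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "secure-file-storage.example"  # constructed rpId
    print(verify_assertion_policy(make_auth_data(rp, FLAG_UP | FLAG_UV, 5), rp, True, 4))
    print(verify_assertion_policy(make_auth_data(rp, FLAG_UP, 5), rp, True, 4))
```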

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.