FIDO2 platform authenticator

Question

FIDO2 platform authenticator

testuser7 286

Hello,

We know that

CTAP2 and WebAuthn define an abstraction layer that creates an ecosystem for strongly authenticated credentials. Any interoperable client (such as a native app or browser) running on a given “client device” can use a standardized method to interact with any interoperable authenticator – which could mean a platform authenticator that is built into the client device or a roaming authenticator that is connected to the client device through USB, BLE, or NFC

My question is, as per FIDO2 spec. is following possible ?

Can a platform authenticator on one client-device serve as roaming authenticator for another client device ??

So for eg., we know that iPhone's TouchID is a platform-authenticator.

I want to use it as roaming authenticator because my client device is win10 box where I have opened browser and want to complete the FIDO2 authentication using TouchID

Thanks.

Accepted answer

2 additional answers

Your answer

Answer 1

Brian Zarb 1,685

Hey, to be completely honest, I've never encountered any issues with using a platform authenticator as a roaming authenticator, but I get why you're curious about it—it's an interesting question!

So, here's the deal: According to FIDO2 specs, platform authenticators like iPhone's Touch ID are really meant to stay on the device they're built into. They're not designed to roam from device to device like a YubiKey or other security keys would.

That being said, there are some creative workarounds. For example, some software solutions act as a bridge between devices, but that's kind of bending the rules and could raise some security eyebrows. Some manufacturers might also offer their own ways to do this, but again, that's not a standard FIDO2 thing; it's more of a special feature they offer.

In a nutshell, it's not a straightforward "yes, you can do it," but more of a "technically possible, but not recommended or standard." Hope that clears things up a bit!

Spadaro Federico 0 Reputation points

2024-01-04T16:08:48.16+00:00
One Question,

what if I develop a corporate internal mobile app and I want to distribute to my users and the must install it but they refuse or don't want to install the microsoft authenticator as MFA generator.

would it be possible via FIDO2(webauthn) to get the 2fa when need it using the faceid, fingerprint or code already in place on the phone, at least the first time and it enrolled the device in as authentication mechanism.

OKTA does it and is very useful, I'm investigating if Microsoft can do so or not.

FIDO2 (WebAuthn)

Once this factor is configured, additional verification will be required when users sign in to Okta.

If the user selects ‘Security key or biometric authenticator’, they will be prompted to register an authenticator via Web Authentication in order to sign in to Okta successfully. Users can follow the on-screen prompts for browser or OS instructions in order to gain access. Learn more in documentation .

Web Authentication supports two authentication methods:

Security keys such as YubiKeys or Google Titan

Biometric authenticators such as Windows Hello or Apple Touch ID

thank you the patience.

/F

Answer 2

testuser7 286

Thanks @Brian Zarb Makes sense. So keeping platform authenticator like TouchID for the device they are in (iPhone) is the recommended approach.

One follow up question if you have enrolled FIDO2 TouchID credential (public-key) in Azure-AD.

Did AAD force you to register the device (iPhone) in AAD while provisioning this credential in any user-profile ??

Thanks.

Brian Zarb 1,685 Reputation points

2023-09-26T15:46:06.2866667+00:00

yes absolutely, keeping platform authenticators like TouchID tied to the device they're built into is the recommended way to go. It aligns best with the security guidelines and intended usage.

Regarding your follow-up question about Azure AD and TouchID, generally speaking, Azure AD doesn't necessarily force device registration when enrolling FIDO2 credentials. However, the exact behavior can depend on your organization's policies. Some organizations might set up their Azure AD to require device registration as an additional layer of security, especially when using features like Conditional Access.

So, if you're finding that Azure AD is prompting for device registration, it could be a policy set by your IT dept rather than a hard requirement from Azure AD itself.

Hope that helps clarify things for you, if it does kindly mark as answered and consider following!
thank you, Bz
testuser7 286 Reputation points

2023-09-26T16:00:41.84+00:00

Thanks @Brian Zarb

I totally understand the enforcement of device registration through CA-policy. But that is not what I am talking here.

Just like in case of WHfB device-reg is mandatory, is it mandatory for TouchID registration ??

The reason this came in my mind is both are Platform-authenticators.

If I am enrolling yubikey then obviously there is no need to register the device I am enrolling from.
Brian Zarb 1,685 Reputation points

2023-09-26T16:07:21.7+00:00

Ah, I see, to directly answer your question: No, Azure AD does not inherently require device registration when you're setting up a platform authenticator like TouchID, unlike the mandatory requirement you might see with WHfB. The FIDO2 specification allows for platform authenticators to be used without device registration, and Azure AD typically adheres to that.

You're correct in noting that when you're using a roaming authenticator like a YubiKey, there's obviously no need for device registration since the authenticator itself is portable. With platform authenticators, the device-bound nature is a function of the authenticator itself, rather than a requirement of Azure AD.

bottom line no, you wouldn't typically be forced to register your iPhone in Azure AD just for setting up a TouchID credential, unless your organization's specific policies dictate otherwise.
testuser7 286 Reputation points

2023-09-26T16:11:35.6233333+00:00

Got it.. Thanks @Brian Zarb It helps.

I am assuming you have provisioned TouchID in Azure-AD

If yes, did you use mysigins.microsotf.com (our CSIR portal) to do that ??
Brian Zarb 1,685 Reputation points

2023-09-26T16:14:42.9866667+00:00

haven't directly implemented this myself, but I've co-implemented such setups with others. Yes, mysignins.microsoft.com is generally the go-to portal for setting up authentication methods like TouchID in Azure AD. Regards, Bz
testuser7 286 Reputation points

2023-09-26T16:25:11.1733333+00:00

Sounds good.. Thanks @Brian Zarb
Brian Zarb 1,685 Reputation points

2023-09-26T16:28:46.58+00:00

You are welcome, Kindly mark this as the answer so others can find it as helpful as you did!

Answer 3

As of May 2025, the answer is "yes, you can do it".

As far as I understand, it works out of the box with Windows 10-11 and iOS 14+.

Pair Windows and iOS using a normal Bluetooth pairing.
Go to webauthn.io
Select Registration > Attachment > Cross-platform
Click Register
A QR-code is displayed
On a scan, Windows connects to iOS using Bluetooth. This can be validated by disabling Bluetooth. The entire protocol is CaBLE if I understand correctly.
iOS Passwords apps asks to add a passkey
The same flow works with authentication
PROFIT!!!111

Share via

FIDO2 platform authenticator

2 additional answers

Your answer