Today, we are excited to announce the availability of two important new features in VMware Workspace ONE Access: support for FIDO2 passwordless authentication and Login Risk Score.
We first announced these features just a few short months ago at VMworld 2020, and they join our recently released support for multifactor authentication integrated directly into Intelligent Hub.
Together, all of these features are part of our comprehensive set of conditional access capabilities, which also includes device compliance.
We all know just how important access and authentication are. According to the 2020 Verizon Data Breach Investigations Report, stolen or brute-forced credentials are involved in more than 80% of breaches classified as hacking. This threat has become much more common and dangerous with the rise of work from home and the increased time that employees are spending at their computers. Clearly, the time is right to implement stronger authentication and access control features.
Login Risk Score
Using Workspace ONE Intelligence, Workspace ONE Access can now evaluate a user’s location based on IP address and assess the risk based on the impossible travel or “Superman” scenario.
Essentially, this policy compares the location of the user’s previous login to the new login, and assigns a risk score based on change of location. This is incorporated into the access policy along with other factors such as device risk and compliance. If the login is assessed to be risky, a second form of step-up authentication can be required, or access can be denied.
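The impossible-travel check described above can be sketched as follows; this is an added example, not VMware's code or scoring logic. The thresholds, the low/medium/high labels, the mapping to allow/step-up/deny, and the sample logins are all assumptions made for illustration.

```python
import math
from datetime import datetime

# Assumed thresholds for illustration only; not VMware's scoring rules.
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0    # tolerate IP-geolocation jitter within a region

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def login_risk(prev, new):
    """Score a login against the user's previous one: 'low', 'medium' or 'high'."""
    if prev is None:
        return "medium"  # assumption: no baseline location, so ask for step-up
    dist = haversine_km(prev["lat"], prev["lon"], new["lat"], new["lon"])
    if dist < MIN_DISTANCE_KM:
        return "low"
    hours = (new["time"] - prev["time"]).total_seconds() / 3600
    if hours <= 0:
        return "high"  # distant logins at the same instant or out of order
    speed = dist / hours  # implied travel speed between the two logins
    if speed > MAX_PLAUSIBLE_KMH:
        return "high"
    return "medium" if speed > MAX_PLAUSIBLE_KMH / 2 else "low"

def access_decision(risk, device_compliant=True):
    """Combine login risk with device compliance, as an access policy would."""
    if not device_compliant:
        return "deny"
    return {"low": "allow", "medium": "step_up", "high": "deny"}[risk]

# Constructed sample logins (a real deployment geolocates the source IP).
LONDON = {"lat": 51.5074, "lon": -0.1278, "time": datetime(2021, 1, 20, 9, 0)}
PARIS = {"lat": 48.8566, "lon": 2.3522, "time": datetime(2021, 1, 20, 12, 0)}
NEW_YORK = {"lat": 40.7128, "lon": -74.0060, "time": datetime(2021, 1, 20, 17, 0)}
SYDNEY = {"lat": -33.8688, "lon": 151.2093, "time": datetime(2021, 1, 20, 10, 0)}

if __name__ == "__main__":
    for name, event in [("Paris", PARIS), ("New York", NEW_YORK), ("Sydney", SYDNEY)]:
        risk = login_risk(LONDON, event)
        print(name, risk, access_decision(risk))
```

IP geolocation is coarse and VPN or proxy egress points move users between countries instantly, so a distance floor and a step-up tier reduce false denials compared with a single hard cutoff.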
As of this release, Login Risk Score is available for Workspace ONE Access SaaS customers. Learn more in the Access Release Notes.
FIDO2 Passwordless Authentication
Support for FIDO2 (WebAuthn/CTAP2) in Workspace ONE Access enables the use of authenticators such as YubiKey, Touch ID, or Windows Hello to authenticate into Workspace ONE securely and conveniently.
There are three key benefits in utilizing FIDO2 as an authentication method:
- Security: FIDO2 authenticators store separate, encrypted credentials for each and every account that the key is associated with. This greatly reduces the risk of phishing, password theft and replay attacks being successful.
- Ease of Use: Users are prompted for a one-click authentication, which is the same whether they are using a platform authenticator (Touch ID, Windows Hello) or an external authenticator (YubiKey, etc.). Setup and configuration for administrators is also simple and easy, as there are just three steps to get your tenant up and running with FIDO2.
- Flexibility: Not only is FIDO2 secure and easy to use, but it is also incredibly flexible. Customers have the option of allowing their users to authenticate using simple built-in methods like Touch ID or Windows Hello, or easy-to-use FIDO2 security keys like YubiKey.
As of our January release, FIDO2 support is available in desktop browsers for Workspace ONE Access SaaS customers.
How to set up FIDO2 in Workspace ONE Access
There are three steps to setting up FIDO2 as an authentication method.
First, you will have to enable FIDO2 from within the Access administration console.
Second, you will need to set up the end-user registration policy within the policy engine. This sets the type of authentication the end user must complete before being allowed to register a FIDO2 authenticator to their account. In the example configuration, the end user must enter their username and password before registering their FIDO2 authenticator.
Lastly, you will need to create a policy that sets FIDO2 as an authentication method. In the example configuration, FIDO2 is the primary authentication method, with username and password as a fallback method.
Get started on Workspace ONE Access
If you haven’t enabled Workspace ONE Access as part of your Workspace ONE deployment, there has never been a better time. Workspace ONE Access enables many great security and experience benefits, as well as economic benefits. To learn more, check out the Digital Workspace Tech Zone page for Mastering Workspace ONE Access, the full Access documentation, and this ESG report on the economic benefits of the Workspace ONE Access cloud-hosted option.