
FIDO2

FIDO2 is a passwordless authentication standard established by the FIDO Alliance.

It defines an authentication protocol between an authentication device (the authenticator), the web browser and the Relying Party (RP) server, and provides a general-purpose way to authenticate to a web application without using a password.

This system adds the FIDO2 authentication method to the OpenAM authentication chain so that users can authenticate with a FIDO2 authentication device.


Devices that can be used for FIDO2 authentication

・Windows Hello-compatible PC

・FIDO2-compatible YubiKey device

・Google Titan device

URLs for FIDO2 registration

Access whichever of the following URLs matches the authentication conditions you can satisfy, then register the FIDO2 authentication device.

※ You can register multiple FIDO2 authentication devices.

Registration from the campus network environment (including VPN connection)

https://auth.jaist.ac.jp/sso/XUI/#login/&service=RegFIDO2withCampus

Registration from an off-campus network environment

1. Password and TOTP authentication
   https://auth.jaist.ac.jp/sso/XUI/#login/&service=RegFIDO2withTOTP
2. FIDO2 authentication (with a FIDO2 device you have already registered)
   https://auth.jaist.ac.jp/sso/XUI/#login/&service=RegFIDO2withFIDO2
3. Password and certificate authentication (certificate applied for before 8/25/2023 16:00)
   https://auth.jaist.ac.jp/sso/XUI/#login/&service=RegFIDO2withCert
4. Password and certificate authentication (certificate applied for after 8/25/2023 16:00)
   https://auth.jaist.ac.jp/sso/XUI/#login/&service=RegFIDO2withCert2023

FIDO2 usage procedure

Initial setup procedure

1. Set up the device (authenticator) you will use for FIDO2 authentication.

2. Access the registration URL that matches the authentication conditions you can satisfy.

3. Enter your user name and click Login.

4. Follow the instructions on the screen to complete the login for that URL's authentication conditions.

5. The authentication screen of the device set up in step 1 is displayed. Complete the authentication and click "OK".

6. Enter an identification name for the device you just authenticated with and click Next.

7. Confirm that the device appears, under the identification name you entered, in the list of registered FIDO2 authentication devices.

Using services with multi-step authentication (FIDO2)

When you access a service that authenticates through the integrated authentication infrastructure system, such as Webmail, the login screen shown in the figure is displayed.

Enter your JAIST user name here to log in.

※ Note that if you enter your e-mail address (xxxxx(at)jaist.ac.jp) instead of the user name, authentication will fail.

Next, the authentication screen of the device you set up for FIDO2 authentication is displayed.

Complete the authentication with the method you set up and click "OK".

Login authentication succeeds and the service screen opens.