
FIDO2 – Keychain

Settings

As a keychain we recommend using YubiKey 5C NFC or GoTrust IdemKey.

Warning:

To set up the keychain, the user must already have an MFA method activated (Microsoft Authenticator or TOTP) or have a Temporary Access Pass (TAP). You can request a Temporary Access Pass using the form on the ICT Helpdesk.

Windows

  1. To set a PIN on the keychain, open Settings, go to Accounts > Sign-in options, select Security key, click Manage and set a PIN code.

  2. Continue to settings common to all systems.

Linux

Set a PIN on the keychain.

  • YubiKey

    Console
    1. Install YubiKey Manager using the commands for your distribution.
      Arch Linux
      sudo pacman -S yubikey-manager
      sudo systemctl enable pcscd.socket
      Debian / Ubuntu
      sudo apt-add-repository ppa:yubico/stable
      sudo apt update
      sudo apt install yubikey-manager
      Fedora
      sudo dnf install yubikey-manager
    2. After installing and connecting the YubiKey to your computer, you need to check that the YubiKey device is recognized.

      ykman info
    3. Sample output when the key is read successfully:

      Device type: YubiKey 5 NFC
      Serial number: 4200689
      Firmware version: 5.7.1
      Form factor: Keychain (USB-A)
      Enabled USB interfaces: OTP, FIDO, CCID
      NFC transport is enabled

      Applications  USB      NFC
      Yubico OTP    Enabled  Enabled
      FIDO U2F      Enabled  Enabled
      FIDO2         Enabled  Enabled
      OATH          Enabled  Enabled
      PIV           Enabled  Enabled
      OpenPGP       Enabled  Enabled
      YubiHSM Auth  Enabled  Enabled
    4. Finally, set the PIN code.

      ykman fido access change-pin
  • GoTrust IdemKey

    Web browser
    1. In the Google Chrome or Chromium web browser, open the address chrome://settings/securityKeys.

    2. Open the tab Create PIN.

    3. Connect the key fob to the device.

    4. After inserting the key fob, you can create a PIN and click Save.


Common

  1. On your computer, open the page https://mysignins.microsoft.com/security-info and log in with your university account username@cvut.cz and your CTU password.
  2. Click Add login method.

  3. Select Security Key.

  4. Select USB Device.

  5. Prepare the key and click Next.

  6. Plug the key into the computer and wait to be redirected to the next page.

  7. After the redirection, enter the PIN code that was created in step 1.

  8. Touch the key.

  9. Click Enable.

  10. Name your key and click Next.

  11. The key has been successfully added.


Warning:

If adding a FIDO2 keychain fails with an unknown error, the user needs to check that they have set the PIN correctly on the keychain. A keychain without a PIN code cannot be used for MFA registration.
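
The device check from the YubiKey steps and the PIN requirement from this warning, combined into one pre-registration check. This is an added example, not part of the original guide; the function names are hypothetical, the sample text is constructed, and the wording of the PIN line in the output of ykman fido info is an assumption.

```sh
#!/bin/sh
# Added example: pre-registration check built on `ykman info` and `ykman fido info`.

# Succeeds if the Applications table read from stdin lists FIDO2 as
# "Enabled" in the first (USB) column.
fido2_usb_enabled() {
    awk '$1 == "FIDO2" { found = 1; ok = ($2 == "Enabled") }
         END { exit !(found && ok) }'
}

# Prints "set", "unset" or "unknown" for `ykman fido info` text on stdin.
# Assumption: the PIN line reads "... not set" without a PIN and
# "... attempt(s) remaining" with one; other wording yields "unknown".
fido_pin_state() {
    awk '/^PIN/ && tolower($0) ~ /not set/ { state = "unset" }
         /^PIN/ && tolower($0) ~ /attempt/ { state = "set" }
         END { print (state == "" ? "unknown" : state) }'
}

# preflight INFO_TEXT FIDO_INFO_TEXT
# Returns 0 = ready, 1 = FIDO2 off, 2 = no PIN, 3 = PIN state unknown.
preflight() {
    if ! printf '%s\n' "$1" | fido2_usb_enabled; then
        echo "FIDO2 is not enabled over USB"; return 1
    fi
    case "$(printf '%s\n' "$2" | fido_pin_state)" in
        set)   echo "ready for registration" ;;
        unset) echo "no PIN: run 'ykman fido access change-pin' first"; return 2 ;;
        *)     echo "could not determine PIN state"; return 3 ;;
    esac
}

# Constructed sample text (not captured from a real device).
SAMPLE_INFO='Device type: YubiKey 5 NFC
Applications  USB      NFC
FIDO U2F      Enabled  Enabled
FIDO2         Enabled  Enabled'
SAMPLE_FIDO_NO_PIN='PIN: Not set'
SAMPLE_FIDO_PIN='PIN: 8 attempt(s) remaining'

preflight "$SAMPLE_INFO" "$SAMPLE_FIDO_NO_PIN" || true   # prints the "no PIN" hint
preflight "$SAMPLE_INFO" "$SAMPLE_FIDO_PIN"               # prints "ready for registration"
# With a key plugged in: preflight "$(ykman info)" "$(ykman fido info)"
```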

Login

  1. On the login screen, select Sign-in options:


  2. Choose Face, fingerprint, PIN or security key:


  3. Choose Security key:


  4. Enter your PIN.
  5. After the key fob flashes, touch the gold-plated surface.
  6. Done, you are signed in.