Later this year, we will be providing users with the ability to register and use additional device types for Multi-Factor Authentication (MFA) when logging in natively to Genesys Cloud. At present, users can register time-based generators / Authenticator Apps (e.g. Microsoft Authenticator or Google Authenticator) which are installed on their mobile phone and use the codes provided by these apps to satisfy the MFA requirement. Based on the feedback we have received, we know that Authenticator Apps can't be used in all environments, so we are expanding the range of device types to include biometrics (e.g. fingerprint readers) and physical security tokens (e.g. Yubikey).
To achieve this, we are going to leverage the WebAuthn Framework (more on this below) and there will be some client UI changes, both when registering an MFA device and then subsequently when logging in using MFA. There are no Admin UI changes associated with this enhancement, at this stage. There is also no impact on MFA devices already registered. These will continue to operate normally.
This post describes the UI changes that will result from this enhancement.
Register a new MFA device - current UI workflow
Select My Account tile from Logon Splash Screen to access MFA settings. Note that if the administrator has enabled the setting to Require Multi-Factor Authentication, this step will be skipped.
Select "Add MFA Device" to register a new device
Add a name for the new MFA device
Install an Authenticator App on your mobile phone, scan the QR code using this App and enter the code provided via the App to complete the registration
The device/app is now registered and will be available for use on next login
Register a new MFA device - updated UI workflow
On the "Add Name" screen, in addition to adding a name for the device, the user will now be provided with a choice between adding a time-based generator (i.e. the existing Authenticator App option) or creating a passkey.
If the user selects the time-based generator, the registration continues as per the current UI workflow. If the user selects the create passkey option, they are then presented with options for adding a passkey, which will vary depending on parameters such as the user's operating system (e.g. Windows OS or macOS) and the available hardware options (e.g. whether a fingerprint reader is available). The following is an example for Windows OS:
In this example, selecting "Windows Hello or external security key" results in a Windows Hello confirmation dialog being presented, such as the following:
Alternatively, selecting "Use a phone, tablet, or security key" would result in a request to scan a QR code with a camera on the device to be used for MFA, such as the following:
Once the user completes these steps, their device is then registered and can be used to satisfy the MFA requirement when logging in.
MFA login experience - current UI workflow
Login natively to Genesys Cloud via the login screen
If the user has registered an MFA device (Authenticator App), they are presented with a dialog requesting that they enter a one-time code from their registered app. Once they enter the code provided, the login process completes.
MFA login experience - updated UI workflow
Once the user has entered their credentials on the login screen, they will then be presented with a challenge which aligns with the MFA device they have registered. In the following example, the user previously registered using Windows Hello. Once the user scans their fingerprint on the fingerprint reader, the login process completes.
So, in summary, this enhancement will provide more MFA options, including support for biometric scanners and physical security keys. We are leveraging the WebAuthn framework to deliver this enhancement. There is no impact to users logging in via Single Sign-On (SSO). This enhancement applies to native logins only and is incremental to existing MFA capabilities. In other words, if users have already registered MFA devices, these can still be used to complete the MFA login process. Finally, there are no Admin UI changes associated with this enhancement. This is client-side only.
What is WebAuthn?
WebAuthn is a credential management API built into modern web browsers allowing web applications to strongly authenticate users. It is a specification written by the W3C and FIDO, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows servers to register and authenticate users using public key cryptography instead of a password. WebAuthn allows servers to integrate with the strong authenticators now built into devices, like Windows Hello or Apple's Touch ID. Instead of a password, a private-public key pair (known as a credential) is created for a website. The private key is stored securely on the user's device; a public key and a randomly generated credential ID are sent to the server for storage. The server can then use that public key to prove the user's identity. WebAuthn credentials are referred to as passkeys.
For more information refer to the Guide to Web Authentication.
#Roadmap/NewFeatures
#Security
------------------------------
David Murray
Principal Product Manager
Genesys Cloud
------------------------------