
In a corporate setting there are Windows Group Policies restricting the use of FIDO platform authenticators (e.g. Windows Hello (for Business) on Microsoft Windows devices).

Using the PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() method in a browser results in false (https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential/isUserVerifyingPlatformAuthenticatorAvailable_static).

Is there any clear approach on which Windows Group Policy settings need to be enabled/set exactly to get a true response?

Second, which policies would be required to make the FIDO/WebAuthn platform authenticator work, if those are different or further policies?

If possible, we don't need to roll out Windows Hello for Business to users or have that active, but they should be able to pair their device as a FIDO platform authenticator for other online services/platforms where that is a possible authentication method.

Yes, I can try it out, but maybe there is a good explanation or somebody else has already faced this issue (possibly in a corporate context with restricted/managed devices).

Greg Askew
kmindi
  • `which policies would be required to make the FIDO/WebAuthN platform authenticator work?` Work? You need to be specific. Do you need it for logging on to the endpoint or to use with a web application? – Greg Askew Aug 03 '23 at 11:14
  • First to get a `true` response from `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` (it doesn't matter which of the mechanisms like biometrics/PIN/... is used, but any of them should be available to the browser as a platform authenticator). – kmindi Aug 03 '23 at 11:45
  • Can you provide the Windows versions you tested this on with a fresh install and it worked as expected? And not joined to a domain. (Group Policy only applies to a domain member). – Greg Askew Aug 03 '23 at 11:55
  • A fresh install might work fine, I only have devices where it does not work. Those are corporate-managed devices with group policies, I'd need to check which policies are set/not set. But that is the question, which policies are interesting here ;) – kmindi Aug 03 '23 at 11:57
  • A test on a fresh install not domain joined should be the first step. Then the other variations. Fresh install, and domain joined. Existing endpoint switched to workgroup. – Greg Askew Aug 03 '23 at 12:07
  • Yes that would be the approach to figure it out by trial and error until I have the policies identified. But I was hoping for someone already having that knowledge or better documentation. Anyway, if I figure it out I'll post it as answer. – kmindi Aug 03 '23 at 12:10
  • I've seen several questions about this on Stack Overflow, may want to try there. Probably more usage there than a corporate environment, given the prevalence of other authenticators. – Greg Askew Aug 03 '23 at 12:17
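As an added diagnostic (not code from the question, nor from Microsoft or any browser vendor), the following console snippet separates the cases that all show up as "it doesn't work": the WebAuthn API not being exposed at all, the API present but `isUserVerifyingPlatformAuthenticatorAvailable()` returning `false` (the situation in the question), and the working case. `isConditionalMediationAvailable()` is the real WebAuthn static; `managedDeviceStub` is a constructed stand-in so the logic can be exercised outside a browser.

```javascript
// Added diagnostic for the check discussed above; not code from the question.
// In a browser console run: probePlatformAuthenticator(window.PublicKeyCredential)
// on a managed and on an unmanaged device and compare the two results.

// Pure classification step (no browser needed): maps probe results to a verdict.
function classifyCapabilities(caps) {
  if (!caps.webauthnExposed) {
    return 'WebAuthn API not exposed: browser lacks support or a browser policy disables it';
  }
  if (caps.uvpa) {
    return caps.conditionalUi
      ? 'user-verifying platform authenticator available (conditional UI also available)'
      : 'user-verifying platform authenticator available';
  }
  return 'WebAuthn exposed but no user-verifying platform authenticator; ' +
    'only roaming (cross-platform) authenticators can be expected to work';
}

// Probe step: pkc is the PublicKeyCredential constructor (window.PublicKeyCredential
// in a browser). It is a parameter so the function can also run against stand-ins.
async function probePlatformAuthenticator(pkc) {
  const caps = { webauthnExposed: false, uvpa: false, conditionalUi: false };
  if (pkc === undefined || pkc === null) {
    return { ...caps, verdict: classifyCapabilities(caps) };
  }
  caps.webauthnExposed = true;
  if (typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === 'function') {
    caps.uvpa = await pkc.isUserVerifyingPlatformAuthenticatorAvailable();
  }
  // Older browsers lack this static; treat its absence as "not available".
  if (typeof pkc.isConditionalMediationAvailable === 'function') {
    caps.conditionalUi = await pkc.isConditionalMediationAvailable();
  }
  return { ...caps, verdict: classifyCapabilities(caps) };
}

// Constructed stand-in for a managed device where the platform authenticator is
// disabled by policy, i.e. isUserVerifyingPlatformAuthenticatorAvailable() -> false.
const managedDeviceStub = {
  isUserVerifyingPlatformAuthenticatorAvailable: async () => false,
  isConditionalMediationAvailable: async () => false,
};

if (typeof window !== 'undefined') {
  probePlatformAuthenticator(window.PublicKeyCredential).then(console.log);
}
```

A `false` from the probe on a managed device while an unmanaged device of the same Windows build returns `true` isolates the cause to device management; a missing API points at browser policy instead.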
