Operation procedures
This is the general procedure for using YubiOn FIDO Logon in your organization.
Introduction scenario
- The administrator registers and configures YubiOn FIDO Logon on the PCs of multiple end users in the organization to enhance security.
Introduction flow
- Customer Registration
- Group Policy Settings
- Software Installation
- Authenticator Registration
Note on the introduction scenario
- End-user operations
This procedure assumes that the overall configuration is done by the administrator, while some operations such as software installation and authenticator registration are done by the end user.
This is because it becomes difficult for the administrator to perform all the settings when the scale of installation becomes large.
If you want administrators rather than end users to perform the configuration, please be aware that some operations are physically constrained: they require the PC or the authenticator to be at hand (see the remarks in the table below).
Please consider who will perform which operations according to your deployment scale and operational policy, and determine the best deployment scenario.
Software installation and registration of the registration code can be performed in batches using Active Directory functions or other software management services.
See Advanced Settings for more information.
If you want to ensure that end users register their authenticators
In the Group Policy “Logon to authenticator-less account”, you can make authenticator registration mandatory for Windows logon by applying “Logon with password only the first time and enforce authenticator registration”.
If you want to ensure that end users register their authenticators, please consider using this policy.
| Procedures | Administrators | End users | Remarks |
|---|---|---|---|
| Customer Registration | ○ | - | Administrator Only |
| Group Policy Settings | ○ | - | Administrator Only |
| Software installation | ○ | ○ | * Operation requires a PC at hand. |
| Authenticator registration | △ Register on web administration screen. Not available for biometric devices. | ○ Register on PC’s configuration tool / logon screen | * The operation requires an authenticator at hand. |
- About authenticators
The specifications and operation methods of authenticators differ depending on the type.
Please refer to the vendor’s manual for the authenticator’s operating instructions.
For FIDO2 compatible authenticators, PIN and biometric enrollment (fingerprint, etc.) settings are required at the time of registration.
The PIN can also be set on the FIDO Logon software when the authenticator is registered.
However, fingerprint registration must be done separately after PIN registration.
The PIN and biometric enrollment settings need to be made by the end user using the authenticator.
Even if you assume a scenario where the administrator performs the enrollment, please consider in advance that the end user will have to reset the PIN and biometric enrollment settings.
- Click here to see the authenticators (security keys or smartphone) available for FIDO Logon.
- Click here to learn how to set up a PIN or biometric for the authenticator (security key) by Windows functions.