WatchGuard Needs to Support Passkey (Passwordless) for Mobile VPN SSL

WatchGuard needs to support Passkey (Passwordless) for Mobile VPN SSL. Our organization is phasing out passwords; we want to be passwordless. We want to stop the use of passwords because they are known to get compromised.

This will be improved security over old two-factor authentication.

[removed all the links to other sites, JC.]


  • james.carson (Moderator, WatchGuard Representative)

    Hi @ThomasGV

    I've removed your links to the other sites, as we can't control what gets placed on those. Suffice to say you'd like FIDO2 supported.

    In its current state, AuthPoint does not support FIDO2, but instead supports many of the same features via the AuthPoint mobile app. For customers that prefer to use hardware tokens, both WatchGuard-branded and 3rd party TOTP 6-digit style tokens are supported.

    AuthPoint does currently support passwordless authentication for some authentication types, specifically via SAML 2.0. If the resource is set up with other factors, password can be removed. Most customers choose to include passwords as well, but it is not always required.

    There is a feature request open to support FIDO2, which is AAAS-12937. If you'd like to follow that request, please open a support case and mention AAAS-12937 in your case -- the technician assigned the case.

    If you're using an authentication service other than AuthPoint, you may be able to use a FIDO2 keyfob provided the string it provides via the Firebox to RADIUS is not excessively long (this is currently capped at 48 characters to keep the RADIUS packet from being excessively large; what is acceptable for the password field, be it keyfob data, password, or a mix, can't exceed that length). Whether the password is removable on the 3rd party service is controlled by that company/service, and not WatchGuard.

    -James Carson
    WatchGuard Customer Support
