Configuring MFA with Passkeys
Passkeys can be used to verify identity by prompting the user for a biometric, such as a fingerprint or face scan, or for a PIN known only to the person possessing the registered endpoint.
In order to enable MFA with Passkeys, you will need to create a new Radius Policy.
Step 1 - Create a new Radius Policy
Navigate to Policy in the top panel
In the left window, click on Radius Policy
Click on Tasks and select Create
Enter Name for Radius Policy
Under the Conditions section, select the criteria to match on
Click Add
Scroll down to the Policy Section
Set Access Policy to 'Continue' (this allows for the MFA challenge)
Set 2-Step Authentication to 'Passkeys'
Click Create
Note
Status can be left in 'Disabled' mode until you are ready to test.
Note
In order for MFA using Passkeys to function, ensure the Windows Hello options are configured on your PC (PIN, Fingerprint, Face, etc).
Step 2 - Test / Validate
Connect using the Genian NAC 6.0 Connection Manager
Right-click on the tray icon
Select Network Access and then the site name to connect
Sign in with user ID/password
A Windows Hello window should display
Enter the appropriate method to verify your identity (PIN, Fingerprint, Face)
Note
If you are not presented with an option to choose from, this may be due to limitations of the endpoint you are connecting with. Check Windows Hello and/or Sign On options as applicable to confirm the capabilities of your specific endpoint/OS.
You will be prompted to register once and then prompted a second time to verify
Once verified, NAC 6.0 Connection Manager should update to show that you are now connected