AUTHENTREND FIDO2 Fingerprint Passkey User Guide
- June 15, 2024
- AUTHENTREND
AUTHENTREND FIDO2 Fingerprint Passkey
Product Information
Specifications
- Fingerprint enabled FIDO2 card type authenticator
- Built-in NFC interface
- No battery required
- Supports FIDO2/U2F authentication on multiple OS platforms
- Allows Windows login via AuthenTrend Software
- Enables physical access control via UUID
Product Usage Instructions
Bio-tap to Login
ATKey.Card NFC is a fingerprint-enabled FIDO2 card-type authenticator with
a built-in NFC interface and no battery. It supports FIDO2/U2F authentication on
multiple OS platforms, Windows login via AuthenTrend software, and physical
access control via UUID.
The NFC FIDO authenticator works on:
- Windows (Edge, Chrome, Firefox)
- Mac (Safari)
- iOS (Safari)
- Android (Chrome)
Windows passwordless login works on:
- Windows 10/11 PC joined to Entra ID (Azure AD)
- Windows 10/11 PC with ATKey.Login
Recommended fingerprint enrollment (2 fingerprints):
- If you are using an iPhone and Windows/Mac: enroll “right-thumb” and “left-thumb”, and always press the fingerprint sensor while tapping the reader, as in the gesture below
- If you are using an Android phone and Windows/Mac: enroll “right-thumb” and “right-index” finger, and press the fingerprint sensor while tapping the reader, or tap the card to the phone and then put your fingerprint on the sensor
To use the NFC FIDO authenticator for Windows passwordless login, follow
these steps:
3 Steps for “Bio-tap to login”:
- Enroll fingerprint
- Register Card to the Services or device
- Login via fingerprint matching-on-card
Enroll Fingerprint
Requirements:
- A Windows 10 (build 1903+) or Windows 11 PC
- Contactless NFC card reader (USB-to-PC) or 7816 contact card reader (USB-to-PC)
- Check video here: https://youtu.be/fQtmNml3Dfw
Enroll fingerprint from Windows Settings
- Go to Windows Settings => Accounts => Sign-in options.
- Under Sign-in options, click on Security key and then click “Manage”.
- Tap the card (without fingerprint) to set it up.
Add a “PIN” to the security key: type in a PIN code (4~8 digits). This is the default setting from Windows (FIDO2 spec.), but for ATKey.Card NFC this PIN is only for fingerprint enrollment; it is not a fingerprint replacement for logging in to a service via PIN code (some other fingerprint FIDO2 authenticators may allow a PIN code for authentication if the fingerprint fails).
Enroll fingerprint: click “Add another”, type in the PIN code, put the card on the reader, and touch the sensor with your finger to enroll.
We recommend enrolling the fingers below (as on page 2):
- If you are using an iPhone and Windows/Mac: enroll “right-thumb” and “left-thumb”, and always press the fingerprint sensor while tapping the reader, as in the gesture below
- If you are using an Android phone and Windows/Mac: enroll “right-thumb” and “right-index” finger, and press the fingerprint sensor while tapping the reader, or tap the card to the phone and then put your fingerprint on the sensor
- Enroll the fingerprint 4 times for each finger
- Only 2 fingerprints are allowed
- “Remove” will remove all enrolled fingerprints
Reset Security Key: resets the card to factory default for a new user. Click “Reset”, follow the on-screen hints, and tap twice to reset.
Enroll fingerprint from the phone app “SecurityKey NFC” (under development; it will be provided when it is ready to download)
Web Registration and Authentication
- Windows (Chrome, Edge, Firefox), Mac (Safari) via NFC card reader or smart card reader. Check video here: https://youtu.be/0YRswg96_CM
- iOS (Safari) and Android (Chrome)
- iPhone: put the card on top of the phone as in the picture below; the NFC antenna area is inside the iPhone there
- Android phone: since every brand or SKU may place its NFC antenna in a different location, we recommend finding the proper location first (from your Android phone manual). Two gestures are possible:
- Press the enrolled finger on the fingerprint sensor, then tap the card to the phone (back side, NFC antenna area)
- Tap the card on the back of the phone (NFC antenna area), then put the enrolled finger on the fingerprint sensor
- Android still has some constraints in supporting NFC authenticators: passwordless is not ready (MFA is fine), and some web services may only allow USB security keys (not open for NFC yet); iPhone has no such issue.
- “Bio-tap to login”: press the enrolled fingerprint on the card and tap the card to the NFC reader or smartphone NFC sensing area, hold it there until the PC/browser or phone/NFC responds and confirms, then remove the card from the reader.
Here are some reference SaaS with FIDO2/Passkeys enabled:
- How to register/login key to Microsoft365: sign in to your Microsoft account, register ATKey to the account, then log in via ATKey. Check https://authentrend.com/download/ATKey_for_Microsoft365.pdf for the details.
- How to register/login to Azure AD: if your company/organization uses Azure AD and your PC is joined to the company domain (Azure AD), you can do passwordless login to Windows and also to your Microsoft company/organization account: https://authentrend.com/download/ATKey_for_MSFT_AzureAD_guide.pdf
- Note: ATKey.Card NFC was submitted to the Microsoft Azure AD team in Nov. 2023 and is waiting for confirmation to be added to the Azure AD allow list; until then, you can set “Enforce attestation” to “No” in your Azure Portal, and ATKey.Card NFC will work.
- How to register/login key to Google: a security key for a Google account is 2FA/MFA (not passwordless); you need to register ATKey to your Google account, and it will then be the 2nd factor for login. Check here: https://support.google.com/accounts/answer/6103523?hl=En for the details.
- How to register/login key to Salesforce: Salesforce must enable MFA for account login.
- Enable from your account: https://help.salesforce.com/s/articleView?id=sf.security_u2f_enable.htm&type=5
- Register ATKey to your account: https://help.salesforce.com/s/articleView?id=sf.mfa_supported_verification_methods_securitykey.htm&type=5
- How to register/login key to Github, Gitlab, Dropbox and more …
Note: The PIN code used in the default Windows settings is only for fingerprint enrollment, not for replacing fingerprint authentication with a PIN code.
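The Azure AD note above relaxes “Enforce attestation” so the card can be registered; the following added example (not part of the AuthenTrend guide) audits an exported FIDO2 policy for that setting and for what else is left open while it is off. Field names follow Microsoft Graph's fido2AuthenticationMethodConfiguration resource; the sample JSON, the finding codes and the function name are constructed for illustration.

```python
import json

# Constructed sample export; field names follow Microsoft Graph's
# fido2AuthenticationMethodConfiguration resource, values are made up.
SAMPLE_POLICY = json.loads("""
{
  "id": "Fido2",
  "state": "enabled",
  "isAttestationEnforced": false,
  "isSelfServiceRegistrationAllowed": true,
  "keyRestrictions": {"isEnforced": false, "enforcementType": "allow", "aaGuids": []},
  "includeTargets": [{"targetType": "group", "id": "all_users"}]
}
""")


def audit_fido2_policy(policy):
    """Return (code, message) findings for a FIDO2 method policy (hypothetical helper)."""
    if policy.get("state") != "enabled":
        return [("DISABLED", "FIDO2 method is disabled; other settings have no effect")]
    findings = []
    attested = bool(policy.get("isAttestationEnforced"))
    if not attested:
        # Without attestation the authenticator's make/model (AAGUID) is self-asserted.
        findings.append(("NO_ATTESTATION", "attestation is not enforced at registration"))
    restrictions = policy.get("keyRestrictions") or {}
    if not restrictions.get("isEnforced"):
        findings.append(("NO_KEY_RESTRICTION", "no AAGUID allow/block list is in force"))
    elif restrictions.get("enforcementType") == "allow" and not restrictions.get("aaGuids"):
        findings.append(("EMPTY_ALLOW_LIST", "allow list is enforced but contains no AAGUID"))
    targets = {t.get("id") for t in policy.get("includeTargets", [])}
    if not attested and "all_users" in targets:
        findings.append(("TENANT_WIDE", "relaxed attestation applies to every user"))
    return findings


if __name__ == "__main__":
    for code, message in audit_fido2_policy(SAMPLE_POLICY):
        print(f"{code}: {message}")
```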
Register Card to Services or Device
To register the card for web services or devices, follow the specific
instructions provided by the service or device provider.
For example:
- To register/login the key to Google, follow the instructions provided in this link.
- To register/login the key to Salesforce, make sure MFA (Multi-Factor Authentication) is enabled for your account. Follow the instructions provided in this link to enable MFA and this link to register ATKey to your account.
- For other services like Github, Gitlab, Dropbox, and more, visit this link for compatibility information.
Bio-tap to Windows Login
- If your organization is subscribed to Azure AD and your Windows 10 or Windows 11 PC is joined to the Azure AD (Entra ID) domain, you can perform Windows passwordless login via ATKey.Card NFC. Please check the user guide here, using ATKey.Card NFC instead of ATKey.Pro (USB): https://authentrend.com/download/ATKey_for_MSFT_AzureAD_guide.pdf
Windows 10 or Windows 11 via ATKey.Login
- ATKey.Login is software with SaaS developed by AuthenTrend that lets users log in to their Windows PC/account with a FIDO2 key
- Visit https://atkeylogin.authentrend.com/ to sign up by user email
- “Sign up” by user email (any email they want)
- Receive the “verification code” by email and type it in to continue
- Register ATKey as the login authenticator
- Please share the email with us; we can create an activation code to activate your account
- Download the “ATKey.Login for Windows” app from the download link
- Install the downloaded “ATKey.Login for Windows” under the user account (the account you want to companion with ATKey for passwordless login)
- Companion the current user account with ATKey
- On the 1st login, after Bio-tap, you need to type in the “password” (encrypted by the FIDO2 hmac-secret extension and stored locally); from the 2nd time on, just Bio-tap to log in to Windows, both online and offline.
FIDO certificate
Physical Door Access (w/o fingerprint)
- ISO14443 Mifare TypeA 13.56MHz reader
- Register the ATKey.Card NFC to the door access reader (by UUID)
- Authorized Card taps to reader to open the door (w/o fingerprint matching)
FAQ
Q: How many fingerprints can be enrolled?
A: You can enroll up to 2 fingerprints.
Q: How many times should I enroll a fingerprint?
A: Enroll each finger 4 times.
Q: What happens if I remove an enrolled fingerprint?
A: Removing an enrolled fingerprint will remove all enrolled fingerprints.