The FIDO2 specification relies on public-key cryptography. When registering your FIDO2 USB token, a key pair is created: the private key is retained on the USB token and the public key is registered with the Futurex HSM. In order to authenticate the user, the USB token must prove possession of the private key through signing a challenge. The token is only able to act in this challenge if the user presence is verified by pressing a button on the token itself.
- Login: Administrator logs in to the Futurex HSM with their username and password. This can be performed either through the Excrypt Manager application, the Excrypt Touch remote access tablet, or the HSM’s web configuration panel.
- Multi-Factor Authentication Request: The HSM responds with a challenge request to the multi-factor authentication token. The holder of the FIDO2 U2F USB token presses a button on the token.
- Verification: The response message is passed to the HSM. The HSM processes the request and determines if the message is correct. If the response authenticates, the USB token is confirmed to have the private key and allows the login process to complete.
