After spending some time playing with a couple of self-hosted Identity Provider (IdP) solutions like Authentik and Keycloak for use with vCenter Server Identity Federation, I was curious about their Multi-Factor Authentication (MFA) support. Specifically, I was interested in their WebAuthn capabilities, which should allow me to use the popular Yubico YubiKey for passwordless authentication into my VMware environment. 😊
It is also important to mention that today vCenter Server Identity Federation officially supports the IdPs listed below, all of which have support for the YubiKey (linked below is the official Yubico documentation for each IdP from Yubico's website):
If you are already consuming one of these IdPs, you already have the ability to use a YubiKey or other supported WebAuthn device for passwordless login! For VMware Cloud Foundation (VCF) customers, Identity Federation is also supported with the same IdPs, as it relies on the VCF Management Domain vCenter Server, so this would allow you to log in to SDDC Manager using a YubiKey, as an example.
I have never used a YubiKey before, so this was going to be a new adventure for me as well as playing with the WebAuthn protocol which is also new for me. I really like the UX of Authentik, which provides a seamless experience and with built-in support for SCIM, the choice was easy for the IdP I would choose for this experiment.
Step 1 - Setup your Authentik IdP with vCenter Server as outlined in this blog post HERE.
Step 2 - To verify that your WebAuthn device (YubiKey, Apple Face ID, etc) can be successfully configured with your Authentik IdP, manually enroll your device before changing the Authentik login flow. Start off by logging into the Authentik IdP with a user you wish to associate a WebAuthn device to. Once logged into the Authentik homepage, at the top of the page click on the gears icon (Settings) and then go to MFA Devices and then select Enroll with WebAuthn device as the option.
By default, it may ask to create a passkey but you can just click on Other Options and you will then be presented with additional WebAuthn options including Security Key for those looking to use a YubiKey.
Note: As a new user of YubiKey, I did not know you had to physically press the button to activate the device so that the registration process can start. I was stuck here for a few days until I tried out the Yubico Demo App, which allows you to validate a WebAuthn flow, and it explicitly mentioned the need to press the button, which gave me a hint during the Authentik device registration workflow.
If you have a PIN configured for your YubiKey, you will first need to enter the PIN before it is unlocked to complete the device registration.
As you can see from the screenshot below, I have registered both my YubiKey as well as my iPhone with Apple Face ID to login.
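To make the button press and the PIN from the note above concrete: during enrollment the security key returns a binary `authenticatorData` structure, and the relying party (here the Authentik IdP) checks two flag bits in it before accepting the credential. The User Present (UP) bit is only set once the key's button has been touched, and the User Verified (UV) bit is only set once the PIN (or a biometric) has been checked. The following is an added example, not code from this post or from the Authentik project; it decodes that structure per the WebAuthn spec layout (32-byte rpIdHash, 1 flags byte, 4-byte big-endian signature counter) and runs the checks an RP performs. The `expectedRpIdHash` argument and the sample bytes are constructed placeholders, not real values from a YubiKey.

```javascript
// Added example: decode WebAuthn authenticatorData and check the flags that
// correspond to the physical touch (UP) and the PIN/biometric check (UV).
// Layout per the WebAuthn spec: rpIdHash[32] | flags[1] | signCount[4] | ...

const FLAG_UP = 0x01; // user present: the key's button was touched
const FLAG_UV = 0x04; // user verified: PIN or biometric was checked
const FLAG_AT = 0x40; // attested credential data follows (registration only)
const FLAG_ED = 0x80; // extension data follows

function bytesEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i]; // constant-time compare
  return diff === 0;
}

function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const flags = bytes[32];
  const signCount = new DataView(bytes.buffer, bytes.byteOffset + 33, 4).getUint32(0, false);
  return {
    rpIdHash: bytes.slice(0, 32),
    flags,
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasAttestedCredential: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount,
  };
}

// Checks an RP applies to a registration response. expectedRpIdHash is
// SHA-256 of the RP ID (the IdP's hostname); requireUV is true when the
// RP policy demands a PIN or biometric, not just a touch.
function checkRegistration(authData, expectedRpIdHash, requireUV) {
  const parsed = parseAuthenticatorData(authData);
  const problems = [];
  if (!bytesEqual(parsed.rpIdHash, expectedRpIdHash)) {
    problems.push("rpIdHash does not match this RP ID");
  }
  if (!parsed.userPresent) {
    problems.push("UP flag not set: the key's button was never touched");
  }
  if (requireUV && !parsed.userVerified) {
    problems.push("UV flag not set: PIN/biometric required but not performed");
  }
  if (!parsed.hasAttestedCredential) {
    problems.push("no attested credential data in registration response");
  }
  return { ok: problems.length === 0, problems, signCount: parsed.signCount };
}

// Constructed sample input (placeholder rpIdHash of 0xAB bytes, no real key
// involved). Four trailing bytes stand in for the attested credential data.
const EXPECTED_RP_ID_HASH = new Uint8Array(32).fill(0xab);

function sampleAuthData(flags, counter) {
  const out = new Uint8Array(37 + 4);
  out.fill(0xab, 0, 32);
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, counter, false);
  return out;
}

// Touch + PIN + attested credential: accepted.
console.log(checkRegistration(sampleAuthData(0x45, 7), EXPECTED_RP_ID_HASH, true));
// No touch: rejected, which is what the "stuck" enrollment looks like to the RP.
console.log(checkRegistration(sampleAuthData(0x44, 7), EXPECTED_RP_ID_HASH, true));
```

The second call shows why enrollment silently stalls until the button is pressed: without the UP bit the RP has nothing it can accept. The same flags are checked again on every login, so a key whose PIN was skipped fails the UV check when the flow is configured to require verification.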
Step 3 - Next, log into your Authentik IdP as an admin so we can now modify the default login flow to enable the passwordless experience.
Note: While researching this topic, there were not a lot of good step-by-step instructions for setting up Authentik and the required flows for use with WebAuthn devices. I thought this blog post from Josh Stock and YouTuber Cooperian had some good info that helped me get things set up after a bit of trial and error.
Since Josh provided an export of his passwordless flow, I decided to just use what he had created; you can download the YAML file by searching for passwordless-authentication.yaml in his blog post. Navigate to Flows and Stages and then click on the Import button to import the flow, which should show up as passwordless-authentication.
Step 4 - We now need to modify the default identification binding to use the new passwordless-authentication flow. Under Flows and Stages->Flows click on the default-authentication-flow and click on the Stage Bindings tab and then select default-authentication-identification stage and then click on Edit Stage.
Expand the Flow Settings section towards the bottom of the wizard and under Passwordless flow, select the passwordless-authentication flow that we had just imported from Step 3 and click on Update button to save.
Step 5 - While in the default-authentication-flow click on the default-authentication-mfa-validation stage and then click on Edit Stage.
Modify the Not configured action to Force the user to configure an authenticator (or some other desired action) and under the Configuration Stages select default-authenticator-webauthn-setup (WebAuthn Setup Stage) and make sure you hit the single arrow to move that into the Selected Stages and then click Update button to save.
Step 6 - Finally, open a new incognito browser window and log in to your vCenter Server, which should automatically redirect you to the Authentik IdP, and you should now see an additional login option, Use a security key, as shown in the screenshot below.
Once a valid user has been verified, you will then be prompted to login using either passkey (e.g. Face ID) or click on "Other Sign In Options" to select your YubiKey device.
Select the Security key option and then insert your YubiKey device and either provide your PIN (if you have configured one) or simply press the physical button of the YubiKey device to activate the logon process and you should now be successfully logged into your vCenter Server or VCF environment without entering a password!
Here is a screenshot of using my iPhone to login using Apple Face ID, definitely beats typing in a password! 😄