Passwordless Registration and Login process with SAP CDC – Part 2
Welcome to the second part of the Passwordless Authentication with SAP CDC series.
This blog series focuses on how to implement passwordless authentication with SAP CDC. Part 1 covered the first passwordless method offered by SAP CDC, Phone Number Login. Part 2 covers the next passwordless method, FIDO authentication with passkeys.
If you haven’t already, please also check out Part 1 of the series.
Part 1: Phone Number Login
Part 2: FIDO Authentication (Passkey) (Current)
Part 3: Email OTP and Magic Link
Part 4: Push Authentication
SAP CDC supports FIDO (Fast Identity Online), a set of open, standardized authentication protocols designed to do away with passwords. Compared with password login, FIDO is reported to cut average login time by about 50%. FIDO works on all device types, mobile and desktop browsers alike, and supports both device-bound (single-device) credentials and synced, cross-device credentials, commonly called passkeys.
Passkeys are the evolution of FIDO2 and WebAuthn credentials that gives users frictionless sign-in. They provide:
- Syncing of passkeys across a user's devices, with end-to-end encryption of the synced key material.
- Cross-device authentication, so a passkey stored on a phone can be used to sign in on another device.
- Conditional UI, where the browser offers the passkey through autofill in the username field instead of requiring a separate button click.
Passkeys are supported by the major operating systems and browsers:
- macOS, iOS and iPadOS, synced through the user's Apple ID (iCloud Keychain)
- Android, synced through the user's Google account
- Windows, through Windows Hello device credentials (face recognition, fingerprint or PIN)
Prerequisites for FIDO in SAP CDC:
- FIDO is only supported on sites served over HTTPS, because WebAuthn requires a secure context.
- Add the RP Domain to the site's Trusted Site URLs.
- If FIDO is used in a site group, it must be configured for every member of the group. Each member may use a different RP Domain.
- The Login Identifier field must be Email.
Passkey login is enabled through the login and registration flows of the SAP CDC screensets.
The available passkey widgets are:
- Register using Passkey (Add Passkey), which starts the registration flow. It is available on the Passwordless Registration and Auth Methods screens of the Passwordless Login screenset. Depending on whether the user is new or already exists, the appropriate login or registration screen with Auth Methods is opened.
- Login Passkey, which starts the login flow. It is available on the Passwordless Login screen (Passwordless Login screenset), the Re-authentication screen (Re-authentication screenset) and the Login screen (Registration screenset).
- Passkey Manager, which lists and manages all the devices on which the user has registered a passkey. It is available on the Update Profile, Change Password, Privacy, Communication and Passkey Manager screens of the Profile Update screenset; on the Registration Completion and Mandatory Password Change screens of the Registration screenset; and on the SMS Subscription Confirmation and SMS Subscription Full screens of the Subscriptions screenset.
Configuring FIDO in the SAP CDC console:
- Enable the FIDO authentication type under Identity > Security > Authentication.
- Set the RP Domain to your site domain and provide an RP Name. Set Authenticator Attachment to Platform (authenticators built into the device, such as Windows Hello or Touch ID), Cross Platform (roaming authenticators such as security keys, or a phone used through the QR-code flow) or Unspecified, which accepts both platform and cross-platform authenticators.
- User Verification Requirement tells the authenticator whether it must verify the user locally (PIN or biometric) before signing the login for the relying party. Set it to Required if user verification is mandatory, Preferred if it is wanted but optional, or Discouraged if it is not needed. In a passwordless login the passkey is the only factor, so Required is the setting that stops a stolen device or security key from being enough on its own.
- Add the RP Domain to the site's Trusted Site URLs.
- In the RegistrationLogin > Registration screen, make Email a mandatory field.
- In the RegistrationLogin > Registration Completion screen, add the Add Passkey widget. A new user who registers through the Passwordless Registration screen is redirected to the Auth Methods screen, which carries the Register using Passkey widget.
- Set up autofill-assisted login (conditional UI) by configuring the autocomplete option for the username/email and password fields on the Login screen of the Registration screenset: set Auto complete to "username webauthn" for the email/username field and to "password webauthn" for the password field.
- Add the Passkey Manager widget to the Registration Completion screen so that users can manage all their registered devices.
- Add the same Passkey Manager widget to the Profile Update screen so that users can view and manage their registered devices after login.
Testing the end user flow with Passkey:
Click Login with Passkey. A browser dialog opens in which you can choose a passkey stored on the device (Windows Hello in this test) or scan a QR code with a phone or tablet to use a passkey stored there.
Once the authenticator has verified you, you are logged in.
Please proceed to Part 3 of this blog series to learn about Email OTP and Magic Link authentication.