CRM and CX Blogs by SAP
Stay up-to-date on the latest developments and product news about intelligent customer experience and CRM technologies through blog posts from SAP experts.
sureshmusham
Advisor
Welcome to the second part of the Passwordless authentication process with SAP CDC series.

This blog series focuses on how to implement passwordless authentication using SAP CDC. It continues from Part 1, which explains how to implement Phone Number Login, one of the SAP CDC passwordless authentication types. Part 2 covers the next passwordless authentication type in SAP CDC: FIDO Authentication.

 

If you haven’t already, please also check out Part 1 of the series.

Part 1:  Phone Number Login 

Part 2:  FIDO Authentication (Passkey) (Current)

Part 3:  Email OTP and Magic Link

Part 4:  Push Authentication

 

FIDO Authentication:


SAP CDC supports FIDO (Fast Identity Online), which aims to eliminate passwords using open, standardized authentication protocols. Using FIDO, we reduce the average login time by 50% compared to using passwords. FIDO is supported on all types of devices, such as mobile devices and web browsers. It supports a single-device credential, a cross-device credential, or a passkey to authenticate to the site.


 

Passkeys are an evolution of FIDO2 and WebAuthn used to provide frictionless authentication to the user. They have the following features:

  1. Ability to sync Passkeys across devices with E2E encryption.

  2. Cross device Authentication

  3. Conditional Authentication


Passkeys are supported in major operating systems and browsers, such as:

  1. In macOS, iOS or iPadOS with Apple ID

  2. Android with Google Account

  3. Windows with device credentials (faceID, fingerprint, password, etc.)


 

Pre-requisites:

  • FIDO is only supported on sites using SSL (HTTPS)

  • Include the RP Domain in your site's Trusted site URLs.

  • If using FIDO in a site group, all members of the group must be configured. They can all use a different RP Domain.

  • The Login Identifier field must be Email.


 

Passkey login can be enabled using the login and registration flows in SAP CDC.

The available Passkey widgets are:

  • Register using Passkey (Add Passkey) initiates the registration flow. It is available in the Passwordless Login screenset under the Passwordless Registration and Auth Methods screens. Depending on whether the user is existing or new, the appropriate login or registration screen with Auth Methods is initiated.

  • Login Passkey initiates the login flow. It is available in the Passwordless Login screen (Passwordless Login screenset), the Re-authentication screen (Re-authentication screenset), and the Login screen (Registration screenset).

  • Passkey Manager lists and manages all the devices the user has registered. This widget is available in the Update profile, Change Password, Privacy, Communication, and Passkey Manager screens of the Profile Update screenset; the Registration Completion and Mandatory Password change screens of the Registration screenset; and the SMS subscription confirmation and SMS subscription full screens of the Subscriptions screenset.


Configuration:

  1. Enable the FIDO Authentication type under Identity > Security > Authentication.

  2. Configure the RP Domain with your site domain and provide the RP Name. Set the Authenticator Attachment to Platform, Cross Platform, or Unspecified. Unspecified means the FIDO implementation supports both platform and cross-platform authenticators.

  3. The User Verification Requirement parameter tells the Relying Party whether the user must be verified for the login operation. Set it to Required if user verification is mandatory, preferred if user verification is optional, and discouraged if user verification is not required.

  4. Add the RP Domain to the site's Trusted site URLs list.

  5. In the RegistrationLogin > Registration screen, set Email as a mandatory field.

  6. In the RegistrationLogin > Registration Completion screen, add the “Add Passkey” widget. If a new user registers to the site using the Passwordless Registration screen, they will be redirected to the Auth Methods screen with the Register using Passkey widget.

    If a user already registered with a passkey submits the email, they will be redirected to the Auth Methods screen with the Login with Passkey widget.



  7. Set up the autocomplete login process by configuring the autocomplete option for the Username/email and Password fields in the Login screen of the Registration screenset. Set Auto complete to “password webauthn” for the Password field and to “username webauthn” for the email or username field.

  8. Add the Passkey Manager to the Registration Completion screen so the users can manage all their registered devices.

  9. Also add the same Passkey Manager widget in the Profile update screen so the users can view and manage the registered devices after login.
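
The RP Domain and User Verification Requirement settings from steps 2 and 3 surface in the authenticator data that every WebAuthn response carries. The block below is an added example, not SAP CDC code and not part of the original post: a generic relying-party check showing how those two settings, and the single-device versus synced passkey distinction, are read from that data. The function names and `login.example.com` are assumptions made for illustration.

```javascript
// Added example: generic WebAuthn relying-party checks, not SAP CDC code.
const { createHash, timingSafeEqual } = require("node:crypto");

// Flag bits in byte 32 of authenticatorData (WebAuthn specification).
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified (PIN, biometric)
const FLAG_BE = 0x08; // backup eligible: credential can sync across devices
const FLAG_BS = 0x10; // backup state: credential is currently backed up

function parseAuthenticatorData(buf) {
  if (buf.length < 37) throw new Error("authenticatorData too short");
  const flags = buf[32];
  return {
    rpIdHash: buf.subarray(0, 32), // SHA-256 of the RP ID
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// userVerification: "required" | "preferred" | "discouraged" (assumed to
// mirror the User Verification Requirement setting from step 3).
function checkAuthenticatorData(buf, rpDomain, userVerification) {
  const d = parseAuthenticatorData(buf);
  const expected = createHash("sha256").update(rpDomain).digest();
  const fail = (reason) => ({ ok: false, reason });
  if (!timingSafeEqual(d.rpIdHash, expected)) return fail("rpIdHash mismatch");
  if (!d.userPresent) return fail("user not present");
  if (userVerification === "required" && !d.userVerified)
    return fail("user verification required");
  if (d.backedUp && !d.backupEligible) return fail("invalid backup flags");
  const kind = d.backupEligible ? "multi-device" : "single-device";
  return { ok: true, kind, userVerified: d.userVerified };
}

// Constructed sample input: 37-byte authenticatorData without extensions.
function sampleAuthData(rpDomain, flags, signCount) {
  const out = Buffer.alloc(37);
  createHash("sha256").update(rpDomain).digest().copy(out, 0);
  out[32] = flags;
  out.writeUInt32BE(signCount, 33);
  return out;
}

const rp = "login.example.com"; // constructed RP Domain
console.log(checkAuthenticatorData(sampleAuthData(rp, 0x1d, 0), rp, "required"));
console.log(checkAuthenticatorData(sampleAuthData(rp, 0x01, 7), rp, "required"));
```

A complete relying party also verifies the challenge, the origin and the assertion signature; this block covers only the authenticator data checks.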


 

Testing the end user flow with Passkey:

Register the user by providing the required fields, using Register to create an account from Passwordless login:


 

Now, register with the email account.


 

Now, the Auth Methods screen will be displayed to register using Passkey. Click on the Register with Passkey button:


 

Windows Hello security will open if you are logging in from a Windows computer. Select the appropriate choice of authentication and click OK.


Once the Windows verification is complete, you will be navigated to the email verification screen to complete the registration:


The user is created under profiles in CDC:


 

 

Log in to the account using the passwordless login screen by providing the email and submitting.


You will be navigated to the Auth Methods screen to log in with Passkey.


 

Click on the Login with Passkey button. A popup opens to select the passkey via Windows or use a barcode from a phone or tablet.

Select the Windows Hello key:


 

You are then successfully logged in.

 

The user can also log in from the Login screen of the Registration screenset using the Login with Passkey button:


Once you log in to the site, you can manage the registered devices using the Passkey Manager from the Profile update screen, as shown below:


 

Please proceed to Part 3 of this blog series to learn more about Email OTP and Magic Link authentication.