USB security keys

Overview

This article shows how two-factor enrolment works for an end user when using a USB security key. We assume that the user is logging in to Jira with password authentication as the primary factor. Users logging in with SAML or Kerberos on other Atlassian applications should expect a very similar user experience.

The examples shown here assume that an administrator has already added a multifactor policy which requires that users enrol in extra verification. The details on how policies may be configured is out of scope for this article.

Enrolment

When Windows users are required to enrol in extra verification, they will see screen informing them that enrolment is required, and get to choose which kind of second factor to register:

• Windows Hello, a platform authenticator in FIDO terminology
• A security key, typically attached to their device via USB or NFC 
• A legacy security key which does not support user verification with PIN or fingerprint
• A one-time code app on their phone

The user selects to set up extra verification using a security key.

The user interface for registering security keys varies somewhat across browsers and operating systems, but is in principle very similar. If PIN codes are supported, the user is first asked to enter their PIN code. If the Security Key does not have a PIN code is set, the user is asked to set one.

Finally, the user confirms registration by touching a blinking button on the the security key. 

Naming the registration

After registering the USB Security Key, the user is asked to give their registration a name. This makes it easier to remember which device was registered in the future.

Use case summary

The final step in the registration process lists the different ways the user may use the additional verification factor:

• Extra verification
• Password-less login
• WebSudo verification

Once this step is completed, the enrolment of the extra verification factor is complete, and the user can get back to work.

See it in action

See how enrolment works from an end user perspective using a PIN enabled USB security key. 

Next steps

• See how to log in without password
• See how to log in with extra verification
• Learn how to configure a multifactor policy