Configuring FIDO Security Key Authentication
Imprivata supports FIDO security key authentication as a single factor, or combined with a password, an Imprivata PIN (as an alternative to a password), or fingerprint biometrics as a second factor to provide strong two-factor authentication. Enable security key authentication in User Policy.
FIDO Security Key Authentication Overview
Hardware Requirements
Each FIDO security key user needs a physical FIDO2-capable security key, and each computer that supports FIDO security key authentication requires a FIDO2-enabled reader. For a complete list of supported security key readers, see Enterprise Access Management with SSO Supported Components or Enterprise Access Management with MFA Supported Components.
Two-Factor Authentication with FIDO Security Keys
FIDO security keys are configured within User Policies in the Imprivata Admin Console. For two-factor authentication, you can enable security keys to be used with a network password, Imprivata PIN, or fingerprint authentication for some or all users via Imprivata user policies. First and second factors of authentication are specified on the Authentication tab of a user policy.
Monitoring and Reporting FIDO Security Key Authentications
You can get real-time notifications of many network events, including enrollment for security keys. See Configuring Event Notifications.
Enrolling Multiple FIDO Security Keys
Configure user policy to allow users to enroll multiple security keys. You can select from 1 to 15 keys, or unlimited keys. Setting this value does not affect the user's previously enrolled security keys.
You can also allow users to enroll a replacement security key; enrolling a replacement key will remove previously enrolled security keys.
FIDO Security Key Grace Period
You can set a grace period for the second authentication factor after successful security key authentication, up to 24 hours 59 minutes.
IMP-80/82-FIDO Readers
Program IMP-80-FIDO and IMP-82-FIDO readers with a configuration that enables the FIDO card to be read appropriately.
- In the Imprivata Admin Console > Computers > Computer policies, select a computer policy for computers with an attached IMP-80/82-FIDO reader.
- In the section Card Readers, ensure that FIDO2 is enabled as one of the configuration options.
- At the top or bottom of the page, click Save when you're done.
Delete FIDO Security Key Enrollment
If a security key is lost, damaged, stolen, or must be taken out of circulation for any other reason, you can delete its enrollment from the enrolled user's user record.
Enrolling Users for FIDO Security Key Authentication to Imprivata OneSign
Each user's security key must be enrolled before it can be used to authenticate to Enterprise Access Management.
When a user tries to authenticate to Enterprise Access Management with an unrecognized security key, Enterprise Access Management shows the security key enrollment screen.