More companies are shifting employees from traditional computers to Chrome OS devices to help improve their security posture. Beyond Identity uses hardware-backed passkeys on Chrome OS to protect your SSO applications.
This is an early access feature. There will be some limitations until additional Chrome OS features are finalized.
Before you begin
- Currently, only 1 credential per tenant, per user is supported.
- Chromebooks must be managed.
- Chrome Desktop Login is not supported at this time with Beyond Identity hardware-backed passkeys, so managed Chromebooks will need to be configured.
Configuring Chrome OS authentication
In order for Beyond Identity to support passwordless MFA on Chrome OS, configure the following.
- Configure SSO with a third-party identity provider (see Set up SSO via a third-party Identity provider in Google Workspace Admin Help).
- Enable SAML-based logins on Chromebooks (see Configure SAML single sign-on for Chrome OS devices in Google Workspace Admin Help).
- Contact support@beyondidentity.com and request that Beyond Identity:
  - Enable hardware keys for Chrome OS web authentication.
  - Enable an Optimizely feature flag for Chrome OS.
Once configured, the user will use a Web Authenticator to register a hardware-backed passkey.
End-user experience
The following steps and videos use a Google Enterprise-managed Chromebook federated to Okta SSO.
Out-of-the-box configuration
This section describes opening the Chromebook for the first time and logging into a Google account that has been federated to Okta. Note that Google does not route to the SSO for authentication and instead reverts to the Google Workspace Account Password.
- Power on the Chromebook. The Welcome page appears.
- Click Next. The Google terms of service page appears.
- Click Accept and continue. The Who’s using this Chromebook page appears.
- Click You, and then click Next. The Sign in to your Chromebook page appears.
- Enter your corporate email address and click Next.
- Enter your password and click Next. The Sync your Chromebook page appears.
- Click Accept and continue. The Chromebook desktop screen appears.
- Open the Chrome browser and enter the URL for Okta. The Sign In dialog appears.
- Enter your corporate email address and click Next. The Password dialog appears.
- Open your corporate Gmail inbox and locate the Welcome to Beyond Identity, a new sign-in experience email.
- In the email, click the Register a Passkey button.
Unlocking a Chromebook
This section describes logging into the local user account from a lock screen after signing out, locking, or restarting the Chromebook. The password used is the Google password. It can also be a PIN set by the user. This password is not synchronized with Okta / the SSO.
To unlock a Chromebook:
- On the Chromebook login screen, enter the Google password or PIN.
Enrolling using a FIDO2 authenticator
This section describes the user experience when enrolling a FIDO2 Authenticator (local device password).
Watch the interactive video: End-user login to WebSSO - Username and Password + FIDO2 Enrollment
Or follow the steps below:
- Open the Chrome web browser. The Beyond Identity Sign In dialog appears.
- Enter your Beyond Identity username in the Username field and click Next. The Verify with your password dialog appears.
- Enter your Beyond Identity password in the Password field and click Verify. A Set up security methods dialog appears.
- Click Set up. A Set up security key or biometric authenticator dialog appears.
- Click Set up again. A Verify your identity dialog appears.
- Select This device. You will be prompted to verify your identity.
- Enter your password. A Set up security methods dialog appears.
- Click Set up under Google Authenticator. You will now have access to your corporate applications.
Logging in using a FIDO2 authenticator
This section describes the user experience when logging into Chrome with the username and password + FIDO2 Authenticator (in this case the local device password, which is the Google Workspace password).
Watch the interactive video: End-user login to WebSSO - Username and Password + FIDO2 Authenticator
Or follow the steps below:
- Open the Chrome web browser. The Beyond Identity Sign In dialog appears.
- Enter your Beyond Identity username in the Username field and click Next. The Verify with your password dialog appears.
- Enter your Beyond Identity password in the Password field and click Verify. You will be prompted to verify your identity.
- Enter your Beyond Identity password. You will now have access to your corporate applications.
Removing a passkey
When logging into Beyond Identity, a dialog similar to the following appears.
Click Remove passkeys.