Instructions: CH-LOGIN - Adding a FIDO security key as Second Factor

Figure: two Yubico FIDO security keys, one with a USB-A and one with a USB-C connector (types: YubiKey 5C NFC, Yubico YubiKey 5C).

FIDO security keys are data carriers, e.g. in the form of a USB stick, that contain cryptographic material. End users must procure the FIDO security key themselves. The target system that requests a credential and accepts FIDO security keys for it verifies the cryptographic material on the FIDO security key.

Important:
The FIDO security key is intended for use in the eGOV context (CH-LOGIN). FIDO security keys are not intended for use in the Enterprise context and, depending on the regulation, may not be connected to a federal client, as they are private hardware.

eIAM supports the same types of FIDO2 security keys as AGOV for CH-LOGIN.
Info link: Security keys (FIDO2)

Windows Hello (fingerprint, facial recognition or PIN) can also be used as a security key. Please note that you can only log in with a Windows Hello security key on the device you used during registration. Passkeys cannot be copied or moved from one computer to another. If you replace your device, all passkeys stored in the device's hardware are lost. For security reasons, only Windows Hello passkeys that your Windows installation stores in the device's hardware, in a so-called TPM (Trusted Platform Module), are accepted. Windows versions older than Windows 11 allowed a software solution for Windows Hello. When a Windows installation is upgraded from Windows 10 to Windows 11, the software solution usually continues to be used, and newly created passkeys are also managed by it.
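How the target system verifies a registration like the one described above, as an added example that is not eIAM or CH-LOGIN code: a Python parser for the WebAuthn authenticator data a relying party receives, which checks that the credential is bound to this relying party, that the user verified with a PIN or biometric, and that the authenticator's AAGUID is on an allowlist of hardware-backed models. The AAGUIDs and the relying-party ID are constructed placeholders; a production relying party additionally verifies the attestation statement (for hardware-backed Windows Hello, the TPM attestation format), which this example omits.

```python
"""Relying-party checks on WebAuthn authenticator data from a FIDO registration.
Added example, not eIAM/CH-LOGIN code; the AAGUIDs below are constructed placeholders."""
import hashlib
import struct
import uuid

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # user present, user verified, attested cred data

# Constructed placeholder AAGUIDs; a real RP takes these from the FIDO Metadata Service.
ALLOWED_AAGUIDS = {
    "11111111-1111-1111-1111-111111111111": "placeholder: roaming hardware security key",
    "22222222-2222-2222-2222-222222222222": "placeholder: TPM-backed platform authenticator",
}

def parse_auth_data(data: bytes) -> dict:
    """Decode the 37-byte header and, when the AT flag is set, the attested credential data."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    out = {"rp_id_hash": data[:32], "flags": data[32],
           "sign_count": struct.unpack(">I", data[33:37])[0], "aaguid": None, "cred_id": None}
    if out["flags"] & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        out["aaguid"] = str(uuid.UUID(bytes=data[37:53]))
        cred_len = struct.unpack(">H", data[53:55])[0]
        out["cred_id"] = data[55:55 + cred_len]
        if len(out["cred_id"]) != cred_len:
            raise ValueError("credential id truncated")
        # data[55 + cred_len:] holds the COSE public key (CBOR); not decoded here.
    return out

def check_registration(data: bytes, rp_id: str) -> tuple:
    """Return (accepted, reason): bound to our RP ID, PIN/biometric verified, allowlisted AAGUID."""
    ad = parse_auth_data(data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not ad["flags"] & FLAG_UP:
        return False, "user presence (button touch) not asserted"
    if not ad["flags"] & FLAG_UV:
        return False, "user verification (PIN or biometric) not asserted"
    if ad["aaguid"] is None:
        return False, "no attested credential data in registration"
    if ad["aaguid"] not in ALLOWED_AAGUIDS:
        return False, "authenticator %s is not on the hardware-backed allowlist" % ad["aaguid"]
    return True, ALLOWED_AAGUIDS[ad["aaguid"]]

def build_auth_data(rp_id: str, flags: int, aaguid: str, cred_id: bytes) -> bytes:
    """Constructed test input: header + attested credential data, empty CBOR map (0xa0) as the key."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
            + uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")
```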

Registering a FIDO security key

Log in to MyAccount with CH-LOGIN.


Under Login & Security, select Register in the 2FA administration to register a FIDO security key as a second factor.


Select Passkey (FIDO) and press Next.


Please enter your Password and press Continue.

If you have not yet entered your security questions, you will be asked to enter them here in an additional intermediate step.


So that you can manage multiple FIDO security keys, give the FIDO security key you are registering a name and press Continue.

Note: You can then add up to 3 additional FIDO security keys.


To register your FIDO security key, press Start.

Please note the information regarding Windows Hello support as a FIDO security key.

The following screenshots are based on a Yubico hardware FIDO security key.


Depending on the browser you are using, a message to set up the security key now appears; press OK.


Plug the FIDO security key into your device (e.g. notebook).

You will now be asked to enter the PIN of the security key. Then press OK.


Now press the button (flashing) on your FIDO security key.


A green pop-up message confirms the successful registration of the FIDO security key.


Under 2FA Management you will see the registered FIDO security key, where you can also remove it if necessary.


When logging in for the first time with the FIDO security key, you will see this explanation, which you can hide for future logins with this browser.


To log in successfully, please press the button on your FIDO security key.


Important:
After these steps, your second factor still does not correspond to the trust level "Verified". To reach this higher trust level (LOA3/QoA50), you must have your second factor checked using CH-LOGIN - Video identification (VIPS) for FIDO security keys.