Optional passkey configurations

Define additional configurations for passkey authentication.

Disabling last logged in time updates

By default, Domino updates the last logged in time for a passkey credential in passkey.nsf every time that credential is used to authenticate successfully. On a heavily trafficked server this extra write on every login can hurt performance. Setting PASSKEY_ALWAYS_UPDATE_LAST_LOGIN=0 in the server's notes.ini disables that behaviour: Domino then updates the credential's last logged in time only when the authenticator sent a non-zero signature counter during authentication. This improves performance, but last login times in passkey.nsf will be inconsistent, because credentials from authenticators that do not implement a signature counter (they report a counter of zero) will keep a stale last login time.

Note: Replication delays may result in different replicas of passkey.nsf having different last login times for a given credential.

Disabling attestation requests

Attestation statements let a relying party verify what kind of authenticator created a credential. That can improve the security of passkey registration when a login session is actively compromised, for example by letting the relying party refuse passkeys created on unexpected authenticators, but it also means authenticators send identifying information (the AAGUID and, for some attestation types, a certificate chain) to relying parties.

By default, Domino asks authenticators for a "direct" attestation statement during passkey registration in order to populate the "Authenticator name" field in passkey.nsf. On some browser/platform combinations this prompts the user for permission to share information that identifies the authenticator model, which some users will consider a privacy concern, and it can cause passkey registration to fail in incognito browser windows. Domino 14.0 can validate "None" and "Self" attestations and does so upon receipt of those types. Other attestation types require external metadata to validate and are not validated, so an "Authenticator name" derived from them is informational and should not be relied on as a trust decision.

If PASSKEY_REQUEST_DIRECT_ATTSTMT=0 is set in the Domino server's notes.ini, then Domino will request an attestation type of "none". This will cause most authenticators to register an AAGUID of all zeroes, which will correspond to a blank "Authenticator name" field in passkey.nsf.

Removing passkey registration limit

Each user is normally limited to registering one passkey per authenticator for each relying party to prevent confusion. If you wish to remove that restriction, possibly for testing purposes, set PASSKEY_ALLOW_REPEATED_REGISTRATION=1 in the server's notes.ini.

Requiring user verification

Authenticators always check for user presence before using a passkey. By default, an authenticator performs user verification if it can, but the login is not rejected if it cannot. For example, some older YubiKey devices only have a button to press to signify user presence, lack a fingerprint reader, and may have no PIN configured to verify the identity of the user holding the device. Similarly, some laptops allow passkey authentication while the lid is closed and the fingerprint reader is not active. Administrators can require user verification by setting PASSKEY_REQUIRE_USER_VERIFICATION=1 in the Domino server's notes.ini; Domino then rejects authentications in which the authenticator did not verify the user. This is likely to adversely impact users with FIDO2 devices that lack biometrics and were configured without a PIN, and users with closed and "docked" laptops, but it strictly enforces multi-factor authentication (possession of the authenticator plus a PIN or biometric).
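The three settings above (last-login updates driven by the signature counter, the all-zero AAGUID that results from "none" attestation, and required user verification) all turn on fields in the WebAuthn authenticator data that the server receives. The following added example, which is not Domino's code and does not describe how Domino implements these checks, parses that structure and applies the corresponding relying-party decisions. The sample bytes are constructed inline, the AAGUID catalog is a hypothetical lookup table (not FIDO metadata validation), and the two keyword arguments of check_assertion stand in for PASSKEY_REQUIRE_USER_VERIFICATION and PASSKEY_ALWAYS_UPDATE_LAST_LOGIN.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Bits of the "flags" byte in WebAuthn authenticator data.
FLAG_UP = 0x01  # user present: the authenticator saw a touch/click
FLAG_UV = 0x04  # user verified: PIN, biometric or similar was checked
FLAG_AT = 0x40  # attested credential data follows (registration only)


@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    sign_count: int
    aaguid: Optional[bytes] = None        # only present when FLAG_AT is set
    credential_id: Optional[bytes] = None


def build_authenticator_data(rp_id: str, flags: int, sign_count: int,
                             aaguid: bytes = b"", credential_id: bytes = b"") -> bytes:
    """Construct sample authenticator data for this example (not captured traffic).
    The real registration format continues with a COSE public key, omitted here
    because none of the checks below look at it."""
    out = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        out += aaguid + struct.pack(">H", len(credential_id)) + credential_id
    return out


def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse the 37-byte fixed header and, if FLAG_AT is set, AAGUID and credential ID."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    ad = AuthData(data[:32], bool(flags & FLAG_UP), bool(flags & FLAG_UV), sign_count)
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        ad.aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        ad.credential_id = data[55:55 + cred_len]
        if len(ad.credential_id) != cred_len:
            raise ValueError("credential id truncated")
    return ad


def authenticator_name(aaguid: bytes, catalog: dict) -> str:
    """Map an AAGUID to a display name. With attestation "none" most authenticators
    report sixteen zero bytes, which yields the blank name described above.
    `catalog` is a hypothetical AAGUID-hex-to-name table for illustration only."""
    if aaguid == bytes(16):
        return ""
    return catalog.get(aaguid.hex(), "")


def check_assertion(ad: AuthData, stored_count: int, *,
                    require_user_verification: bool, always_update_last_login: bool) -> dict:
    """Relying-party decision for one authentication response."""
    if not ad.user_present:
        return {"accepted": False, "reason": "user presence not asserted"}
    if require_user_verification and not ad.user_verified:
        return {"accepted": False, "reason": "user verification required but not performed"}
    # Signature counter rule from the WebAuthn spec: if either side's counter is
    # non-zero the authenticator uses counters, so the value must strictly increase;
    # a repeat or decrease suggests a cloned credential.
    if (ad.sign_count or stored_count) and ad.sign_count <= stored_count:
        return {"accepted": False, "reason": "signature counter did not increase (possible clone)"}
    # Last-login write policy: always, or only when a non-zero counter was sent
    # (authenticators without counters, including many synced passkeys, send zero).
    update_last_login = always_update_last_login or ad.sign_count != 0
    return {"accepted": True, "new_count": ad.sign_count, "update_last_login": update_last_login}


if __name__ == "__main__":
    rp = "example.com"  # constructed sample relying party
    reg = parse_authenticator_data(build_authenticator_data(
        rp, FLAG_UP | FLAG_UV | FLAG_AT, 0, aaguid=bytes(16), credential_id=b"\x01\x02\x03"))
    print("authenticator name:", repr(authenticator_name(reg.aaguid, {})))
    login = parse_authenticator_data(build_authenticator_data(rp, FLAG_UP, 7))
    print(check_assertion(login, 3, require_user_verification=True, always_update_last_login=False))
```

Run as-is, the script shows a blank authenticator name for the zero AAGUID and a rejected login for a touch-only assertion once user verification is required; flip require_user_verification to False and the same assertion is accepted with the last-login write enabled by its non-zero counter.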