Enable WebAuthn MFA for ONTAP System Manager users or groups
As an ONTAP administrator, you can enable WebAuthn MFA for a System Manager user or group by either adding a new user or group with the WebAuthn MFA option enabled or enabling the option for an existing user or group.

After you enable WebAuthn MFA as the second authentication method for a user or group, the user (or all users in that group) will be asked to register a hardware FIDO2 device upon the next login to System Manager. This registration is handled by the user's local operating system, and usually consists of inserting the security key, creating a passkey, and touching the security key (if supported).

Enable WebAuthn MFA when creating a new user or group
You can create a new user or group with WebAuthn MFA enabled using either System Manager or the ONTAP CLI.

System Manager

- Select Cluster > Settings.
- Select the arrow icon next to Users and Roles.
- Select Add under Users.
- Specify a user or group name and select a role in the drop-down menu for Role.
- Specify a login method and password for the user or group.
  WebAuthn MFA supports login methods of "password", "domain", or "nsswitch" for users, and "domain" or "nsswitch" for groups.
- In the MFA for HTTP column, select Enabled.
- Select Save.

CLI

- Create a new user or group with WebAuthn MFA enabled.
  In the following example, WebAuthn MFA is enabled by choosing "publickey" for the second authentication method:

    security login create -user-or-group-name <user_or_group_name> \
        -authentication-method domain \
        -second-authentication-method publickey \
        -application http \
        -role admin

Enable WebAuthn MFA for an existing user or group
You can enable WebAuthn MFA for an existing user or group.

System Manager

- Select Cluster > Settings.
- Select the arrow icon next to Users and Roles.
- In the list of users and groups, select the option menu for the user or group you want to edit.
  WebAuthn MFA supports login methods of "password", "domain", or "nsswitch" for users, and "domain" or "nsswitch" for groups.
- In the MFA for HTTP column for that user, select Enabled.
- Select Save.

CLI

- Modify an existing user or group to enable WebAuthn MFA for that user or group.
  In the following example, WebAuthn MFA is enabled by choosing "publickey" for the second authentication method:

    security login modify -user-or-group-name <user_or_group_name> \
        -authentication-method domain \
        -second-authentication-method publickey \
        -application http \
        -role admin

Learn more about security login create and security login modify in the ONTAP command reference.
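
When WebAuthn MFA is rolled out to many accounts, the login-method rules from both procedures above can be checked before any command is typed. The following is an added example, not NetApp code: it builds the `security login create` or `security login modify` line using only the parameters shown on this page and rejects combinations the page lists as unsupported. The account names, the `SAFE_NAME` character set, and the function names are assumptions made for illustration.

```python
import re

# Login methods this page lists as compatible with WebAuthn MFA.
SUPPORTED_METHODS = {
    "user": {"password", "domain", "nsswitch"},
    "group": {"domain", "nsswitch"},
}
# Assumption of this example (not an ONTAP rule): a conservative character
# set so a generated line is safe to paste into a CLI session.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._\\@-]+$")


def webauthn_command(name, kind, auth_method, role, existing=False):
    """Return the create/modify line for one account, or raise ValueError."""
    if not SAFE_NAME.match(name) or not SAFE_NAME.match(role):
        raise ValueError(f"{name!r}: name or role has unexpected characters")
    if kind not in SUPPORTED_METHODS:
        raise ValueError(f"{name}: kind must be 'user' or 'group'")
    if auth_method not in SUPPORTED_METHODS[kind]:
        allowed = ", ".join(sorted(SUPPORTED_METHODS[kind]))
        raise ValueError(
            f"{name}: {kind} login method '{auth_method}' is not supported "
            f"with WebAuthn MFA (allowed: {allowed})")
    verb = "modify" if existing else "create"
    return (f"security login {verb} -user-or-group-name {name} "
            f"-authentication-method {auth_method} "
            "-second-authentication-method publickey "
            f"-application http -role {role}")


def plan(entries):
    """Split entries into ready-to-run commands and rejection reasons."""
    commands, rejected = [], []
    for entry in entries:
        try:
            commands.append(webauthn_command(**entry))
        except ValueError as err:
            rejected.append(str(err))
    return commands, rejected


# Constructed sample accounts (hypothetical names).
SAMPLE = [
    {"name": "sm_admin1", "kind": "user", "auth_method": "password",
     "role": "admin"},
    {"name": "storage-ops", "kind": "group", "auth_method": "domain",
     "role": "admin", "existing": True},
    {"name": "local-ops", "kind": "group", "auth_method": "password",
     "role": "admin"},  # rejected: groups support only domain or nsswitch
]

if __name__ == "__main__":
    ok, bad = plan(SAMPLE)
    print("\n".join(ok))
    for reason in bad:
        print("SKIPPED:", reason)
```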