
View ONTAP WebAuthn MFA settings and manage credentials

Contributors netapp-mwallis netapp-dbagwell

As an ONTAP administrator, you can view cluster-wide WebAuthn MFA settings and manage user and group credentials for WebAuthn MFA.

View cluster settings for WebAuthn MFA

You can view the cluster settings for WebAuthn MFA using the ONTAP CLI.

Steps
  1. View the cluster settings for WebAuthn MFA. You can optionally specify a storage VM using the -vserver argument:

    security webauthn show -vserver <storage_vm_name>

View supported public key WebAuthn MFA algorithms

You can view the supported public key algorithms for WebAuthn MFA for a storage VM or for a cluster.

Steps
  1. List the supported public key WebAuthn MFA algorithms. You can optionally specify a storage VM using the -vserver argument:

    security webauthn supported-algorithms show -vserver <storage_vm_name>

View the registered WebAuthn MFA credentials

As an ONTAP administrator, you can view the registered WebAuthn credentials for all users. Non-administrator users who use this procedure can view only their own registered WebAuthn credentials.

Steps
  1. View the registered WebAuthn MFA credentials:

    security webauthn credentials show

Remove a registered WebAuthn MFA credential

You can remove a registered WebAuthn MFA credential. This is useful when a user's hardware key was lost, stolen, or is no longer in use. You can also remove a registered credential when the user still has the original hardware authenticator but wants to replace it with a new one. After you remove the credential, the user is prompted to register the replacement authenticator.

Note: Removing a registered credential for a user doesn't disable WebAuthn MFA for the user. If a user loses a hardware authenticator and needs to log in before replacing it, you need to remove the credential using these steps and also disable WebAuthn MFA for the user.

System Manager
  1. Select Cluster > Settings.

  2. Select the arrow icon next to Users and Roles.

  3. In the list of users and groups, select the option menu for the user or group whose credentials you want to remove.

  4. Select Remove MFA for HTTP credentials.

  5. Select Remove.

CLI
  1. Delete the registered credentials. Note the following:

    • You can optionally specify the storage VM of the user with -vserver. If omitted, the credential is removed at the cluster level.

    • You can optionally specify the username of the user whose credential you are deleting with -username. If omitted, the credential is removed for the current user.

      security webauthn credentials delete -vserver <storage_vm_name> -username <username>