WebAuthn multi-factor authentication overview
Beginning with ONTAP 9.16.1, administrators can enable WebAuthn multi-factor authentication (MFA) for users that log in to System Manager. This enables System Manager logins using a FIDO2 key (such as a YubiKey) as a second form of authentication. By default, WebAuthn MFA is disabled for new and existing ONTAP users.
WebAuthn MFA is supported for users and groups that use the following types of authentication for the first authentication method:
- Users: password, domain, or nsswitch
- Groups: domain or nsswitch
After you enable WebAuthn MFA as the second authentication method for a user, the user is asked to register a hardware authenticator upon logging in to System Manager. After registration, the private key is stored in the authenticator, and the public key is stored in ONTAP.
ONTAP supports one WebAuthn credential per user. If a user loses an authenticator and needs to have it replaced, the ONTAP administrator needs to delete the WebAuthn credential for the user so that the user can register a new authenticator upon the next login.
Users that have WebAuthn MFA enabled as a second authentication method need to use the FQDN (for example, "https://myontap.example.com") instead of the IP address (for example, "https://192.168.100.200") to access System Manager. For users with WebAuthn MFA enabled, attempts to log in to System Manager using the IP address are rejected.
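The FQDN requirement follows from how WebAuthn binds a credential to a relying-party ID (RP ID): the RP ID must be a domain name that the login origin matches, and an IP literal cannot serve as one. The following is an added example, not ONTAP's own code, of the checks a relying party performs on the clientDataJSON a browser returns at registration. The RP ID myontap.example.com is taken from the page's example; the function names, the challenge value and the sample client data are constructed.

```python
import ipaddress
import json
import secrets
from urllib.parse import urlsplit

RP_ID = "myontap.example.com"  # assumed relying-party ID, from the page's example FQDN


def rp_id_for_origin(origin):
    """Return the RP ID an origin can be bound to, or None if it cannot be."""
    parts = urlsplit(origin)
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return None  # WebAuthn requires a secure context
    try:
        ipaddress.ip_address(host)  # IPv4/IPv6 literals are not valid RP IDs
        return None
    except ValueError:
        return host.lower()


def origin_matches_rp_id(origin, rp_id):
    """The origin's host must equal the RP ID or be a subdomain of it."""
    host = rp_id_for_origin(origin)
    return host is not None and (host == rp_id or host.endswith("." + rp_id))


def verify_client_data(client_data_json, expected_challenge, rp_id=RP_ID):
    """Check type, challenge and origin in the clientDataJSON returned at registration."""
    data = json.loads(client_data_json)
    return (
        data.get("type") == "webauthn.create"
        and secrets.compare_digest(str(data.get("challenge", "")), expected_challenge)
        and origin_matches_rp_id(str(data.get("origin", "")), rp_id)
    )


# Constructed sample client data, shaped as a browser would return it
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed base64url challenge
GOOD = json.dumps({"type": "webauthn.create", "challenge": CHALLENGE,
                   "origin": "https://myontap.example.com"})
BY_IP = json.dumps({"type": "webauthn.create", "challenge": CHALLENGE,
                    "origin": "https://192.168.100.200"})
```

Registration over the IP address fails the origin check, which is the same outcome the page describes for System Manager logins.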