Fido2Agnostic

Login via FIDO2 or FIDO U2F (U2F can be disabled in configuration). Authentication uses a username together with a pre-enrolled FIDO token.

Properties

Name: pipeID
Description: ID of the pipe to run after successful FIDO authentication
Default value: N/A
Mandatory: Yes

Name: loginTemplate
Description: UI template used for rendering the end-user UI
Default value: fido2.template
Mandatory: No

Name: userVerificationRequirement
Description: The user verification requirement setting. Allowed values are 'required', 'preferred' and 'discouraged'. If 'required', FIDO U2F will not work, as those keys do not perform user verification.
Default value: preferred
Mandatory: No

Name: unverifiedRequestParameter
Description: A parameter that is set on the request if the user has performed a FIDO authentication without user verification (FIDO U2F). It is set so that you can configure additional authentication steps to ensure MFA.
Default value: fidoUserUnverified
Mandatory: No

Clarification regarding user verification

Set the "userVerificationRequirement" property to 'required' to rule out "one-factor" authentication (a FIDO U2F token with no PIN code or biometric verification). If you still wish to support the legacy FIDO U2F method, you may do so and enforce MFA in another way via the 'unverifiedRequestParameter' configuration property: when no additional user verification was performed during the token authentication, the configured request parameter ('fidoUserUnverified' by default) is added to the request. You may name this property anything you wish. A typical setup is a SequenceAuthenticator that prompts for a password after Fido2Agnostic has run and set the 'fidoUserUnverified' parameter, or something similar. Within the Fido2Agnostic pipe the parameter can be accessed as {{request.fidoUserUnverified}}, or whatever name you configured.
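The decision described above (accept or reject based on the user verification requirement, and flag the request when the token did no user verification) is driven by the flags byte of the WebAuthn authenticator data returned in the assertion. The following Python is an added illustration of that policy; it is not Fido2Agnostic's own code, and the parameter value "true", the function names and the sample authenticator data are assumptions for the example.

```python
from dataclasses import dataclass, field

# WebAuthn authenticator data layout (assertion):
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
FLAG_UP = 0x01  # User Present: set by both FIDO2 and U2F authenticators
FLAG_UV = 0x04  # User Verified: set only when PIN/biometric verification happened

ALLOWED_REQUIREMENTS = ("required", "preferred", "discouraged")


@dataclass
class PolicyResult:
    accepted: bool
    request_parameters: dict = field(default_factory=dict)
    reason: str = ""


def parse_flags(auth_data: bytes) -> int:
    """Return the flags byte from raw authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    return auth_data[32]


def apply_user_verification_policy(
    auth_data: bytes,
    user_verification_requirement: str = "preferred",
    unverified_request_parameter: str = "fidoUserUnverified",
) -> PolicyResult:
    """Model the page's policy: reject unverified tokens under 'required',
    otherwise accept and mark the request when no user verification occurred."""
    if user_verification_requirement not in ALLOWED_REQUIREMENTS:
        raise ValueError(f"unknown userVerificationRequirement: {user_verification_requirement}")

    flags = parse_flags(auth_data)
    if not flags & FLAG_UP:
        # User presence is mandatory for any assertion; reject outright.
        return PolicyResult(False, reason="user presence (UP) flag not set")

    user_verified = bool(flags & FLAG_UV)
    if user_verification_requirement == "required" and not user_verified:
        # This is the case where a FIDO U2F key cannot satisfy the policy.
        return PolicyResult(False, reason="user verification required but UV flag not set")

    params = {}
    if not user_verified:
        # Single-factor token authentication: hand a marker to the next step
        # (e.g. a password prompt) so MFA can still be enforced. The value
        # "true" is an assumption of this example.
        params[unverified_request_parameter] = "true"
    return PolicyResult(True, params, "ok")


def make_auth_data(flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample authenticator data: all-zero rpIdHash, given flags, sign count."""
    return bytes(32) + bytes([flags]) + sign_count.to_bytes(4, "big")


if __name__ == "__main__":
    u2f_style = make_auth_data(FLAG_UP)            # presence only, no PIN/biometric
    fido2_style = make_auth_data(FLAG_UP | FLAG_UV)  # presence plus user verification
    print("preferred / U2F :", apply_user_verification_policy(u2f_style, "preferred"))
    print("required  / U2F :", apply_user_verification_policy(u2f_style, "required"))
    print("required  / FIDO2:", apply_user_verification_policy(fido2_style, "required"))
```

Run with 'preferred', a presence-only assertion is accepted but the request carries fidoUserUnverified, which a following SequenceAuthenticator step can test; with 'required', the same assertion is rejected, which is why U2F keys stop working under that setting.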

Example Configuration

{
    "alias": "fidoauth",
    "name": "Fido2Agnostic",
    "configuration": {
        "pipeID": "tokenPipe"
    }
}

Requirements

The user must have at least one FIDO token enrolled.