FIDO2 mechanism support

[walidhammad]

My organization would like to force use of FIDO2 keys. Please implement the support for that

$psversionTable

Name                           Value
----                           -----
PSVersion                      7.5.0
PSEdition                      Core
GitCommitId                    7.5.0
OS                             Darwin 24.3.0 Darwin Kernel Version 24.3.0: Thu Jan  2 20:24:16 PST 2025; root:xnu-11215.81.4~3/RELEASE_ARM64_T6000
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

get-module IdentityCommand,pspas -ListAvailable

    Directory: /path/to/modules

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Script     0.2.58                IdentityCommand                     Desk      {New-IDSession, Close-IDSession, Clear-IDUserSession, Get-IDSession…}
Script     6.4.85                psPAS                               Desk      {New-PASSession, Close-PASSession, Add-PASPublicSSHKey, Get-PASPublicSSHKey…}

New-PASSession -Credential $pascreds -IdentityTenantURL https://xyz.cyberark.cloud -PrivilegeCloudURL https://abc.privilegecloud.cyberark.cloud -IdentityUser 

Challenge Mechanisms
Select Mechanism
[M] Mobile Authenticator  [E] Email... @abc.com [F] FIDO2 Security Key  []   [Q] QR Code  [?] Help (default is "M"): F
Exception:
Line |
 134 |  …             throw "Support for $PSItem mechanism not yet implemented  …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Support for U2F mechanism not yet implemented in the module

[pspete]

@walidhammad This would indeed be a great addition, but is also completely new ground so will take time to understand how to implement.

Any help on this topic will be gratefully received.

[walidhammad]

What can I provide you to help with this?

[pspete]

Any help at all, using PowerShell with WebAuthn authentication is not something we've done before.

[aaearon]

I'm not sure the best way to tackle this.

There seems to be an existing repository -- https://github.com/MichaelGrafnetter/webauthn-interop -- that can be used to handle answering the FIDO2 challenge via PowerShell but it isn't clear to me what would need to be done for it to work with CyberArk Identity as there are Okta and Entra specific code. This also doesn't address other platforms and I don't know if you would want to go down the path of having to handling it one way for Windows vs Linux vs macOS.

The official CyberArk python SDK also doesn't handle U2F as a mechanism (and it is where I discovered the undocumented out of band authentication mechanism for external IdPs) so there may not be a good way to do this yet.