FIDO2 Passkeys Report

The FIDO2 Passkeys Report displays details of every FIDO2 passkey registered to users under a domain, such as the user it belongs to, the time it was last used, the type of passkey, the time of enrollment, and the endpoint type from where the FIDO authentication was last attempted.

How it works

When users enroll a FIDO2 Passkey in ADSelfService Plus, enrollment information and passkey metadata is stored in the ADSelfService Plus database. This report queries the ADSelfService Plus database to retrieve comprehensive information about all registered FIDO2 passkeys across the organization, and presents it in a structured and searchable format.

Prerequisite: You must have administrator or technician-level access to the ADSelfService Plus portal to generate and view reports.

Generating the FIDO2 Passkeys Report

Log in to the ADSelfService Plus admin portal with administrator or operator privileges.
Navigate to Reports > MFA Reports > FIDO2 Passkeys Report.
Specify the domain in which to search using the Select Domain option.
Specify OUs (if necessary) using the Select OUs option.
Click Generate to generate the report.

Managing FIDO2 Passkeys

Disenrollment

You can disenroll specific FIDO credentials by selecting the respective row(s) in the report and clicking on the Disenroll button that appears at the top of the report.

Customizing the FIDO Passkeys Report

Advanced filtering

Once the report is generated, the entries can be narrowed down based on the following parameters by clicking the Advanced Filter [ ] icon at the far-right side of the report page.

FIDO2 Passkeys report in ADSelfService Plus

Username: This option lets you narrow down the report entries by username. The conditions available to refine this include Contains, Does Not Contain, Equals, Is Not Equal To, Starts With, and Ends With.

Passkey Type: This option allows you to filter entries by specifying if the passkey Is or Is Not a Device Passkey or a Security Key.

Sync Status: This option allows you to filter entries by specifying if the type of synchronization Is or Is Not Device-bound or Cloud-synced.

Sorting

Click on any of the column headers to view the report's entries in ascending or descending order.

Searching

Click on the search icon [ ] in order to search for specific data in the report.
Specific users can be searched for using their username.
Searching happens using the criteria ' contains '. For example, if the username column is searched for the word " jack " , then all usernames containing the sequence " jack " will be displayed as a result.

Automating the FIDO2 Passkeys Report

The Schedule Reports option can be used to schedule the generation of reports at specified intervals, and automatically email them to administrators or specific email addresses. Learn to schedule reports here.

Exporting the FIDO2 Passkeys Report

The Export As option at the right corner of the page helps export the report in CSV, PDF, XLS, XLSX, HTML and CSVDE formats.

Tips

The More option at the right corner of the page lists the Printable View, Send Mail, and Export Settings options.
- The Printable View option can be used to preview and print the report.
- The Send Mail option can be used to mail the report to the desired email addresses.
- Additionally, you can configure custom Export Settings, such as a personalized title for the report and a header logo that you may wish to display on each page.
Respond to lost or stolen devices: When users report lost smartphones, laptops, or hardware security keys, immediately search for their username in the report and disenroll all passkeys associated with the compromised device to prevent unauthorized access if the device falls into the wrong hands.
Coordinate disenrollment with offboarding: When employees leave the organization or change roles, generate a report filtered by their OU to identify and disenroll all their FIDO2 passkeys, ensuring former employees or role-changers can't access systems using previously enrolled authentication credentials.