Enrolling FIDO2 Security Keys for AGOV: A Guide to Secure and Convenient Authentication with Token2 Security Keys
AGOV is the public service login for Switzerland, used not only in federal settings but also when dealing with cantonal and communal authorities, such as completing tax returns. We recommend using FIDO2 security keys with this service because they are phishing-resistant, meaning they provide a higher level of protection against phishing attacks compared to traditional methods. This makes them an ideal choice for securing user accounts and sensitive information.
AGOV Lists Token2 Security as a Successfully Tested FIDO Security Key
AGOV maintains its list of successfully tested FIDO security keys, and Token2 has been included in the list. Token2 is recognized as a provider of FIDO security keys that meet the standards and requirements for secure authentication with AGOV. For more information and the full list of successfully tested FIDO security keys, please visit the AGOV security page.
How FIDO2 Keys Enhance Security
FIDO2 security keys use public-key cryptography to provide a secure and private authentication method. When a user logs in using a FIDO2 security key, a cryptographic challenge-response mechanism is used to verify the user's identity without transmitting any sensitive information over the network. This makes FIDO2 keys highly resistant to various forms of attacks, including phishing, man-in-the-middle, and replay attacks.
Prerequisites
Before enrolling a FIDO2 security key with AGOV, users need to ensure they have a compatible security key and an AGOV account. Any of the Token2 FIDO2 keys can be used with AGOV accounts; we have successfully tested every model we have available. The key must have a PIN code set.
Register your AGOV account
Go to the website to which you want to log in. This could be a federal, cantonal, or communal portal, or the test website. In this guide, we will use the test website - https://agov.ch/me
Click on the "Register Now" button to start the process.
On the next step, ignore the instructions given under Option 1 and do not install any of the recommended apps. We will go with Option 2.
Click on "Start" to continue the registration process.
On the first step, enter your email address and agree with the privacy statement by clicking on the checkbox.
After you click "Continue," the system will send a six-digit verification code to your email address. Enter the digits and click on "Verify" to continue.
Upon successful email verification, the form asking for your details will appear:
Fill the form with your data and click on "Continue" to proceed to the next step.
On the next step, choose the "Security Key" option:
Have your FIDO2 key ready, then click on "Confirm Selection".
Plug in your FIDO2 key and click on the "Start key registration" button to continue. This will invoke the current browser to start the FIDO2 security key registration process. The windows shown below are just an example (Chrome under Windows) and may look different with other browsers and/or operating systems.
Please note that to use our FIDO2 keys, you have to select the "External Security Keys" or "Security Key" option when prompted (this option is not always set as the default, so please pay attention to it). Selecting a different option may lead to your built-in platform authenticator (the TPM on a PC motherboard or Touch ID on a macOS laptop) being enrolled instead of the standalone security key. Also note that the system may ask you to choose the authenticator option more than once (if multiple platform authenticators are present). Make sure you always select the "Security Key" option.
On the next step, the browser will ask you to allow the website to create a new resident credential (passkey) on your FIDO2 key. Then, it will ask you to enter your security key's PIN code (if you don't have a PIN code set on the key, you will be prompted to create one). Finally, it will ask you to press the button (or tap in the case of NFC, or swipe a finger in the case of a biometric FIDO2 key) to complete the process.
On the next step, the system will ask you to give this key a name (so you can distinguish it later, as you will have to enroll more than one key for redundancy):
On the next step, the system will give the option of saving or printing out a recovery code.
This code is used if you lose access to your primary login method (your security key). Handle it with care and make sure it is stored securely, as anyone with access to this code can compromise your account. Click on "Reveal Code," then print out the PDF or the screenshot. Clicking "Continue" will complete the registration process.
Logging in to AGOV with your security key
Navigate to the site again and on the login form, choose "Security Key," then click on "Start security key login":
On the next page, the system will ask you to enter your email address and click on "Login":
Please note that AGOV has implemented only passwordless login (and not usernameless), therefore you have to enter your email address for identification.
After clicking "Login," the system will show some short instructions, which you can set to be skipped on your next login.
On this page, click on "Continue" and have your FIDO2 key ready. The browser will ask which type of passkey you want to use. Make sure you choose "External security key," similar to what was chosen during the registration process.
On the next step, the browser will prompt you to plug your security key in. If it is already plugged in, it will ask for your PIN code right away, followed by the request to touch the button.
This will complete the login process.
Additional security keys
It is strongly advised to enroll multiple security keys for enhanced security. To do this, follow these steps:
- Go to "Login factors" in your account settings.
- Click on "Add security key" to begin the enrollment process for an additional security key.
By having multiple security keys enrolled, you ensure that you have backup options in case one key is lost or unavailable, enhancing the overall security of your account.