FIDO2 WebAuthn Multifactor Authentication

WebAuthn is an API that makes it very easy for a relying party, such as a web service, to integrate strong authentication into applications using support built in to all leading browsers and platforms. This means that web services can now easily offer their users strong authentication with a choice of authenticators such as security keys or built-in platform authenticators such as biometric readers.

Support is enabled by including the following module in the WAR overlay:

implementation "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
dependencyManagement {
  imports {
    mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"

dependencies {  
  implementation "org.apereo.cas:cas-server-support-webauthn"

The following settings and properties are available from the CAS configuration catalog:

The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

  • cas.authn.mfa.web-authn.core.trusted-device-metadata.location=
  • The location of the resource. Resources can be URLS, or files found either on the classpath or outside somewhere in the file system.

    In the event the configured resource is a Groovy script, specially if the script set to reload on changes, you may need to adjust the total number of inotify instances. On Linux, you may need to add the following line to /etc/sysctl.conf: fs.inotify.max_user_instances = 256.

    You can check the current value via cat /proc/sys/fs/inotify/max_user_instances.


  • cas.authn.mfa.web-authn.core.application-id=
  • The extension input to set for the appid extension when initiating authentication operations. If this member is set, starting an assertion op will automatically set the appid extension input, and finish assertion op will adjust its verification logic to also accept this AppID as an alternative to the RP ID. By default, this is not set.

  • cas.authn.mfa.web-authn.core.relying-party-id=
  • The id that will be set as the rp parameter when initiating registration operations, and which id hash will be compared against. This is a required parameter. A successful registration or authentication operation requires rp id hash to exactly equal the SHA-256 hash of this id member. Alternatively, it may instead equal the SHA-256 hash of application id if the latter is present.

  • cas.authn.mfa.web-authn.core.relying-party-name=
  • The human-palatable name of the Relaying Party.

  • cas.authn.mfa.web-authn.crypto.encryption.key=
  • The encryption key is a JWT whose length is defined by the encryption key size setting.


  • cas.authn.mfa.web-authn.crypto.signing.key=
  • The signing key is a JWT whose length is defined by the signing key size setting.