Provisioning FIDO Devices

Based on your provisioning requirements, you can select one of the following provisioning modes:

  • Manual - an operator follows FIDO Provisioning application prompts to manually provision a device to each user in the request

  • Automatic - the devices are loaded into a supported printer and the FIDO Provisioning application automatically provisions a device to each user in the request

Prerequisites:  You have:

  • A valid license for the FIDO Provisioning service

    • To purchase new licenses or renew existing ones, contact your HID Account Manager.

  • The Administrator or Device Service Administrator role, or at least the Create Request privilege

Install the FIDO Provisioning Application

Prerequisites:

  • You have

    • The Administrator, Device Service Administrator or View Only role, or at least the Downloads privilege

    • Administrator privileges to install the application on the workstation

  • If required, restrict access to the FIDO Provisioning service on the workstation to a specific local group by adding the following registry key:

    • Location - HKEY_LOCAL_MACHINE\SOFTWARE\HID Global\FIDO Provisioning

  1. Sign in to Customer Central.

  2. Select Downloads downloads icon in the left menu.

    Passkey Management Downloads

  3. Click DOWNLOAD for the FIDO Provisioning application.

  4. Double-click the .exe file to launch the setup.

    FIDO Provisioning app admin credentials

  5. If prompted, enter your administrator username and password and allow the setup to make changes on the workstation.

    Install FIDO Provisioning app

  6. Click Install.

    Alternatively, if the setup detects an older version of the application is already installed, click either Upgrade to replace it with the new version, or Uninstall to remove the existing version.

    FIDO Provisioning app ready

    Note: The application is installed / upgraded for all the workstation's users, including non-administrators.

  7. Launch the application to test it is installed correctly.

    The following message is displayed.

    FIDO Provisioning app operation not supported

    Note: On first launch, the application might require several seconds to complete the initial setup.

  8. Close the application.

As an administrator, run one of the following commands:

Copy 
 "HID FIDO Provisioning Setup.exe" --install

or

Copy 
 "HID FIDO Provisioning Setup.exe" -i

Alternatively, use an application management service such as Microsoft Intune®.

Use one of the following methods according to your requirements:

  • Uninstall the application for the user currently logged on to the workstation:

    1. Launch the application and right-click on the app icon.

    2. Click Uninstall.

    Or

    1. Go to the workstation's Settings, select Apps and then Installed apps.

    2. Locate FIDO Provisioning and click Uninstall from the app menu.

    Note: The application is uninstalled for this user only. The application’s service remains available on the workstation for other users.

  • Uninstall the application and its service for all the workstation's users:

    1. Double-click the .exe file to launch the setup.

    2. Click Uninstall.

    FIDO Provisioning app uninstallation

  • Uninstall the application and its service silently for all the workstation's users:

    As an administrator, run one of the following commands:

    Copy 
    "HID FIDO Provisioning Setup.exe" --uninstall

    or

    Copy 
    "HID FIDO Provisioning Setup.exe"  -u

Provision the FIDO Devices for Your Users

Prerequisites: Before creating a provisioning request, you must:

  • Configure the connection to your user directory

  • Have the Administrator or Device Service Administrator role, or at least the Create Request privilege

  • Install the FIDO Provisioning application if you intend to enroll the FIDO devices for your users immediately after creating the request

  • For manual provisioning, you have:

    • The devices available for provisioning

    • Connected a smart card reader to the workstation

  • For automatic provisioning, you have:

    • Set up the printer

    • Loaded the cards into the printer's hopper, making sure there are enough cards to provision all the users in the request

      Note: Depending on the printer's capacity, you might need to reload the hopper during the provisioning process.

If these conditions are not met, you cannot create a request and provision devices.

  1. Sign in to Customer Central.

  2. Expand Passkey Management Passkey Management icon in the left menu and select Provisioning.

    Passkey Management prerequisites

  3. Click NEW REQUEST.

    Passkey Management Create request

  4. Enter a name for the request.

  5. Select the Directory configuration from the drop-down list.

    Create provisioning request directory configuration

  6. For PingOne directories only, select the required authentication policy.

  7. Click CONTINUE.

    Passkey Management Add request users

  8. Select the users required for the request by moving them from the Available to Selected list using the arrow.

    You can also filter the list by searching for users by name.

  9. Click CONTINUE.

    Passkey Management request PIN mode

  10. Select the PIN configuration and click CONTINUE:

    • Random - a random 6-digit PIN will be generated for each device

    • Static - enter a PIN that will be assigned to all the devices

      Passkey Management request static PIN

      The PIN must meet the following conditions:

      • Minimum length - 6 alphanumeric characters

      • Maximum length - 63 alphanumeric characters

    Passkey Management request summary

  11. Review the request details and click Edit to modify the section settings if necessary.

  12. Click Provision Now to create the request.

    Passkey Management request creation progress

    Passkey Management request creation ok

  1. When prompted, click Open FIDO Provisioning to launch the application and enroll devices for your users.

    Note: If the prompt does not display, verify that the application is correctly installed and then Provision a Pending Request.

    Passkey Management provisioning modes

  2. Select the mode and click CONTINUE:

Note: If required, you can switch modes during provisioning.

Provision Devices Manually

The application loads the required user information and displays the details of the first user detected in the request.

Passkey Management provision user

  1. Insert the FIDO device into the workstation's USB port or place/insert the FIDO smart card into the reader.

    The application detects the device and displays the information.

    Note: The application only manages one device at a time (the last device detected) even if multiple devices are connected.

    Provisioning details

  2. Verify that the provisioning information is correct for the user and device.

    If necessary, you can also:

    • Click SKIP USER to proceed to the next user in the provisioning request

    • Remove the device from the reader or USB port and select another device for the currently selected user

  3. Click PROVISION.

    Provisioning successful message

    Note: If you are provisioning a Crescendo Key in USB mode, press the button (flashing orange) to validate the operation.

  4. If the application detects that the device is already provisioned, click one of the following options:

    Device is in the Customer Central inventory

    • NEXT USER - proceed to the next user in the provisioning request

    • TRY NEW DEVICE - select another device to provision to the currently selected user

    • RESET AND PROVISION - reset the device and provision it to the currently selected user

      Important:

      • Before resetting the device, confirm that any stored credentials are no longer needed, as they will be permanently deleted

      • You cannot reset a FIDO device if its PIN is locked

      • If the reset does not work, remove device from the reader and then re-insert or tap again

      • You can only reset a Crescendo Key in USB mode and you must press the button (flashing orange) to validate the reset and provisioning operations

        Reset is not supported in contactless mode.

  5. After the success message is displayed, remove the device from the reader or USB port.

    The application proceeds to the provisioning for the next user in the request.

  6. Repeat the above steps for all the users.

    When the final user is provisioned, the completed message is displayed.

    Provisioning completed message

  7. Click VIEW SUMMARY to review the request details.

    Provisioning user summary

    Category Description

    Failed

    The provisioning attempt failed due to an error during this session

    1. Download the report for the provisioning request and review the reason for the failure.

    2. If required, create a new provisioning request for the pending users.

    Skipped

    The provisioning attempt was not made as the user was skipped

    Run the provisioning request again.

  8. Then click CLOSE APPLICATION.

Provision Devices Automatically

The application displays the details of the detected printers:

Provisioning automatic printer selection

  1. Select the required printer.

    Provisioning automatic encoder selection

  2. Select the Encoder mode:

    • Contact

    • Contactless

    Note: The available encoder options depend on the configuration of the detected printer. If you are unsure which mode to use, select Contact.

    For further information, refer to the corresponding user guide for the printer available from the HID Document Library.

    Provisioning printer ready

  3. Click CONTINUE.

    The application loads the required user information and displays the details of the first user detected in the request.

    Provisioning automatic user

  4. Verify that the provisioning information is correct for the user.

  5. Click START PROVISIONING.

    Important: Do not connect any other devices to your workstation during the provisioning to avoid process interruptions or failures.

    The application displays the status of the device provisioning for the user before proceeding to the next user in the request.

    Provisioning automatic next user

    Note: If an error occurs, a notification is displayed. For example:

    Provisioning automatic error message

    For further details and resolution suggestions, see Troubleshooting.

    When the final user is provisioned, the completed message is displayed.

    Provisioning request automatic completed

    The provisioned card is ejected by the printer.

  1. Click VIEW SUMMARY to review the request details.

    Provisioning automatic summary

    Category Description
    Total Users The total number of users from the Provisioning Request
    Successfully Provisioned The number of users successfully provisioned during this session

    Failed

    The number of users that were attempted but failed to provision due to an error during this session

    1. Download the report for the provisioning request and review the reason for the failure.

    2. If required, create a new provisioning request for the remaining users.

    Pending

    The total number of users not yet provisioned because the job was halted due to an error

    Unlike failed provisioning, these user accounts have not been attempted

    Run the provisioning request again. If the error persists, contact HID Technical Support.

  2. Then click CLOSE APPLICATION.

Verify the Device Enrollment

Microsoft Entra ID Users

  1. Log on to the Microsoft Entra admin center (https://entra.microsoft.com/#home) and, if necessary, switch to the required directory.

  2. Expand Identity in the left menu and select Applications.

  3. Select Enterprise applications and then your Passkey Management application.

  4. Under Manage, select Users and groups.

  5. Search for the users or groups for which you provisioned the devices and verify that the FIDO device is correctly registered as a credential.

    For example:

    Entra ID user with passkey

PingOne Users

  1. Log on to the PingIdentity console as an administrator for your PingOne environment.

  2. Expand Directory in the left menu and select Users.

  3. Search for the users or groups for which you provisioned the devices.

  4. Select a user and from the Services drop-down menu, select Authentication.

  5. Verify that the FIDO device is correctly registered as a credential.

    For example:

    Ping user with passkey