Enrolling FIDO2 Security Keys for AGOV: A Guide to Secure and Convenient Authentication with Token2 Security Keys

Detailed Instruction

AGOV is the public service login for Switzerland, used not only in federal settings but also when dealing with cantonal and communal authorities, such as completing tax returns. We recommend using FIDO2 security keys with this service because they are phishing-resistant, meaning they provide a higher level of protection against phishing attacks compared to traditional methods. This makes them an ideal choice for securing user accounts and sensitive information.

AGOV Lists Token2 Security as a Successfully Tested FIDO Security Key

AGOV maintains its list of successfully tested FIDO security keys, and Token2 has been included in the list. Token2 is recognized as a provider of FIDO security keys that meet the standards and requirements for secure authentication with AGOV. For more information and the full list of successfully tested FIDO security keys, please visit the AGOV security page.

How FIDO2 Keys Enhance Security

FIDO2 security keys use public-key cryptography to provide a secure and private authentication method. When a user logs in using a FIDO2 security key, a cryptographic challenge-response mechanism is used to verify the user's identity without transmitting any sensitive information over the network. This makes FIDO2 keys highly resistant to various forms of attacks, including phishing, man-in-the-middle, and replay attacks.
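
The challenge-response flow described above, seen from the service's side, as an added example (not AGOV's or Token2's code): a simulated key signs a login challenge, and the server-side checks reject a replayed response, a response produced on a lookalike origin, and one made without PIN verification. The domains, the `makeAuthenticator` and `verifyAssertion` names, and the assumption that the service requires the user-verification flag are illustrative.

```javascript
// Added example: all names, domains and values are constructed for illustration.
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();
// Stand-in for the security key. The private key stays inside this closure.
function makeAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let counter = 0;
  // `origin` is written by the browser, not by the page or the user.
  const sign = (rpId, origin, challenge, flagByte = 0x05) => {  // 0x05 = UP (touch) | UV (PIN)
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
    const count = Buffer.alloc(4);
    count.writeUInt32BE(++counter);
    const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([flagByte]), count]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { clientDataJSON, authenticatorData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
  };
  return { publicKey, sign };
}

// Relying-party side: returns 'ok' or the first check that failed.
function verifyAssertion(rp, publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== rp.origin) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(rp.id))) return 'rpId mismatch';
  const flags = a.authenticatorData[32];
  if ((flags & 0x01) === 0) return 'user not present';
  if ((flags & 0x04) === 0) return 'user not verified';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const rp = { id: 'login.example', origin: 'https://login.example' };
  const key = makeAuthenticator();
  const [c1, c2] = [nodeCrypto.randomBytes(32), nodeCrypto.randomBytes(32)];
  const good = key.sign(rp.id, rp.origin, c1);
  // Lookalike site relays the real challenge c2; the browser still records the site it is on.
  const phished = key.sign('login-example.test', 'https://login-example.test', c2);
  const noPin = key.sign(rp.id, rp.origin, c2, 0x01);   // touch only, no PIN entered
  return {
    genuine: verifyAssertion(rp, key.publicKey, c1, good),
    replayed: verifyAssertion(rp, key.publicKey, c2, good),  // old response, fresh challenge
    phished: verifyAssertion(rp, key.publicKey, c2, phished),
    noPin: verifyAssertion(rp, key.publicKey, c2, noPin),
  };
}
```

Only the signature and the public, signed data cross the network; the private key is never part of the response that `verifyAssertion` receives.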

Prerequisites

Before enrolling a FIDO2 security key with AGOV, users need to ensure they have a compatible security key and an AGOV account. Any Token2 FIDO2 key can be used with an AGOV account; we have successfully tested every model we have available.

The key must have a PIN code set before starting the registration process. A key without a PIN will fail to meet AGOV's security standards.

PIN on Windows

Use the Windows 10/11 built-in tool to set up and manage your FIDO2 key:

  • Insert the FIDO2 key into your computer.
  • Open Settings > Accounts > Sign-in options > Security Key.
  • Click Manage and follow the prompts to set or change your PIN.

PIN on macOS

Safari does not support managing FIDO2 keys.

Install and use Google Chrome instead:

  • Open Chrome and type chrome://settings/securityKeys in the address bar.
  • Insert the FIDO2 key into your computer.
  • Follow the prompts to set or change your PIN.

Step-by-Step Registration at agov.ch/me

Register your AGOV account

Go to the website to which you want to log in. This could be a federal, cantonal, or communal portal, or the test website. In this guide, we will use the test website: https://agov.ch/me

Click on the "Register Now" button to start the process.

Registration Process

On the next step, ignore the instructions given under Option 1 and do not install any of the apps recommended.
We will go with Option 2.

Click on "Start" to continue the registration process.

On the first step, enter your email address and agree with the privacy statement by clicking on the checkbox.

After you click "Continue" the system will send a six-digit verification code to your email address.
Enter the digits and click on "Verify" to continue.

Upon successful email verification, the form asking for your details will appear:

Fill in the form with your data and click on "Continue" to proceed to the next step.

On the next step, choose the "Security Key" option:

Have your FIDO2 key ready, then click on "Confirm Selection".

Plug in your FIDO2 key and click on the "Start key registration" button to continue.
This will prompt the browser to start the FIDO2 security key registration process.
Note: The windows shown below are just an example (Chrome under Windows) and may look different with other browsers and/or operating systems.

Please note that to use our FIDO2 keys, you have to select the "External Security Keys" or "Security Key" option when prompted. This option is not always the default, so pay attention to it. Selecting a different option may result in your built-in authenticator (TPM on a PC motherboard or Touch ID on a macOS laptop) being enrolled instead of the standalone security key.
Also note that the system may ask you to choose the authenticator option more than once (if multiple platform authenticators are present). Make sure you always select the "Security Key" option.

On the next step, the browser will ask you to allow the website to create a new resident credential (passkey) on your FIDO2 key. Then, it will ask you to enter your security key's PIN code (if you don't have a PIN code set on the key, you will be prompted to create it).

Finally, it will ask you to press a button (or tap in the case of NFC, or swipe a finger in the case of a biometric FIDO2 key) to complete the process.

On the next step, the system will ask you to give this key a name (so that you can distinguish it later, as you will have to enroll more than one key for redundancy) and will give you the option of saving or printing out a recovery code.
This code is used if you lose access to your primary login method (security key). Handle it with care and make sure it is stored securely, as anyone with access to this code can compromise your account. Click on "Reveal Code," then print out the PDF or the screenshot.

Clicking "Continue" will complete the registration process.

Logging in to AGOV with your security key

Navigate to the site again and on the login form, choose "Security Key," then click on "Start security key login":

The system will ask you to enter your email address and click on "Login":

Note: AGOV has implemented only passwordless login (and not usernameless), therefore you have to enter your email address for identification.

After clicking "Login," the system will show some short instructions, which you can set to be skipped on your next login.

On this page, click on "Continue" and have your FIDO2 key ready. 

The browser will ask which type of passkey you want to use.
Make sure you choose "External security key," similar to what was chosen during the registration process.

The browser will prompt you to plug in your security key. If it is already plugged in, it will ask for your PIN code right away, followed by a request to touch the button.

This will complete the login process.

Additional security keys

It is strongly advised to enroll multiple security keys for enhanced security.

To do this, follow these steps:

  • Go to "Login factors" in your account settings.
  • Click on "Add security key" to begin the enrollment process for an additional security key.

By having multiple security keys enrolled, you ensure that you have backup options in case one key is lost or unavailable, enhancing the overall security of your account.

AGOV and FIDO2 Security Keys FAQ

  • 1. Which FIDO2 keys can be used with AGOV?

    Any FIDO2 security key available on our website is compatible with AGOV. Visit our
    shop to explore the range of keys we offer.

  • 2. What does the error "Key does not meet our security requirements" mean?

    This error typically indicates that the key does not have a PIN set. AGOV requires a
    PIN to meet its security standards. Once the PIN is set, you can use the key with AGOV.