FIDO2-Based Authentication and Registration (FIDO2 Policy)
22 Oct 2024

• Parent policy: N.A.
The FIDO2 match criteria fields table below lists the match criteria fields used in this policy; for descriptions of the valid values, refer to the FIDO Registry.

FIDO2 policy configuration fields

Field: allowSelfAttestation
Type: boolean
Description: Attestation is used to cryptographically prove, at registration time, that a user holds a specific device model. The attestation key is a keypair burned into the device at manufacturing time and specific to a device model. During registration, the generated credentials are signed with the attestation private key, and the service that registers the user can verify that the credentials came from that device model.

The allowSelfAttestation flag controls whether the Relying Party accepts a self-signed attestation certificate at registration instead of an attestation certificate that chains back to a root certificate.

FIDO2 match criteria fields

Field: aaguid
Type: Array of strings
Description: Each FIDO2 authenticator model has an Authenticator Attestation GUID (AAGUID) that uniquely identifies the authenticator model.
Valid values: UUIDv4 format
Example: ["7a98c250-6808-11cf-b73b-00aa00b677a7"]

Field: attestationCertificateKeyIdentifier
Type: Array of strings
Description: FIDO U2F authenticators do not have an AAGUID; instead, their attestation certificate uniquely identifies the authenticator model.
Valid values: hex string, format [0-9a-f]+
Example: ["1434d2f277fe479c35ddf6aa4d08a07cbce99dd7"]

Field: userVerification
Type: Array of strings
Description: Describes the methods and capabilities of a FIDO2 authenticator for locally verifying a user.
Valid values:
• PRESENCE_INTERNAL
• FINGERPRINT_INTERNAL
• PASSCODE_INTERNAL
• VOICEPRINT_INTERNAL
• FACEPRINT_INTERNAL
• LOCATION_INTERNAL
• EYEPRINT_INTERNAL
• PATTERN_INTERNAL
• HANDPRINT_INTERNAL
• PASSCODE_EXTERNAL
• PATTERN_EXTERNAL
• NONE
Example: ["FINGERPRINT_INTERNAL", "PASSCODE_INTERNAL", "PASSCODE_EXTERNAL"]

Field: keyProtection
Type: Array of strings
Description: Describes the method an authenticator uses to protect the private key.
Valid values:
• SOFTWARE
• HARDWARE
• TEE
• SECURE_ELEMENT
• REMOTE_HANDLE
Example: ["SOFTWARE"]

Field: authCertLevel
Type: Array of strings
Description: Describes the level of FIDO certification. (For more information, refer to the FIDO documentation on authenticator certification levels.)
Valid values:
• NOT_FIDO_CERTIFIED
• FIDO_CERTIFIED
• FIDO_CERTIFIED_L1
• FIDO_CERTIFIED_L1_PLUS
• FIDO_CERTIFIED_L2
• FIDO_CERTIFIED_L3
• FIDO_CERTIFIED_L3_PLUS
Example: ["FIDO_CERTIFIED_L1"]

Field: minAuthenticatorVersion
Type: Integer
Description: Describes the minimum version of the authenticator.
Example: 2
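The following is an added, illustrative example of how a Relying Party could validate a policy document built from the fields above and then evaluate it against an authenticator's metadata at registration; it is not the product's own implementation. The policy field names and enumerations come from this page; the shape of the metadata record (aaguid, attestationCertificateKeyIdentifiers, userVerification, keyProtection, authCertLevel, authenticatorVersion), the `self_attested` flag on the registration record, and the "match at least one listed value" semantics for array criteria are assumptions for the example. The sample policy and metadata are constructed and describe no real product.

```python
import re

# Enumerations exactly as listed on the page (FIDO Registry names).
USER_VERIFICATION = {
    "PRESENCE_INTERNAL", "FINGERPRINT_INTERNAL", "PASSCODE_INTERNAL",
    "VOICEPRINT_INTERNAL", "FACEPRINT_INTERNAL", "LOCATION_INTERNAL",
    "EYEPRINT_INTERNAL", "PATTERN_INTERNAL", "HANDPRINT_INTERNAL",
    "PASSCODE_EXTERNAL", "PATTERN_EXTERNAL", "NONE",
}
KEY_PROTECTION = {"SOFTWARE", "HARDWARE", "TEE", "SECURE_ELEMENT", "REMOTE_HANDLE"}
AUTH_CERT_LEVEL = {
    "NOT_FIDO_CERTIFIED", "FIDO_CERTIFIED", "FIDO_CERTIFIED_L1",
    "FIDO_CERTIFIED_L1_PLUS", "FIDO_CERTIFIED_L2", "FIDO_CERTIFIED_L3",
    "FIDO_CERTIFIED_L3_PLUS",
}
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9a-f]+$")  # page: Format [0-9a-f]+


def validate_policy(policy: dict) -> list[str]:
    """Return problems found in the policy document; an empty list means well-formed."""
    errors = []
    checks = {
        "aaguid": lambda v: bool(UUID_RE.match(v)),
        "attestationCertificateKeyIdentifier": lambda v: bool(HEX_RE.match(v)),
        "userVerification": USER_VERIFICATION.__contains__,
        "keyProtection": KEY_PROTECTION.__contains__,
        "authCertLevel": AUTH_CERT_LEVEL.__contains__,
    }
    for name, ok in checks.items():
        values = policy.get(name, [])
        if not isinstance(values, list):
            errors.append(f"{name}: expected an array of strings")
            continue
        for v in values:
            if not isinstance(v, str) or not ok(v):
                errors.append(f"{name}: invalid value {v!r}")
    mv = policy.get("minAuthenticatorVersion")
    if mv is not None and (isinstance(mv, bool) or not isinstance(mv, int) or mv < 0):
        errors.append("minAuthenticatorVersion: expected a non-negative integer")
    asa = policy.get("allowSelfAttestation")
    if asa is not None and not isinstance(asa, bool):
        errors.append("allowSelfAttestation: expected a boolean")
    return errors


def evaluate_registration(policy: dict, metadata: dict, registration: dict) -> list[str]:
    """Return reasons for rejecting a registration; an empty list means it is accepted.

    Assumed semantics: a non-empty array criterion is satisfied when the authenticator
    matches at least one listed value; an absent or empty criterion matches everything.
    """
    reasons = []
    # Model identity: FIDO2 authenticators carry an AAGUID, U2F authenticators are
    # identified by attestation certificate key identifier; either list may match.
    wanted_aaguid = set(policy.get("aaguid", []))
    wanted_ckids = set(policy.get("attestationCertificateKeyIdentifier", []))
    if wanted_aaguid or wanted_ckids:
        by_aaguid = metadata.get("aaguid") in wanted_aaguid
        by_ckid = bool(wanted_ckids & set(metadata.get("attestationCertificateKeyIdentifiers", [])))
        if not (by_aaguid or by_ckid):
            reasons.append("authenticator model is not in the allowed aaguid/key identifier lists")
    for name in ("userVerification", "keyProtection"):
        wanted = set(policy.get(name, []))
        if wanted and not (wanted & set(metadata.get(name, []))):
            reasons.append(f"{name}: authenticator supports none of {sorted(wanted)}")
    wanted_levels = set(policy.get("authCertLevel", []))
    if wanted_levels and metadata.get("authCertLevel") not in wanted_levels:
        reasons.append(f"authCertLevel: {metadata.get('authCertLevel')} is not an allowed level")
    min_version = policy.get("minAuthenticatorVersion")
    if min_version is not None and metadata.get("authenticatorVersion", 0) < min_version:
        reasons.append(f"authenticator version {metadata.get('authenticatorVersion')} is below {min_version}")
    # A self-signed attestation certificate (no chain to a root) is accepted only
    # when allowSelfAttestation is explicitly true.
    if registration.get("self_attested") and not policy.get("allowSelfAttestation", False):
        reasons.append("self attestation is not allowed by the policy")
    return reasons


# Constructed sample policy, reusing the example values from this page.
SAMPLE_POLICY = {
    "allowSelfAttestation": False,
    "aaguid": ["7a98c250-6808-11cf-b73b-00aa00b677a7"],
    "attestationCertificateKeyIdentifier": ["1434d2f277fe479c35ddf6aa4d08a07cbce99dd7"],
    "userVerification": ["FINGERPRINT_INTERNAL", "PASSCODE_INTERNAL", "PASSCODE_EXTERNAL"],
    "keyProtection": ["HARDWARE", "SECURE_ELEMENT"],
    "authCertLevel": ["FIDO_CERTIFIED_L1", "FIDO_CERTIFIED_L2"],
    "minAuthenticatorVersion": 2,
}
# Constructed metadata for a hypothetical authenticator (not a real product).
SAMPLE_METADATA = {
    "aaguid": "7a98c250-6808-11cf-b73b-00aa00b677a7",
    "userVerification": ["FINGERPRINT_INTERNAL", "PRESENCE_INTERNAL"],
    "keyProtection": ["HARDWARE", "SECURE_ELEMENT"],
    "authCertLevel": "FIDO_CERTIFIED_L1",
    "authenticatorVersion": 3,
}

if __name__ == "__main__":
    print("policy errors:", validate_policy(SAMPLE_POLICY))
    print("basic attestation:", evaluate_registration(SAMPLE_POLICY, SAMPLE_METADATA, {"self_attested": False}))
    print("self attestation:", evaluate_registration(SAMPLE_POLICY, SAMPLE_METADATA, {"self_attested": True}))
```

Validating the policy document separately from evaluating registrations catches a misspelled enum value or a malformed AAGUID at configuration time, where it would otherwise silently match nothing and lock out every authenticator.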

