Login
    Contenu x
    Sample FIDO2 Policies
    • 22 Oct 2024
    • 1 Minute à lire
    • Sombre
      Lumière
    Contenu

    Sample FIDO2 Policies

    • Mis à jour le 22 Oct 2024
    • 1 Minute à lire
    • Sombre
      Lumière
    The content is currently unavailable in French. You are viewing the default English version.
    Résumé de l’article

    The following sample policies demonstrate how you can configure FIDO2 policies to meet your organization's security needs.

    Example 1: Allow all authenticators

    {
  "name": "Allow All",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{}]
     },
     "u2f": {
      "accepted": [{}]
     }
  }
}

    Example 2: Do not allow any authenticators

    {
  "name": "Don't allow any",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": []
     },
     "u2f": {
      "accepted": []
     }
  }
}

    Example 3: Allow only FIDO2 authenticators, but not U2F authenticators

    {
  "name": "Allow all fido2",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{}]
     },
     "u2f": {
      "accepted": []
     }
  }
}

    Example 4: Allow all FIDO-certified authenticators

    {
  "name": "Default Policy",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
     },
     "u2f": {
      "accepted": [{}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
     }
  }
}

    Example 5: Allow only a specific FIDO2 authenticator model

    {
  "name": "Allow only OneSpan Fido Touch",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{"aaguid": ["30b5035e-d297-4fc1-b00b-addc96ba6a97"]}]
     },
     "u2f": {
      "accepted": []
     }
  }
}

    Example 6: Allow only a specific U2F authenticator model

    {
  "name": "Allow only YubiKey Bio Series",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": []
     },
     "u2f": {
      "accepted": [{"attestationCertificateKeyIdentifier": ["786544772ecc9d3e85049222ae33226345b59c69"]}]
     }
  }
}

    Example 7: Allow FIDO-certified authenticators that support only internal user verification methods

    {
  "name": "Allow certified authenticators that support only internal user verification methods",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{"userVerification": ["PRESENCE_INTERNAL","FINGERPRINT_INTERNAL","PASSCODE_INTERNAL","VOICEPRINT_INTERNAL","FACEPRINT_INTERNAL","LOCATION_INTERNAL","EYEPRINT_INTERNAL","PATTERN_INTERNAL","HANDPRINT_INTERNAL"]}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}, {"userVerification":["PASSCODE_EXTERNAL","PATTERN_EXTERNAL"]}]
     },
     "u2f": {
      "accepted": [{"userVerification": ["PRESENCE_INTERNAL","FINGERPRINT_INTERNAL","PASSCODE_INTERNAL","VOICEPRINT_INTERNAL","FACEPRINT_INTERNAL","LOCATION_INTERNAL","EYEPRINT_INTERNAL","PATTERN_INTERNAL","HANDPRINT_INTERNAL"]}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}, {"userVerification":["PASSCODE_EXTERNAL","PATTERN_EXTERNAL"]}]
     }
  }
}

    Example 8: Allow FIDO-certified authenticators above level 1

    {
  "name": "Allow certified authenticators above level 1",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{"authCertLevel":["FIDO_CERTIFIED_L2","FIDO_CERTIFIED_L3","FIDO_CERTIFIED_L3_PLUS"]}]
     },
     "u2f": {
      "accepted": [{"authCertLevel":["FIDO_CERTIFIED_L2","FIDO_CERTIFIED_L3","FIDO_CERTIFIED_L3_PLUS"]}]
     }
  }
}

    Example 9: Allow FIDO-certified authenticators that use hardware key protection

    {
  "name": "Allow certified authenticators that use hardware key protection",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{"keyProtection": ["HARDWARE"]}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
     },
     "u2f": {
      "accepted": [{"keyProtection": ["HARDWARE"]}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
     }
  }
}

    Example 10: Disallow authenticators that use software key protection

    {
  "name": "Disallow authenticators that use software key protection",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{}],
      "disallowed": [{"keyProtection": ["SOFTWARE"]}]
     },
     "u2f": {
      "accepted": [{}],
      "disallowed": [{"keyProtection": ["SOFTWARE"]}]
     }
  }
}

    Example 11: Allow authenticators that support fingerprint or faceprint user verfication and are L1 certified or that support passcode user verification and are L2 certified

    {
  "name": "Allow authenticators that support fingerprint or faceprint user verfication and are L1 certified or that support passcode user verification and are L2 certified",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{"userVerification":["FINGERPRINT_INTERNAL","FACEPRINT_INTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L1"]},
                   {"userVerification":["PASSCODE_INTERNAL","PASSCODE_EXTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L2"]}]
     },
     "u2f": {
      "accepted": [{"userVerification":["FINGERPRINT_INTERNAL","FACEPRINT_INTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L1"]},
                   {"userVerification":["PASSCODE_INTERNAL","PASSCODE_EXTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L2"]}]
     }
  }
}

    Cet article vous a-t-il été utile ?
    What's Next
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout
    ESC

    Ozzy, facilitant la découverte de connaissances grâce à l’intelligence conversationnelle