- 17 Jan 2025
- 2 minutes to read
UAF Policy
A Policy is a structure composed of two fields:
- accepted, type MatchCriteria[][]
- disallowed, type MatchCriteria[]
The accepted field is a list of match criteria sets. For information on how to create a valid match criteria structure, refer to the FIDO Alliance documentation on the UAF 1.1 protocol at https://fidoalliance.org/specs. For the FIDO server to accept a FIDO operation, at least one entire set from the provided list of sets must be matched. This means that as long as one set in the accepted list is fully matched, the FIDO server will match the policy (unless any of the authenticators from that set are present on the disallowed list).
A valid policy must have at least one set of authenticators on the list of accepted match criteria.
The disallowed field describes authenticators that are excluded from the operation, even if they overlap with an authenticator on the accepted list (i.e. the mandatory fields of both elements are equal).
In the FIDO UAF SDK, a third field, appId, was added to the Policy structure. With it, you can create different policies for different application IDs.
To construct the policy, follow the examples provided in the FIDO documentation at https://fidoalliance.org/specs.
Sample FIDO UAF policies
The following sample policies demonstrate how you can configure FIDO UAF policies to meet your organization's security needs.
Either FPS or face-recognition-based authenticator
This policy matches either an FPS-based or a face-recognition-based authenticator.
```json
{
  "accepted": [
    [{ "userVerification": 2, "authenticationAlgorithms": [1, 2, 5, 6], "assertionSchemes": ["UAFV1TLV"] }],
    [{ "userVerification": 16, "authenticationAlgorithms": [1, 2, 5, 6], "assertionSchemes": ["UAFV1TLV"] }]
  ]
}
```
FPS and face recognition as an alternative combination
This policy matches authenticators implementing FPS and face recognition as an alternative combination of user verification methods.
```json
{
  "accepted": [
    [{ "userVerification": 18, "authenticationAlgorithms": [1, 2, 5, 6], "assertionSchemes": ["UAFV1TLV"] }]
  ]
}
```
Combining these two bit-flags with the flag USER_VERIFY_ALL (USER_VERIFY_ALL = 1024) into a single userVerification value would match authenticators implementing FPS and face recognition as a mandatory combination of user verification methods.
FPS and face recognition as a mandatory combination
This policy matches authenticators implementing FPS and face recognition as a mandatory combination of user verification methods.
```json
{
  "accepted": [
    [{ "userVerification": 1042, "authenticationAlgorithms": [1, 2, 5, 6], "assertionSchemes": ["UAFV1TLV"] }]
  ]
}
```
Combination of an FPS-based and a face-recognition-based authenticator
This policy matches the combination of an FPS-based and a face-recognition-based authenticator. It requires two authenticators to be used.
```json
{
  "accepted": [
    [
      { "userVerification": 2, "authenticationAlgorithms": [1, 2, 5, 6], "assertionSchemes": ["UAFV1TLV"] },
      { "userVerification": 16, "authenticationAlgorithms": [1, 2, 5, 6], "assertionSchemes": ["UAFV1TLV"] }
    ]
  ]
}
```
Other criteria can be specified in addition to userVerification.
Combination of a bound FPS-based and a bound face-recognition-based authenticator
This policy requires the combination of a bound FPS-based and a bound face-recognition-based authenticator.
```json
{
  "accepted": [
    [
      { "userVerification": 2, "attachmentHint": 1, "authenticationAlgorithms": [1, 2, 5, 6], "assertionSchemes": ["UAFV1TLV"] },
      { "userVerification": 16, "attachmentHint": 1, "authenticationAlgorithms": [1, 2, 5, 6], "assertionSchemes": ["UAFV1TLV"] }
    ]
  ]
}
```
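The following is an added example, not code from the FIDO UAF SDK or the FIDO Alliance, showing how the matching rules described above (every criteria object in one accepted set must be satisfied by its own authenticator, disallowed entries win over accepted ones, and USER_VERIFY_ALL turns an alternative userVerification combination into a mandatory one) can be evaluated against a set of available authenticators. It assumes a simplified authenticator description (a userVerification bitmask of supported methods, a list of algorithms, one assertion scheme and an attachmentHint bitmask) and that attachmentHint bit 2 means an external authenticator; the sample authenticators and policy values are constructed.

```python
from itertools import permutations
from typing import Optional

# UAF registry flag values used by the policies on this page.
USER_VERIFY_FINGERPRINT, USER_VERIFY_FACEPRINT, USER_VERIFY_ALL = 2, 16, 1024

def criteria_match(crit: dict, auth: dict) -> bool:
    """Does one MatchCriteria object accept this authenticator? (simplified rules)"""
    if "userVerification" in crit:
        wanted = crit["userVerification"] & ~USER_VERIFY_ALL
        supported = auth["userVerification"] & wanted
        if crit["userVerification"] & USER_VERIFY_ALL:
            if supported != wanted:  # mandatory combination: every flag must be supported
                return False
        elif supported == 0:         # alternative combination: any one flag is enough
            return False
    if "authenticationAlgorithms" in crit and not (
            set(crit["authenticationAlgorithms"]) & set(auth["authenticationAlgorithms"])):
        return False
    if "assertionSchemes" in crit and auth["assertionScheme"] not in crit["assertionSchemes"]:
        return False
    if "attachmentHint" in crit and not (crit["attachmentHint"] & auth["attachmentHint"]):
        return False
    return True

def select_authenticators(policy: dict, available: list) -> Optional[list]:
    """Authenticators satisfying the first accepted set matched in full, else None.
    Each criteria object in a set needs its own distinct authenticator, and any
    authenticator matching a disallowed entry is dropped before the sets are tried."""
    usable = [a for a in available
              if not any(criteria_match(d, a) for d in policy.get("disallowed", []))]
    for crit_set in policy["accepted"]:
        for combo in permutations(usable, len(crit_set)):
            if all(criteria_match(c, a) for c, a in zip(crit_set, combo)):
                return list(combo)
    return None

# Constructed sample authenticators and policies (values made up for this example).
FP_BOUND = {"name": "bound fingerprint", "userVerification": 2, "authenticationAlgorithms": [1],
            "assertionScheme": "UAFV1TLV", "attachmentHint": 1}
FACE_ROAMING = {"name": "roaming face", "userVerification": 16, "authenticationAlgorithms": [2],
                "assertionScheme": "UAFV1TLV", "attachmentHint": 2}
COMBO = {"name": "fingerprint+face", "userVerification": 18, "authenticationAlgorithms": [1],
         "assertionScheme": "UAFV1TLV", "attachmentHint": 1}
CRIT = {"authenticationAlgorithms": [1, 2, 5, 6], "assertionSchemes": ["UAFV1TLV"]}
MANDATORY = {"accepted": [[{"userVerification": 1042, **CRIT}]]}  # FPS and face on one authenticator
TWO_DEVICE = {"accepted": [[{"userVerification": 2, **CRIT}, {"userVerification": 16, **CRIT}]]}
BOUND_ONLY = {**TWO_DEVICE, "disallowed": [{"attachmentHint": 2}]}  # 2 = external (assumed flag)
```

With these inputs, MANDATORY is satisfied only by COMBO, TWO_DEVICE needs two distinct authenticators, and BOUND_ONLY rejects the roaming face authenticator even though it would otherwise satisfy the accepted set.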