FIDO2-Based Authentication and Registration (FIDO2 Policy)
  • 18 Oct 2024
  • 1 Minute to read
  • Dark
    Light
  • PDF

FIDO2-Based Authentication and Registration (FIDO2 Policy)

  • Dark
    Light
  • PDF

Article summary

  • Parent policy: N.A.

FIDO2 match criteria fields lists the match criteria fields used in this policy; for descriptions of valid values, refer to the FIDO Registry.

FIDO2 policy configuration fields

Field

Type

Description

allowSelfAttestation

boolean

Attestation is used to cryptographically prove that a user has a specific device model at registration time. It is a keypair burned into the device at manufacturing time that is specific to a device model. During registration, the generated credentials are signed with the attestation private key and the service that registers the user can verify that the credentials came from the device.

The allowSelfAttestation flag controls whether the RelyingParty accepts self-signed certificates at registration instead of an attestation certificate that chains back to some root certificate.

FIDO2 match criteria fields

Field

Type

Description

aaguid

Array of strings

Each FIDO2 authenticator model has an attestation ID (AAGUID) that uniquely identifies the type of authenticator.

Valid values: UUIDv4 format

Example:

["7a98c250-6808-11cf-b73b-00aa00b677a7"]

attestationCertificateKeyIdentifier

Array of strings

FIDO U2F authenticators do not support AAGUID, however they use attestation certificates to uniquely identify the authenticator model.

Valid values: Hex string, Format: [0-9a-f]+

Example:

["1434d2f277fe479c35ddf6aa4d08a07cbce99dd7"]

userVerification

Array of strings

Describes the methods and capabilities of a FIDO2 authenticator for locally verifying a user.

Valid values:

  • PRESENCE_INTERNAL

  • FINGERPRINT_INTERNAL

  • PASSCODE_INTERNAL

  • VOICEPRINT_INTERNAL

  • FACEPRINT_INTERNAL

  • LOCATION_INTERNAL

  • EYEPRINT_INTERNAL

  • PATTERN_INTERNAL

  • HANDPRINT_INTERNAL

  • PASSCODE_EXTERNAL

  • PATTERN_EXTERNAL

  • NONE

Example:

["FINGERPRINT_INTERNAL", "PASSCODE_INTERNAL", "PASSCODE_EXTERNAL"]

keyProtection

Array of strings

Describes the method an authenticator uses to protect the private key.

Valid values:

  • SOFTWARE

  • HARDWARE

  • TEE

  • SECURE_ELEMENT

  • REMOTE_HANDLE

Example:

["SOFTWARE"]

authCertLevel

Array of strings

Describes the level of Certification. (For more information, refer to the FIDO documentation on authenticator certification levels.)

Valid values:

  • NOT_FIDO_CERTIFIED

  • FIDO_CERTIFIED

  • FIDO_CERTIFIED_L1

  • FIDO_CERTIFIED_L1_PLUS

  • FIDO_CERTIFIED_L2

  • FIDO_CERTIFIED_L3

  • FIDO_CERTIFIED_L3_PLUS

Example:

["FIDO_CERTIFIED_L1"]

minAuthenticatorVersion

Integer

Describes the minimum version of the authenticator.

Example:

2


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
ESC

Ozzy, our interactive help assistant