Login
    Contents x
    FIDO2-Based Authentication and Registration (FIDO2 Policy)
    • 22 Oct 2024
    • 1 Minute to read
    • Dark
      Light
    Contents

    FIDO2-Based Authentication and Registration (FIDO2 Policy)

    • Updated on 22 Oct 2024
    • 1 Minute to read
    • Dark
      Light
    Article summary

    • Parent policy: N.A.

    FIDO2 match criteria fields lists the match criteria fields used in this policy; for descriptions of valid values, refer to the FIDO Registry.

    FIDO2 policy configuration fields

    Field

    Type

    Description

    allowSelfAttestation

    boolean

    Attestation is used to cryptographically prove that a user has a specific device model at registration time. It is a keypair burned into the device at manufacturing time that is specific to a device model. During registration, the generated credentials are signed with the attestation private key and the service that registers the user can verify that the credentials came from the device.

    The allowSelfAttestation flag controls whether the RelyingParty accepts self-signed certificates at registration instead of an attestation certificate that chains back to some root certificate.

    FIDO2 match criteria fields

    Field

    Type

    Description

    aaguid

    Array of strings

    Each FIDO2 authenticator model has an attestation ID (AAGUID) that uniquely identifies the type of authenticator.

    Valid values: UUIDv4 format

    Example:

    ["7a98c250-6808-11cf-b73b-00aa00b677a7"]

    attestationCertificateKeyIdentifier

    Array of strings

    FIDO U2F authenticators do not support AAGUID, however they use attestation certificates to uniquely identify the authenticator model.

    Valid values: Hex string, Format: [0-9a-f]+

    Example:

    ["1434d2f277fe479c35ddf6aa4d08a07cbce99dd7"]

    userVerification

    Array of strings

    Describes the methods and capabilities of a FIDO2 authenticator for locally verifying a user.

    Valid values:

    • PRESENCE_INTERNAL

    • FINGERPRINT_INTERNAL

    • PASSCODE_INTERNAL

    • VOICEPRINT_INTERNAL

    • FACEPRINT_INTERNAL

    • LOCATION_INTERNAL

    • EYEPRINT_INTERNAL

    • PATTERN_INTERNAL

    • HANDPRINT_INTERNAL

    • PASSCODE_EXTERNAL

    • PATTERN_EXTERNAL

    • NONE

    Example:

    ["FINGERPRINT_INTERNAL", "PASSCODE_INTERNAL", "PASSCODE_EXTERNAL"]

    keyProtection

    Array of strings

    Describes the method an authenticator uses to protect the private key.

    Valid values:

    • SOFTWARE

    • HARDWARE

    • TEE

    • SECURE_ELEMENT

    • REMOTE_HANDLE

    Example:

    ["SOFTWARE"]

    authCertLevel

    Array of strings

    Describes the level of Certification. (For more information, refer to the FIDO documentation on authenticator certification levels.)

    Valid values:

    • NOT_FIDO_CERTIFIED

    • FIDO_CERTIFIED

    • FIDO_CERTIFIED_L1

    • FIDO_CERTIFIED_L1_PLUS

    • FIDO_CERTIFIED_L2

    • FIDO_CERTIFIED_L3

    • FIDO_CERTIFIED_L3_PLUS

    Example:

    ["FIDO_CERTIFIED_L1"]

    minAuthenticatorVersion

    Integer

    Describes the minimum version of the authenticator.

    Example:

    2

    Was this article helpful?
    What's Next
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout
    ESC

    Ozzy, our interactive help assistant