Sample FIDO2 Policies
  • 25 Oct 2024
  • 2 Minutes à lire
  • Sombre
    Lumière

Sample FIDO2 Policies

  • Sombre
    Lumière

The content is currently unavailable in French. You are viewing the default English version.
Résumé de l’article

The following sample policies demonstrate how you can configure FIDO2 policies to meet your organization's security needs.

Example 1: Allow all authenticators

{
  "name": "Allow All",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{}]
     },
     "u2f": {
      "accepted": [{}]
     }
  }
}

Example 2: Do not allow any authenticators

{
  "name": "Don't allow any",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": []
     },
     "u2f": {
      "accepted": []
     }
  }
}

Example 3: Allow only FIDO2 authenticators, but not U2F authenticators

{
  "name": "Allow all fido2",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{}]
     },
     "u2f": {
      "accepted": []
     }
  }
}

Example 4: Allow all FIDO-certified authenticators

{
  "name": "Default Policy",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
     },
     "u2f": {
      "accepted": [{}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
     }
  }
}

Example 5: Allow only a specific FIDO2 authenticator model

{
  "name": "Allow only OneSpan Fido Touch",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{"aaguid": ["30b5035e-d297-4fc1-b00b-addc96ba6a97"]}]
     },
     "u2f": {
      "accepted": []
     }
  }
}

Example 6: Allow only a specific U2F authenticator model

{
  "name": "Allow only YubiKey Bio Series",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": []
     },
     "u2f": {
      "accepted": [{"attestationCertificateKeyIdentifier": ["786544772ecc9d3e85049222ae33226345b59c69"]}]
     }
  }
}

Example 7: Allow FIDO-certified authenticators that support only internal user verification methods

{
  "name": "Allow certified authenticators that support only internal user verification methods",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{"userVerification": ["PRESENCE_INTERNAL","FINGERPRINT_INTERNAL","PASSCODE_INTERNAL","VOICEPRINT_INTERNAL","FACEPRINT_INTERNAL","LOCATION_INTERNAL","EYEPRINT_INTERNAL","PATTERN_INTERNAL","HANDPRINT_INTERNAL"]}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}, {"userVerification":["PASSCODE_EXTERNAL","PATTERN_EXTERNAL"]}]
     },
     "u2f": {
      "accepted": [{"userVerification": ["PRESENCE_INTERNAL","FINGERPRINT_INTERNAL","PASSCODE_INTERNAL","VOICEPRINT_INTERNAL","FACEPRINT_INTERNAL","LOCATION_INTERNAL","EYEPRINT_INTERNAL","PATTERN_INTERNAL","HANDPRINT_INTERNAL"]}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}, {"userVerification":["PASSCODE_EXTERNAL","PATTERN_EXTERNAL"]}]
     }
  }
}

Example 8: Allow FIDO-certified authenticators above level 1

{
  "name": "Allow certified authenticators above level 1",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{"authCertLevel":["FIDO_CERTIFIED_L2","FIDO_CERTIFIED_L3","FIDO_CERTIFIED_L3_PLUS"]}]
     },
     "u2f": {
      "accepted": [{"authCertLevel":["FIDO_CERTIFIED_L2","FIDO_CERTIFIED_L3","FIDO_CERTIFIED_L3_PLUS"]}]
     }
  }
}

Example 9: Allow FIDO-certified authenticators that use hardware key protection

{
  "name": "Allow certified authenticators that use hardware key protection",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{"keyProtection": ["HARDWARE"]}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
     },
     "u2f": {
      "accepted": [{"keyProtection": ["HARDWARE"]}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
     }
  }
}

Example 10: Disallow authenticators that use software key protection

{
  "name": "Disallow authenticators that use software key protection",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{}],
      "disallowed": [{"keyProtection": ["SOFTWARE"]}]
     },
     "u2f": {
      "accepted": [{}],
      "disallowed": [{"keyProtection": ["SOFTWARE"]}]
     }
  }
}

Example 11: Allow authenticators that support fingerprint or faceprint user verfication and are L1 certified or that support passcode user verification and are L2 certified

{
  "name": "Allow authenticators that support fingerprint or faceprint user verfication and are L1 certified or that support passcode user verification and are L2 certified",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{"userVerification":["FINGERPRINT_INTERNAL","FACEPRINT_INTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L1"]},
                   {"userVerification":["PASSCODE_INTERNAL","PASSCODE_EXTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L2"]}]
     },
     "u2f": {
      "accepted": [{"userVerification":["FINGERPRINT_INTERNAL","FACEPRINT_INTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L1"]},
                   {"userVerification":["PASSCODE_INTERNAL","PASSCODE_EXTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L2"]}]
     }
  }
}


Cet article vous a-t-il été utile ?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
ESC

Ozzy, facilitant la découverte de connaissances grâce à l’intelligence conversationnelle