Sample FIDO2 policies
The following sample policies demonstrate how you can configure FIDO2 policies to meet your organization's security needs. Note that every sample sets "allowSelfAttestation": true; when a policy restricts authenticators by model (aaguid) or certification level, review whether accepting self-attested registrations is appropriate, since a self-attested registration is not vouched for by a manufacturer attestation chain.
Example 1: Allow all authenticators
{
"name": "Allow All",
"fido": {
"fido2": {
"allowSelfAttestation":true,
"accepted": [{}]
},
"u2f": {
"accepted": [{}]
}
}
}
Example 2: Do not allow any authenticators
{
"name": "Don't allow any",
"fido": {
"fido2": {
"allowSelfAttestation":true,
"accepted": []
},
"u2f": {
"accepted": []
}
}
}
Example 3: Allow only FIDO2 authenticators, but not U2F authenticators
{
"name": "Allow all fido2",
"fido": {
"fido2": {
"allowSelfAttestation":true,
"accepted": [{}]
},
"u2f": {
"accepted": []
}
}
}
Example 4: Allow all FIDO-certified authenticators
{
"name": "Default Policy",
"fido": {
"fido2": {
"allowSelfAttestation":true,
"accepted": [{}],
"disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
},
"u2f": {
"accepted": [{}],
"disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
}
}
}
Example 5: Allow only a specific FIDO2 authenticator model
{
"name": "Allow only OneSpan Fido Touch",
"fido": {
"fido2": {
"allowSelfAttestation":true,
"accepted": [{"aaguid": ["30b5035e-d297-4fc1-b00b-addc96ba6a97"]}]
},
"u2f": {
"accepted": []
}
}
}
Example 6: Allow only a specific U2F authenticator model
{
"name": "Allow only YubiKey Bio Series",
"fido": {
"fido2": {
"allowSelfAttestation":true,
"accepted": []
},
"u2f": {
"accepted": [{"attestationCertificateKeyIdentifier": ["786544772ecc9d3e85049222ae33226345b59c69"]}]
}
}
}
Example 7: Allow FIDO-certified authenticators that support only internal user verification methods
{
"name": "Allow certified authenticators that support only internal user verification methods",
"fido": {
"fido2": {
"allowSelfAttestation":true,
"accepted": [{"userVerification": ["PRESENCE_INTERNAL","FINGERPRINT_INTERNAL","PASSCODE_INTERNAL","VOICEPRINT_INTERNAL","FACEPRINT_INTERNAL","LOCATION_INTERNAL","EYEPRINT_INTERNAL","PATTERN_INTERNAL","HANDPRINT_INTERNAL"]}],
"disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}, {"userVerification":["PASSCODE_EXTERNAL","PATTERN_EXTERNAL"]}]
},
"u2f": {
"accepted": [{"userVerification": ["PRESENCE_INTERNAL","FINGERPRINT_INTERNAL","PASSCODE_INTERNAL","VOICEPRINT_INTERNAL","FACEPRINT_INTERNAL","LOCATION_INTERNAL","EYEPRINT_INTERNAL","PATTERN_INTERNAL","HANDPRINT_INTERNAL"]}],
"disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}, {"userVerification":["PASSCODE_EXTERNAL","PATTERN_EXTERNAL"]}]
}
}
}
Example 8: Allow FIDO-certified authenticators above level 1
{
"name": "Allow certified authenticators above level 1",
"fido": {
"fido2": {
"allowSelfAttestation":true,
"accepted": [{"authCertLevel":["FIDO_CERTIFIED_L2","FIDO_CERTIFIED_L3","FIDO_CERTIFIED_L3_PLUS"]}]
},
"u2f": {
"accepted": [{"authCertLevel":["FIDO_CERTIFIED_L2","FIDO_CERTIFIED_L3","FIDO_CERTIFIED_L3_PLUS"]}]
}
}
}
Example 9: Allow FIDO-certified authenticators that use hardware key protection
{
"name": "Allow certified authenticators that use hardware key protection",
"fido": {
"fido2": {
"allowSelfAttestation":true,
"accepted": [{"keyProtection": ["HARDWARE"]}],
"disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
},
"u2f": {
"accepted": [{"keyProtection": ["HARDWARE"]}],
"disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
}
}
}
Example 10: Disallow authenticators that use software key protection
{
"name": "Disallow authenticators that use software key protection",
"fido": {
"fido2": {
"allowSelfAttestation":true,
"accepted": [{}],
"disallowed": [{"keyProtection": ["SOFTWARE"]}]
},
"u2f": {
"accepted": [{}],
"disallowed": [{"keyProtection": ["SOFTWARE"]}]
}
}
}
Example 11: Allow authenticators that support fingerprint or faceprint user verification and are L1 certified, or that support passcode user verification and are L2 certified
{
"name": "Allow authenticators that support fingerprint or faceprint user verification and are L1 certified or that support passcode user verification and are L2 certified",
"fido": {
"fido2": {
"allowSelfAttestation":true,
"accepted": [{"userVerification":["FINGERPRINT_INTERNAL","FACEPRINT_INTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L1"]},
{"userVerification":["PASSCODE_INTERNAL","PASSCODE_EXTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L2"]}]
},
"u2f": {
"accepted": [{"userVerification":["FINGERPRINT_INTERNAL","FACEPRINT_INTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L1"]},
{"userVerification":["PASSCODE_INTERNAL","PASSCODE_EXTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L2"]}]
}
}
}