FIDO2-Based Authentication and Registration (FIDO2 Policy)
- Parent policy: N.A.
The FIDO2 match criteria fields tables below list the match criteria fields used in this policy; for descriptions of valid values, refer to the FIDO Registry.
Field | Type | Description |
---|---|---|
allowSelfAttestation | boolean | Attestation cryptographically proves at registration time that a user holds a specific device model. The attestation key is a keypair burned into the device at manufacturing time and specific to that device model. During registration, the generated credentials are signed with the attestation private key, so the service that registers the user can verify that the credentials came from the device. The allowSelfAttestation flag controls whether the Relying Party accepts self-signed certificates at registration instead of an attestation certificate that chains back to a root certificate. |

Field | Type | Description |
---|---|---|
aaguid | Array of strings | Each FIDO2 authenticator model has an attestation ID (AAGUID) that uniquely identifies the type of authenticator. Valid values: UUIDv4 format. Example: ["7a98c250-6808-11cf-b73b-00aa00b677a7"] |
attestationCertificateKeyIdentifier | Array of strings | FIDO U2F authenticators do not support AAGUIDs; instead, their attestation certificates uniquely identify the authenticator model. Valid values: hex string matching [0-9a-f]+. Example: ["1434d2f277fe479c35ddf6aa4d08a07cbce99dd7"] |
userVerification | Array of strings | Describes the methods and capabilities a FIDO2 authenticator uses to verify the user locally. Valid values: refer to the FIDO Registry. Example: ["FINGERPRINT_INTERNAL", "PASSCODE_INTERNAL", "PASSCODE_EXTERNAL"] |
keyProtection | Array of strings | Describes the method an authenticator uses to protect the private key. Valid values: refer to the FIDO Registry. Example: ["SOFTWARE"] |
authCertLevel | Array of strings | Describes the FIDO certification level of the authenticator (for more information, refer to the FIDO documentation on authenticator certification levels). Valid values: refer to the FIDO Registry. Example: ["FIDO_CERTIFIED_L1"] |
minAuthenticatorVersion | Integer | The minimum authenticator version the policy accepts. Example: 2 |
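As an added example (not the product's own code or configuration), the following Python checks a policy's identifier lists against the value formats given above and evaluates a registration against the match criteria. The matching semantics (any listed value satisfies an array criterion; either the AAGUID or the attestation certificate key identifier must be listed; an attestation type of "self" is refused unless allowSelfAttestation is true), the authenticator metadata field names and the sample values are assumptions.

```python
import re
import uuid
# Constructed policy using the example values from the tables above.
POLICY = {
    "allowSelfAttestation": False,
    "aaguid": ["7a98c250-6808-11cf-b73b-00aa00b677a7"],
    "attestationCertificateKeyIdentifier": ["1434d2f277fe479c35ddf6aa4d08a07cbce99dd7"],
    "userVerification": ["FINGERPRINT_INTERNAL", "PASSCODE_INTERNAL", "PASSCODE_EXTERNAL"],
    "keyProtection": ["SOFTWARE"],
    "authCertLevel": ["FIDO_CERTIFIED_L1"],
    "minAuthenticatorVersion": 2,
}
HEX_RE = re.compile(r"^[0-9a-f]+$")  # format given for attestationCertificateKeyIdentifier

def validate_policy(policy):
    """Return the formatting problems found in a policy's identifier lists."""
    problems = []
    for value in policy.get("aaguid", []):
        try:
            uuid.UUID(value)  # AAGUIDs must parse as UUID strings
        except ValueError:
            problems.append(f"aaguid is not a UUID: {value}")
    for value in policy.get("attestationCertificateKeyIdentifier", []):
        if not HEX_RE.match(value):
            problems.append(f"attestationCertificateKeyIdentifier is not lowercase hex: {value}")
    return problems

def evaluate(policy, auth):
    """Return (accepted, reasons) for authenticator metadata 'auth' (assumed field names)."""
    reasons = []
    if auth.get("attestationType") == "self" and not policy.get("allowSelfAttestation", False):
        reasons.append("self attestation is not allowed")
    model_known = (auth.get("aaguid") in policy.get("aaguid", [])
                   or auth.get("attestationCertificateKeyIdentifier")
                   in policy.get("attestationCertificateKeyIdentifier", []))
    if not model_known:
        reasons.append("authenticator model is not on the allow list")
    for field in ("userVerification", "keyProtection", "authCertLevel"):
        allowed = set(policy.get(field, []))  # empty list means the criterion is unused
        if allowed and not allowed.intersection(auth.get(field, [])):
            reasons.append(f"{field} does not match any allowed value")
    if auth.get("version", 0) < policy.get("minAuthenticatorVersion", 0):
        reasons.append("authenticator version is below the minimum")
    return not reasons, reasons

# Constructed registration metadata for an authenticator with the listed AAGUID.
SAMPLE_AUTH = {"aaguid": "7a98c250-6808-11cf-b73b-00aa00b677a7", "attestationType": "basic",
               "userVerification": ["FINGERPRINT_INTERNAL"], "keyProtection": ["SOFTWARE"],
               "authCertLevel": ["FIDO_CERTIFIED_L1"], "version": 2}
```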