FIDO2-Based Authentication and Registration (FIDO2 Policy)

  • Parent policy: N.A.

The FIDO2 match criteria fields table below lists the match criteria fields used in this policy; for descriptions of the valid values, refer to the FIDO Registry of Predefined Values.

FIDO2 policy configuration fields
Field Type Description
allowSelfAttestation boolean

Attestation lets an authenticator cryptographically prove, at registration time, which make and model it is. The attestation key pair and its certificate are provisioned at manufacturing time and are shared by a batch of devices of the same model, so the certificate identifies the model, not an individual device. During registration the authenticator signs the newly generated credential public key (together with the client data hash) with the attestation private key; the relying party verifies that signature and checks that the attestation certificate chains to a root it trusts, for example one published in the FIDO Metadata Service, before believing any claim about the device.

The allowSelfAttestation flag controls whether the relying party accepts self attestation at registration. In self attestation the authenticator has no attestation key pair and signs the attestation statement with the newly created credential private key itself, so there is no attestation certificate chaining to a root. Accepting it means the authenticator's make, model and AAGUID cannot be verified, and the metadata-derived match criteria below cannot be trusted for that registration; enable it only where that trade-off is acceptable.

FIDO2 match criteria fields
Field Type Description
aaguid Array of strings

Each FIDO2 authenticator model has an Authenticator Attestation GUID (AAGUID), a 128-bit identifier that identifies the make and model of the authenticator, not an individual device. The AAGUID reported in the authenticator data is only trustworthy when the registration carries attestation that the relying party has verified.

Valid values: UUID string format (8-4-4-4-12 hexadecimal digits)

Example:

["7a98c250-6808-11cf-b73b-00aa00b677a7"]

attestationCertificateKeyIdentifier Array of strings

FIDO U2F authenticators have no AAGUID. Instead, their model is identified by the key identifier of the attestation certificate: the SHA-1 hash of the certificate's subjectPublicKey, encoded as a hex string (the RFC 5280 section 4.2.1.2 method 1 key identifier that FIDO metadata statements use for attestationCertificateKeyIdentifiers).

Valid values: lowercase hex string matching [0-9a-f]+

Example:

["1434d2f277fe479c35ddf6aa4d08a07cbce99dd7"]
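The following is an added example (not code from this documentation or the product) showing how an attestationCertificateKeyIdentifier is derived so that a policy value can be checked against a real certificate: the identifier is the SHA-1 hash of the subjectPublicKey BIT STRING value taken from the attestation certificate's SubjectPublicKeyInfo. The DER blob below is a constructed P-256 SubjectPublicKeyInfo with filler coordinates, not a real attestation key, and the helper names are this example's own.

```python
"""Derive a FIDO attestationCertificateKeyIdentifier from a DER SubjectPublicKeyInfo.

Added example, not part of the original page. The identifier is the RFC 5280
section 4.2.1.2 method 1 key identifier: SHA-1 over the subjectPublicKey BIT
STRING value, excluding its tag, length and the unused-bits octet.
"""
import hashlib
import re

# Constructed sample: DER SubjectPublicKeyInfo for an EC P-256 public key.
# The X/Y coordinates are filler bytes, not a point from a real certificate.
SAMPLE_SPKI = bytes.fromhex(
    "3059"                      # SEQUENCE, 89 bytes
    "3013"                      # SEQUENCE (AlgorithmIdentifier), 19 bytes
    "06072a8648ce3d0201"        # OID 1.2.840.10045.2.1 (ecPublicKey)
    "06082a8648ce3d030107"      # OID 1.2.840.10045.3.1.7 (prime256v1)
    "034200"                    # BIT STRING, 66 bytes, 0 unused bits
    "04"                        # uncompressed point marker
    + "11" * 32                 # X coordinate (constructed filler)
    + "22" * 32                 # Y coordinate (constructed filler)
)

KEY_ID_FORMAT = re.compile(r"^[0-9a-f]+$")


def _read_tlv(buf: bytes, offset: int):
    """Read one DER tag-length-value; return (tag, value, next_offset)."""
    tag = buf[offset]
    length = buf[offset + 1]
    offset += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[offset:offset + n], "big")
        offset += n
    return tag, buf[offset:offset + length], offset + length


def subject_public_key_bits(spki_der: bytes) -> bytes:
    """Return the subjectPublicKey BIT STRING value (without the unused-bits octet)."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, _alg, off = _read_tlv(spki, 0)     # AlgorithmIdentifier is not hashed
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, bitstr, _ = _read_tlv(spki, off)
    if tag != 0x03:
        raise ValueError("expected subjectPublicKey BIT STRING")
    if bitstr[0] != 0:
        raise ValueError("subjectPublicKey with unused bits is not expected here")
    return bitstr[1:]


def attestation_certificate_key_identifier(spki_der: bytes) -> str:
    """SHA-1 of the subjectPublicKey bits, as a lowercase hex string."""
    return hashlib.sha1(subject_public_key_bits(spki_der)).hexdigest()


def matches_policy(key_id: str, policy_ids: list[str]) -> bool:
    """True if key_id is one of the policy's attestationCertificateKeyIdentifier values.

    Comparison is case-insensitive; anything that is not a hex string is rejected.
    """
    key_id = key_id.lower()
    if not KEY_ID_FORMAT.match(key_id):
        raise ValueError("key identifier must be a hex string")
    return key_id in {p.lower() for p in policy_ids}


if __name__ == "__main__":
    print(attestation_certificate_key_identifier(SAMPLE_SPKI))
```

In practice the SubjectPublicKeyInfo comes from the first certificate in the attestation statement's x5c chain; with the `cryptography` library, `cert.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)` yields exactly the input this function expects.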

userVerification Array of strings

Describes the methods and capabilities of a FIDO2 authenticator for locally verifying a user.

Valid values:

  • PRESENCE_INTERNAL
  • FINGERPRINT_INTERNAL
  • PASSCODE_INTERNAL
  • VOICEPRINT_INTERNAL
  • FACEPRINT_INTERNAL
  • LOCATION_INTERNAL
  • EYEPRINT_INTERNAL
  • PATTERN_INTERNAL
  • HANDPRINT_INTERNAL
  • PASSCODE_EXTERNAL
  • PATTERN_EXTERNAL
  • NONE

Example:

["FINGERPRINT_INTERNAL", "PASSCODE_INTERNAL", "PASSCODE_EXTERNAL"]

keyProtection Array of strings

Describes how the authenticator protects the credential private key, as declared in its metadata statement.

Valid values:

  • SOFTWARE
  • HARDWARE
  • TEE
  • SECURE_ELEMENT
  • REMOTE_HANDLE

Example:

["SOFTWARE"]

authCertLevel Array of strings

Describes the FIDO Authenticator Certification level of the authenticator. (For more information, refer to the FIDO documentation on authenticator certification levels.)

Valid values:

  • NOT_FIDO_CERTIFIED
  • FIDO_CERTIFIED
  • FIDO_CERTIFIED_L1
  • FIDO_CERTIFIED_L1_PLUS
  • FIDO_CERTIFIED_L2
  • FIDO_CERTIFIED_L3
  • FIDO_CERTIFIED_L3_PLUS

Example:

["FIDO_CERTIFIED_L1"]

minAuthenticatorVersion Integer

The minimum authenticatorVersion (as reported in the authenticator's metadata statement) required for a match; an authenticator reporting a lower version does not match.

Example:

2
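To show how the match criteria above combine into a single decision, here is an added example (not the product's own implementation) that evaluates a policy's criteria against an authenticator's verified metadata. The field names are the ones on this page; the matching semantics (an array field matches when the authenticator supports any listed value, minAuthenticatorVersion is a lower bound, and nothing is matched unless attestation was verified) and the metadata record layout are this example's assumptions, modelled on FIDO Metadata Statement fields. The sample policy and authenticators are constructed.

```python
"""Evaluate FIDO2 policy match criteria against authenticator metadata.

Added example, not part of the original page. Semantics below are assumptions:
array criteria use any-of matching, minAuthenticatorVersion is a lower bound,
and metadata-derived checks fail closed unless attestation was verified.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthenticatorMetadata:
    """Subset of a metadata statement resolved from the attestation (constructed)."""
    aaguid: Optional[str]                  # None for U2F authenticators
    key_identifiers: list                  # attestationCertificateKeyIdentifiers
    user_verification: set                 # e.g. {"FINGERPRINT_INTERNAL"}
    key_protection: set                    # e.g. {"HARDWARE", "SECURE_ELEMENT"}
    cert_level: str                        # e.g. "FIDO_CERTIFIED_L1"
    authenticator_version: int
    attestation_verified: bool             # False for self attestation or "none"


def normalize_aaguid(value: str) -> str:
    """Accept a UUID with or without dashes; return lowercase 8-4-4-4-12 form."""
    h = value.replace("-", "").lower()
    if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a valid AAGUID: {value!r}")
    return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"


def evaluate(criteria: dict, md: AuthenticatorMetadata) -> list:
    """Return the names of failed criteria; an empty list means the authenticator matches."""
    if not md.attestation_verified:
        # Without verified attestation none of the metadata claims can be trusted.
        return ["attestation not verified"]
    failures = []
    if "aaguid" in criteria:
        allowed = {normalize_aaguid(a) for a in criteria["aaguid"]}
        if md.aaguid is None or normalize_aaguid(md.aaguid) not in allowed:
            failures.append("aaguid")
    if "attestationCertificateKeyIdentifier" in criteria:
        allowed = {k.lower() for k in criteria["attestationCertificateKeyIdentifier"]}
        if not allowed & {k.lower() for k in md.key_identifiers}:
            failures.append("attestationCertificateKeyIdentifier")
    if "userVerification" in criteria:
        if not set(criteria["userVerification"]) & md.user_verification:
            failures.append("userVerification")
    if "keyProtection" in criteria:
        if not set(criteria["keyProtection"]) & md.key_protection:
            failures.append("keyProtection")
    if "authCertLevel" in criteria:
        if md.cert_level not in criteria["authCertLevel"]:
            failures.append("authCertLevel")
    if "minAuthenticatorVersion" in criteria:
        if md.authenticator_version < criteria["minAuthenticatorVersion"]:
            failures.append("minAuthenticatorVersion")
    return failures


# Constructed policy, reusing the example values from this page.
POLICY_CRITERIA = {
    "aaguid": ["7a98c250-6808-11cf-b73b-00aa00b677a7"],
    "userVerification": ["FINGERPRINT_INTERNAL", "PASSCODE_INTERNAL", "PASSCODE_EXTERNAL"],
    "keyProtection": ["HARDWARE", "SECURE_ELEMENT"],
    "authCertLevel": ["FIDO_CERTIFIED_L1", "FIDO_CERTIFIED_L1_PLUS", "FIDO_CERTIFIED_L2"],
    "minAuthenticatorVersion": 2,
}

# Constructed authenticators. The AAGUID is given as raw hex, as it appears in
# authenticator data, to show that normalization is needed before comparing.
GOOD = AuthenticatorMetadata("7A98C250680811CFB73B00AA00B677A7", [],
                             {"FINGERPRINT_INTERNAL", "PRESENCE_INTERNAL"},
                             {"HARDWARE", "SECURE_ELEMENT"}, "FIDO_CERTIFIED_L1", 2, True)
OLD_FIRMWARE = AuthenticatorMetadata(GOOD.aaguid, [], GOOD.user_verification,
                                     GOOD.key_protection, GOOD.cert_level, 1, True)
SOFTWARE_KEY = AuthenticatorMetadata(GOOD.aaguid, [], GOOD.user_verification,
                                     {"SOFTWARE"}, "NOT_FIDO_CERTIFIED", 2, True)
SELF_ATTESTED = AuthenticatorMetadata(GOOD.aaguid, [], GOOD.user_verification,
                                      GOOD.key_protection, GOOD.cert_level, 2, False)

if __name__ == "__main__":
    for name, md in [("good", GOOD), ("old", OLD_FIRMWARE),
                     ("software", SOFTWARE_KEY), ("self", SELF_ATTESTED)]:
        print(name, evaluate(POLICY_CRITERIA, md) or "match")
```

The attestation check comes first because every other field is read from metadata that is only as trustworthy as the attestation chain; whether an unverified (self-attested) registration is allowed to proceed at all is governed separately by allowSelfAttestation, not by the match criteria.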