Sample FIDO2 policies

The following sample policies demonstrate how you can configure FIDO2 policies to meet your organization's security needs.

Example 1: Allow all authenticators

{
  "name": "Allow All",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{}]
     },
     "u2f": {
      "accepted": [{}]
     }
  }
}

Example 2: Do not allow any authenticators

{
  "name": "Don't allow any",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": []
     },
     "u2f": {
      "accepted": []
     }
  }
}

Example 3: Allow only FIDO2 authenticators, but not U2F authenticators

{
  "name": "Allow all fido2",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{}]
     },
     "u2f": {
      "accepted": []
     }
  }
}

Example 4: Allow all FIDO-certified authenticators

{
  "name": "Default Policy",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
     },
     "u2f": {
      "accepted": [{}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
     }
  }
}

Example 5: Allow only a specific FIDO2 authenticator model

{
  "name": "Allow only OneSpan Fido Touch",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{"aaguid": ["30b5035e-d297-4fc1-b00b-addc96ba6a97"]}]
     },
     "u2f": {
      "accepted": []
     }
  }
}

Example 6: Allow only a specific U2F authenticator model

{
  "name": "Allow only YubiKey Bio Series",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": []
     },
     "u2f": {
      "accepted": [{"attestationCertificateKeyIdentifier": ["786544772ecc9d3e85049222ae33226345b59c69"]}]
     }
  }
}

Example 7: Allow FIDO-certified authenticators that support only internal user verification methods

{
  "name": "Allow certified authenticators that support only internal user verification methods",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{"userVerification": ["PRESENCE_INTERNAL","FINGERPRINT_INTERNAL","PASSCODE_INTERNAL","VOICEPRINT_INTERNAL","FACEPRINT_INTERNAL","LOCATION_INTERNAL","EYEPRINT_INTERNAL","PATTERN_INTERNAL","HANDPRINT_INTERNAL"]}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}, {"userVerification":["PASSCODE_EXTERNAL","PATTERN_EXTERNAL"]}]
     },
     "u2f": {
      "accepted": [{"userVerification": ["PRESENCE_INTERNAL","FINGERPRINT_INTERNAL","PASSCODE_INTERNAL","VOICEPRINT_INTERNAL","FACEPRINT_INTERNAL","LOCATION_INTERNAL","EYEPRINT_INTERNAL","PATTERN_INTERNAL","HANDPRINT_INTERNAL"]}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}, {"userVerification":["PASSCODE_EXTERNAL","PATTERN_EXTERNAL"]}]
     }
  }
}

Example 8: Allow FIDO-certified authenticators above level 1

{
  "name": "Allow certified authenticators above level 1",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{"authCertLevel":["FIDO_CERTIFIED_L2","FIDO_CERTIFIED_L3","FIDO_CERTIFIED_L3_PLUS"]}]
     },
     "u2f": {
      "accepted": [{"authCertLevel":["FIDO_CERTIFIED_L2","FIDO_CERTIFIED_L3","FIDO_CERTIFIED_L3_PLUS"]}]
     }
  }
}

Example 9: Allow FIDO-certified authenticators that use hardware key protection

{
  "name": "Allow certified authenticators that use hardware key protection",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{"keyProtection": ["HARDWARE"]}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
     },
     "u2f": {
      "accepted": [{"keyProtection": ["HARDWARE"]}],
      "disallowed": [{"authCertLevel":["NOT_FIDO_CERTIFIED"]}]
     }
  }
}

Example 10: Disallow authenticators that use software key protection

{
  "name": "Disallow authenticators that use software key protection",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{}],
      "disallowed": [{"keyProtection": ["SOFTWARE"]}]
     },
     "u2f": {
      "accepted": [{}],
      "disallowed": [{"keyProtection": ["SOFTWARE"]}]
     }
  }
}

Example 11: Allow authenticators that support fingerprint or faceprint user verification and are L1 certified, or that support passcode user verification and are L2 certified

{
  "name": "Allow authenticators that support fingerprint or faceprint user verification and are L1 certified or that support passcode user verification and are L2 certified",
  "fido": {
    "fido2": {
      "allowSelfAttestation":true,
      "accepted": [{"userVerification":["FINGERPRINT_INTERNAL","FACEPRINT_INTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L1"]},
                   {"userVerification":["PASSCODE_INTERNAL","PASSCODE_EXTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L2"]}]
     },
     "u2f": {
      "accepted": [{"userVerification":["FINGERPRINT_INTERNAL","FACEPRINT_INTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L1"]},
                   {"userVerification":["PASSCODE_INTERNAL","PASSCODE_EXTERNAL"],"authCertLevel":["FIDO_CERTIFIED_L2"]}]
     }
  }
}