A restrictive (high-assurance) policy. What makes it restrictive is visible in the JSON below: registration is limited to a single allowed AAGUID (`allowedAaguids`), attestation must be conveyed `direct` and must use the `tpm` format, the authenticator must be a `platform` attachment with `userVerification` required, discoverable credentials are required, a signature counter is `mandatory`, integrity signatures are enabled, and cross-origin requests are disabled. Any authenticator that does not meet every one of these constraints will be rejected at registration:
Follow the linked FIDO Policy definitions page for the meaning of each field and its permitted values.
{
"FidoPolicy": {
"name": "RestrictedSKFSPolicy-TPM",
"copyright": "StrongAuth, Inc. (DBA StrongKey) All Rights Reserved",
"version": "2.0",
"startDate": "1695937015",
"endDate": "1760103870871",
"system": {
"did": 5,
"requireCounter": "mandatory",
"integritySignatures": true,
"userVerification": ["required"],
"userPresenceTimeout": 30,
"allowedAaguids": ["08987058-cadc-4b81-b6e1-30de50dcbe96"],
"transport": ["usb", "internal"]
},
"crossOrigin": {
"enabled": false,
"allowedOrigins": []
},
"algorithms": {
"curves": ["secp256r1", "secp384r1", "secp521r1", "curve25519"],
"rsa": ["RS256", "RS384", "RS512", "PS256", "PS384", "PS512"],
"signatures": ["ES256", "ES384", "ES512", "EdDSA", "ES256K"]
},
"attestation": {
"conveyance": ["direct"],
"formats": ["tpm"]
},
"registration": {
"displayName": "required",
"attachment": ["platform"],
"discoverableCredential": ["required"],
"excludeCredentials": "enabled"
},
"authentication": {
"allowCredentials": "enabled"
},
"authorization": {
"maxdataLength": 256,
"preserve": true
},
"rp": {
"id": "strongkey.com",
"name": "FIDOServer"
},
"extensions": {},
"mds": {
"authenticatorStatusReport": [{
"status": "FIDO_CERTIFIED_L1",
"priority": "1",
"decision": "IGNORE"
}, {
"status": "FIDO_CERTIFIED_L2",
"priority": "1",
"decision": "ACCEPT"
}, {
"status": "UPDATE_AVAILABLE",
"priority": "5",
"decision": "IGNORE"
}, {
"status": "REVOKED",
"priority": "10",
"decision": "DENY"
}]
},
"jwt": {
"algorithms": ["ES256", "ES384", "ES521"],
"duration": 30,
"required": ["rpid", "iat", "exp", "cip", "uname", "agent"]
},
"signcerts": {
"rootca": {
"subjectdn": "CN=StrongKey FIDO Server RootCA,OU=DID 5,O=StrongKey",
"serialnumber": "457757928",
"pemcert": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----",
"jwtcerts": {
"default": [{
"subjectdn": "CN=SKFS JWT Signer 1,OU=DID 5,O=StrongKey",
"serialnumber": "1044059111",
"pemcert": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----"
}, {
"subjectdn": "CN=SKFS JWT Signer 2,OU=DID 5,O=StrongKey",
"serialnumber": "54975275",
"pemcert": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----"
}, {
"subjectdn": "CN=SKFS JWT Signer 3,OU=DID 5,O=StrongKey",
"serialnumber": "1887482710",
"pemcert": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----"
}]
},
"samlcerts": {
"default": [{
"subjectdn": "CN=SKFS SAML Signer 1,OU=DID 5,O=StrongKey",
"serialnumber": "616137185",
"pemcert": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----"
}, {
"subjectdn": "CN=SKFS SAML Signer 2,OU=DID 5,O=StrongKey",
"serialnumber": "918581893",
"pemcert": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----"
}, {
"subjectdn": "CN=SKFS SAML Signer 3,OU=DID 5,O=StrongKey",
"serialnumber": "812234217",
"pemcert": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----"
}],
"citrixidp": {
"subjectdn": "CN=SKFS SAML Signer 1,OU=DID 5,O=StrongKey",
"serialnumber": "616137185",
"pemcert": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----"
}
}
}
}
}
}
To learn more about the SKFS FIDO Policy, check out the SKFS FIDO Policy JSON Schema. Before deploying a copy of this example, validate it against that schema and review a few points a practitioner would want to confirm: `startDate` ("1695937015", ten digits) and `endDate` ("1760103870871", thirteen digits) appear to be expressed in different units (seconds vs. milliseconds since the epoch), so check which unit the schema expects and that the policy is actually in force for the intended window; the `jwt.algorithms` entry "ES521" differs from the "ES512" used in `algorithms.signatures`, so confirm it is the identifier the SKFS schema accepts rather than a typo; and the `mds.authenticatorStatusReport` entries only ACCEPT `FIDO_CERTIFIED_L2` while IGNOREing `FIDO_CERTIFIED_L1` and `UPDATE_AVAILABLE`, so verify this matches the certification level you intend to require. The certificate bodies in `signcerts` have been elided here and must be replaced with your own deployment's certificates.