Product Documentation

If aaguids is set, then the attestation formats option must be restricted to only packed and tpm.

AAGUIDs (Authenticator Attestation GUIDs) are 128-bit Authenticator model identifiers assigned by the Authenticator's manufacturer. A manufacturer creates an AAGUID for each model of Authenticator it produces so that the model, and the properties that go with it, can be easily confirmed by the Relying Party. By default SKFS accepts all AAGUIDs. This option restricts the Authenticator models SKFS will accept to those whose AAGUIDs are listed. Restricting the accepted models adds a layer of standardization and security: if a company distributes a single model of Authenticator to all of its employees for signing in to an internal website, it can restrict SKFS to that Authenticator's AAGUID. Any registration attempt with a different Authenticator, for example by a non-employee, is then automatically rejected, and the irregularity is logged in SKFS. Note that an AAGUID is only as trustworthy as the attestation that vouches for it: currently only two attestation formats, packed and tpm, pass a verifiable AAGUID to SKFS during the registration process. This is why, if aaguids are specified, attestation formats should contain only the packed and tpm formats.

Allowed Values:

  • all: Accept all Authenticators regardless of AAGUID. This does not restrict Authenticators by make or model. The benefit of this option is that it allows the greatest variety of Authenticators; the drawback is that acceptance is completely unrestricted. Allowing every Authenticator (that meets the other option criteria) can make it easier for a bad actor to reach the RP, since they can register with whichever Authenticator they already have instead of needing the Authenticator model required by SKFS.
  • specify specific aaguids to accept: SKFS rejects every Authenticator whose AAGUID is not in the specified list, that is, any make or model other than the approved ones. This makes it harder for a bad actor to reach the RP, since any Authenticator they hold that is not an approved model is rejected automatically. Another benefit is that you can guarantee certain security features are present in the Authenticators SKFS accepts, by listing only models that have those features.
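As an added illustration (this is example code, not SKFS code and not a description of SKFS internals), the following Python shows where the AAGUID sits inside WebAuthn authenticator data and how a Relying Party can apply the two settings above: "all" versus an explicit allowlist. The AAGUIDs, the authenticator data and the stub COSE key are constructed for the example and identify no real authenticator model; the format check mirrors the rule stated above that only packed and tpm convey a verifiable AAGUID, and rejections are logged as the documentation describes.

```python
"""Added example (not SKFS code): applying an AAGUID allowlist to a
WebAuthn registration the way the aaguids option is described above."""
import hashlib
import logging
import struct
import uuid
from typing import Set, Tuple, Union

log = logging.getLogger("aaguid-policy")

# Flag bits in the authenticator-data flags byte (WebAuthn authenticator data).
FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data is included

# Per the documentation above, only these formats carry an AAGUID the RP
# can tie back to a verified attestation.
AAGUID_BEARING_FORMATS = {"packed", "tpm"}

# Constructed placeholder AAGUIDs for this example; they identify no real
# authenticator model.
CORPORATE_MODEL = uuid.UUID("11111111-2222-3333-4444-555555555555")
OTHER_MODEL = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
ZERO_AAGUID = uuid.UUID(int=0)


def parse_attested_credential(auth_data: bytes) -> Tuple[uuid.UUID, bytes]:
    """Extract the AAGUID and credential ID from WebAuthn authenticator data.

    Layout: rpIdHash (32) | flags (1) | signCount (4) | attestedCredentialData,
    where attestedCredentialData = aaguid (16) | credIdLen (2, big-endian) |
    credentialId | credentialPublicKey (COSE key, remainder of the buffer).
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the fixed header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("no attested credential data in registration response")
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("truncated attested credential data")
    aaguid = uuid.UUID(bytes=auth_data[37:53])
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("credential ID length exceeds buffer")
    return aaguid, cred_id


def check_aaguid_policy(auth_data: bytes, fmt: str,
                        allowed: Union[str, Set[uuid.UUID]]) -> Tuple[bool, str]:
    """Decide a registration under either allowed value: "all" or an AAGUID set."""
    if allowed == "all":
        return True, "aaguid policy disabled; any model accepted"
    if fmt not in AAGUID_BEARING_FORMATS:
        reason = f"attestation format {fmt!r} does not convey a verifiable AAGUID"
        log.warning("registration rejected: %s", reason)
        return False, reason
    try:
        aaguid, _cred_id = parse_attested_credential(auth_data)
    except ValueError as exc:
        log.warning("registration rejected: %s", exc)
        return False, str(exc)
    if aaguid == ZERO_AAGUID:
        reason = "AAGUID is all zeros; no model identity was asserted"
        log.warning("registration rejected: %s", reason)
        return False, reason
    if aaguid not in allowed:
        reason = f"AAGUID {aaguid} is not an approved authenticator model"
        log.warning("registration rejected: %s", reason)
        return False, reason
    return True, f"AAGUID {aaguid} approved"


def build_auth_data(aaguid: uuid.UUID, rp_id: str = "example.com") -> bytes:
    """Constructed sample authenticator data for the example (not a capture)."""
    cred_id = b"\x01" * 32
    cose_key_stub = b"\xa5"  # placeholder where the COSE_Key map would sit
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_UP | FLAG_AT])
            + struct.pack(">I", 0)
            + aaguid.bytes
            + struct.pack(">H", len(cred_id))
            + cred_id
            + cose_key_stub)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    policy = {CORPORATE_MODEL}
    for fmt, model in [("packed", CORPORATE_MODEL), ("packed", OTHER_MODEL),
                       ("fido-u2f", CORPORATE_MODEL), ("none", ZERO_AAGUID)]:
        ok, why = check_aaguid_policy(build_auth_data(model), fmt, policy)
        print(f"{fmt:9s} {model} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The order of the checks matters: the format is tested before the AAGUID is even read, because an AAGUID taken from a self-attested or "none" registration has nothing vouching for it and would let a client assert any model it likes. In a real deployment the AAGUID comparison would follow, not replace, full verification of the attestation statement and its certificate chain.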