Product Documentation
  • A successful FIDO2_0 response (accompanied by a 200 OK) will look similar to the following JSON object. Please note that the keys attribute returns an array and may have multiple FIDO credentials returned in the array:

    {
      "Response": {
        "keys": [{
          "keyid": "1-1-22",
          "fidoProtocol": "FIDO2_0",
          "credentialId": "JVfFNxwf6zK8WdLwJOrvDAZLdvYrryFpgJNFu-8zq75bPC7FSx47wIOyk4yDyEnQ0vlkWOKAMwYs15BW3xWJoDq0VkBIVWPHeUuRhDrqzclJ6nQJwW13M9RfdbGlgIo-aPK_Y4Wd0x6drSJIXSyJDzs7FdzFrj0PtpaanVA_1ie8qsACY5YKHgTjvp5yPxXkDu8z3nsGn6aQLmaAe5psaqJxyU3o8qofXVOCuV0HivI",
          "aaguid": "2fc0579f-8113-47ea-b116-bb5a8db9202a",
          "createLocation": "Cupertino, CA",
          "createDate": 1615845872000,
          "lastusedLocation": "Sunnyvale, CA",
          "lastUsedDate": 1616031951000,
          "modifyDate": 1616031951000,
          "status": "Active",
          "displayName": "Biometric Trustkey",
          "attestationFormat": "packed"
        },
        {
          "keyid": "1-1-73567",
          "fidoProtocol": "FIDO2_0",
          "credentialId": "WBQ0-B9MOEC2LwUn4Vi2K5uA_iDhg3oj7ZJiWG9A5ViFQO6yW1xtf9RGPX-f-Zx3BuS0xavJRey8mJuazZDOAGTnWc3JGH7UGTQzrcwhgizmDJ4t1MrLLjAYQrp64ML_LS9bpWe6_iaAhNHJTDhbeJcgB-Dfigu22xRfSdWbDNacloqveMoSUXuXO8ogJA0AWSq9nxL9MjI7YYV7Z3KOtg36JBe8crPuleQ5Ru_0L30",
          "aaguid": "2fc0579f-8113-47ea-b116-bb5a8db9202a",
          "createLocation": "Cupertino, CA",
          "createDate": 1615845332000,
          "lastusedLocation": "Cupertino, CA",
          "lastUsedDate": 1624381242480,
          "modifyDate": 1624381242480,
          "status": "Active",
          "displayName": "Blue Yubikey",
          "attestationFormat": "packed"
        }]
      },
      "responseCode":"FIDO-MSG-0012",
      "skfsVersion":"4.14.0",
      "skfsFQDN":"example.strongkey.com",
      "TXID":"1-1-169-1679354369053"
    }


  • A successful FIDO2_0 response with "skfs.cfg.property.return.MDS" set to true (accompanied by a 200 OK) will look similar to the following JSON object. Please note that the keys attribute returns an array and may have multiple FIDO credentials returned in the array:

    {
        "Response": {
            "keys": [{
                "keyid": "1-1-20",
                "fidoProtocol": "FIDO2_0",
                "credentialId": "druV1muSPEBmxgXIi7gcg2qRB5eMShakMci54ojhv1Mw827wKxDUu9qlc2Q7H3AHLSoQxqJWD0CjjBolqnUsvQ",
                "aaguid": "2fc0579f-8113-47ea-b116-bb5a8db9202a",
                "createLocation": "Sunnyvale, CA",
                "createDate": 1659649888000,
                "lastusedLocation": "Not used yet",
                "lastUsedDate": 0,
                "modifyDate": 0,
                "status": "Active",
                "displayName": "Initial_Key",
                "attestationFormat": "fido-u2f",
                "MDSEntry": null
            },
            {
                "keyid": "1-1-21",
                "fidoProtocol": "FIDO2_0",
                "credentialId": "_7UXP0-Bhqcy8zRZem1U2hRXbKl5fKc1LZacJvG_LiQRJ-1AdTolGNofd_WJmEat28wmmR_T9Lxsacyio5vyIA",
                "aaguid": "2fc0579f-8113-47ea-b116-bb5a8db9202a",
                "createLocation": "Sunnyvale, CA",
                "createDate": 1659649904000,
                "lastusedLocation": "Not used yet",
                "lastUsedDate": 0,
                "modifyDate": 0,
                "status": "Active",
                "displayName": "12",
                "attestationFormat": "packed",
                "MDSEntry": {
                    "aaguid": "6d44ba9b-f6ec-2e49-b930-0c8fe920cb73",
                    "metadataStatement": {
                        "legalHeader": "https://fidoalliance.org/metadata/metadata-statement-legal-header/",
                        "aaguid": "6d44ba9b-f6ec-2e49-b930-0c8fe920cb73",
                        "description": "Security Key by Yubico with NFC",
                        "authenticatorVersion": 50100,
                        "protocolFamily": "fido2",
                        "schema": 3,
                        "upv": [{
                            "major": 1,
                            "minor": 0
                        }],
                        "authenticationAlgorithms": ["ed25519_eddsa_sha512_raw", "secp256r1_ecdsa_sha256_raw"],
                        "publicKeyAlgAndEncodings": ["cose"],
                        "attestationTypes": ["basic_full"],
                        "userVerificationDetails": [
                            [{
                                "userVerificationMethod": "presence_internal"
                            }, {
                                "userVerificationMethod": "none"
                            }, {
                                "userVerificationMethod": "passcode_internal",
                                "caDesc": {
                                    "base": 64,
                                    "minLength": 4,
                                    "maxRetries": 8,
                                    "blockSlowdown": 0
                                }
                            }]
                        ],
                        "keyProtection": ["hardware", "secure_element"],
                        "matcherProtection": ["on_chip"],
                        "cryptoStrength": 128,
                        "attachmentHint": ["external", "wired", "wireless", "nfc"],
                        "tcDisplay": [],
                        "attestationRootCertificates": ["MIIDHjCCAgagAwIBAgIEG0BT9zANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/jwYuhBVlqaiYWEMsrWFisgJ+PtM91eSrpI4TK7U53mwCIawSDHy8vUmk5N2KAj9abvT9NP5SMS1hQi3usxoYGonXQgfO6ZXyUA9a+KAkqdFnBnlyugSeCOep8EdZFfsaRFtMjkwz5Gcz2Py4vIYvCdMHPtwaz0bVuzneueIEz6TnQjE63Rdt2zbwnebwTG5ZybeWSwbzy+BJ34ZHcUhPAY89yJQXuE0IzMZFcEBbPNRbWECRKgjq//qT9nmDOFVlSRCt2wiqPSzluwn+v+suQEBsUjTGMEd25tKXXTkNW21wIWbxeSyUoTXwLvGS6xlwQSgNpk2qXYwf8iXg7VWZAgMBAAGjQjBAMB0GA1UdDgQWBBQgIvz0bNGJhjgpToksyKpP9xv9oDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAjvjuOMDSa+JXFCLyBKsycXtBVZsJ4Ue3LbaEsPY4MYN/hIQ5ZM5p7EjfcnMG4CtYkNsfNHc0AhBLdq45rnT87q/6O3vUEtNMafbhU6kthX7Y+9XFN9NpmYxr+ekVY5xOxi8h9JDIgoMP4VB1uS0aunL1IGqrNooL9mmFnL2kLVVee6/VR6C5+KSTCMCWppMuJIZII2v9o4dkoZ8Y7QRjQlLfYzd3qGtKbw7xaF1UsG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqcU9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw=="],
                        "icon": "data:image/png;base64,...",
                        "authenticatorGetInfo": {
                            "versions": ["U2F_V2", "FIDO_2_0"],
                            "extensions": ["hmac-secret"],
                            "aaguid": "6d44ba9bf6ec2e49b9300c8fe920cb73",
                            "options": {
                                "plat": false,
                                "rk": true,
                                "clientPin": true,
                                "up": true
                            },
                            "maxMsgSize": 1200,
                            "pinUvAuthProtocols": [1]
                        }
                    },
                    "statusReports": [{
                        "status": "FIDO_CERTIFIED_L1",
                        "effectiveDate": "2020-05-12",
                        "certificationDescriptor": "Security Key by Yubico with NFC",
                        "certificateNumber": "FIDO20020180918001",
                        "certificationPolicyVersion": "1.1.0",
                        "certificationRequirementsVersion": "1.2"
                    }, {
                        "status": "FIDO_CERTIFIED",
                        "effectiveDate": "2020-05-12"
                    }],
                    "timeOfLastStatusChange": "2020-05-12"
                }
            }]
        },
        "responseCode": "FIDO-MSG-0012",
        "skfsVersion":"4.14F.0",
        "skfsFQDN":"example.strongkey.com",
        "TXID":"1-1-169-1679354369053"
    }

Response Description

Value

Explanation

Response

The enveloping JSON object that returns an array of keys (see below).

 

keys Description

NOTE: The keys attribute returns an array and may have multiple FIDO credentials returned in the array—as shown above in this example.

Value

Explanation

keyid

A string that uniquely identifies the key, in a format resembling the following examples (with different values):

1-1-234898734

2-1-15870

4-3-9562533

The digit preceding the first hyphen (“-”) represents the SKFS unique Server ID.

The digit between the two hyphens represents a cryptographic domain—a concept implemented in the StrongKey Tellaro appliance. In a software-only deployment of the SKFS, this will always be 1.

The number following the last hyphen represents a unique key identifier within the specific SKFS server and cryptographic domain in which the credential was registered.

As a result, within an SKFS cluster, a keyid with this “triple” will always be unique for every key.

Applications being developed with this web service should plan to build in the logic to parse and retrieve the keyid and use it as a parameter for the deregister or other web services that pertain to operations on specific FIDO credentials.

fidoProtocol

This attribute indicates whether the key is using the legacy Universal 2nd Factor (U2F) or the current FIDO2 protocol.

NOTE: As FIDO2/WebAuthn is the standard that every platform vendor supports currently, U2F has been deprecated by the FIDO Alliance. While SKFS will currently support U2F for a little longer, it is strongly recommended that RP sites do NOT use U2F beyond 2022.

credentialId

The unique identifier of the FIDO credential, known as credentialId within the Web Authentication (WebAuthn) JavaScript API. It is returned base64url-encoded.

aaguid

The AAGUID of the authenticator used when this FIDO credential was registered.

createLocation

If available and enabled on the client device, this attribute provides the resolution of Global Positioning System (GPS) coordinates ascertained by applications, where the credential was created.

createDate

The date and time on which this credential was registered on SKFS.

lastUsedLocation

If available and enabled on the client device, this attribute provides the resolution of GPS coordinates ascertained by applications where the credential was last used by the user.

lastUsedDate

The date and time on which this credential was last used to authenticate within SKFS.

modifyDate

The date and time on which this credential record was modified within SKFS.

status

The current status of the credential—Active or Inactive. When a credential is marked Inactive in SKFS, it cannot be used to authenticate or sign business transactions.

Business applications can use this attribute to suspend FIDO credentials temporarily for any reason, and reinstate them when the reason for suspension is no longer true.

displayName

A label assigned to the unique authenticator used when registering with SKFS.

If this is the first registration (“genesis registration”) of the user with the application using SKFS, it is recommended the web application assign a fixed name to such genesis registrations such as, “Initial Registration,” or something equivalent. Since a well-designed FIDO application will allow the user to assign user-friendly names to additional authenticators they register with SKFS—such as “iPhone Key,” “HP laptop,” “Blue Security Key,” etc.—having the “Initial Registration” will allow the original registration to be distinguishable from all other authenticators.

NOTE: FIDO allows users to have as many authenticators as they might choose to access the application. In fact, it is reasonable for users to have multiple authenticators to access web applications in case they lose one of them; this will allow users an alternate authenticator to access the account, so they can delete the lost authenticator credential.

attestationFormat

This attribute provides information about the specific format used by the FIDO authenticator to send an attestation about the new FIDO credential it generated. This occurs only during the registration process.

NOTE: This information is of little use to end users, but is valuable to FIDO administrators as well as security officers in troubleshooting or forensic analysis, if necessary. It is recommended that this information is displayed only within applications focused on these two roles.
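
The keyid parsing recommended above, as an added example that is not StrongKey's own code: it validates each keyid as a server-domain-key triple before it is passed to another web service, and separates Active credentials from the rest. The function names are hypothetical, the sample response is constructed, and two things are assumed from the sample values on this page: keyid parts are decimal digits only, and the date fields are epoch milliseconds.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample, trimmed to the fields used below (values are illustrative).
SAMPLE = json.dumps({
    "Response": {"keys": [
        {"keyid": "1-1-20", "fidoProtocol": "FIDO2_0", "status": "Active",
         "displayName": "Initial_Key", "lastUsedDate": 0, "MDSEntry": None},
        {"keyid": "1-1-21", "fidoProtocol": "FIDO2_0", "status": "Inactive",
         "displayName": "12", "lastUsedDate": 1659650000000,
         "MDSEntry": {"statusReports": [{"status": "FIDO_CERTIFIED_L1"}]}},
        {"keyid": "not-a-keyid", "fidoProtocol": "FIDO2_0", "status": "Active"},
    ]},
    "responseCode": "FIDO-MSG-0012",
})

# Assumed shape: <server ID>-<domain ID>-<key number>, decimal digits only.
KEYID_RE = re.compile(r"[0-9]+-[0-9]+-[0-9]+")

def parse_keyid(keyid):
    """Split a keyid into its (server, domain, key) triple, or raise ValueError."""
    if not isinstance(keyid, str) or not KEYID_RE.fullmatch(keyid):
        raise ValueError(f"malformed keyid: {keyid!r}")
    return tuple(int(part) for part in keyid.split("-"))

def summarize_keys(raw):
    """Return (usable, rejected): Active keys with parsed triples, and the rest with a reason."""
    usable, rejected = [], []
    for key in json.loads(raw).get("Response", {}).get("keys", []):
        try:
            triple = parse_keyid(key.get("keyid"))
        except ValueError as exc:
            rejected.append((key.get("keyid"), str(exc)))
            continue
        if key.get("status") != "Active":
            rejected.append((key["keyid"], "status is not Active"))
            continue
        last = key.get("lastUsedDate") or 0  # 0 accompanies "Not used yet" in the samples
        usable.append({
            "keyid": key["keyid"],
            "triple": triple,
            "displayName": key.get("displayName"),
            # Assumption: dates are epoch milliseconds.
            "lastUsed": datetime.fromtimestamp(last / 1000, tz=timezone.utc) if last else None,
            "hasMDSEntry": key.get("MDSEntry") is not None,
        })
    return usable, rejected
```

Rejecting a keyid that does not match the triple format before forwarding it keeps malformed or unexpected values out of the deregister and related calls.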