When we introduced WebAuthn the configuration was incredibly basic. As time has progressed we've added a lot of security and trust focused options so that more of the technology's capabilities can be used. This section contains various recommended configurations.
The following is a configuration that’s compliant with NIST recommendations.
```yaml
# yaml-language-server: $schema=https://www.authelia.com/schemas/latest/json-schema/configuration.json
webauthn:
  enable_passkey_login: true
  attestation_conveyance_preference: 'direct'
  filtering:
    prohibit_backup_eligibility: true
  metadata:
    enabled: true
    validate_trust_anchor: true
    validate_entry: true
    validate_status: true
    validate_entry_permit_zero_aaguid: false
```
Some areas of the configuration allow filtering devices based on the metadata status. The following table lists those status values.

| Value | Description |
|---|---|
| NOT_FIDO_CERTIFIED | This authenticator is not FIDO certified. |
| FIDO_CERTIFIED | This authenticator has passed FIDO functional certification. This certification scheme is being phased out and will be replaced by FIDO_CERTIFIED_L1. |
| FIDO_CERTIFIED_L1 | The authenticator has passed FIDO Authenticator certification at level 1. This level is the more strict successor of FIDO_CERTIFIED. |
| FIDO_CERTIFIED_L1plus | The authenticator has passed FIDO Authenticator certification at level 1+. This level is more strict than level 1. |
| FIDO_CERTIFIED_L2 | The authenticator has passed FIDO Authenticator certification at level 2. This level is more strict than level 1+. |
| FIDO_CERTIFIED_L2plus | The authenticator has passed FIDO Authenticator certification at level 2+. This level is more strict than level 2. |
| FIDO_CERTIFIED_L3 | The authenticator has passed FIDO Authenticator certification at level 3. This level is more strict than level 2+. |
| FIDO_CERTIFIED_L3plus | The authenticator has passed FIDO Authenticator certification at level 3+. This level is more strict than level 3. |
| USER_VERIFICATION_BYPASS | Security: Indicates that malware is able to bypass the user verification. This means that the authenticator could be used without the user's consent and potentially even without the user's knowledge. |
| ATTESTATION_KEY_COMPROMISE | Security: Indicates that an attestation key for this authenticator is known to be compromised. The relying party SHOULD check the certificate field and use it to identify the compromised authenticator batch. If the certificate field is not set, the relying party should reject all new registrations of the compromised authenticator. The authenticator manufacturer should set the date to the date on which the compromise occurred. |
| USER_KEY_REMOTE_COMPROMISE | Security: This authenticator has identified weaknesses that allow registered keys to be compromised and should not be trusted. This includes, for example, weak entropy that causes predictable keys to be generated, or side channels that allow keys or signatures to be forged, guessed or extracted. |
| USER_KEY_PHYSICAL_COMPROMISE | Security: This authenticator has identified weaknesses that allow registered keys to be compromised and should not be trusted. This includes, for example, weak entropy that causes predictable keys to be generated, or side channels that allow keys or signatures to be forged, guessed or extracted. |
| UPDATE_AVAILABLE | A software or firmware update is available for the device. |
| REVOKED | The FIDO Alliance has determined that this authenticator should not be trusted for any reason, for example if it is known to be a fraudulent product or to contain a deliberate backdoor. Relying parties SHOULD reject any future registration of this authenticator model. |
| SELF_ASSERTION_SUBMITTED | The authenticator vendor has completed and submitted the self-certification checklist to the FIDO Alliance. If this completed checklist is publicly available, the URL will be specified in the url field. |
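To make the filtering idea concrete, here is an added example (written for this page, not Authelia's own code or its metadata library) that applies a status policy to a constructed status history for one authenticator model. The `StatusReport` type, the ordering of certification levels, and the policy itself are assumptions: any security status or REVOKED anywhere in the history refuses the model, the highest certification level reached must meet a configured minimum, and a status value the code does not recognise fails closed.

```go
package main

import "fmt"

// StatusReport is a constructed stand-in for one element of the
// statusReports array in a FIDO Metadata Service (MDS) entry. It is an
// assumption for this example and not a type from Authelia or its
// metadata library.
type StatusReport struct {
	Status        string // a value from the status table above
	EffectiveDate string // date the status took effect; "" when not set
}

// undesired holds the security statuses after which a model should not be
// accepted for new registrations (REVOKED plus the four "Security:" rows).
var undesired = map[string]bool{
	"USER_VERIFICATION_BYPASS":     true,
	"ATTESTATION_KEY_COMPROMISE":   true,
	"USER_KEY_REMOTE_COMPROMISE":   true,
	"USER_KEY_PHYSICAL_COMPROMISE": true,
	"REVOKED":                      true,
}

// certificationRank orders certification statuses from least to most
// strict, following the "more strict than" chain in the table. The
// legacy FIDO_CERTIFIED is treated as equivalent to level 1 (assumption).
var certificationRank = map[string]int{
	"NOT_FIDO_CERTIFIED":       0,
	"SELF_ASSERTION_SUBMITTED": 0,
	"FIDO_CERTIFIED":           1,
	"FIDO_CERTIFIED_L1":        1,
	"FIDO_CERTIFIED_L1plus":    2,
	"FIDO_CERTIFIED_L2":        3,
	"FIDO_CERTIFIED_L2plus":    4,
	"FIDO_CERTIFIED_L3":        5,
	"FIDO_CERTIFIED_L3plus":    6,
}

// Decision records the outcome and the first reason that decided it.
type Decision struct {
	Permitted bool
	Reason    string
}

// EvaluateStatusReports decides whether a model's status history permits
// new registrations. Policy assumed for this example:
//   - any undesired status anywhere in the history refuses the model; a
//     later UPDATE_AVAILABLE or certification report does not undo it;
//   - the highest certification level reached must be at least minimum;
//   - a status this code does not recognise refuses the model, so that a
//     new MDS value fails closed rather than being silently accepted.
func EvaluateStatusReports(reports []StatusReport, minimum string) Decision {
	minRank, ok := certificationRank[minimum]
	if !ok {
		return Decision{false, fmt.Sprintf("unknown minimum certification %q", minimum)}
	}
	best := -1 // no certification status seen yet
	for _, r := range reports {
		if undesired[r.Status] {
			return Decision{false, fmt.Sprintf("undesired status %s (effective %q)", r.Status, r.EffectiveDate)}
		}
		if r.Status == "UPDATE_AVAILABLE" {
			continue // informational; does not change the certification level
		}
		rank, known := certificationRank[r.Status]
		if !known {
			return Decision{false, fmt.Sprintf("unrecognised status %q", r.Status)}
		}
		if rank > best {
			best = rank
		}
	}
	if best < minRank {
		return Decision{false, fmt.Sprintf("certification level below %s", minimum)}
	}
	return Decision{true, "permitted"}
}

func main() {
	// Constructed sample histories, not data from the real MDS BLOB.
	samples := []struct {
		name    string
		history []StatusReport
	}{
		{"certified-l1", []StatusReport{
			{"NOT_FIDO_CERTIFIED", "2019-01-01"},
			{"FIDO_CERTIFIED_L1", "2020-06-15"},
			{"UPDATE_AVAILABLE", "2021-03-02"},
		}},
		{"compromised", []StatusReport{
			{"FIDO_CERTIFIED_L2", "2020-06-15"},
			{"USER_KEY_REMOTE_COMPROMISE", "2022-09-30"},
		}},
		{"self-asserted", []StatusReport{
			{"SELF_ASSERTION_SUBMITTED", "2023-01-10"},
		}},
	}
	for _, s := range samples {
		d := EvaluateStatusReports(s.history, "FIDO_CERTIFIED_L1")
		fmt.Printf("%-14s permitted=%-5t %s\n", s.name, d.Permitted, d.Reason)
	}
}
```

The point of scanning the whole history rather than only the latest report is that an UPDATE_AVAILABLE or fresh certification entry published after a compromise does not restore trust in keys already registered from that model; the refusal reason is returned so it can be logged alongside the rejected registration attempt.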