Configure FIDO2 security key restrictions

This week is all about FIDO2 security keys. More specifically about configuring FIDO2 security key restrictions to make sure that users can only use specific FIDO2 security keys, or to prevent users from using specific FIDO2 security keys. That makes this blog post a follow up on this post about enabling password-less sign-in with security keys. In this post I’ll provide a short introduction about the FIDO2 security key AAGUID (and how to find it), followed by the steps to configure the FIDO2 security key restrictions. I’ll end this post by looking at the end-user experience.

FIDO2 security key AAGUID

According to the FIDO2 specification each authenticator should provide an Authenticator Attestation GUID (AAGUID) during attestation. An AAGUID is a 128-bit identifier that indicates the type (for example make and model) of the authenticator. The AAGUID should be identical across identical authenticators that are created by the same manufacturer, and should be different from the AAGUID of authenticators of different types and different manufacturers. To ensure this, the AAGUID is randomly generated.

The AAGUID of a FIDO2 security can be used to configure restrictions for the end-users, by either only allowing specific FIDO2 security keys based on their AAGUID or by only blocking specific FIDO2 security keys based on their AAGUID. To help with that some manufactures (like Yubico) provide a complete list of the AAGUIDs of their FIDO2 security keys.

When this information is not easily available, it’s possible to find the AAGUID by using the script that’s available in the Python-FIDO2 library provided by Yubico. That script can make the device WINK, which will provide the information about the FIDO2 security that includes the AAGUID. Below (in Figure 1) is an example of FIDO2 security key that is sending a WINK. The information provided when sending the WINK includes the AAGUID and on some devices also the FIDO2 security key name and model.

Another method to retrieve the AAGUID of a FIDO2 security key is to register the security key as a sign-in method. That can be achieved via the Security method section of My account. After registering the security key, the AAGUID can be found with the security key as shown below in Figure 2.

Below is an overview of the FIDO2 security keys that I’ve had available during testing, including their AAGUID.

FIDO2 security keyFIDO2 AAGUID
Yubikey 5 NFC (Firmware version: 5.1.x)fa2b99dc9e3942578f924a30d23c4118
Yubikey 5C (Firmware version: 5.1.x)cb69481e8ff7403993ec0a2729a154a8
Feitian ePass FIDO-NFC Security Key K9ee041bce25e54cdb8f86897fd6418464
Feitian BioPass FIDO2 Security Key K2677010bd7212a4fc9b236d2ca5e9d4084
Feitian BioPass FIDO2 Security Key K2777010bd7212a4fc9b236d2ca5e9d4084
Feitian BioPass FIDO2 Security Key K3312ded7454bed47d4abaae713f51d6393
eWBM Goldengate Security Key G31095442b2ef15e4defb270efb106facb4e
eWBM Goldengate Security Key G32087dbc5a14c944dc88a4797d800fd1f3c

Configuring FIDO2 security key restriction

The configuration steps are pretty straightforward and can be achieved by adjusting the FIDO2 Security Keys authentication method. That can be achieved by performing the 3 steps mentioned below. Those steps are fully focussed on configuring the KEY RESTRICTION POLICY. When the FIDO2 Security Keys authentication method is not yet enabled, make sure to also perform the required actions for that. In other words, make sure to enable the authentication method and configure the target of the authentication method.

  1. Open the Azure portal and navigate to Azure Active Directory Security > Authentication methods Authentication method policy (preview) to open the Authentication methods – Authentication method policy (preview) blade
  2. On the Authentication methods – Authentication method policy (preview) blade, select FIDO2 Security Key to open the FIDO2 Security Key settings section
  3. On the FIDO2 Security Key settings section, provide at least the following information (see also Figure 3 for an overview of the available options) and click Save
  • Enforce key restrictions: Select Yes
  • Restrict specific keys: Select Block to create a key restriction policy that will blacklist the specified AAGUIDs and select Allow to create a key restriction policy that will whitelist the specified AAGUIDs
  • Click Add AAGUID and specify the specific AAGUIDs that should be blocked (blacklisted) or allowed (whitelisted)

End-user experience

Let’s end this post by having a look at the end-user experience. When the end-user wants to register a security key (either not on whitelist, or on the blacklist), via the Security info section in My Profile, the end-user can walk through the complete process of adding another sign-in method. At the end of the process, the end-user will receive an error with the message that the particular key type has been blocked by the organization. The message doesn’t provide a list of supported security keys.

More information

For more information about password-less authentication deployment and password-less FIDO2 security keys, refer to the following articles:

2 thoughts on “Configure FIDO2 security key restrictions”

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.