Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Authenticator policy

Authenticator policy samples

search

Authenticator policy samples

Refer to the samples below for a starters' guide to creating a policy:

Basic 2FA

  • Security key
  • No user verification
  • No metadata service validation needed (no certification) with self or packed attestation accepted
{
    "name": "Basic 2FA",
    "discoverable": "discouraged",
    "userVerification": "discouraged",
    "metadata": "no",
    "backupEligible": "false",
    "deviceType": [
        "security-key"
    ]
}

Certified 2FA

  • Security key
  • No user verification
  • Metadata service validation needed (certification level >= 1) with trusted attestation
{
    "name": "Certified 2FA",
    "discoverable": "discouraged",
    "userVerification": "discouraged",
    "metadata": "certified-1",
    "backupEligible": "false",
    "deviceType": [
        "security-key"
    ]
}

Allow-listed 2FA

  • Security key
  • No user verification
  • Metadata service validation needed with trusted attestation
  • Allow-listed AAGUID
{
    "name": "Whitelisted 2FA",
    "discoverable": "discouraged",
    "userVerification": "discouraged",
    "metadata": "listed",
    "whitelist": [
        "8671581a-6f50-480b-a8c0-517e17ed12d1"
    ],
    "backupEligible": "false",
    "deviceType": [
        "security-key"
    ]
}

Password replacement

  • Discoverable credential
  • With user verification
  • Can be synchronized
  • No metadata service validation needed (no certification), no attestation
{
    "name": "Password Replacement",
    "discoverable": "preferred",
    "userVerification": "required",
    "metadata": "no"
}

Device bound passkey

  • Discoverable credential
  • With user verification
  • Must not be synchronized
  • No metadata service validation needed (no certification), no attestation
{
    "name": "Device Bound Passkey",
    "discoverable": "preferred",
    "userVerification": "required",
    "backupEligible": "false"
    "metadata": "no"
}

Allow-listed passkey

  • Discoverable credential
  • With user verification
  • Metadata service validation needed with trusted attestation
  • Allow-listed AAGUID
{
    "name": "Whitelisted passkey",
    "discoverable": "preferred",
    "userVerification": "required",
    "backupEligible": "true"
    "metadata": "listed",
    "whitelist": [
        "8671581a-6f50-480b-a8c0-517e17ed12d1"
    ]
}

On this page