Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Authenticator policy

Authenticator policy samples

search

Please Note:

Authenticator policy samples

The following authenticator policy samples provide a getting started guide for creating a policy:

Basic 2FA

  • Security key
  • No user verification

  • No metadata service validation needed (no certification) with self or packed attestation accepted

    !javascript

    { "name": "Basic 2FA", "discoverable": "discouraged", "userVerification": "discouraged", "metadata": "no", "backupEligible": "false", "deviceType": [ "security-key" ] }

Certified 2FA

  • Security key
  • No user verification

  • Metadata service validation needed (certification level >= 1) with trusted attestation

    !javascript

    { "name": "Certified 2FA", "discoverable": "discouraged", "userVerification": "discouraged", "metadata": "certified-1", "backupEligible": "false", "deviceType": [ "security-key" ] }

Allow-listed 2FA

  • Security key
  • No user verification
  • Metadata service validation needed with trusted attestation

  • Allow-listed AAGUID

    !javascript

    { "name": "Allow-listed 2FA", "discoverable": "discouraged", "userVerification": "discouraged", "metadata": "listed", "whitelist": [ "8671581a-6f50-480b-a8c0-517e17ed12d1" ], "backupEligible": "false", "deviceType": [ "security-key" ] }

Password replacement

  • Discoverable credential
  • With user verification
  • Can be synchronized

  • No metadata service validation needed (no certification), no attestation

    !javascript

    { "name": "Password Replacement", "discoverable": "preferred", "userVerification": "required", "metadata": "no" }

Device bound passkey

  • Discoverable credential
  • With user verification
  • Must not be synchronized

  • No metadata service validation needed (no certification), no attestation

    !javascript

    { "name": "Device Bound Passkey", "discoverable": "preferred", "userVerification": "required", "backupEligible": "false", "metadata": "no" }

Allow-listed passkey

  • Discoverable credential
  • With user verification
  • Metadata service validation needed with trusted attestation

  • Allow-listed AAGUID

    !javascript

    { "name": "Allow-listed passkey", "discoverable": "preferred", "userVerification": "required", "backupEligible": "true", "metadata": "listed", "whitelist": [ "8671581a-6f50-480b-a8c0-517e17ed12d1" ] }

Authenticator lockout

  • Platform authenticator (passkey)
  • With user verification

  • Lock out after 5 failed attempts within 5 minutes (300 seconds), for 1 hour (3600 seconds)

    !javascript

    { "name": "Passkey with Lockout", "discoverable": "preferred", "userVerification": "required", "metadata": "no", "authenticatorLockout": { "maxFailures": 5, "windowSeconds": 300, "blockSeconds": 3600 } }

On this page