FIDO Attestation
Purpose of FIDO Attestation
The following summary provides an overview of the FIDO Attestation process:
- During passkey enrollment, the passkey (device-bound or synced) provides an Attestation Certificate as part of the FIDO enrollment package.
- DigitalPersona Server verifies the Attestation Certificate provided against a list of trusted Attestation Certificates. Alternatively, DigitalPersona Server may verify the signature on the Attestation Certificate against the list of trusted Attestation Root Certificates.
- If DigitalPersona Server fails to verify the Attestation Certificate provided, it refuses the FIDO enrollment request.
  Note: FIDO Attestation is only possible during the enrollment process. Therefore we can assume that users will not be able to enroll "untrusted" passkeys and use them for passkey authentication.
- If DigitalPersona Server is able to validate the Attestation Certificate provided, it then verifies the signature over the new credential's public key against the Attestation Certificate.
- If the above steps are successful, DigitalPersona Server enrolls the passkey.
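The server-side checks in the summary above, as an added example written for this page (it is not DigitalPersona's code; Go is used because its standard library can build and verify X.509 chains offline). The vendor root, the Attestation Certificate, the attestation key and the credential public key are all constructed here; TrustedByList and ChainsToRoot are the two alternatives for the first check, CredentialSigned is the second, and a false result from either is the point at which enrollment would be refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tmpl is a constructed certificate template: valid from an hour ago for one day.
func tmpl(serial int64, cn string, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

// NewRootAndAttestation builds a constructed chain: a self-signed vendor root (an Attestation Root Certificate), the Attestation Certificate it issues, and the attestation key a passkey of that vendor would hold.
func NewRootAndAttestation(vendor string) (root, att *x509.Certificate, attKey *ecdsa.PrivateKey) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must := func(der []byte, err error) *x509.Certificate { // inputs are constructed, so a failure here is a bug
		if err != nil { panic(err) }
		c, _ := x509.ParseCertificate(der)
		return c
	}
	rootTmpl := tmpl(1, vendor+" Attestation Root", true)
	root = must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))
	att = must(x509.CreateCertificate(rand.Reader, tmpl(2, vendor+" Authenticator Attestation", false), root, &attKey.PublicKey, rootKey))
	return root, att, attKey
}

// TrustedByList is check 1a: the presented Attestation Certificate itself is on the trusted list, keyed by the SHA-256 thumbprint of its DER encoding.
func TrustedByList(att *x509.Certificate, trusted map[[32]byte]bool) bool { return trusted[sha256.Sum256(att.Raw)] }

// ChainsToRoot is check 1b: the Attestation Certificate's signature verifies against a trusted Attestation Root Certificate (validity period and basic constraints are checked along the way).
func ChainsToRoot(att *x509.Certificate, roots *x509.CertPool) bool {
	_, err := att.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// SignEnrollment is the passkey's side of the exchange: the attestation key signs the new credential's public key.
func SignEnrollment(attKey *ecdsa.PrivateKey, credPub []byte) []byte {
	digest := sha256.Sum256(credPub)
	sig, _ := ecdsa.SignASN1(rand.Reader, attKey, digest[:])
	return sig
}

// CredentialSigned is check 2: the enrollment signature over the credential public key verifies with the key in the (already trusted) Attestation Certificate.
func CredentialSigned(att *x509.Certificate, credPub, sig []byte) bool {
	return att.CheckSignature(x509.ECDSAWithSHA256, credPub, sig) == nil
}
```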
Using the DigitalPersona FIDO Attestation Management Utility
The DigitalPersona FIDO Attestation Management utility is used to manage Attestation Certificates in the DigitalPersona FIDO Attestation Certificate Store.
To run the utility:
- Open the GPO Editor and navigate to the following GPO:
  Computer Configuration\Policies\Software Settings\HID DigitalPersona Client\Security\FIDO
- Click the FIDO Attestation Certificates setting to launch the DigitalPersona FIDO Attestation Management utility.
Using this utility, you can enable or disable the FIDO Attestation policy and view a description of the policy on the Explanation tab.
- If Disabled or Not Configured, users are allowed to enroll any passkey.
- If Enabled, you can:
  - See a list of previously uploaded FIDO Attestation Certificates.
  - Remove any listed FIDO Attestation Certificate.
  - Add a new FIDO Attestation Certificate by uploading the certificate from a file or from a passkey.
Add an Attestation Certificate from a File
To add (upload) an Attestation Certificate from a file:
- In the FIDO Attestation Certificates Properties dialog, click Add from file.
  The Open dialog displays.
- Choose the certificate (.cer) file you want to add and click Open.
  The Attestation Certificate from the file is added to the DigitalPersona FIDO Attestation Certificate Store.
Add Attestation Certificate from a Passkey
To add an Attestation Certificate from a passkey:
- In the FIDO Attestation Certificates Properties dialog, click Add from device.
  The standard Microsoft WebAuthn dialog displays, requesting that you insert your security key into the USB port.
- Insert a passkey into a USB port (or place a passkey on an attached NFC reader).
  The next dialog asks you to take action on your security key.
- Touch your passkey.
  The Attestation Certificate from the passkey is added to the DigitalPersona FIDO Attestation Certificate Store.