Version: 10.7.0

FIDO2 Authenticators Granular Control

FIDO2 Authenticators Granular Control allows administrators to manage which authenticators are allowed for use with your applications. This feature uses Authenticator Attestation Globally Unique Identifiers (AAGUIDs) to identify and control specific authenticator models.

Overview

Both the Control Center UI and HYPR API provide methods to manage FIDO2 authenticator policies. The functionality is equivalent regardless of which method you choose.

Common Concepts

AAGUIDs: Each FIDO2 authenticator model (e.g., YubiKey 5, Windows Hello, TouchID) has a unique AAGUID in standard UUID format, for example 00000000-0000-0000-0000-000000000000

Policy Types: You can create either an allowlist (permit specific authenticators) or denylist (block specific authenticators), but not both simultaneously.

Default Behavior: When no policies are configured, all authenticators are permitted.

Shared Capabilities

Both UI and API methods support:

  • Adding authenticators to allowlists or denylists
  • Removing specific authenticators from policies
  • Clearing all policies to return to default state
  • Viewing current policy status
  • Selecting authenticators from the FIDO2 Metadata Service, or entering an AAGUID manually (denylist only)
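The policy semantics described under Common Concepts and the shared capabilities listed above, as an added worked example in Python that is not part of the HYPR documentation and does not use the HYPR API: it extracts the AAGUID from WebAuthn registration authenticator data (rpIdHash, flags, signCount, then attested credential data with the 16-byte AAGUID), then applies an allowlist or denylist that can never hold both types at once and falls back to "everything permitted" when empty. The sample authenticator data and the AAGUID value in it are constructed for the example and identify no real model. Two caveats the code comments repeat: an AAGUID is only as trustworthy as the attestation it arrives in, so the decision should be made after the attestation signature is verified, and when a relying party requests attestation conveyance "none" the browser zeroes the AAGUID, so a policy entry for the all-zero value matches every such authenticator rather than one model.

```python
import hashlib
import struct
import uuid

# The all-zero AAGUID is what a relying party sees when the client strips
# attestation (conveyance "none") or the authenticator does not identify
# its model; an entry for it matches all of those, not a single model.
ZERO_AAGUID = uuid.UUID("00000000-0000-0000-0000-000000000000")


def parse_aaguid(auth_data: bytes) -> uuid.UUID:
    """Return the AAGUID from the authenticator data of a registration.

    Layout: rpIdHash[32] | flags[1] | signCount[4] | attestedCredentialData,
    where attestedCredentialData = aaguid[16] | credIdLen[2] | credId | pubKey.
    Only call this after the attestation signature over auth_data has been
    verified; until then the AAGUID is merely self-reported.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    flags = auth_data[32]
    if not flags & 0x40:  # AT bit: attested credential data is present
        raise ValueError("no attested credential data (AT flag clear)")
    if len(auth_data) < 53:
        raise ValueError("attested credential data truncated before the AAGUID")
    return uuid.UUID(bytes=auth_data[37:53])


class AuthenticatorPolicy:
    """An allowlist or a denylist of AAGUIDs, never both at the same time."""

    def __init__(self) -> None:
        self.mode = None  # None (default: all permitted), "allowlist" or "denylist"
        self.aaguids = set()

    def add(self, mode: str, aaguid: str) -> None:
        if mode not in ("allowlist", "denylist"):
            raise ValueError(f"unknown policy type: {mode}")
        if self.mode is not None and self.mode != mode:
            raise ValueError(f"a {self.mode} exists; clear it before creating a {mode}")
        parsed = uuid.UUID(aaguid)  # rejects anything that is not a UUID
        self.mode = mode
        self.aaguids.add(parsed)

    def remove(self, aaguid: str) -> None:
        self.aaguids.discard(uuid.UUID(aaguid))
        if not self.aaguids:
            self.mode = None  # an emptied policy returns to the default state

    def clear(self) -> None:
        self.mode = None
        self.aaguids.clear()

    def status(self) -> str:
        if self.mode is None:
            return "no policy: all authenticators permitted"
        return f"{self.mode} with {len(self.aaguids)} AAGUID(s)"

    def is_permitted(self, aaguid: uuid.UUID) -> bool:
        if self.mode is None:
            return True
        if self.mode == "allowlist":
            return aaguid in self.aaguids
        return aaguid not in self.aaguids


# Constructed sample: registration authenticator data for rpId "example.com"
# carrying a made-up AAGUID (not the identifier of any real authenticator).
SAMPLE_AAGUID = "12345678-1234-5678-1234-567812345678"
SAMPLE_AUTH_DATA = (
    hashlib.sha256(b"example.com").digest()        # rpIdHash
    + bytes([0x41])                                # flags: UP | AT
    + struct.pack(">I", 0)                         # signCount
    + uuid.UUID(SAMPLE_AAGUID).bytes               # aaguid
    + struct.pack(">H", 4) + b"\x01\x02\x03\x04"   # credIdLen + credentialId
    + b"\xa0"                                      # credentialPublicKey placeholder (empty CBOR map)
)


def demo() -> dict:
    """Walk the sample through default, denylist, mixed-type and allowlist states."""
    policy = AuthenticatorPolicy()
    aaguid = parse_aaguid(SAMPLE_AUTH_DATA)
    results = {"default": policy.is_permitted(aaguid)}
    policy.add("denylist", SAMPLE_AAGUID)
    results["denylisted"] = policy.is_permitted(aaguid)
    try:
        policy.add("allowlist", SAMPLE_AAGUID)  # must fail: denylist already exists
        results["mixed_allowed"] = True
    except ValueError:
        results["mixed_allowed"] = False
    policy.clear()
    policy.add("allowlist", SAMPLE_AAGUID)
    results["allowlisted"] = policy.is_permitted(aaguid)
    results["other_under_allowlist"] = policy.is_permitted(uuid.UUID(int=1))
    return results


if __name__ == "__main__":
    print(parse_aaguid(SAMPLE_AUTH_DATA), demo())
```

The length checks in parse_aaguid matter in practice: a registration response with the AT flag clear, or one shorter than 53 bytes, carries no AAGUID at all, and a policy engine that silently treats that as the zero AAGUID would let an allowlist be bypassed by whatever rule you attach to the zero value.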

Key Differences

UI Method: Provides a visual interface with searchable authenticator lists, bulk selection, and immediate visual feedback on policy status.

API Method: Enables programmatic management, automation, and integration with external systems through REST endpoints.

Choose Your Method

Prerequisites

Before managing FIDO2 authenticator policies, ensure that:

  • FIDO2 Settings are properly configured and enabled for your application
  • You have Admin or App Manager role permissions