[{"data":1,"prerenderedAt":125},["ShallowReactive",2],{"i-heroicons:building-office-2":3,"i-heroicons:computer-desktop":8,"i-heroicons:cloud":10,"i-heroicons:server":12,"i-heroicons:folder":14,"i-heroicons:chart-bar":16,"i-heroicons:lock-closed":18,"i-heroicons:rectangle-stack":20,"i-heroicons:scale":22,"i-heroicons:key":24,"i-heroicons:finger-print":26,"i-heroicons:cpu-chip":28,"i-heroicons:document-text":30,"i-heroicons:shield-exclamation":32,"i-heroicons:shield-check":34,"blog-en-fido2-enterprise-attestation-technical-deep-dive":36,"i-heroicons:user":123},{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":7},0,24,false,"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M2.25 21h19.5m-18-18v18m10.5-18v18m6-13.5V21M6.75 6.75h.75m-.75 3h.75m-.75 3h.75m3-6h.75m-.75 3h.75m-.75 3h.75M6.75 21v-3.375c0-.621.504-1.125 1.125-1.125h2.25c.621 0 1.125.504 1.125 1.125V21M3 3h12m-.75 4.5H21m-3.75 3.75h.008v.008h-.008zm0 3h.008v.008h-.008zm0 3h.008v.008h-.008z\"\u002F>",{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":9},"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M9 17.25v1.007a3 3 0 0 1-.879 2.122L7.5 21h9l-.621-.621A3 3 0 0 1 15 18.257V17.25m6-12V15a2.25 2.25 0 0 1-2.25 2.25H5.25A2.25 2.25 0 0 1 3 15V5.25m18 0A2.25 2.25 0 0 0 18.75 3H5.25A2.25 2.25 0 0 0 3 5.25m18 0V12a2.25 2.25 0 0 1-2.25 2.25H5.25A2.25 2.25 0 0 1 3 12V5.25\"\u002F>",{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":11},"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M2.25 15a4.5 4.5 0 0 0 4.5 4.5H18a3.75 3.75 0 0 0 1.332-7.257a3 3 0 0 0-3.758-3.848a5.25 5.25 0 0 0-10.233 2.33A4.5 4.5 0 0 0 2.25 15\"\u002F>",{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":13},"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M21.75 17.25v-.228a4.5 4.5 0 0 0-.12-1.03l-2.268-9.64a3.375 3.375 0 0 0-3.285-2.602H7.923a3.375 3.375 0 0 0-3.285 2.602l-2.268 9.64a4.5 4.5 0 0 0-.12 1.03v.228m19.5 0a3 3 0 0 1-3 3H5.25a3 3 0 0 1-3-3m19.5 0a3 3 0 0 0-3-3H5.25a3 3 0 0 0-3 3m16.5 0h.008v.008h-.008zm-3 0h.008v.008h-.008z\"\u002F>",{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":15},"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M2.25 12.75V12A2.25 2.25 0 0 1 4.5 9.75h15A2.25 2.25 0 0 1 21.75 12v.75m-8.69-6.44l-2.12-2.12a1.5 1.5 0 0 0-1.061-.44H4.5A2.25 2.25 0 0 0 2.25 6v12a2.25 2.25 0 0 0 2.25 2.25h15A2.25 2.25 0 0 0 21.75 18V9a2.25 2.25 0 0 0-2.25-2.25h-5.379a1.5 1.5 0 0 1-1.06-.44\"\u002F>",{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":17},"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M3 13.125C3 12.504 3.504 12 4.125 12h2.25c.621 0 1.125.504 1.125 1.125v6.75C7.5 20.496 6.996 21 6.375 21h-2.25A1.125 1.125 0 0 1 3 19.875zm6.75-4.5c0-.621.504-1.125 1.125-1.125h2.25c.621 0 1.125.504 1.125 1.125v11.25c0 .621-.504 1.125-1.125 1.125h-2.25a1.125 1.125 0 0 1-1.125-1.125zm6.75-4.5c0-.621.504-1.125 1.125-1.125h2.25C20.496 3 21 3.504 21 4.125v15.75c0 .621-.504 1.125-1.125 1.125h-2.25a1.125 1.125 0 0 1-1.125-1.125z\"\u002F>",{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":19},"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M16.5 10.5V6.75a4.5 4.5 0 1 0-9 0v3.75m-.75 11.25h10.5a2.25 2.25 0 0 0 2.25-2.25v-6.75a2.25 2.25 0 0 0-2.25-2.25H6.75a2.25 2.25 0 0 0-2.25 2.25v6.75a2.25 2.25 0 0 0 2.25 2.25\"\u002F>",{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":21},"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M6 6.878V6a2.25 2.25 0 0 1 2.25-2.25h7.5A2.25 2.25 0 0 1 18 6v.878m-12 0q.354-.126.75-.128h10.5q.396.002.75.128m-12 0A2.25 2.25 0 0 0 4.5 9v.878m13.5-3A2.25 2.25 0 0 1 19.5 9v.878m0 0a2.3 2.3 0 0 0-.75-.128H5.25q-.396.002-.75.128m15 0A2.25 2.25 0 0 1 21 12v6a2.25 2.25 0 0 1-2.25 2.25H5.25A2.25 2.25 0 0 1 3 18v-6c0-.98.626-1.813 1.5-2.122\"\u002F>",{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":23},"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M12 3v17.25m0 0c-1.472 0-2.882.265-4.185.75M12 20.25c1.472 0 2.882.265 4.185.75M18.75 4.97A48 48 0 0 0 12 4.5c-2.291 0-4.545.16-6.75.47m13.5 0q1.515.215 3 .52m-3-.52l2.62 10.726c.122.499-.106 1.028-.589 1.202a6 6 0 0 1-2.031.352a6 6 0 0 1-2.031-.352c-.483-.174-.711-.703-.59-1.202zm-16.5.52q1.485-.305 3-.52m0 0l2.62 10.726c.122.499-.106 1.028-.589 1.202a6 6 0 0 1-2.031.352a6 6 0 0 1-2.031-.352c-.483-.174-.711-.703-.59-1.202z\"\u002F>",{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":25},"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M15.75 5.25a3 3 0 0 1 3 3m3 0a6 6 0 0 1-7.029 5.912c-.563-.097-1.159.026-1.563.43L10.5 17.25H8.25v2.25H6v2.25H2.25v-2.818c0-.597.237-1.17.659-1.591l6.499-6.499c.404-.404.527-1 .43-1.563A6 6 0 1 1 21.75 8.25\"\u002F>",{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":27},"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M7.864 4.243A7.5 7.5 0 0 1 19.5 10.5c0 2.92-.556 5.709-1.568 8.269M5.742 6.364A7.47 7.47 0 0 0 4.5 10.5a7.46 7.46 0 0 1-1.15 3.993m1.989 3.559A11.2 11.2 0 0 0 8.25 10.5a3.75 3.75 0 1 1 7.5 0q0 .79-.064 1.565M12 10.5a14.94 14.94 0 0 1-3.6 9.75m6.633-4.596a18.7 18.7 0 0 1-2.485 5.33\"\u002F>",{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":29},"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M8.25 3v1.5M4.5 8.25H3m18 0h-1.5M4.5 12H3m18 0h-1.5m-15 3.75H3m18 0h-1.5M8.25 19.5V21M12 3v1.5m0 15V21m3.75-18v1.5m0 15V21m-9-1.5h10.5a2.25 2.25 0 0 0 2.25-2.25V6.75a2.25 2.25 0 0 0-2.25-2.25H6.75A2.25 2.25 0 0 0 4.5 6.75v10.5a2.25 2.25 0 0 0 2.25 2.25m.75-12h9v9h-9z\"\u002F>",{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":31},"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M19.5 14.25v-2.625a3.375 3.375 0 0 0-3.375-3.375h-1.5A1.125 1.125 0 0 1 13.5 7.125v-1.5a3.375 3.375 0 0 0-3.375-3.375H8.25m0 12.75h7.5m-7.5 3H12M10.5 2.25H5.625c-.621 0-1.125.504-1.125 1.125v17.25c0 .621.504 1.125 1.125 1.125h12.75c.621 0 1.125-.504 1.125-1.125V11.25a9 9 0 0 0-9-9\"\u002F>",{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":33},"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M12 9v3.75m0-10.036A11.96 11.96 0 0 1 3.598 6A12 12 0 0 0 3 9.75c0 5.592 3.824 10.29 9 11.622c5.176-1.332 9-6.03 9-11.622c0-1.31-.21-2.57-.598-3.75h-.152c-3.196 0-6.1-1.25-8.25-3.286m0 13.036h.008v.008H12z\"\u002F>",{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":35},"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M9 12.75L11.25 15L15 9.75m-3-7.036A11.96 11.96 0 0 1 3.598 6A12 12 0 0 0 3 9.749c0 5.592 3.824 10.29 9 11.623c5.176-1.332 9-6.03 9-11.622c0-1.31-.21-2.571-.598-3.751h-.152c-3.196 0-6.1-1.248-8.25-3.285\"\u002F>",{"id":37,"documentId":38,"title":39,"content":40,"slug":41,"published":42,"createdAt":43,"updatedAt":43,"publishedAt":44,"locale":45,"authorManual":46,"cover":47,"tags":89,"seo":120,"author":51},31,"utjws04nn0342s3bxg2xmcxx","FIDO2 Enterprise Attestation","\u003Cp>Recently, YubiOn FIDO Logon implemented a management feature for enterprise authenticators. To briefly explain this feature, it allows you to manage authenticators using the serial number of the security key. This functionality is made possible by utilizing a specification called \u003Cstrong>FIDO2 &quot;Enterprise Attestation&quot;\u003C\u002Fstrong>. However, although this specification is defined within the FIDO standard, it is not widely adopted, and in my experience, there are few in-depth explanations available in blogs or other resources. Therefore, I would like to summarize the information I have gathered, even if briefly.\u003C\u002Fp>\n\u003Cp>Please note that this article is primarily intended for technical professionals. If you are looking for details about the features of FIDO Logon, I recommend reading \u003Ca href=\"https:\u002F\u002Fwww.yubion.com\u002Fpost\u002Ftried-out-yubion-fido-logon-s-new-feature-enterprise-authenticator-management-function?lang=en\">the previous blog post\u003C\u002Fa>. This article focuses on explaining the \u003Cstrong>Enterprise Attestation\u003C\u002Fstrong> specification itself, which is largely independent of FIDO Logon. I have tried to make it understandable even for those unfamiliar with FIDO authentication technology, but readers with knowledge of FIDO authentication or digital signature technology will gain a deeper understanding.\u003C\u002Fp>\n\u003Ch2>■Background of Enterprise Attestation Specification\u003C\u002Fh2>\n\u003Cp>Under the basic FIDO authentication specification, it is not possible to determine whether authenticators used for multiple credentials belong to the same physical device. For example, if the same security key is used on Site A and Site B, or if it is used for Account X and Account Y within Site A, there is no mechanism to identify whether these credentials come from the same authenticator—even if you compare all credential data. (*1) This design primarily aims to prevent “tracking” from a privacy perspective. If such identity could be easily determined, information disclosed only on Site A could potentially be misused on Site B operated by the same company, creating privacy concerns.\u003C\u002Fp>\n\u003Cp>\u003Cimg src=\"https:\u002F\u002Fdty9gbw7gew16.cloudfront.net\u002Fuploads\u002Fblog_fido2_enterprise_attestation_technical_deep_dive_1_fa4acb11bf.png\" alt=\"\">\u003C\u002Fp>\n\u003Cp>As a result of these privacy considerations, the individual identification information of the device used for FIDO authentication is not visible even to the service performing the authentication (the Relying Party, RP). This mechanism is excellent for protecting privacy in personal use cases.\u003C\u002Fp>\n\u003Cp>However, when companies want to manage authentication, this can be inconvenient. In the following scenarios, traditional FIDO authentication could not provide a solution:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Employee X has lost an authenticator, and the company wants to disable the authenticator that was issued to them.\u003C\u002Fstrong> Therefore, they need to identify the credentials associated with the authenticator loaned to Employee X.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>An internal report suggests that Employee X, who should only have access to System A, is secretly using System B.\u003C\u002Fstrong> The company wants to identify which credentials in System B belong to the authenticator issued to Employee X.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Employee X appears to have used a personal authenticator instead of the company-issued one.\u003C\u002Fstrong> Employee X recently left the company and returned the issued authenticator, but they can still access internal systems using their personal authenticator. The company wants to prevent access with personal authenticators (i.e., allow only company-issued authenticators).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Of course, one might argue, “Just properly manage and disable Employee X’s account.” Ideally, accounts should indeed be managed on a per-person basis. However, in reality, there are cases where shared accounts use authenticators, or authenticators are registered to another employee’s account for operational reasons—situations that often cause headaches for internal IT teams. (*2) From the perspective of verifying whether such poor practices exist, being able to identify which physical device corresponds to a credential can be a significant advantage in enterprise environments.\u003C\u002Fp>\n\u003Cp>\u003Cimg src=\"https:\u002F\u002Fdty9gbw7gew16.cloudfront.net\u002Fuploads\u002Fblog_fido2_enterprise_attestation_technical_deep_dive_2_ecdb43ba50.png\" alt=\"\">\u003C\u002Fp>\n\u003Cp>(*1) Whether the authenticators are of the same \u003Cstrong>type\u003C\u002Fstrong> (for example, which vendor and product) can be determined depending on the options used when creating the credential.\u003C\u002Fp>\n\u003Cp>(*2) In reality, it is more common for multiple people to know the ID and password of a shared account than to use FIDO authentication for shared accounts...\u003C\u002Fp>\n\u003Ch2>■Overview of Enterprise Attestation\u003C\u002Fh2>\n\u003Cp>There are conflicting requirements: on one hand, the need to \u003Cstrong>prevent\u003C\u002Fstrong> device identification, and on the other, the need to \u003Cstrong>enable\u003C\u002Fstrong> device identification. FIDO’s solution to this conflict is \u003Cstrong>Enterprise Attestation\u003C\u002Fstrong>, a specification that allows device identification within a limited scope based on authenticator settings.\u003C\u002Fp>\n\u003Cp>I will try to explain Enterprise Attestation as simply as possible. However, explaining only that part in isolation can be confusing, so I will start by describing the overall flow of FIDO authentication. Please note that I will omit parts not necessary for explaining Enterprise Attestation, so this is not a complete introduction to FIDO authentication.\u003C\u002Fp>\n\u003Ch3>・FIDO Authentication\u003C\u002Fh3>\n\u003Cp>In simple terms, FIDO authentication consists of two main processes:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>makeCredential\u003C\u002Fstrong>: the “registration” (credential creation) process\u003C\u002Fli>\n\u003Cli>\u003Cstrong>getAssertion\u003C\u002Fstrong>: the “authentication” process\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>These processes are based on digital signature technology using public-key cryptography, which involves two types of keys: a \u003Cstrong>private key\u003C\u002Fstrong> and a \u003Cstrong>public key\u003C\u002Fstrong>. The authenticator stores the private key internally and uses it to create a signature. The server performing authentication verifies the signature using the corresponding public key stored on its side.\u003C\u002Fp>\n\u003Cp>\u003Cimg src=\"https:\u002F\u002Fdty9gbw7gew16.cloudfront.net\u002Fuploads\u002Fblog_fido2_enterprise_attestation_technical_deep_dive_3_c740274804.png\" alt=\"\">\u003C\u002Fp>\n\u003Cp>Enterprise Attestation is implemented in the \u003Cstrong>makeCredential\u003C\u002Fstrong> process, so we will focus on that here. In makeCredential, the authenticator generates a pair of private and public keys and sends the public key to the server. At the same time, it signs a string called a \u003Cstrong>challenge\u003C\u002Fstrong> (*3) provided by the server using the private key and returns the signature result to the server. The server verifies that the challenge was issued by the server immediately before and that the signature is valid (*4). If everything checks out, the server stores the public key for future authentication.\u003C\u002Fp>\n\u003Cp>This is the basic concept of FIDO authentication. In the case of \u003Cstrong>getAssertion\u003C\u002Fstrong>, the overall flow is similar, except that the step of generating a new key pair is skipped. Instead, the authenticator uses the previously created private key to sign the challenge (*3), and the server verifies the signature(*4).\u003C\u002Fp>\n\u003Cp>(*3) Strictly speaking, the signature is applied to a JSON object (clientData) that contains the challenge and other information.\u003C\u002Fp>\n\u003Cp>(*4) This explanation is simplified for conceptual understanding. In reality, additional checks are required, such as verifying that the operation was performed for the intended RP and that user verification (PIN, fingerprint, etc.) was completed.\u003C\u002Fp>\n\u003Ch3>・AttestationStatement\u003C\u002Fh3>\n\u003Cp>So far, we’ve only covered the basic concept of FIDO authentication and haven’t yet touched on the part that relates to Enterprise Attestation. To understand Enterprise Attestation, we first need to explain the \u003Cstrong>Attestation Statement\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>The Attestation Statement is a mechanism that guarantees the reliability of the authenticator. Using this mechanism, it is possible to ensure that the registered authenticator is a legitimate device certified by the FIDO Alliance. This helps prevent the use of malicious authenticators (e.g., those designed to leak private keys) or even non-malicious authenticators with vulnerabilities.\u003C\u002Fp>\n\u003Cp>From here, it will be easier to understand by looking at the data structure, so let’s start by showing the structure of the data obtained during the makeCredential process.\u003C\u002Fp>\n\u003Cp>\u003Cimg src=\"https:\u002F\u002Fdty9gbw7gew16.cloudfront.net\u002Fuploads\u002Fblog_fido2_enterprise_attestation_technical_deep_dive_4_096378b346.png\" alt=\"\">\u003C\u002Fp>\n\u003Cp>Within this structure, the \u003Cstrong>attStmt\u003C\u002Fstrong> section is called the Attestation Statement, which contains the signature (\u003Cstrong>sig\u003C\u002Fstrong>) and the certificate (\u003Cstrong>x5c\u003C\u002Fstrong>). The signature here is applied to the fields called \u003Cstrong>authenticatorData\u003C\u002Fstrong> and \u003Cstrong>clientDataHash\u003C\u002Fstrong>. In simple terms, the signature and certificate confirm that the authenticator itself generated the authenticatorData and clientDataHash (which includes the challenge).\u003C\u002Fp>\n\u003Cp>Up to this point, what is guaranteed is only that “authenticatorData and clientDataHash were generated by this authenticator.” It does \u003Cstrong>not\u003C\u002Fstrong> guarantee that “this authenticator is a FIDO Alliance-certified authenticator.” To provide that guarantee, the FIDO Alliance offers a service called \u003Cstrong>MDS (Metadata Service)\u003C\u002Fstrong>. From MDS, you can obtain various information about authenticators provided by each security key vendor (such as model names). Among this information is an item called \u003Cstrong>attestationRootCertificates\u003C\u002Fstrong>. This is the root certificate, and by verifying that the certificate obtained from attStmt forms a certificate chain with attestationRootCertificates, you can confirm that the authenticator’s certificate was generated by the vendor—meaning the authenticator was provided by that vendor.\u003C\u002Fp>\n\u003Cp>\u003Cimg src=\"https:\u002F\u002Fdty9gbw7gew16.cloudfront.net\u002Fuploads\u002Fblog_fido2_enterprise_attestation_technical_deep_dive_5_2f74bb7481.png\" alt=\"\">\u003C\u002Fp>\n\u003Cp>The attestation certificate obtained from \u003Cstrong>attStmt\u003C\u002Fstrong> is not unique to each authenticator; rather, it is shared among multiple authenticators. The exact scope of sharing depends on the security key vendor’s implementation—it could be at the product model level or the firmware version level. For example, in my own case, the YubiKey Bio I personally own and the YubiKey Bio issued by my company during the same period had identical attestation certificates.\u003C\u002Fp>\n\u003Ch3>・EnterpriseAttestation\u003C\u002Fh3>\n\u003Cp>Enterprise Attestation introduces a slight modification to the attestation certificate mechanism described above. Previously, the attestation certificate was the same across multiple authenticators. In contrast, with Enterprise Attestation, this certificate becomes unique to each authenticator, enabling identification of the specific device used for registration.\u003C\u002Fp>\n\u003Cp>\u003Cimg src=\"https:\u002F\u002Fdty9gbw7gew16.cloudfront.net\u002Fuploads\u002Fblog_fido2_enterprise_attestation_technical_deep_dive_6_547432718e.png\" alt=\"\">\u003C\u002Fp>\n\u003Cp>In the official \u003Ca href=\"https:\u002F\u002Fwww.w3.org\u002FTR\u002Fwebauthn\u002F#dom-attestationconveyancepreference-enterprise\">WebAuthn specification\u003C\u002Fa>, the behavior when requesting Enterprise Attestation is described as follows:\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>This value indicates that the Relying Party wants to receive an attestation statement that may include uniquely identifying information.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>Since the specification only states “uniquely identifying information,” it seems that any implementation that provides unique identification would be acceptable. In practice, it is often possible to obtain a serial number or similar identifier. For example, in the Enterprise Attestation-enabled YubiKey provided by Yubico for our development, the serial number was stored in the \u003Cstrong>subject\u003C\u002Fstrong> field of the X.509 certificate in the form of a Distinguished Name (DN).\u003C\u002Fp>\n\u003Cp>\u003Cimg src=\"https:\u002F\u002Fdty9gbw7gew16.cloudfront.net\u002Fuploads\u002Fblog_fido2_enterprise_attestation_technical_deep_dive_7_361dc8bc61.png\" alt=\"\">\u003C\u002Fp>\n\u003Cp>How the serial number or similar identifiers are set within the certificate likely varies by vendor. Currently, FIDO Logon has only been tested with Yubico authenticators. In this implementation, the \u003Cstrong>subject\u003C\u002Fstrong> field of the certificate is parsed as a Distinguished Name (DN), and the \u003Cstrong>CN (commonName)\u003C\u002Fstrong> field is extracted using a regular expression to obtain the authenticator ID. For other vendors, different parsing methods may need to be implemented.\u003C\u002Fp>\n\u003Ch3>・Implementing Enterprise Attestation on the Web\u003C\u002Fh3>\n\u003Cp>When using Enterprise Attestation on the web, specify &quot;enterprise&quot; for the \u003Ca href=\"https:\u002F\u002Fwww.w3.org\u002FTR\u002Fwebauthn\u002F#attestation-conveyance\">attestation\u003C\u002Fa> parameter in the \u003Ca href=\"https:\u002F\u002Fw3c.github.io\u002Fwebappsec-credential-management\u002F#dom-credentialscontainer-create\">navigator.credentials.create\u003C\u002Fa> method of WebAuthn. If the request is processed correctly, as mentioned earlier, the returned attestationObject will include the Enterprise Attestation certificate in the \u003Cstrong>attStmt\u003C\u002Fstrong> section. (*5)\u003C\u002Fp>\n\u003Cp>(*5) Technically, the method returns a PublicKeyCredential object, whose response member is an AuthenticatorAttestationResponse containing the attestationObject.\u003C\u002Fp>\n\u003Ch2>■Additional Notes\u003C\u002Fh2>\n\u003Cp>Here are some important considerations when using Enterprise Attestation.\u003C\u002Fp>\n\u003Ch3>・Obtaining Enterprise Attestation-Compatible Security Keys\u003C\u002Fh3>\n\u003Cp>For the development of FIDO Logon’s enterprise authenticator management feature, we worked with Yubico to obtain development YubiKeys. In actual enterprise deployments, collaboration with vendors (not limited to Yubico) will be necessary. The \u003Ca href=\"https:\u002F\u002Ffidoalliance.org\u002Fspecs\u002Ffido-v2.2-rd-20241003\u002Ffido-client-to-authenticator-protocol-v2.2-rd-20241003.html#sctn-feature-descriptions-enterp-attstn\">CTAP2 specification\u003C\u002Fa> states:\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>An enterprise attestation is an attestation that may include uniquely identifying information. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cblockquote>\n\u003Cp>The expectation is that enterprises will work directly with their authenticator vendor(s) in order to source their enterprise attestation capable authenticators.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>The FIDO Alliance’s intent seems to be that Enterprise Attestation-enabled authenticators should be managed by the deploying enterprise and obtained through vendor collaboration. These authenticators are not intended for general distribution. Beyond the technical aspects explained here, enterprises will likely need to discuss operational processes with vendors—such as procurement procedures and protocols for lost authenticators. As noted earlier, FIDO’s core principle is that authenticators should not be trackable, so vendors will likely handle this cautiously.\u003C\u002Fp>\n\u003Ch3>・Scope of RPs That Can Use Enterprise Attestation\u003C\u002Fh3>\n\u003Cp>Even if you obtain an Enterprise Attestation-compatible authenticator, it will not provide unique identifying information to all RPs without restriction. You must define which RPs are allowed to receive this information. There are two methods:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cp>Vendor-facilitated enterprise attestation\u003C\u002Fp>\n\u003Cp>The authenticator vendor writes the allowed RP IDs into the authenticator before shipping. This requires sharing RP information with the vendor during provisioning.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\u003Cp>Platform-managed enterprise attestation\u003C\u002Fp>\n\u003Cp>Instead of writing RP IDs into the authenticator, they are specified in the platform (e.g., browser) settings. As of February 13, 2025, Google Chrome is the only browser confirmed to support this method. (*6)\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Vendor-facilitated means RP IDs are set on the authenticator, while platform-managed means RP IDs are configured in the browser.\u003C\u002Fp>\n\u003Cp>For YubiOn FIDO Logon, which implements CTAP internally, RP ID is currently fixed to fl.yubion.com, so we use the platform-managed approach. Depending on future customer requirements, we may also support vendor-facilitated mode (e.g., registration allowed only if the authenticator has fl.yubion.com RP ID set).\u003C\u002Fp>\n\u003Cp>(*6) Chrome’s Enterprise Attestation setting can be found at chrome:\u002F\u002Fflags\u002F#web-authentication-permit-enterprise-attestation. RP IDs are entered in a text box, separated by commas for multiple entries.\u003C\u002Fp>\n\u003Ch3>・Browser and OS Support (Primarily Windows)\u003C\u002Fh3>\n\u003Cp>Information on environments supporting Enterprise Attestation is scarce online. Here’s what we know (focused on Windows):\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cp>OS Restrictions:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cp>Windows 10 is not supported; only Windows 11 works (*7).\u003C\u002Fp>\n\u003Cp>This is because Windows 10’s WebAuthn API (*8) version does not support Enterprise Attestation. All browsers on Windows rely on the OS WebAuthn API, so this limitation applies universally. For Windows Server, versions before 2025 are based on Windows 10, while Windows Server 2025 aligns with Windows 11.\u003C\u002Fp>\n\u003Cp>For Remote Desktop using WebAuthn redirection, both source and destination must be Windows 11.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cp>Browser Restrictions:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cp>Google Chrome:\u003C\u002Fp>\n\u003Cp>No inherent browser limitation, but you must enable Enterprise Attestation in settings (chrome:\u002F\u002Fflags\u002F#web-authentication-permit-enterprise-attestation) and configure RP IDs for platform-managed mode.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\u003Cp>Microsoft Edge:\u003C\u002Fp>\n\u003Cp>Unlike Chrome, Edge does not expose Enterprise Attestation settings in the UI. However, when specifying &quot;enterprise&quot; for attestation in WebAuthn API calls, the Windows WebAuthn API dialog clearly includes the serial number, suggesting support for vendor-facilitated mode. (We have not confirmed this fully as our authenticators lack RP ID configuration.)\u003C\u002Fp>\n\u003Cp>\u003Cimg src=\"https:\u002F\u002Fdty9gbw7gew16.cloudfront.net\u002Fuploads\u002Fblog_fido2_enterprise_attestation_technical_deep_dive_8_daaaa6cb3c.png\" alt=\"\">\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\u003Cp>FireFox:\u003C\u002Fp>\n\u003Cp>As of February 2025, \u003Cstrong>Enterprise Attestation\u003C\u002Fstrong> is not available in Firefox.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cp>Others:\u003C\u002Fp>\n\u003Cp>On \u003Cstrong>Mac\u003C\u002Fstrong>, Chrome can be used in the same way as on Windows by applying the appropriate settings. For \u003Cstrong>Safari\u003C\u002Fstrong>, version 17 did not interpret &#39;attestation=enterprise&#39; (it behaved the same as &#39;attestation=none&#39;). However, in version 18.3, when using an Enterprise Attestation–compatible key without RP ID configuration, it behaved similarly to the &#39;attestation=direct&#39; setting. This suggests that it may support \u003Cstrong>Vendor-facilitated enterprise attestation\u003C\u002Fstrong>, although there is no mention of this in the release notes, so the exact details remain unclear.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>(*7) When registering authenticators from the YubiOn FIDO Logon application (settings tool or logon screen), Enterprise Attestation is available even on Windows 10 systems because CTAP communication is implemented independently. However, when registering authenticators via Remote Desktop Connection, the Windows WebAuthn API is used, so both the source and destination systems must be Windows 11.\u003C\u002Fp>\n\u003Cp>(*8) The name is confusing, but this refers to the \u003Ca href=\"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fwindows\u002Fwin32\u002Fwebauthn\u002F-webauthn-portal\">Win32API on Windows\u003C\u002Fa>, not the WebAuthenticationAPI on the web.\u003C\u002Fp>\n\u003Ch2>■ Summary\u003C\u002Fh2>\n\u003Cp>To summarize the technical implementation points:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cp>Specify &quot;enterprise&quot; for the &#39;attestation&#39; parameter when calling the &#39;navigator.credentials.create&#39; method.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\u003Cp>If the authenticator supports this, the resulting Attestation Statement certificate will be device-specific.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>The certificate chain mechanism is the same as a normal Attestation Statement.\u003C\u002Fli>\n\u003Cli>Depending on the vendor implementation, the certificate may include a serial number (for Yubico, it is stored in the subject field).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>However, operational considerations seem to be more significant than technical implementation.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cp>Operational Policy and Structure:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>How to execute the steps leading up to deployment?\u003C\u002Fli>\n\u003Cli>How to manage workflows after deployment?\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cp>Selection of Services and Systems Using Authenticators:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cp>Enterprise Attestation support is likely limited among general services, so consider which services will use authenticators.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\u003Cp>For in-house developed systems, additional implementation will be required:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Simply storing Enterprise Attestation is easy, but adding features such as credential management based on serial numbers will require further planning.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cp>Decide whether to use \u003Cstrong>Vendor-facilitated\u003C\u002Fstrong>, \u003Cstrong>Platform-managed\u003C\u002Fstrong>, or a combination of both.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cp>Confirm Supported Environments (OS and Browser):\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Chrome requires bulk browser setting changes.\u003C\u002Fli>\n\u003Cli>Consider how to handle unsupported environments.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>As the name suggests, this is an enterprise-oriented feature. It assumes \u003Cstrong>managed deployment within an organization\u003C\u002Fstrong>, so it’s not just a matter of “install and done.” However, for companies that can build and continuously improve operational and management structures, this feature can be a valuable aid.\u003C\u002Fp>\n\u003Cp>In FIDO Logon, we have implemented functionality using Enterprise Attestation–compatible authenticators. Of course, even with security keys or smartphones that do not support this feature, device security can still be improved. A free version offering the same functionality as the paid version is available for a 3-month trial, so please give it a try.\u003C\u002Fp>\n\u003Cp>If you are considering introducing Enterprise Attestation–compatible authenticators, please feel free to \u003Ca href=\"https:\u002F\u002Fwww.yubion.com\u002Fcontact-form\">contact\u003C\u002Fa> us.\u003C\u002Fp>\n\u003Ch2>■ Related Links\u003C\u002Fh2>\n\u003Cp>[YubiOn FIDO Logon]\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Ffl.yubion.com\">https:\u002F\u002Ffl.yubion.com\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>[YubiOn FIDO Logon Overview Page]\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.yubion.com\u002Ffidologon\">https:\u002F\u002Fwww.yubion.com\u002Ffidologon\u003C\u002Fa>\u003C\u002Fp>\n","fido2-enterprise-attestation-technical-deep-dive","2025-02-18","2026-04-28T06:24:35.939Z","2026-04-28T06:24:38.941Z","en","Shiraishi",{"id":48,"documentId":49,"name":50,"alternativeText":51,"caption":51,"focalPoint":51,"width":52,"height":53,"formats":54,"hash":84,"ext":56,"mime":60,"size":85,"url":86,"previewUrl":51,"provider":87,"provider_metadata":51,"createdAt":88,"updatedAt":88,"publishedAt":88},423,"d6kxu605cztfskjtfiwo6i59","blog-fido2-enterprise-attestation-technical-deep-dive-1.png",null,960,540,{"small":55,"medium":66,"thumbnail":75},{"ext":56,"url":57,"etag":58,"hash":59,"mime":60,"name":61,"path":51,"size":62,"width":63,"height":64,"sizeInBytes":65},".png","https:\u002F\u002Fdty9gbw7gew16.cloudfront.net\u002Fuploads\u002Fsmall_blog_fido2_enterprise_attestation_technical_deep_dive_1_fa4acb11bf.png","2e0ef4028ce8ebde390cb249e1558a7b","small_blog_fido2_enterprise_attestation_technical_deep_dive_1_fa4acb11bf","image\u002Fpng","small_blog-fido2-enterprise-attestation-technical-deep-dive-1.png",80.55,500,281,80553,{"ext":56,"url":67,"etag":68,"hash":69,"mime":60,"name":70,"path":51,"size":71,"width":72,"height":73,"sizeInBytes":74},"https:\u002F\u002Fdty9gbw7gew16.cloudfront.net\u002Fuploads\u002Fmedium_blog_fido2_enterprise_attestation_technical_deep_dive_1_fa4acb11bf.png","9b9015730a7b1941f54881e26de9b534","medium_blog_fido2_enterprise_attestation_technical_deep_dive_1_fa4acb11bf","medium_blog-fido2-enterprise-attestation-technical-deep-dive-1.png",150.92,750,422,150923,{"ext":56,"url":76,"etag":77,"hash":78,"mime":60,"name":79,"path":51,"size":80,"width":81,"height":82,"sizeInBytes":83},"https:\u002F\u002Fdty9gbw7gew16.cloudfront.net\u002Fuploads\u002Fthumbnail_blog_fido2_enterprise_attestation_technical_deep_dive_1_fa4acb11bf.png","919c857399160971f70f7a20b54f566e","thumbnail_blog_fido2_enterprise_attestation_technical_deep_dive_1_fa4acb11bf","thumbnail_blog-fido2-enterprise-attestation-technical-deep-dive-1.png",26.51,245,138,26512,"blog_fido2_enterprise_attestation_technical_deep_dive_1_fa4acb11bf",56.73,"https:\u002F\u002Fdty9gbw7gew16.cloudfront.net\u002Fuploads\u002Fblog_fido2_enterprise_attestation_technical_deep_dive_1_fa4acb11bf.png","aws-s3","2026-04-28T06:23:49.679Z",[90,96,102,108,114],{"id":91,"documentId":92,"name":93,"slug":51,"createdAt":94,"updatedAt":94,"publishedAt":95},12,"aire52m2y26x0uq2lb8m0nwy","FIDO","2026-04-28T01:49:06.707Z","2026-04-28T01:49:08.676Z",{"id":97,"documentId":98,"name":99,"slug":51,"createdAt":100,"updatedAt":100,"publishedAt":101},44,"ndyi3ro2mlncggjsp6vy47ue","Passkeys","2026-04-28T05:22:55.540Z","2026-04-28T05:22:57.559Z",{"id":103,"documentId":104,"name":105,"slug":51,"createdAt":106,"updatedAt":106,"publishedAt":107},54,"aik3it1d9trj8u1rr5wbmw2d","FIDO2","2026-04-28T05:24:47.451Z","2026-04-28T05:24:49.300Z",{"id":109,"documentId":110,"name":111,"slug":51,"createdAt":112,"updatedAt":112,"publishedAt":113},14,"cayvzwteev09nngcidjgi3lb","YubiOn FIDO Logon","2026-04-28T01:49:14.235Z","2026-04-28T01:49:16.082Z",{"id":115,"documentId":116,"name":117,"slug":51,"createdAt":118,"updatedAt":118,"publishedAt":119},98,"ze8oeribfs3nh7edjn3larik","EnterpriseAttestation","2026-04-28T06:24:31.082Z","2026-04-28T06:24:32.927Z",{"id":121,"metaDescription":122},265,"A technical overview of FIDO2 Enterprise Attestation, a spec for managing authenticators by serial number, as used in YubiOn.",{"left":4,"top":4,"width":5,"height":5,"rotate":4,"vFlip":6,"hFlip":6,"body":124},"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M15.75 6a3.75 3.75 0 1 1-7.5 0a3.75 3.75 0 0 1 7.5 0M4.501 20.118a7.5 7.5 0 0 1 14.998 0A17.9 17.9 0 0 1 12 21.75c-2.676 0-5.216-.584-7.499-1.632\"\u002F>",1783406262044]