
A restrictive, high-assurance policy. As configured in the JSON below, it:

  • Requires Windows 10+
  • Requires Windows Hello to be enabled
  • Requires user verification (biometrics or PIN) on every operation — `userVerification` is set to `required`
  • Requires direct TPM attestation (`attestation.conveyance` is `direct`, `attestation.formats` is `tpm`) and pins registration to the single AAGUID listed under `allowedAaguids`
  • Uses RSA or ECDSA (which one depends on the TPM version). Note that the `algorithms` lists below are broader than this description — they also allow EdDSA, ES256K and curve25519 — so if you want the enforced policy to match what is described here, remove the algorithms you do not expect from a TPM-backed authenticator

See the FIDO Policy definitions page for the meaning of each field used below.

{
    "FidoPolicy": {
        "name": "RestrictedSKFSPolicy-TPM",
        "copyright": "StrongAuth, Inc. (DBA StrongKey) All Rights Reserved",
        "version": "2.0",
        "startDate": "1745341841",
        "endDate": "1760103870871",
        "system": {
            "did": 5,
            "requireCounter": "mandatory",
            "integritySignatures": true,
            "userVerification": [
                "required"
            ],
            "userPresenceTimeout": 30,
            "allowedAaguids": [
                "08987058-cadc-4b81-b6e1-30de50dcbe96"
            ],
            "transport": [
                "usb",
                "internal"
            ]
        },
        "subdomains": {
            "enabled": false,
            "allowedSubdomains": [
            ]
        },
        "relatedOriginRequests": {
            "enabled": false
        },
        "digitalAssetLinks": {
            "enabled": false
        },
        "algorithms": {
            "curves": [
                "secp256r1",
                "secp384r1",
                "secp521r1",
                "curve25519"
            ],
            "rsa": [
                "RS256",
                "RS384",
                "RS512",
                "PS256",
                "PS384",
                "PS512"
            ],
            "signatures": [
                "ES256",
                "ES384",
                "ES512",
                "EdDSA",
                "ES256K"
            ]
        },
        "attestation": {
            "conveyance": [
                "direct"
            ],
            "formats": [
                "tpm"
            ]
        },
        "registration": {
            "displayName": "required",
            "attachment": [
                "platform"
            ],
            "discoverableCredential": [
                "required"
            ],
            "excludeCredentials": "enabled"
        },
        "authentication": {
            "allowCredentials": "enabled"
        },
        "authorization": {
            "maxdataLength": 256,
            "preserve": true
        },
        "rp": {
            "id": "strongkey.com",
            "name": "FIDOServer"
        },
        "extensions": {
        },
        "mds": {
            "authenticatorStatusReport": [
                {
                    "status": "FIDO_CERTIFIED_L1",
                    "priority": "1",
                    "decision": "IGNORE"
                },
                {
                    "status": "FIDO_CERTIFIED_L2",
                    "priority": "1",
                    "decision": "ACCEPT"
                },
                {
                    "status": "UPDATE_AVAILABLE",
                    "priority": "5",
                    "decision": "IGNORE"
                },
                {
                    "status": "REVOKED",
                    "priority": "10",
                    "decision": "DENY"
                }
            ]
        },
        "jwt": {
            "algorithms": [
                "ES256",
                "ES384",
                "ES521"
            ],
            "duration": 30,
            "required": [
                "rpid",
                "iat",
                "exp",
                "cip",
                "uname",
                "agent"
            ]
        },
        "signcerts": {
            "rootca": {
                "subjectdn": "CN=StrongKey FIDO Server RootCA,OU=DID 5,O=StrongKey",
                "serialnumber": "-4339650565763296296",
                "pemcert": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----",
                "jwtcerts": {
                    "default": [
                        {
                            "subjectdn": "CN=SKFS JWT Signer 1,OU=DID 5,O=StrongKey",
                            "serialnumber": "474576173225964040",
                            "pemcert": "-----BEGIN CERTIFICATE-----MIICBzCCAWmgAwIBAgIIBpYIg9//cggwCgYIKoZIzj0EAwQwSzESMBAGA1UEChMJU3Ryb25nS2V5MQ4wDAYDVQQLEwVESUQgNTElMCMGA1UEAxMcU3Ryb25nS2V5IEZJRE8gU2VydmVyIFJvb3RDQTAeFw0yNTA0MjIxNjU4NTBaFw0yNjA0MjIxNjU4NTBaMEAxEjAQBgNVBAoTCVN0cm9uZ0tleTEOMAwGA1UECxMFRElEIDUxGjAYBgNVBAMTEVNLRlMgSldUIFNpZ25lciAxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKLRpILobZSqwvBmaUgGat8EyjoL8t4hKRIk9zyEPjWing1ga4t7LYvD9zOQQdgE5utbXm7g1d1RM88BwVFGECqNCMEAwHQYDVR0OBBYEFLFBdlDsSiOe7+A/dPJrvc95AF5BMB8GA1UdIwQYMBaAFP5QTpbnG6az05KaUt2XGbg8Xhy1MAoGCCqGSM49BAMEA4GLADCBhwJCAUIfAVdlLJT+niXRN3METQvslytLWPtc2ebLP/KdwWPTBgOogaWNqreLHY70Y4Mk6kwzCnXvQIo5kebgMBZ0Xc27AkF6kZNYmXHA++KOtTYJPeFcIrAWqICnxZ9v4wN2dhyJbfojYRVH/QfpVUYKalcmL65uDYRtrq1vOu7TyRuZz+6kgg==-----END CERTIFICATE-----"
                        },
                        {
                            "subjectdn": "CN=SKFS JWT Signer 2,OU=DID 5,O=StrongKey",
                            "serialnumber": "-9061886999239454306",
                            "pemcert": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----"
                        },
                        {
                            "subjectdn": "CN=SKFS JWT Signer 3,OU=DID 5,O=StrongKey",
                            "serialnumber": "-7787647328742383816",
                            "pemcert": "-----BEGIN CERTIFICATE-----MIICCTCCAWqgAwIBAgIJAJPsuAPmSl84MAoGCCqGSM49BAMEMEsxEjAQBgNVBAoTCVN0cm9uZ0tleTEOMAwGA1UECxMFRElEIDUxJTAjBgNVBAMTHFN0cm9uZ0tleSBGSURPIFNlcnZlciBSb290Q0EwHhcNMjUwNDIyMTY1OTI2WhcNMjYwNDIyMTY1OTI2WjBAMRIwEAYDVQQKEwlTdHJvbmdLZXkxDjAMBgNVBAsTBURJRCA1MRowGAYDVQQDExFTS0ZTIEpXVCBTaWduZXIgMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABP0RUFAFAUfvdeajyMmHfT9zvYk3aYv6BfM4kBWlodHw1nP365M3b9TK9ePWsaCD2T9igFg0CQ2zGfPQOKSHhI6jQjBAMB0GA1UdDgQWBBTnHwEzZU3MKiVIW+YbB5w3qY+GNDAfBgNVHSMEGDAWgBT+UE6W5xums9OSmlLdlxm4PF4ctTAKBggqhkjOPQQDBAOBjAAwgYgCQgGeOVDRuhwbvyfNeX2D2XUAPN+Zc7q8n9EPuMrGrtVOWRWCnyCEX0ehkMNlWG1kDI/xvULr9IXWQwspZvSGi0mYKwJCAN/jFGtpZr0tEVRNlUpygaHwn7iXFndevcJXY+YCxXD+sHXH8KOgfZZPgXP4+0p58sRqmyvtXaevDG+V3iKthGee-----END CERTIFICATE-----"
                        }
                    ]
                },
                "samlcerts": {
                    "default": [
                        {
                            "subjectdn": "CN=SKFS SAML Signer 1,OU=DID 5,O=StrongKey",
                            "serialnumber": "-122354956490492651",
                            "pemcert": "-----BEGIN CERTIFICATE-----MIIC5TCCAkagAwIBAgIJAP5NTtC54DUVMAoGCCqGSM49BAMEMEsxEjAQBgNVBAoTCVN0cm9uZ0tleTEOMAwGA1UECxMFRElEIDUxJTAjBgNVBAMTHFN0cm9uZ0tleSBGSURPIFNlcnZlciBSb290Q0EwHhcNMjUwNDIyMTcwNzAyWhcNMjYwNDIyMTcwNzAyWjBBMRIwEAYDVQQKEwlTdHJvbmdLZXkxDjAMBgNVBAsTBURJRCA1MRswGQYDVQQDExJTS0ZTIFNBTUwgU2lnbmVyIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMIvHXPYzdL3Y5XtCB9T5lb3yRAHvl6LLGWG/8vd8cGS7s2d8cJbYUnZExWkKZ9ute2LB689BCv9c3mQpYCQGc/Gybhm5McUtUmPz7MAuVsWXjqKZg+EtI+yrf62o1sEi1MTOPg+ISDGXtG4KBXFjmMOSOszJLEXTJBLJjVaKfCwpV0gZZTNPoNpfesU06GXBG4Xts7RolKxHioAJG9GtXqElYKp853KlGdUki48/M44c1Qo/cvX8D17YMKm44NmcAQ/SXc66650F9GIy7SvQ+F8SWoMk7CB21E8jXu2GYA8ZkBRavWO2KbO6xnBGhV1AQ4Xvjd5BhCBdzR4JsuKI9AgMBAAGjUjBQMB0GA1UdDgQWBBSyyHQtcwjAqcv8DXopjV+ehijwBDAOBgNVHQ8BAf8EBAMCB4AwHwYDVR0jBBgwFoAU/lBOlucbprPTkppS3ZcZuDxeHLUwCgYIKoZIzj0EAwQDgYwAMIGIAkIBW1taTxznRM+49irvSF9EJMOcqYonLJ1HyP2WeAQSHZnXi/lbwQuC8xXMUvP+ByBTQA58IQ4lhRuB1EWCdDvph7wCQgDOV/r9H5lywBPP3YBJ5vMhcd+BUfXyASVuiYxCHQckQvrVOmUJxBhhvMjHDAXiEsL8+CGTBbLxfb2BcF9JDwtqsQ==-----END CERTIFICATE-----"
                        },
                        {
                            "subjectdn": "CN=SKFS SAML Signer 2,OU=DID 5,O=StrongKey",
                            "serialnumber": "-155842409607334431",
                            "pemcert": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----"
                        },
                        {
                            "subjectdn": "CN=SKFS SAML Signer 3,OU=DID 5,O=StrongKey",
                            "serialnumber": "5612682686215377940",
                            "pemcert": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----"
                        }
                    ],
                    "citrixidp": {
                        "subjectdn": "CN=SKFS SAML Signer 1,OU=DID 5,O=StrongKey",
                        "serialnumber": "-122354956490492651",
                        "pemcert": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----"
                    }
                }
            }
        }
    }
}

 

To learn more about the SKFS FIDO Policy, check out the SKFS FIDO Policy JSON Schema. Before deploying this example, adapt it to your environment: replace `rp.id` (`strongkey.com`) with your own relying-party ID; check `startDate` and `endDate`, which in this example appear to use different epoch units (seconds versus milliseconds); note that `mds.authenticatorStatusReport` only decides the four MDS statuses shown, so confirm how the server treats any other status before relying on this list; and verify the JWT algorithm name `ES521` against the schema, since the `signatures` list above uses the JWA name `ES512`.