---
title: FIDO Policies
description: FIDO policies allow you to fine-tune the use of FIDO2 authentication in authentication flows, for example, by limiting authentication to specific types of FIDO2 devices.
component: pingone-api
page_id: pingone-api:mfa:fido-policies
canonical_url: https://developer.pingidentity.com/pingone-api/mfa/fido-policies.html
section_ids:
  assigning-admin-roles-and-permissions-to-this-service: Assigning admin roles and permissions to this service
  fido-policies-data-model: FIDO policies data model
  additional-information-returned-in-responses: Additional information returned in responses
  fido-policies-events-generated: FIDO policies events generated
  fido-device-metadata: FIDO device metadata
  adding-a-custom-authenticator: Adding a custom authenticator
  sample-body-for-request-u2f-device: Sample body for request - U2F device
  sample-body-for-request-fido2-device: Sample body for request - FIDO2 device
---

# FIDO Policies

FIDO policies allow you to fine-tune the use of FIDO2 authentication in authentication flows, for example, by limiting authentication to specific types of FIDO2 devices.

An endpoint (`fidoDevicesMetadata`) is also provided for reading information from the device metadata table stored by PingOne, and for adding or removing custom devices.

## Assigning admin roles and permissions to this service

Admin role assignments determine access to PingOne APIs. When assigning admin roles to this service, refer to [PingOne Permissions by Service](../platform/reference/roles-and-permissions-in-pingone/permissions-by-service.html) for the service-specific permissions.

You can also choose to assign admin roles based on particular service resources. Refer to [PingOne Permissions by Resource](../platform/reference/roles-and-permissions-in-pingone/permissions-by-resource.html) when assigning admin roles per service resources.

Admin assignments to roles are set by:

* [Automatic assignment for some roles](../platform/roles/predefined-roles.html#automatic-role-assignment).

* [Group Role Assignments](../platform/group-role-assignments/group-role-assignments.html).

* [User Role Assignments](../platform/users/user-role-assignments.html).

Refer to [Roles Management](../platform/roles.html) for more information.

## FIDO policies data model

| Property                                                    | Type    | Required? | Mutable?  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ----------------------------------------------------------- | ------- | --------- | --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `aggregateDevices`                                          | Boolean | Optional  | Mutable   | By default, when the user is presented with a list of available authentication methods, each paired FIDO2 device is displayed separately. If you prefer to have only one generic FIDO2 option displayed in the list, set `aggregateDevices` to `true`. The text displayed for the single option will be the value of the parameter `deviceDisplayName`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| `attestationRequirements`                                   | String  | Required  | Mutable   | Set to DIRECT if you want to require some sort of attestation. Set to NONE if you don't want to require attestation. If you set `attestationRequirements` to NONE, you should also set `mdsAuthenticatorsRequirements.option` to NONE. Set the value to ENTERPRISE if you want to require enterprise attestation to verify that the authenticator being used was provided by the organization.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| `authenticatorAttachment`                                   | String  | Required  | Mutable   | Used to control the type of authenticators that are allowed. Can be one of the following values:<br>\* PLATFORM - only allow the use of FIDO device authenticators that contain an internal authenticator (such as a face or fingerprint scanner)<br>\* CROSS\_PLATFORM - allow use of cross-platform authenticators, which are external to the accessing device (such as a security key)<br>\* BOTH - allow both categories of authenticators |
| `backupEligibility`                                         | Object  | Required  | Mutable   | Used to control whether users should be allowed to register and authenticate with a device that uses cloud-synced credentials, such as a passkey.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| `backupEligibility.allow`                                   | Boolean | Required  | Mutable   | Set to true if you want to let users register and authenticate with a device that uses cloud-synced credentials. Set to false if you don't want to allow this.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| `backupEligibility.enforceDuringAuthentication`             | Boolean | Required  | Mutable   | Set to true if you want the backup eligibility of the device to be checked again at each authentication attempt and not just once during registration. Set to false to have it checked only at registration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| `default`                                                   | Boolean | Optional  | Mutable   | Whether this policy should serve as the default FIDO policy.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| `description`                                               | String  | Optional  | Mutable   | Description of the FIDO policy.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| `deviceAuthenticationPolicies`                              | Array   | N/A       | Read-only | The device authentication policies that use the relevant FIDO policy. If you include the parameter `expand=deviceAuthenticationPolicies` in the URL of the request, this array is included in the response when reading FIDO policies. Each object in the array contains the ID and the name of the device authentication policy.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| `deviceDisplayName`                                         | String  | Required  | Mutable   | The name to display for FIDO2 devices in registration and authentication windows. Can be up to 100 characters. If you want to use translatable text, you can use any of the keys listed on the *FIDO Policy* page of the *Self-Service* module and the *Sign On Policy* module. The value of the parameter should include only the part of the key name that comes after the module name, for example, `fidoPolicy.deviceDisplayName01` or `fidoPolicy.deviceDisplayName07`. Refer to the pages in the UI for the full list of keys. For more information on translatable keys, refer to [Modifying translatable keys](https://docs.pingidentity.com/pingone/user_experience/p1_modifying_translatable_keys.html) in the PingOne documentation. If users have more than one paired FIDO2 device, they can differentiate between them by setting a nickname for each one.                                                                                                                                                                                                                                                                                                                                                                                               |
| `discoverableCredentials`                                   | String  | Required  | Mutable   | Use this field to specify when registered users can authenticate without providing credentials. The possible values are:<br>\* DISCOURAGED - discoverable credentials are not used, even when supported by the FIDO device. In cases where use of discoverable credentials is required by the FIDO device itself, this setting does not override the device setting.<br>\* REQUIRED - require the use of discoverable credentials. This option is required for usernameless authentication.<br>\* PREFERRED - use discoverable credentials where possible. |
| `eaUniqueIdentifierAttribute.name`                          | String  | Optional  | Mutable   | When defining a FIDO policy that requires enterprise attestation, you can add an additional layer of security by using `eaUniqueIdentifierAttribute.name` to specify the name of a PingOne custom attribute that represents the unique identifier for the authenticator. If you include this field when creating the FIDO policy, a user's authenticator will be registered only if its identifier matches the value of the custom attribute. The value of this parameter must be the name of a single-value string custom attribute that already exists in the PingOne environment.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| `mdsAuthenticatorsRequirements`                             | Object  | Required  | Mutable   | Used to specify whether attestation is requested from the authenticator, and whether this information is used to restrict authenticator usage.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| `mdsAuthenticatorsRequirements.allowedAuthenticators`       | Array   | Required  | Mutable   | If you set `mdsAuthenticatorsRequirements.option` to SPECIFIC, use this array to specify the authenticators that you want to allow.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| `mdsAuthenticatorsRequirements.allowedAuthenticators.id`    | String  | Required  | Mutable   | The `mdsIdentifier` of the authenticator to allow. |
| `mdsAuthenticatorsRequirements.enforceDuringAuthentication` | Boolean | Required  | Mutable   | Set to true if you want the device characteristics related to attestation to be checked again at each authentication attempt and not just once during registration. Set to false to have them checked only at registration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| `mdsAuthenticatorsRequirements.option`                      | String  | Required  | Mutable   | Use `option` to specify the types of devices you want to allow on the basis of the attestation provided. Can be one of the following values:<br>\* NONE - do not request attestation, allow all FIDO devices<br>\* AUDIT\_ONLY - attestation is requested and the information is used for logging purposes, but the information is not used for filtering authenticators<br>\* GLOBAL - allow use of all FIDO authenticators listed in the Global Authenticators table.<br>\* CERTIFIED - allow only FIDO Certified authenticators<br>\* SPECIFIC - allow only the authenticators specified with the `mdsAuthenticatorsRequirements.allowedAuthenticators` parameter. |
| `name`                                                      | String  | Required  | Mutable   | The name to use for the FIDO policy. Can be up to 256 characters.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| `publicKeyCredentialHints`                                  | Array   | Optional  | Mutable   | The `publicKeyCredentialHints` array is used to indicate that you want to provide public key credential hints to the browser to help give priority to the authentication method that the user is most likely to use. You can include in the array one or more of the following values: `SECURITY_KEY`, `CLIENT_DEVICE`, `HYBRID`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| `relyingPartyId`                                            | String  | Required  | Mutable   | The ID of the relying party. The value should be a domain name, such as example.com (in lower-case characters). For Sandbox environments in PingOne, you can also use the value `localhost`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| `userDisplayNameAttributes`                                 | Object  | Required  | Mutable   | Used to specify the string associated with the user's account that is displayed during registration and authentication. |
| `userDisplayNameAttributes.attributes`                      | Array   | Required  | Mutable   | List of strings associated with the user's account that can be displayed during registration and authentication. Each object in the array is a name:value pair where the first part is "name" and the second is the name of the user attribute, for example, `{"name": "username"}, {"name": "email"}`. If you want to use the "name" attribute for the user, you must also specify the "subAttributes", which can be either the "given" and "family" user attributes or the "formatted" user attribute. For example, `{"name": "name", "subAttributes":[{"name": "given"}, {"name": "family"}]}, {"name": "email"}` or `{"name": "name", "subAttributes":[{"name": "formatted"}]}, {"name": "email"}`.<br>\* The content of the list should reflect the preferred order.<br>\* If the first attribute is empty for the user, PingOne will continue through the list until a non-empty attribute is found.<br>\* You can specify any user attribute (including custom attributes) that meets the following criteria: attribute type must be String, validation cannot be set to enumerated values.<br>\* The array must contain the user attribute "username" - to ensure that there is at least one non-empty attribute.<br>\* You can have a maximum of six user attributes in the list. |
| `userDisplayNameAttributes.suffix`                          | String  | Optional  | Mutable   | Include `userDisplayNameAttributes.suffix` in the request if you would like to include the PingOne environment name and/or the PingOne organization name in the popup window that is displayed when a user adds a passkey as an authentication method. The possible values are ENV\_NAME, ORG\_NAME, ORG\_NAME\_AND\_ENV\_NAME.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| `userPresenceTimeout`                                       | Object  | Optional  | Mutable   | Used to specify the amount of time the user has to perform a user presence gesture with their FIDO device before the request expires. The defined timeout applies also to the pairing of the device. Note that the information is provided as a hint to the authenticator so the actual time given may differ from what you defined.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| `userPresenceTimeout.duration`                              | Integer | Optional  | Mutable   | The amount of time a user presence gesture will be accepted for the authentication request. Minimum is one minute, maximum is ten minutes. Can be set in minutes or seconds.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| `userPresenceTimeout.timeUnit`                              | String  | Optional  | Mutable   | The units to use for specifying the amount of time a user presence gesture will be accepted for the authentication request. Can be set to `MINUTES` or `SECONDS`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| `userVerification`                                          | Object  | Required  | Mutable   | Used to control whether the user must perform a gesture (such as a public key credential, fingerprint scan, or a PIN code) when registering or authenticating with their FIDO device.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| `userVerification.enforceDuringAuthentication`              | Boolean | Optional  | Mutable   | Set to true if you want the device characteristics related to user verification to be checked again at each authentication attempt and not just once during registration. Set to false to have them checked only at registration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| `userVerification.option`                                   | String  | Required  | Mutable   | Can be one of the following values: \* REQUIRED - only FIDO devices supporting user verification can be used. \* DISCOURAGED - user verification is not required, even when supported by the FIDO device. In cases where user verification is required by the FIDO device itself, this setting does not override the device setting. \* PREFERRED - user verification is required if the user's FIDO device supports it, but is not required if the user's device does not support it. For usernameless flows, only FIDO devices supporting user verification can be used, regardless of the value you set for `userVerification.option`. |
| `userVerification.pinRequirement`                           | Object  | Optional  | Mutable   | Include the `pinRequirement` object if you want to set a minimum PIN code length for devices.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| `userVerification.pinRequirement.minLength`                 | Integer | Optional  | Mutable   | When `pinRequirement.option` is set to ENABLED or OPTIONAL, use `minLength` to specify the minimum PIN code length that you require.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| `userVerification.pinRequirement.option`                    | String  | Required  | Mutable   | Can take any of the following values: \* DISABLED - PIN code length is not checked. \* ENABLED - For devices that return the PIN code length, the code is checked to verify that it meets the minimum length you specified. For devices that don't return PIN code length, authentication fails. \* OPTIONAL - For devices that return the PIN code length, the code is checked to verify that it meets the minimum length you specified. For devices that don't return PIN code length, the check is not carried out. |
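
The constraints in the rows from `relyingPartyId` down can be checked locally before a policy body is sent. The following is an added example, not PingOne code: `check_policy`, `SAMPLE_POLICY`, the domain-name pattern, and the choice to report a missing `minLength` or timeout field are assumptions made here.

```python
import re

UV_OPTIONS = {"REQUIRED", "PREFERRED", "DISCOURAGED"}
PIN_OPTIONS = {"DISABLED", "ENABLED", "OPTIONAL"}
SUFFIXES = {"ENV_NAME", "ORG_NAME", "ORG_NAME_AND_ENV_NAME"}
# Assumption: "a domain name in lower-case characters" is read as dot-separated
# labels of a-z, 0-9 and hyphen; the page does not give an exact grammar.
DOMAIN = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")


def check_policy(policy, sandbox=False):
    """Return the problems found in the policy properties covered here."""
    problems = []
    rp = policy.get("relyingPartyId")
    if not (isinstance(rp, str) and (DOMAIN.match(rp) or (sandbox and rp == "localhost"))):
        problems.append("relyingPartyId: expected a lower-case domain name")

    display = policy.get("userDisplayNameAttributes") or {}
    attrs = display.get("attributes") or []
    if "username" not in [a.get("name") for a in attrs]:
        problems.append("userDisplayNameAttributes.attributes: must contain username")
    if len(attrs) > 6:
        problems.append("userDisplayNameAttributes.attributes: maximum is six")
    for attr in attrs:
        if attr.get("name") == "name":
            subs = {s.get("name") for s in attr.get("subAttributes", [])}
            if subs not in ({"given", "family"}, {"formatted"}):
                problems.append("userDisplayNameAttributes.attributes: name needs "
                                "subAttributes given and family, or formatted")
    if display.get("suffix", "ENV_NAME") not in SUFFIXES:
        problems.append("userDisplayNameAttributes.suffix: unknown value")

    timeout = policy.get("userPresenceTimeout")
    if timeout is not None:
        # Assumption: when the object is present, both fields are expected.
        unit, duration = timeout.get("timeUnit"), timeout.get("duration")
        if unit not in ("MINUTES", "SECONDS"):
            problems.append("userPresenceTimeout.timeUnit: use MINUTES or SECONDS")
        elif type(duration) is not int:
            problems.append("userPresenceTimeout.duration: expected an integer")
        else:
            seconds = duration * 60 if unit == "MINUTES" else duration
            if not 60 <= seconds <= 600:
                problems.append("userPresenceTimeout.duration: range is one to ten minutes")

    uv = policy.get("userVerification") or {}
    if uv.get("option") not in UV_OPTIONS:
        problems.append("userVerification.option: use REQUIRED, PREFERRED or DISCOURAGED")
    if not isinstance(uv.get("enforceDuringAuthentication", False), bool):
        problems.append("userVerification.enforceDuringAuthentication: expected a boolean")
    pin = uv.get("pinRequirement")
    if pin is not None:
        if pin.get("option") not in PIN_OPTIONS:
            problems.append("pinRequirement.option: use DISABLED, ENABLED or OPTIONAL")
        elif pin["option"] != "DISABLED":
            # Assumption: a missing minLength is reported, since the length
            # check would have no threshold to compare against.
            min_len = pin.get("minLength")
            if type(min_len) is not int or min_len < 1:
                problems.append("pinRequirement.minLength: expected a positive integer")
    return problems


# Constructed sample: only the properties checked above are included.
SAMPLE_POLICY = {
    "relyingPartyId": "example.com",
    "userDisplayNameAttributes": {
        "attributes": [
            {"name": "name", "subAttributes": [{"name": "given"}, {"name": "family"}]},
            {"name": "email"},
            {"name": "username"},
        ],
        "suffix": "ORG_NAME",
    },
    "userPresenceTimeout": {"duration": 2, "timeUnit": "MINUTES"},
    "userVerification": {
        "enforceDuringAuthentication": True,
        "option": "REQUIRED",
        "pinRequirement": {"option": "ENABLED", "minLength": 6},
    },
}

if __name__ == "__main__":
    print(check_policy(SAMPLE_POLICY) or "no problems found")
```
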

## Additional information returned in responses

* `id` - the ID assigned to the policy

* `createdAt`

* `updatedAt`

* `_embedded.deviceAuthenticationPolicies` - array of the device authentication policies that use the FIDO policy. Each object in the array consists of the ID of the device authentication policy and the name of the device authentication policy. Returned only if the query includes the parameter `expand=deviceAuthenticationPolicies`.

## FIDO policies events generated

Refer to [Audit Reporting Events](/pingone/platform/v1/api/#audit-reporting-events) for the events generated.

## FIDO device metadata

PingOne maintains a *global authenticator table*, which presents metadata for individual authenticators. This includes both authenticators that are represented in the FIDO Alliance Metadata Service (MDS), and custom authenticator data that you add to the table via the UI or the API.

The endpoints provided for FIDO device metadata allow you to:

* Retrieve the basic metadata for all of the authenticators in the table

* Retrieve detailed metadata for a specific authenticator from the table

* Add metadata for custom authenticators

* Delete from the table a custom authenticator that you added

### Adding a custom authenticator

When you use the `fidoDevicesMetadata` endpoint to add a custom authenticator to the global authenticator table, the data included in the request should conform to the [Metadata Statement Format](https://fidoalliance.org/specs/mds/fido-metadata-statement-v3.0-ps-20210518.html#metadata-statement-format) provided by the FIDO Alliance.

Before adding an authenticator using JSON data provided by a manufacturer, verify that the data conforms to the following details expected by the PingOne API:

* The metadata outlined in the standard should be enclosed in an object called `metadataStatement`.

* The `metadataStatement` should be enclosed in an object that also includes the relevant key identifier: the `attestationCertificateKeyIdentifiers` array for devices conforming with the U2F protocol, and the `aaguid` field for devices conforming with the FIDO2 protocol.
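
One way to run this check on manufacturer-supplied JSON before submitting it, as an added example that is not PingOne code. `check_request_body` and the sample bodies are assumptions made here; the comparison of the top-level identifier with the copies inside `metadataStatement` and the base64/DER test on `attestationRootCertificates` go beyond the two points above and follow the FIDO metadata statement format.

```python
import base64
import binascii
import re
import uuid

HEX_KEY_ID = re.compile(r"^[0-9a-f]+$")  # key identifiers are lower-case hex


def _aaguid(value):
    """Parse an AAGUID written with or without hyphens; None if malformed."""
    try:
        return uuid.UUID(str(value))
    except ValueError:
        return None


def check_request_body(body):
    """Return the problems found in a request body for a custom authenticator."""
    stmt = body.get("metadataStatement")
    if not isinstance(stmt, dict):
        return ["metadata must be enclosed in a metadataStatement object"]
    problems = []
    family = stmt.get("protocolFamily")
    if family == "u2f":
        outer = body.get("attestationCertificateKeyIdentifiers")
        if not isinstance(outer, list) or not outer:
            problems.append("U2F body needs a non-empty "
                            "attestationCertificateKeyIdentifiers array")
        else:
            if not all(isinstance(k, str) and HEX_KEY_ID.match(k) for k in outer):
                problems.append("key identifiers must be lower-case hex strings")
            inner = stmt.get("attestationCertificateKeyIdentifiers")
            if isinstance(inner, list) and set(map(str, inner)) != set(map(str, outer)):
                problems.append("key identifiers differ between the body "
                                "and metadataStatement")
    elif family == "fido2":
        outer = _aaguid(body.get("aaguid"))
        if outer is None:
            problems.append("FIDO2 body needs a valid top-level aaguid")
        else:
            # authenticatorGetInfo carries the same AAGUID without hyphens.
            get_info = stmt.get("authenticatorGetInfo") or {}
            copies = {"metadataStatement.aaguid": stmt.get("aaguid"),
                      "authenticatorGetInfo.aaguid": get_info.get("aaguid")}
            for where, value in copies.items():
                if value is not None and _aaguid(value) != outer:
                    problems.append(f"{where} does not match the top-level aaguid")
    else:
        # Only the two protocol families described on this page are covered.
        problems.append(f"unexpected protocolFamily: {family!r}")

    for i, cert in enumerate(stmt.get("attestationRootCertificates", [])):
        try:
            der = base64.b64decode(cert, validate=True)
        except (binascii.Error, ValueError, TypeError):
            der = b""
        if not der.startswith(b"\x30"):  # a DER certificate is a SEQUENCE
            problems.append(f"attestationRootCertificates[{i}] is not base64-encoded DER")
    return problems


# Constructed sample bodies: the identifiers are the ones used in this page's
# samples; the "certificate" is a dummy DER SEQUENCE, not a real trust anchor.
_DUMMY_DER = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
GOOD_U2F = {
    "attestationCertificateKeyIdentifiers": ["31116a647069d1493f58fc5b54e5449e2a52d43e"],
    "metadataStatement": {
        "protocolFamily": "u2f",
        "attestationCertificateKeyIdentifiers": ["31116a647069d1493f58fc5b54e5449e2a52d43e"],
        "attestationRootCertificates": [_DUMMY_DER],
    },
}
GOOD_FIDO2 = {
    "aaguid": "e1a96183-5016-4f24-b55b-e3ae23614cc6",
    "metadataStatement": {
        "protocolFamily": "fido2",
        "aaguid": "e1a96183-5016-4f24-b55b-e3ae23614cc6",
        "attestationRootCertificates": [_DUMMY_DER],
        "authenticatorGetInfo": {"aaguid": "e1a9618350164f24b55be3ae23614cc6"},
    },
}

if __name__ == "__main__":
    for name, body in (("u2f", GOOD_U2F), ("fido2", GOOD_FIDO2)):
        print(name, check_request_body(body) or "no problems found")
```

A mismatch between the top-level identifier and the copies inside the statement usually means the wrapper was built from a different device's data than the statement it encloses.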

#### Sample body for request - U2F device

```none
{
    "attestationCertificateKeyIdentifiers": [
        "31116a647069d1493f58fc5b54e5449e2a52d43e"
    ],
    "metadataStatement": {
        "legalHeader": "https://fidoalliance.org/metadata/metadata-statement-legal-header/",
        "attestationCertificateKeyIdentifiers": [
            "31116a647069d1493f58fc5b54e5449e2a52d43e"
        ],
        "description": "Yubikey Edge",
        "authenticatorVersion": 1,
        "protocolFamily": "u2f",
        "schema": 3,
        "upv": [
            {
                "major": 1,
                "minor": 1
            }
        ],
        "authenticationAlgorithms": [
            "secp256r1_ecdsa_sha256_raw"
        ],
        "publicKeyAlgAndEncodings": [
            "ecc_x962_raw"
        ],
        "attestationTypes": [
            "basic_full"
        ],
        "userVerificationDetails": [
            [
                {
                    "userVerificationMethod": "presence_internal"
                }
            ]
        ],
        "keyProtection": [
            "hardware",
            "secure_element",
            "remote_handle"
        ],
        "isKeyRestricted": false,
        "isFreshUserVerificationRequired": false,
        "matcherProtection": [
            "on_chip"
        ],
        "cryptoStrength": 128,
        "attachmentHint": [
            "external",
            "wired"
        ],
        "attestationRootCertificates": [
            "<base64-encoded DER certificate>"
        ],
        "icon": "data:image/png;base64,<base64-encoded PNG data>"
    }
}
```

#### Sample body for request - FIDO2 device

```none
{
    "aaguid": "e1a96183-5016-4f24-b55b-e3ae23614cc6",
    "metadataStatement": {
        "legalHeader": "https://fidoalliance.org/metadata/metadata-statement-legal-header/",
        "aaguid": "e1a96183-5016-4f24-b55b-e3ae23614cc6",
        "description": "ATKey.Pro CTAP2.0",
        "authenticatorVersion": 2,
        "protocolFamily": "fido2",
        "schema": 3,
        "upv": [
            {
                "major": 1,
                "minor": 0
            }
        ],
        "authenticationAlgorithms": [
            "secp256r1_ecdsa_sha256_raw"
        ],
        "publicKeyAlgAndEncodings": [
            "cose"
        ],
        "attestationTypes": [
            "basic_full"
        ],
        "userVerificationDetails": [
            [
                {
                    "userVerificationMethod": "fingerprint_internal",
                    "baDesc": {
                        "selfAttestedFRR": 0,
                        "selfAttestedFAR": 0,
                        "maxTemplates": 0,
                        "maxRetries": 0,
                        "blockSlowdown": 0
                    }
                },
                {
                    "userVerificationMethod": "presence_internal"
                },
                {
                    "userVerificationMethod": "passcode_internal"
                }
            ]
        ],
        "keyProtection": [
            "hardware"
        ],
        "isKeyRestricted": false,
        "isFreshUserVerificationRequired": true,
        "matcherProtection": [
            "on_chip"
        ],
        "attachmentHint": [
            "external"
        ],
        "attestationRootCertificates": [
            "<base64-encoded DER certificate>",
            "<base64-encoded DER certificate>"
        ],
        "icon": "data:image/png;base64,<base64-encoded PNG data>",
        "authenticatorGetInfo": {
            "versions": [
                "U2F_V2",
                "FIDO_2_0",
                "FIDO_2_1_PRE"
            ],
            "extensions": [
                "credBlob",
                "credProtect",
                "hmac-secret"
            ],
            "aaguid": "e1a9618350164f24b55be3ae23614cc6",
            "options": {
                "uv": true,
                "userVerificationMgmtPreview": true,
                "credMgmt": true,
                "uvBioEnroll": true,
                "rk": true,
                "plat": false,
                "clientPin": false,
                "up": true,
                "bioEnroll": true,
                "credentialMgmtPreview": true
            },
            "maxMsgSize": 2048,
            "pinUvAuthProtocols": [
                1
            ],
            "maxCredentialCountInList": 20,
            "maxCredentialIdLength": 128,
            "transports": [
                "usb"
            ],
            "algorithms": [
                {
                    "type": "public-key",
                    "alg": -7
                },
                {
                    "type": "public-key",
                    "alg": -8
                }
            ],
            "firmwareVersion": 10013
        }
    }
}
```
