4 Enterprise attestation
Attestation is the process of obtaining proof of authenticity from a passkey device; by default, the basic attestation process allows an authenticator to provide only its AAGUID (a 128-bit identifier of the type of the authenticator) and high-level information about its type and capabilities.
Enterprise attestation extends this process by including a unique identifier for the authenticator, such as its serial number. This allows your organization to control the issuance of passkeys to approved authenticators.
Important: You must discuss your enterprise attestation requirements with your authenticator vendor so they can supply you with devices that are suitable for your purposes. You may require devices that have been manufactured to your organization's requirements; your vendor can advise you.
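The relying-party side of the attestation check described above, as an added example that is not part of the MyID documentation or product: it parses WebAuthn authenticator data to recover the AAGUID and gates registration on an allow-list of approved authenticator models. The RP ID and AAGUIDs are constructed placeholders, and the vendor-specific serial-number extraction that enterprise attestation adds on top is left out.

```python
import hashlib
import struct
import uuid

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data (AAGUID + credential ID) present

# Constructed placeholders; a real deployment uses its own RP ID and the
# AAGUIDs of the models supplied by the authenticator vendor.
RP_ID = "passkeys.example.com"
APPROVED_AAGUID = uuid.UUID("12345678-1234-4abc-8def-000000000001")
UNAPPROVED_AAGUID = uuid.UUID("12345678-1234-4abc-8def-000000000002")

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed-layout authenticator data returned at registration."""
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    parsed = {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}
    if flags & FLAG_AT:
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        parsed["credential_id"] = auth_data[55:55 + cred_len]
        # The COSE credential public key follows; not needed for these checks.
    return parsed

def check_registration(auth_data: bytes, fmt: str, rp_id: str, approved: set):
    """Relying-party gate: accept only attested credentials from approved models.
    fmt is the attestation object's "fmt"; "none" means the statement was stripped."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not parsed["flags"] & FLAG_UV:
        return False, "user verification flag not set"
    if "aaguid" not in parsed:
        return False, "no attested credential data in authenticator data"
    if fmt == "none":
        return False, "attestation statement absent; cannot identify the device"
    if parsed["aaguid"] not in approved:
        return False, f"AAGUID {parsed['aaguid']} is not an approved authenticator model"
    return True, f"accepted credential from approved model {parsed['aaguid']}"

def build_sample(rp_id: str, aaguid: uuid.UUID, cred_id: bytes = b"\x42" * 16) -> bytes:
    """Construct authenticator data laid out as an authenticator would emit it."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_UP | FLAG_UV | FLAG_AT])
            + struct.pack(">I", 1)
            + aaguid.bytes
            + struct.pack(">H", len(cred_id))
            + cred_id)
```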
The following types of enterprise attestation are available:
- Vendor-facilitated enterprise attestation
If you want to use vendor-facilitated enterprise attestation, you must work with an authenticator vendor to produce devices that carry a specific set of attestation keys and include enterprise attestation metadata. You can then configure MyID CMS to issue passkeys only to those devices that pass the enterprise attestation checks, ensuring that you are issuing passkeys only to the approved devices.
A major component of vendor-facilitated enterprise attestation is a preconfigured list of relying party (RP) IDs that is built into the devices by the manufacturer; that is, a list of the domains that are allowed to request enterprise attestation from a device.
Vendor-facilitated enterprise attestation is supported using most modern browsers (for example, Chrome, Firefox, and Edge) and the MyID Client Service app.
- Platform-managed enterprise attestation
As an alternative to manufacturing devices with a preconfigured list of RP IDs, you can instead manage and control the list of relying parties using an enterprise-managed browser.
Currently, this is supported only using Google Chrome (as an experimental feature) and the MyID Client Service app.
For information on configuring your organization's Chrome browsers to provide the allowed list of RP IDs, see section 4.1, Enabling platform-managed enterprise attestation in Google Chrome.
To configure MyID to issue passkeys using enterprise attestation, you must configure a credential profile with the Require Attestation option set to Enterprise or Enterprise (Restricted). See section 5.1, Setting up a passkey credential profile for the MyID Operator Client or section 5.2, Setting up a passkey credential profile for the Self-Service Request Portal for details.
Depending on the implementation of enterprise attestation by your passkey device manufacturer, the device serial number may be extracted from the device to provide unique identification; see section 4.2, Linked credentials for details.
When you issue passkeys using enterprise attestation, this affects how you can work with the passkeys, in particular when canceling a credential or marking the device as lost or disposed. See section 4.3, Working with enterprise attestation credentials.