4.3 Working with enterprise attestation credentials
Issuing your passkeys using enterprise attestation affects the lifecycle operations you can carry out on the device.
4.3.1 Issuing passkeys
When you attempt to register a passkey using a credential profile configured for enterprise attestation, if MyID CMS does not trust the enterprise attestation certificate, it rejects the issuance of the passkey.
4.3.2 Authenticating passkeys
When you attempt to authenticate a passkey that has been issued for enterprise attestation, if the relying party does not trust the enterprise attestation certificate, it rejects the authentication.
Note: You must check that your relying party supports enterprise attestation.
If you are using platform-managed enterprise attestation, in addition to trusting the enterprise attestation certificate, the relying party must also be listed in the platform-managed RP ID list.
4.3.3 Resetting and erasing devices
You may find that the enterprise attestation feature on your devices is disabled if you reset the device; see the instructions provided by your device manufacturer for details of re-enabling this feature if required. For example, you can use an app provided by your device manufacturer such as the Yubico Authenticator app.
Note: For some devices (for example, YubiKey v57), MyID CMS carries out a reset on the device when erasing it. Therefore, this operation may also disable the enterprise attestation feature, requiring you to re-enable the feature before you can use the device for enterprise attestation again.
4.3.4 Lost or disposed authenticators
If you have an authenticator that is enabled for enterprise attestation, and you set the disposal status of a passkey on the device to Lost or Disposed, you can no longer issue any passkeys to that physical device.
If you want to issue passkeys to that device again (for example, if a lost device is subsequently found), you must reset the disposal status.
Note: When you set the disposal status for a passkey, it does not affect the other passkeys on the device. To set the disposal status for all passkeys on a device, you can use the batch feature; see the Setting the disposal status of multiple devices section in the MyID Operator Client guide.
4.3.5 Canceling credentials
When you cancel a passkey, it does not affect the other passkeys on the device. To cancel all passkeys on a device, you can use the batch feature; see the Canceling multiple devices section in the MyID Operator Client guide.