Best practices for managing AAGUID changes


What is an AAGUID

The AAGUID is the identifier for a specific make and model of a FIDO2 authenticator. The FIDO Alliance maintains a list of AAGUIDs along with related product and certification information in a metadata service (MDS), the FIDO MDS.
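The AAGUID reaches a relying party as 16 raw bytes inside the attested credential data of the authenticator data returned at registration. The following Python is an added example, not code from this article or from Yubico, showing where those bytes sit, how they are rendered in the UUID form that the FIDO MDS and IdP allow lists use, and how a registration is checked against an allow list. The AAGUID value, RP ID and credential ID are constructed placeholders; the COSE public key that follows the credential ID is stood in for by a single byte and is not parsed. The AAGUID is only trustworthy once the attestation statement has been verified (signature and certificate chain), which this block does not do.

```python
import hashlib
import struct
import uuid

# Authenticator data flag bits (WebAuthn / CTAP2).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data is included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed header and, when present, the attested credential data.

    Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) |
            [aaguid (16) | credentialIdLength (2, big-endian) | credentialId | COSE key]
    The COSE public key after the credential ID is left unparsed here.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    parsed = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID truncated")
        # The 16 AAGUID bytes are rendered as a UUID string, the form used by MDS and allow lists.
        parsed["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        parsed["credential_id"] = cred_id
    return parsed


def aaguid_allowed(auth_data: bytes, allow_list: set) -> bool:
    """Policy check: accept a registration only if its attested AAGUID is allow-listed.

    A registration without attested credential data carries no AAGUID and is rejected.
    Call this only after the attestation statement has been verified; an unverified
    AAGUID is merely self-reported by the client.
    """
    aaguid = parse_authenticator_data(auth_data)["aaguid"]
    return aaguid is not None and aaguid.lower() in {a.lower() for a in allow_list}


# --- constructed sample registration (placeholder AAGUID, not a real product) ---
SAMPLE_AAGUID = "11111111-2222-4333-8444-555555555555"


def build_sample_auth_data(aaguid: str = SAMPLE_AAGUID, rp_id: str = "example.com") -> bytes:
    """Assemble authenticator data laid out as an authenticator would for makeCredential."""
    cred_id = bytes(range(16))
    cose_key_placeholder = b"\xa5"  # stands in for the CBOR-encoded public key
    return (
        hashlib.sha256(rp_id.encode()).digest()
        + bytes([FLAG_UP | FLAG_UV | FLAG_AT])
        + struct.pack(">I", 0)
        + uuid.UUID(aaguid).bytes
        + struct.pack(">H", len(cred_id))
        + cred_id
        + cose_key_placeholder
    )


if __name__ == "__main__":
    data = build_sample_auth_data()
    print(parse_authenticator_data(data)["aaguid"])
    print(aaguid_allowed(data, {SAMPLE_AAGUID}))
```

The allow-list comparison is case-insensitive because MDS publishes AAGUIDs in lowercase while some policy exports use uppercase; a byte-for-byte string comparison is a common source of spurious rejections.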


What triggers AAGUID changes

For certain updates, Yubico may generate new AAGUIDs to distinguish between different events or configurations, and in some cases FIDO Alliance regulations may require new AAGUIDs. Yubico will update the AAGUIDs for its products if at least one of the following criteria is met:

  1. New product introduction
    • A new product is being released that Yubico wants customers to be able to distinguish from previously introduced products because of its configuration or feature set, such as the introduction of the Security Key - Enterprise Edition when previously only the Security Key was available
  2. Mandatory FIDO requirement to change AAGUID
    • The new firmware version is based on a new CTAP version
    • The new firmware version has changes that result in an updated getInfo response or FIDO MDS metadata statement, such as a change of message buffer size or an increase in blob storage
  3. Attestation scheme / CA infrastructure
    • The new firmware version will be produced (for customers) with a new attestation scheme or new CA infrastructure
  4. Customer impacting compliance issues
    • The new firmware version is solving a compliance issue in an already introduced firmware version and customers need to be able to distinguish between the two
  5. Security Advisory of any rating (low or greater) affecting FIDO functionality

How Yubico communicates AAGUID changes

Yubico will update the YubiKey Hardware FIDO2 AAGUIDs page when new AAGUIDs are planned for release. At the same time, Yubico will update the official FIDO MDS service, which also reflects the current certification status for the product.


Interested customers can sign up for regular notifications regarding product updates here by selecting the “YubiProducts” option.


Customer considerations for AAGUID changes

The FIDO MDS is used by many identity provider vendors to validate security keys against FIDO authenticator allow lists. This allows organizations to restrict their users to security keys from specific manufacturers if they so desire. If a customer restricts registration to YubiKeys, it is important that they consider and include any new AAGUIDs associated with YubiKeys in their policies as Yubico launches new products.


Technology partner considerations for AAGUID changes

Yubico works with identity provider partners to validate that new products function properly and that partners are aware of new AAGUIDs that will be listed in the FIDO MDS service. Most large IDPs automatically consume the FIDO MDS data on a scheduled basis, so there can be a short delay before a new AAGUID is available for use in an allow list. Each IDP handles the consumption of new AAGUIDs differently, and it is important to understand how your IDP processes new AAGUIDs to avoid any access disruption. Below is a list of some common IDPs and how they manage AAGUIDs.


  • Microsoft retrieves, on a monthly basis, the AAGUID entries from MDS that meet the requirements for working with Entra ID and that are FIDO certified. Microsoft has not published the retrieval schedule. Customers who follow best practices and enforce attestation will not be able to use a YubiKey with a new AAGUID until Microsoft has retrieved the certified AAGUID from MDS. Learn more about Microsoft’s attestation process and see the available AAGUIDs that can be used for attestation.
  • Ping Identity / PingOne will regularly retrieve AAGUID entries from MDS. Customers can optionally upload the MDS metadata to their PingOne environment if they need to use a YubiKey that hasn't been updated yet in PingOne. Learn more about Ping Identity’s attestation process.
  • Okta Identity Engine (OIE) will regularly retrieve AAGUID entries from MDS. AAGUIDs can be added to an allow list that is associated with an Okta Authenticator Group. An AAGUID must be in the FIDO MDS as a certified FIDO product in order to take advantage of the Okta Authenticator Group functionality. Learn more about Okta’s attestation process.
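The customer and partner considerations above come down to one recurring task: compare what MDS currently publishes with the AAGUIDs a policy allow list contains, so that newly certified AAGUIDs are added before users register new keys and revoked ones are removed. The Python below is an added example, not code from this article, from Yubico, or from any of the IDPs named above. It decodes the JWT-encoded MDS blob, keeps FIDO2 entries whose metadata statement description mentions a vendor, takes each entry's most recent status report, and diffs the result against an existing allow list. The blob, vendor name ("ExampleVendor") and AAGUIDs are constructed placeholders; a real consumer must verify the JWS signature against the FIDO MDS root certificate before trusting the payload, which is skipped here because the blob is unsigned sample data.

```python
import base64
import json

# MDS3 status values that mean an allow-listed AAGUID should no longer be trusted.
BLOCKING_STATUSES = {
    "REVOKED",
    "USER_VERIFICATION_BYPASS",
    "ATTESTATION_KEY_COMPROMISE",
    "USER_KEY_REMOTE_COMPROMISE",
    "USER_KEY_PHYSICAL_COMPROMISE",
}


def _b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding used by the JWT-formatted MDS blob."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_mds_payload(blob: str) -> dict:
    """Return the JSON payload of an MDS blob (header.payload.signature).

    A production consumer must first verify the JWS signature using the x5c chain in
    the header, anchored at the FIDO MDS root certificate. Skipped here: the sample
    blob below is constructed and unsigned.
    """
    parts = blob.split(".")
    if len(parts) != 3:
        raise ValueError("MDS blob is not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def latest_status(entry: dict) -> str:
    """Most recent status from the entry's statusReports, ordered by effectiveDate."""
    reports = entry.get("statusReports") or []
    if not reports:
        return "UNKNOWN"
    newest = max(reports, key=lambda r: r.get("effectiveDate", ""))
    return newest.get("status", "UNKNOWN")


def vendor_entries(payload: dict, vendor: str) -> dict:
    """Map AAGUID -> (description, latest status) for FIDO2 entries of one vendor."""
    found = {}
    for entry in payload.get("entries", []):
        aaguid = entry.get("aaguid")
        stmt = entry.get("metadataStatement", {})
        if not aaguid or stmt.get("protocolFamily") != "fido2":
            continue  # U2F entries are keyed by attestationCertificateKeyIdentifiers, not AAGUID
        description = stmt.get("description", "")
        if vendor.lower() not in description.lower():
            continue
        found[aaguid.lower()] = (description, latest_status(entry))
    return found


def review_allow_list(allow_list: set, entries: dict) -> dict:
    """Diff a policy allow list against the vendor's current MDS entries.

    new_certified: certified vendor AAGUIDs missing from the policy (candidates to add)
    blocked:       allow-listed AAGUIDs MDS now reports as revoked or compromised
    not_in_mds:    allow-listed AAGUIDs with no vendor entry in MDS at all
    """
    allow = {a.lower() for a in allow_list}
    new_certified = sorted(
        a for a, (_, status) in entries.items()
        if a not in allow and status.startswith("FIDO_CERTIFIED")
    )
    blocked = sorted(a for a in allow if a in entries and entries[a][1] in BLOCKING_STATUSES)
    not_in_mds = sorted(a for a in allow if a not in entries)
    return {"new_certified": new_certified, "blocked": blocked, "not_in_mds": not_in_mds}


# --- constructed sample data: placeholder AAGUIDs and vendor, not real MDS content ---
AAGUID_OLD = "00000000-0000-4000-8000-000000000001"      # already allow-listed, still certified
AAGUID_NEW = "00000000-0000-4000-8000-000000000002"      # newly certified product
AAGUID_REVOKED = "00000000-0000-4000-8000-000000000003"  # allow-listed, later revoked
AAGUID_OTHER = "00000000-0000-4000-8000-000000000004"    # another vendor, must be ignored


def _entry(aaguid: str, description: str, reports: list) -> dict:
    return {
        "aaguid": aaguid,
        "metadataStatement": {"aaguid": aaguid, "description": description, "protocolFamily": "fido2"},
        "statusReports": [{"status": s, "effectiveDate": d} for s, d in reports],
    }


SAMPLE_PAYLOAD = {"entries": [
    _entry(AAGUID_OLD, "ExampleVendor Key 5", [("FIDO_CERTIFIED_L1", "2000-01-01")]),
    _entry(AAGUID_NEW, "ExampleVendor Key 5 Enterprise", [("FIDO_CERTIFIED_L1", "2000-06-01")]),
    _entry(AAGUID_REVOKED, "ExampleVendor Key 4",
           [("FIDO_CERTIFIED", "1999-01-01"), ("REVOKED", "2000-03-01")]),
    _entry(AAGUID_OTHER, "OtherVendor Token", [("FIDO_CERTIFIED", "2000-01-01")]),
]}

SAMPLE_BLOB = ".".join([
    _b64url_encode(json.dumps({"alg": "ES256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    _b64url_encode(b"constructed-unsigned"),
])

CURRENT_ALLOW_LIST = {AAGUID_OLD, AAGUID_REVOKED}


def run_sample() -> dict:
    entries = vendor_entries(decode_mds_payload(SAMPLE_BLOB), "ExampleVendor")
    return review_allow_list(CURRENT_ALLOW_LIST, entries)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Run on a schedule that matches or beats your IDP's MDS refresh, the `new_certified` list is what needs to be added to the policy before users receive the new product, and `blocked` is what needs removing regardless of product launches. Matching on the description string is a convenience for a sample; a policy tool should key on the AAGUIDs Yubico publishes rather than on free text.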


Additional references

YubiKey Hardware FIDO2 AAGUIDs