Class AuthenticatorInfo
Device information returned by the FIDO2 GetDeviceInfo command.
public class AuthenticatorInfo
- Inheritance: object → AuthenticatorInfo
Constructors
AuthenticatorInfo(ReadOnlyMemory<byte>)
Build a new instance of AuthenticatorInfo based on the given CBOR encoding.
public AuthenticatorInfo(ReadOnlyMemory<byte> cborEncoding)
Parameters
cborEncoding
ReadOnlyMemory<byte>
The device info, encoded following the CTAP 2.1 and CBOR (RFC 8949) standards.
Remarks
The encoding must follow the definition of authenticatorGetInfo in section 6.4 of the CTAP 2.1 standard.
Exceptions
- Ctap2DataException
The cborEncoding is not a valid CBOR encoding, or it is not a correct encoding for FIDO2 device info.
Fields
AaguidLength
An Aaguid is defined in the standard as 16 bytes, no more, no less.
public const int AaguidLength = 16
Field Value
- int
DefaultMaximumMessageSize
If no MaximumMessageSize is given, the standard specifies a default size of 1024.
public const int DefaultMaximumMessageSize = 1024
Field Value
- int
DefaultMinimumPinLength
If no MinimumPinLength is given, the standard specifies a default length of 4.
public const int DefaultMinimumPinLength = 4
Field Value
- int
Version20
The string in the Versions property that indicates FIDO2 version 2.0.
public const string Version20 = "FIDO_2_0"
Field Value
- string
Version21
The string in the Versions property that indicates FIDO2 version 2.1.
public const string Version21 = "FIDO_2_1"
Field Value
- string
Version21Pre
The string in the Versions property that indicates FIDO2 version 2.1 preview.
public const string Version21Pre = "FIDO_2_1_PRE"
Field Value
- string
VersionU2f
The string in the Versions property that indicates FIDO U2F.
public const string VersionU2f = "U2F_V2"
Field Value
- string
Properties
Aaguid
The AAGUID, unique to the authenticator and model. This is a REQUIRED value.
public ReadOnlyMemory<byte> Aaguid { get; }
Property Value
- ReadOnlyMemory<byte>
Algorithms
The list of supported algorithms for credential generation. This is an optional value and can be null.
public IReadOnlyList<Tuple<string, CoseAlgorithmIdentifier>>? Algorithms { get; }
Property Value
- IReadOnlyList<Tuple<string, CoseAlgorithmIdentifier>>
Remarks
Each entry in the list is a type and an algorithm. Neither the type nor the algorithm is guaranteed to be unique, although each combination is. Currently, the only type defined is "public-key". The only algorithm the YubiKey supports is ECDSA with SHA-256 using the NIST P-256 curve. This is the pair "public-key"/CoseAlgorithmIdentifier.ES256.
AttestationFormats
A list of AttestationFormats supported by the authenticator.
public IReadOnlyList<string> AttestationFormats { get; }
Property Value
- IReadOnlyList<string>
Certifications
The list of certifications the YubiKey has obtained. Each certification is a string and a number. The string is the name of the certification, and the number describes the level. See the FIDO standard for more information, specifically section 7.3 of CTAP. This property is OPTIONAL, and if the YubiKey provides no value, this will be null.
public IReadOnlyDictionary<string, int>? Certifications { get; }
Property Value
- IReadOnlyDictionary<string, int>
EncIdentifier
If present, an encrypted identifier that the platform can use to identify the authenticator across resets. The platform must use the persistent UV auth token as input to decrypt the identifier. If null, the authenticator does not support this feature.
The encrypted identifier is 32 bytes: the first 16 bytes are the IV, and the second 16 bytes are the ciphertext. The encryption algorithm is AES-128-CBC. The key is derived from the persistent UV auth token using HKDF-SHA-256 with the info string "encIdentifier" and a salt of 32 bytes of 0x00. The plaintext is 16 bytes.
public ReadOnlyMemory<byte>? EncIdentifier { get; }
Property Value
- ReadOnlyMemory<byte>?
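The derivation described above, written out as an added example (not SDK code) so that the result of the built-in GetIdentifier method can be cross-checked, or so the layout can be studied without a device. The Yubico.YubiKey.Fido2 namespace is assumed; two details the description leaves implicit are also assumed: the HKDF output is 16 bytes (AES-128) and CBC runs without padding, since a 16-byte plaintext maps to a 16-byte ciphertext. SelfCheck builds constructed values offline and round-trips them.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Yubico.YubiKey.Fido2;   // assumed namespace of AuthenticatorInfo

// Added example, not SDK code: re-derives the EncIdentifier plaintext exactly as the
// property documentation describes. Assumptions beyond the text: a 16-byte HKDF
// output (AES-128) and PaddingMode.None (16-byte plaintext to 16-byte ciphertext).
public static class EncIdentifierDecoder
{
    public const int IvLength = 16;
    public const int CiphertextLength = 16;
    public const int KeyLength = 16;                       // AES-128 key (assumption)
    private static readonly byte[] Salt = new byte[32];    // 32 bytes of 0x00, per the docs
    private static readonly byte[] Info = Encoding.ASCII.GetBytes("encIdentifier");

    // HKDF-SHA-256(token, salt = 32 x 0x00, info = "encIdentifier") -> AES-128 key.
    public static byte[] DeriveKey(ReadOnlyMemory<byte> persistentUvAuthToken) =>
        HKDF.DeriveKey(HashAlgorithmName.SHA256, persistentUvAuthToken.ToArray(), KeyLength, Salt, Info);

    // Split IV (first 16 bytes) from ciphertext (last 16 bytes) and decrypt with AES-128-CBC.
    public static byte[] Decrypt(ReadOnlyMemory<byte> encIdentifier, ReadOnlyMemory<byte> persistentUvAuthToken)
    {
        if (encIdentifier.Length != IvLength + CiphertextLength)
        {
            throw new ArgumentException($"Expected {IvLength + CiphertextLength} bytes.", nameof(encIdentifier));
        }

        ReadOnlySpan<byte> iv = encIdentifier.Span[..IvLength];
        ReadOnlySpan<byte> ciphertext = encIdentifier.Span[IvLength..];
        byte[] key = DeriveKey(persistentUvAuthToken);
        try
        {
            using Aes aes = Aes.Create();
            aes.Key = key;
            return aes.DecryptCbc(ciphertext, iv, PaddingMode.None);
        }
        finally
        {
            CryptographicOperations.ZeroMemory(key);   // the token-derived key is a secret
        }
    }

    // Same contract as GetIdentifier: null when the authenticator does not expose the feature.
    public static byte[]? TryDecode(AuthenticatorInfo info, ReadOnlyMemory<byte> persistentUvAuthToken) =>
        info.EncIdentifier is { } enc ? Decrypt(enc, persistentUvAuthToken) : null;

    // Offline self-check with constructed values (no device): encrypt a 16-byte identifier
    // under the documented derivation and confirm Decrypt recovers it.
    public static bool SelfCheck()
    {
        byte[] token = RandomNumberGenerator.GetBytes(32);      // constructed stand-in for the token
        byte[] identifier = RandomNumberGenerator.GetBytes(16); // constructed 16-byte plaintext
        byte[] iv = RandomNumberGenerator.GetBytes(IvLength);

        using Aes aes = Aes.Create();
        aes.Key = DeriveKey(token);
        byte[] encIdentifier = new byte[IvLength + CiphertextLength];
        iv.CopyTo(encIdentifier, 0);
        aes.EncryptCbc(identifier, iv, PaddingMode.None).CopyTo(encIdentifier, IvLength);

        return Decrypt(encIdentifier, token).AsSpan().SequenceEqual(identifier);
    }
}
```

In practice, call info.GetIdentifier(token) and compare it with TryDecode(info, token); a mismatch means one of the assumptions above (key length or padding) does not hold for the firmware in use. The persistent UV auth token is a session secret, so the derived key is zeroed as soon as decryption finishes.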
Extensions
List of extension strings of CTAP supported by the authenticator. This property is OPTIONAL, and if the YubiKey provides no value, this will be null.
public IReadOnlyList<string>? Extensions { get; }
Property Value
- IReadOnlyList<string>
FirmwareVersion
The version of the firmware on the YubiKey. Note that this is an int, not an instance of the FirmwareVersion class. The standard specifies returning an int. This property is OPTIONAL, and if the YubiKey provides no value, this will be null.
public int? FirmwareVersion { get; }
Property Value
- int?
Remarks
If you examine the result as a hexadecimal 32-bit value, the major, minor, and patch numbers will be bytes 2, 1, and 0. For example, if the YubiKey's firmware is version 5.4.2, then the result will be decimal 328,706, which in hex is 0x00050402.
ForcePinChange
If true, certain PIN commands will return errors until the PIN has been changed. If false, a PIN change is not necessary. This property is OPTIONAL, and if the YubiKey provides no value, this will be null.
public bool? ForcePinChange { get; }
Property Value
- bool?
LongTouchForReset
If true, the authenticator requires a 10-second touch for reset. If false, the authenticator does not require a 10-second touch for reset.
public bool LongTouchForReset { get; }
Property Value
- bool
MaximumCredentialBlobLength
The maximum length, in bytes, of the "credBlob" if supported. This property is OPTIONAL, and if the YubiKey provides no value, this will be null.
public int? MaximumCredentialBlobLength { get; }
Property Value
- int?
MaximumCredentialCountInList
The maximum number of credentials in the CredentialID list. Note that this is not the maximum number of credentials on a YubiKey, but the maximum number of credentials represented in a CredentialID list. This property is OPTIONAL, and if the YubiKey provides no value, this will be null.
public int? MaximumCredentialCountInList { get; }
Property Value
- int?
MaximumCredentialIdLength
The maximum length of a CredentialID. This property is OPTIONAL, and if the YubiKey provides no value, this will be null.
public int? MaximumCredentialIdLength { get; }
Property Value
- int?
MaximumMessageSize
The maximum size, in bytes, of a message sent to the YubiKey. This property is OPTIONAL, and if the YubiKey provides no value, this will be null. The standard specifies a default of 1024 (see the field DefaultMaximumMessageSize).
public int? MaximumMessageSize { get; }
Property Value
- int?
MaximumPinLength
The maximum length of a PIN (in bytes) that the authenticator supports. Default value is 63, which is the maximum length of a PIN in Unicode code points.
public int MaximumPinLength { get; }
Property Value
- int
MaximumRpidsForSetMinPinLength
The maximum number of Relying Party IDs that the YubiKey can set via the setMinPINLength subcommand. This property is OPTIONAL, and if the YubiKey provides no value, this will be null.
public int? MaximumRpidsForSetMinPinLength { get; }
Property Value
- int?
MaximumSerializedLargeBlobArray
The maximum size, in bytes, of the serialized large-blob array that this YubiKey can store. If the authenticatorLargeBlobs command is not supported, this will be null. If it is supported, it will be a value greater than 1024. This property is OPTIONAL, and if the YubiKey provides no value, this will be null (the authenticatorLargeBlobs command is not supported).
public int? MaximumSerializedLargeBlobArray { get; }
Property Value
- int?
MinimumPinLength
The current minimum PIN length, in Unicode code points. This property is OPTIONAL, and if the YubiKey provides no value, this will be null. The standard specifies a default of 4 (see the field DefaultMinimumPinLength).
public int? MinimumPinLength { get; }
Property Value
- int?
Options
The list of supported options. Each entry in the list is a string describing the option and a boolean, indicating whether it is supported (true) or not (false). This property is OPTIONAL, and if the YubiKey provides no value, this will be null.
public IReadOnlyDictionary<string, bool>? Options { get; }
Property Value
- IReadOnlyDictionary<string, bool>
PinComplexityPolicy
If present, indicates whether the authenticator is enforcing an additional current PIN complexity policy beyond minPINLength. If true, the authenticator is enforcing a PIN complexity policy. If false, the authenticator is not enforcing a PIN complexity policy. If null, the authenticator does not support this feature.
public bool? PinComplexityPolicy { get; }
Property Value
- bool?
PinComplexityPolicyUrl
If present, a URL that the platform can use to provide the user more information about the enforced PIN policy. If true, the authenticator is enforcing a PIN complexity policy. If false, the authenticator is not enforcing a PIN complexity policy. If null, the authenticator does not support this feature.
public ReadOnlyMemory<byte> PinComplexityPolicyUrl { get; }
Property Value
- ReadOnlyMemory<byte>
PinUvAuthProtocols
List of PIN/UV Auth Protocols the YubiKey supports. They are given in the order from most to least preferred. This property is OPTIONAL, and if the YubiKey provides no value, this will be null.
public IReadOnlyList<PinUvAuthProtocol>? PinUvAuthProtocols { get; }
Property Value
- IReadOnlyList<PinUvAuthProtocol>
PreferredPlatformUvAttempts
The number of failed internal UV attempts (e.g. fingerprint) after which the platform should fall back to the PIN. This property is OPTIONAL, and if the YubiKey provides no value, this will be null.
public int? PreferredPlatformUvAttempts { get; }
Property Value
- int?
RemainingDiscoverableCredentials
The estimated number of additional discoverable credentials that can be stored. This property is OPTIONAL, and if the YubiKey provides no value, this will be null.
public int? RemainingDiscoverableCredentials { get; }
Property Value
- int?
Transports
List of transport strings of CTAP supported by the authenticator. This property is OPTIONAL, and if the YubiKey provides no value, this will be null. Valid values are defined in the AuthenticatorTransports class, which contains the standard-defined transport strings.
public IReadOnlyList<string>? Transports { get; }
Property Value
- IReadOnlyList<string>
TransportsForReset
List of transports that support the reset command. For example, an authenticator may choose not to support this command over NFC. Valid values are defined in the AuthenticatorTransports class, which contains the standard-defined transport strings.
public IReadOnlyList<string> TransportsForReset { get; }
Property Value
- IReadOnlyList<string>
UvCountSinceLastPinEntry
If present, the number of internal User Verification operations since the last PIN entry, including all failed attempts.
public int? UvCountSinceLastPinEntry { get; }
Property Value
- int?
UvModality
A bit field indicating the user verification methods supported by the YubiKey. The meanings of the bits are specified in the FIDO standard, namely the Registry of Predefined Values, section 3.1. This property is OPTIONAL, and if the YubiKey provides no value, this will be null.
public int? UvModality { get; }
Property Value
- int?
VendorPrototypeConfigCommands
A list of vendor command IDs. If this is not null, then the YubiKey chosen supports the vendor prototype subcommand of Authenticator Config. If so, the list, which can be empty, will contain the valid vendor IDs that can be used in that subcommand. If this is null, the YubiKey chosen does not support the feature.
public IReadOnlyList<long>? VendorPrototypeConfigCommands { get; }
Property Value
- IReadOnlyList<long>
Remarks
Note that the standard defines a vendor ID as a 64-bit unsigned integer. These numbers are to be random values.
Versions
List of version strings of CTAP supported by the authenticator. This is a REQUIRED value.
public IReadOnlyList<string> Versions { get; }
Property Value
- IReadOnlyList<string>
Remarks
A list of strings is not the easiest to parse, but that is the way the standard specifies reporting the supported versions. If you want to know if a particular version is supported, call the Contains method of the IReadOnlyList interface, using the strings defined in this class. For example, suppose you build a Fido2Session object and you want to know whether the connected YubiKey supports version 2.1; your code would look something like this.
if (fido2Session.AuthenticatorInfo.Versions.Contains(AuthenticatorInfo.Version21))
{
. . .
}
Methods
GetIdentifier(ReadOnlyMemory<byte>)
Retrieves the identifier derived from the encrypted identifier, using the provided persistent UV authentication token.
public ReadOnlyMemory<byte>? GetIdentifier(ReadOnlyMemory<byte> persistentUvAuthToken)
Parameters
persistentUvAuthToken
ReadOnlyMemory<byte>
The persistent UV authentication token used to derive the key for decryption.
Returns
- ReadOnlyMemory<byte>?
The decrypted identifier as a read-only memory block of bytes, or null if the encrypted identifier is not set.
GetOptionValue(string)
Get the value of the given option in this AuthenticatorInfo.
public OptionValue GetOptionValue(string option)
Parameters
option
string
Returns
- OptionValue
An OptionValue enum that specifies the option as either True, False, NotSupported, or Unknown.
Remarks
An option can be "true", "false", or "not supported". This method will determine which value is appropriate for the given option.
The FIDO2 standard specifies that each option has a value, even if an authenticator does not list it. If an option is not listed, its value is a default, and the standard specifies default values for each option. This method will determine if an option is listed, and if so, return the listed value. If not, it will return the default value. A default value can be "true", "false", or "not supported".
If the option is unknown (not one of the standard-defined options), and it is not listed, this method will return "unknown".
IsExtensionSupported(string)
Determine if the given extension is listed in this AuthenticatorInfo.
public bool IsExtensionSupported(string extension)
Parameters
extension
string
Returns
- bool
Remarks
Because the Extensions property can be null (this happens if a YubiKey does not specify any extensions), to check for any particular extension requires first checking for null. If it is not null, then it is necessary to check to see if that extension is listed.
This method offers a convenient way to determine if an extension is listed. This method will determine if Extensions is null. If it is null, it will return false. If not, it will check to see if the given value is listed. If so, return true, otherwise return false.