MakeCredential Method
MakeCredential(MakeCredentialParameters)
Creates a FIDO2 credential on the YubiKey given a parameters object.
public MakeCredentialData MakeCredential(MakeCredentialParameters parameters)
Parameters
Type | Name | Description |
---|---|---|
MakeCredentialParameters | parameters | A fully populated MakeCredentialParameters structure that follows all of the rules set forth by that object. |
Returns
An object containing all of the relevant information returned by the YubiKey after calling MakeCredential. This includes the public key for the credential itself, along with supporting information like the attestation statement and other authenticator data.
Exceptions
Type | Condition |
---|---|
System.ArgumentNullException | The |
Fido2Exception | The YubiKey could not complete the operation, likely because of a wrong PIN or fingerprint. |
System.TimeoutException | The YubiKey either required touch for a user presence check or a biometric touch for user verification. The YubiKey timed out waiting for this action to be performed. |
Remarks
Detailed information about the parameters structure and its expected
values can be found on the MakeCredentialParameters page.
Note that a UserEntity
is a required element in order to make
a credential. The standard specifies that the UserEntity
is
made up of an ID
, a Name
, and a DisplayName
.
The standard also says the Name
and DisplayName
are
optional. It should be possible to make a credential using a
UserEntity
that contains only an ID
. However, YubiKeys
prior to version 5.3.0 require a Name
in order to make a
credential.
To make a credential requires "user presence", which for a YubiKey is
touch. This method will call the KeyCollector when touch is required
(KeyEntryRequest.TouchRequest
).
The SDK will automatically perform PIN or user verification using the KeyCollector if needed. That is, if this method determines that authentication has been successfully completed, it will not need the PIN or fingerprint, so will not call the KeyCollector. However, if it needs to perform authentication, it will request user verification and/or a PIN using the KeyCollector.
It is still possible to call this method with a KeyCollector that
does not collect a PIN (you will need to have one that supports at
least KeyEntryRequest.TouchRequest
). You must simply make sure
the appropriate Verify method has been called. See the User's Manual
entries on AuthTokens and
the SDK AuthToken logic for
more information on when to verify. If you do not provide a
KeyCollector that can collect the PIN, and the method is not able to
perform because of an authentication failure, it will throw an
exception.