TryEnableEnterpriseAttestation Method
TryEnableEnterpriseAttestation()
Try to set the YubiKey to enable enterprise attestation. If the
YubiKey selected does not support enterprise attestation, this method
will return false.
public bool TryEnableEnterpriseAttestation()
Returns
A boolean, true if the YubiKey now has enterprise attestation
enabled, false if the YubiKey does not support this feature.
Exceptions
Type | Condition |
---|---|
Ctap2DataException | The YubiKey could not perform the operation, even though enterprise attestation is supported. |
Remarks
See the FIDO2 standard, section 7.1, for a discussion of enterprise attestation.
It is possible to enable enterprise attestation only if the "ep"
option is present. If the "ep" option is not present, this method
will return false.
If the "ep" option is present, this method will make sure the value
is true. That is, if "ep" is false, this will call on
the YubiKey to set it to true. If "ep" is already true,
after calling this method, the value will still be true.
Note that once a YubiKey has been set to enable enterprise attestation, it is not possible to disable it, other than resetting the entire Fido2 application on the YubiKey.
The enable enterprise attestation operation requires a PinUvAuthToken
with permission "acfg" (Authenticator Configuration). If the "ep"
option is present and false, this method will need the
AuthToken. Otherwise ("ep" is present and true or "ep" is not
supported), this method will not perform any operation that requires
an AuthToken. If the method needs an AuthToken, it will get one using
the KeyCollector. If you do not want to use a KeyCollector, make sure
you verify the PIN or UV with the AuthenticatorConfiguration
permission before calling this method.
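
The following is an added example, not code from the SDK documentation, showing one way to call this method with the one-way nature of the change in mind: it reads the "ep" option first, asks for explicit confirmation before the irreversible change, and handles Ctap2DataException. It assumes the SDK's `YubiKeyDevice.FindAll`, `Fido2Session.AuthenticatorInfo.GetOptionValue`, `OptionValue`, `KeyEntryData` and `KeyEntryRequest` members, which are not shown on this page; `CollectPin` and the class name are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Yubico.YubiKey;
using Yubico.YubiKey.Fido2;

public static class EnterpriseAttestationExample
{
    // Hypothetical KeyCollector: answers only FIDO2 PIN requests and
    // declines anything else (returning false cancels the operation).
    private static bool CollectPin(KeyEntryData data)
    {
        if (data.Request == KeyEntryRequest.Release) { return true; }
        if (data.Request != KeyEntryRequest.VerifyFido2Pin) { return false; }
        Console.Write("FIDO2 PIN: ");
        byte[] pin = Encoding.UTF8.GetBytes(Console.ReadLine() ?? string.Empty);
        data.SubmitValue(pin);
        CryptographicOperations.ZeroMemory(pin); // do not leave the PIN in memory
        return true;
    }

    public static void Main()
    {
        IYubiKeyDevice device = YubiKeyDevice.FindAll().First();
        using var session = new Fido2Session(device) { KeyCollector = CollectPin };

        // "ep" present and true: nothing to do. Present and false: the call
        // below will need an AuthToken with the "acfg" permission.
        OptionValue ep = session.AuthenticatorInfo.GetOptionValue("ep");
        if (ep == OptionValue.True) { Console.WriteLine("Already enabled."); return; }
        if (ep == OptionValue.False)
        {
            // Cannot be disabled again short of resetting the FIDO2 application.
            Console.Write("This cannot be undone without a FIDO2 reset. Type YES: ");
            if (Console.ReadLine() != "YES") { return; }
        }
        try
        {
            bool enabled = session.TryEnableEnterpriseAttestation();
            Console.WriteLine(enabled ? "Enabled." : "Not supported by this YubiKey.");
        }
        catch (Ctap2DataException e)
        {
            Console.WriteLine($"Supported, but the operation failed: {e.Message}");
        }
    }
}
```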