Codo

Reputation: 78865

Ensure use of FIDO2 certified security key

We plan to introduce FIDO2 security keys and passwordless login for an IT system with sensitive data and would like to ensure that only FIDO2 certified security keys are used. How can we recognize such keys during registration and reject non-certified ones? Does WebAuthn provide any such information about the key? Is it possible at all?

Our aim is to prevent the use of security keys that are not properly implemented, e.g. keys that do not store the private key in secured hardware or skip the user verification. We want to prevent people from compromising security - accidentally or intentionally.

The IT system has a web user interface. So the communication with the FIDO2 key will be via HTML / Javascript / WebAuthn.

We are aware that we could purchase certified security keys, provision them centrally and then distribute them to the users. However, this process is costly and slow. Therefore, we would rather that users can bring or purchase their own FIDO2 keys and register them themselves.

Upvotes: 2

Views: 396

Answers (1)

Tangui

Reputation: 3954

It's possible: the WebAuthn library you'll use will (probably - you still should check it) return which type of attestation was used during registration. The "none" attestation means that you have no guarantee on the FIDO2 key used, while other types of attestation can give you various guarantees (use of FIDO1 or FIDO2).

For instance, you can restrict access to Attestation CA attestation type, using only FIDO2 metadata service. In this case only FIDO2 security keys registered in the metadata will allow a user to register.

Also, some libraries return the authenticator metadata involved in the registration, which means you can actually whitelist authorized security keys.

Long story short: it's technically possible and it should be handled by your FIDO2 / WebAuthn library.

Upvotes: 2
