FIDO Archives - MyExostar
https://myexostar.uc-us-nyc1.hostserve.io/article-categories/fido/
MyExostar is a knowledgebase for all your training needs!

Accepted Passkey Authenticators
https://myexostar.uc-us-nyc1.hostserve.io/knowledge-base/accepted-passkey-authenticators/
Thu, 17 Apr 2025 19:53:31 +0000

Please select the desired FIDO credential below to view accepted and approved authenticators for each FIDO type. The articles display tables that provide the FIDO Authenticator Name and AAGUID (Authenticator Attestation Globally Unique Identifier) for FIDO FIPS Security Keys, FIDO Security Keys, FIDO Certification L1, and FIDO Synced Passkeys.

The Exostar Approved FIDO Authenticator List is renewed regularly and upon request by Exostar customers and partners.


Approved Authenticators

Please select the desired FIDO credential below to view approved authenticators:


Use the tool below to see if your passkey is an approved authenticator:

Exostar’s FIDO Security Key Validation

Check whether a product is supported by name or AAGUID.


Other Products Supporting FIDO Authenticators

The lowest assurance level MAG allows for FIDO Authenticators for all MAG customers is listed in the table below:

  • FIDO FIPS Security Keys
  • FIDO Security Keys
  • FIDO Security Keys L1
  • Synced Passkeys with no metadata restrictions as per the FIDO Alliance. That includes the following:
    • Synced Passkeys with Microsoft platform (Fabric)
    • Synced Passkeys with Apple iCloud platform (Fabric)
    • Synced Passkeys with Google Password Manager platform (Fabric)

Product | FIDO FIPS Security Key allowed | FIDO Security Key allowed | FIDO Security Key L1 allowed | Synced Passkey allowed
MAG | Yes. Only Required Applications | Yes. Available to all Applications | No | No

Extract AAGUID

How to Extract Your AAGUID and Device Details

The steps below explain how to extract the AAGUID and device details from your FIDO/passkey security key. Support uses this information to confirm device compatibility and troubleshoot registration issues.

Step 1. Open FIDO2 Key Data Explorer
Open the following link in a supported browser: https://tools.token2.com/fido2/info/index.php
(We recommend Chrome or Edge.)
You should see a page titled ‘FIDO2 Key Data Explorer’.
Step 2. Connect your Security Key
Insert your FIDO security key into your computer’s USB port, or prepare to tap via NFC if your key supports it. Leave the key connected during the process.
Step 3. Retrieve Device Data
1. Click the Retrieve Data button.
2. When prompted by your browser, select Security Key.
3. Touch the key or press its button when it blinks.
4. Enter your PIN if prompted.
Step 4. Locate AAGUID and Device Information
After completion, scroll to the Summary section and capture the following:
– Name (example: YubiKey 5 Series with NFC)
– AAGUID (example: d7781e5d-e353-46aa-afe2-3ca49f13332a)
– Supported Protocols
– Certifications (if shown)
Note: You may see ‘Failed or not a Token2 Device’. This is expected for non-Token2 keys and does not indicate an issue.
Step 5. Verify Device is Supported
Check whether your key appears on our accepted authenticator list:
https://myexostar.uc-us-nyc1.hostserve.io/knowledge-base/accepted-passkey-authenticators/

If your device is listed, include that confirmation when contacting Support. If not listed, still provide the AAGUID.
Step 6. Provide Information to Support
When contacting Support, include:
– The AAGUID
– Device name/model
– Screenshot of the tool results
– The error message you encountered during registration

Important Notes: The AAGUID identifies the device type, not you. No personal information is exposed. If a key is partially registered, Support may need to remove it before you can re-register.
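
The AAGUID that the tool displays is the same 16-byte field a relying party reads from the authenticator data of a WebAuthn registration. The added example below (not Exostar's code) parses that field and checks it against a three-row sample of each approved list on this page; the function names and the RP ID `login.example.test` are assumptions made for illustration.

```python
import hashlib
import struct
import uuid

# Sample rows copied from the approved-authenticator tables on this page.
FIPS_KEYS = {
    "c1f9a0bc-1dd2-404a-b27f-8e29047a43fd": "YubiKey 5 FIPS Series with NFC",
    "817cdab8-0d51-4de1-a821-e25b88519cf3": "Swissbit iShield Key 2 FIPS",
}
SECURITY_KEYS = {
    "d7781e5d-e353-46aa-afe2-3ca49f13332a": "YubiKey 5 Series with NFC",
    "c1f9a0bc-1dd2-404a-b27f-8e29047a43fd": "YubiKey 5 FIPS Series with NFC",
    "eabb46cc-e241-80bf-ae9e-96fa6d2975cf": "TOKEN2 PIN Plus Security Key Series",
}

FLAG_AT = 0x40  # authenticator data flag: attested credential data present
ZERO_AAGUID = "00000000-0000-0000-0000-000000000000"


def parse_aaguid(auth_data: bytes) -> str:
    """Extract the AAGUID from WebAuthn authenticator data.

    Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) |
    credentialIdLength(2, big-endian) | credentialId | COSE public key.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data")
    if len(auth_data) < 55:
        raise ValueError("truncated attested credential data")
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_len:
        raise ValueError("credential ID length runs past the end of the buffer")
    return str(uuid.UUID(bytes=auth_data[37:53]))


def normalize_aaguid(text: str) -> str:
    """Canonicalise an AAGUID pasted by a user (case, braces, hyphens).

    The 40-hex-digit identifiers in the tables are not 128-bit values and
    are rejected here; they need a separate lookup.
    """
    cleaned = text.strip().strip("{}").replace("-", "").lower()
    if len(cleaned) != 32 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a 128-bit AAGUID: " + text.strip())
    return str(uuid.UUID(hex=cleaned))


def evaluate(auth_data: bytes, require_fips: bool = False):
    """Return (allowed, reason_or_name) for a registration.

    The AAGUID is only trustworthy once the attestation statement's
    signature has been verified; that step is outside this example.
    """
    try:
        aaguid = parse_aaguid(auth_data)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if aaguid == ZERO_AAGUID:
        return False, "AAGUID is all zeros; the device model was not disclosed"
    approved = FIPS_KEYS if require_fips else SECURITY_KEYS
    name = approved.get(aaguid)
    if name is None:
        return False, f"{aaguid} is not on the required list"
    return True, name


def build_sample_auth_data(aaguid: str, flags: int = 0x45) -> bytes:
    """Constructed registration data for the made-up RP ID login.example.test."""
    header = hashlib.sha256(b"login.example.test").digest()
    header += bytes([flags]) + struct.pack(">I", 0)
    if not flags & FLAG_AT:
        return header
    cred_id = bytes(range(16))      # constructed credential ID
    cose_key_placeholder = b"\xa0"  # empty CBOR map; not parsed here
    return (header + uuid.UUID(aaguid).bytes
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key_placeholder)


if __name__ == "__main__":
    yk5 = build_sample_auth_data("d7781e5d-e353-46aa-afe2-3ca49f13332a")
    print(evaluate(yk5))                     # on the FIDO Security Keys list
    print(evaluate(yk5, require_fips=True))  # not on the FIPS list
    print(evaluate(build_sample_auth_data(ZERO_AAGUID)))
    print(evaluate(yk5[:50]))                # truncated input
```
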

FIDO FIPS Security Keys
https://myexostar.uc-us-nyc1.hostserve.io/knowledge-base/fido-fips-security-keys/
Thu, 06 Nov 2025 16:59:33 +0000

FIDO FIPS Security Keys (Device-bound passkey and FIPS 140-2/3 Validated): FIDO FIPS Security Keys are hardware authenticators that meet the NIST FIPS 140-2 cryptographic module validation requirements. They provide strong hardware-backed security and are approved for use in U.S. federal environments where AAL3 assurance is required. These keys combine phishing resistance, cryptographic protection, and compliance with federal standards.

IMPORTANT! Exostar does NOT sell the hardware key. You MUST purchase that separately.

A FIDO Security key must contain the following properties to be allowed in the Exostar product environment:
NIST Assurance Level: AAL2
FIPS 140-2/3 Validation: Must be active and listed on the NIST Cryptographic Module Validation Program
Passkey Protection: Must be hardware
Passkey Storage Location: Must be device-bound
FIDO Alliance Certification Level: Must be at least L2
Attestation: Required

Please follow the steps below to purchase a FIDO FIPS Security Key. Please visit your customer page for more information on the purchase and set-up process, as this can differ per customer depending on the proofing requirement and application access.

Step 1. Purchase FIDO Passkey License

It is important you verify with your partner which FIDO credential you require to access their applications. You can complete a purchase for the FIDO Passkey License with or without Proofing from Exostar’s web store. You must also purchase the hardware key separately as this is not currently offered from Exostar’s web store. Please see that process in Step 2. Purchase Hardware Key.

IMPORTANT! Once you successfully purchase the FIDO Passkey License, you will receive a purchase confirmation license key. This license key is used ONCE during the credential set-up process and IS NOT the same as the FIDO Passkey License, which is the credential you will use to authenticate to access your partner applications. 

To purchase your FIDO Passkey License:
1. Navigate to Exostar’s web store.
2. Select your Partner from the drop-down provided.
3. Select the radio button for FIDO Passkey License with or without Proofing (1 year, hardware key not included). Click Next.
4. Review and complete any missing information in the Primary Information and Billing Address sections. Click Next.
5. Select your Payment Method and input payment details. Click Submit to complete your purchase.
NOTE: If you select the Invoice option, Exostar must receive full payment before you receive your license key to activate your credential.
6. On the purchase confirmation screen, you are provided the option to activate your license key directly from the web store. Otherwise, you can activate via your account using the license key provided in the confirmation email.
NOTE: The license key format is KEY-XXXXXXXXXXXXXXXXX.

Step 2. Purchase FIDO FIPS Security Key (Hardware)

It is important to note, you must purchase a security key separately, as Exostar does not currently offer the physical keys via the web store. Exostar suggests purchasing the Yubico YubiKey 5C NFC FIPS USB-C product. Please see the FIDO FIPS Security Keys Approved Authenticators article for other approved FIDO FIPS Security Key (Hardware) options.

To complete a FIDO FIPS Security Key (Hardware) purchase:
1. Navigate to https://www.yubico.com/product/yubikey-5-fips-series/yubikey-5c-nfc-fips/.
2. Select the YubiKey 5C NFC FIPS USB-C product.
3. Select a Single Key or Tray of 50 keys.
4. Click Add to Cart.
5. The cart displays along the right-hand side of your screen. Click Continue to checkout.
6. Review your cart. Click Continue to checkout.
7. On the Your details screen, complete the following and click Continue:
– Select the Profile Type: Individual or Business.
– Select the Shipping to Country.
– Input your Email.
8. Complete the Shipping Information, Billing Information, and Payment sections.
9. Click Confirm Purchase.

Step 3. Complete Credential Set-up

Once you successfully complete your purchase, you can activate your credential directly from the web store or through your Exostar account. PLEASE VISIT YOUR CUSTOMER GET STARTED ARTICLE FOR MORE DETAILED INSTRUCTIONS ON COMPLETING CREDENTIAL SET-UP.

IMPORTANT! Once you successfully purchase the FIDO Passkey License, you will receive a purchase confirmation license key. This license key is used ONCE during the credential set-up process and IS NOT the same as the FIDO Passkey License, which is the credential you will use to authenticate to access your partner applications. 

FIDO Security Keys
https://myexostar.uc-us-nyc1.hostserve.io/knowledge-base/fido-security-keys/
Thu, 06 Nov 2025 17:00:17 +0000

FIDO Security Keys (Device-bound passkey and L2 Certified but non-FIPS validated): FIDO Security Keys are hardware-based devices that provide strong cryptographic authentication. They protect against phishing by ensuring only the legitimate site can authenticate you. Users confirm their identity by touching the key or entering a PIN when prompted.

A FIDO Security key must contain the following properties to be allowed in the Exostar product environment:
NIST Assurance Level: AAL2
Passkey protection: Must be hardware
Passkey Storage Location: Must be device-bound
FIDO Alliance Certification Level: Must be at least L2
Attestation: Required

Please follow the steps below to purchase and set-up a FIDO Security Key. Please visit your customer page for more information on the purchase and set-up process, as this can differ per customer depending on the proofing requirement and application access.

Step 1. Purchase FIDO Passkey License

You must purchase the FIDO Passkey License with or without Proofing from Exostar’s web store. You must also purchase the hardware key separately as this is not currently offered from Exostar’s web store. Please see that process in Step 2. Purchase Hardware Key.

IMPORTANT! Once you successfully purchase the FIDO Passkey License, you will receive a purchase confirmation license key. This license key is used ONCE during the credential set-up process and IS NOT the same as the FIDO Passkey License, which is the credential you will use to authenticate to access your partner applications. 

To purchase your FIDO Passkey License:
1. Navigate to Exostar’s web store.
2. Select your Partner from the drop-down provided.
3. Select the radio button for FIDO Passkey License with or without Proofing (1 year, hardware key not included). Click Next.
4. Review and complete any missing information in the Primary Information and Billing Address sections. Click Next.
5. Select your Payment Method and input payment details. Click Submit to complete your purchase.
NOTE: If you select the Invoice option, Exostar must receive full payment before you receive your license key to activate your credential.
6. On the purchase confirmation screen, you are provided the option to activate your license key directly from the web store. Otherwise, you can activate via your account using the license key provided in the confirmation email.
NOTE: The license key format is KEY-XXXXXXXXXXXXXXXXX.

Step 2. Purchase FIDO Security Key (Hardware)

It is important to note that you must purchase a security key separately, as Exostar does not currently offer the physical keys via the web store. Exostar suggests purchasing the Yubico YubiKey 5C NFC (Near Field Communication) USB-C product. Please see the FIDO Security Keys Approved Authenticators article for other approved FIDO Security Key options.

To complete a FIDO Security Key (Hardware) purchase:
1. Navigate to https://www.yubico.com/product/yubikey-5-series/yubikey-5c-nfc/.
2. Select the YubiKey 5C NFC USB-C product.
3. Select a Single Key or Tray of 50 keys.
4. Click Add to Cart.
5. The cart displays along the right-hand side of your screen. Click Continue to checkout.
6. Review your cart. Click Continue to checkout.
7. On the Your details screen, complete the following and click Continue:
– Select the Profile Type: Individual or Business.
– Select the Shipping to Country.
– Input your Email.
8. Complete the Shipping Information, Billing Information, and Payment sections.
9. Click Confirm Purchase.

Step 3. Complete Credential Set-up

Once you successfully complete your purchase, you can activate your credential directly from the web store or through your Exostar account. PLEASE VISIT YOUR CUSTOMER GET STARTED ARTICLE FOR MORE DETAILED INSTRUCTIONS ON COMPLETING CREDENTIAL SET-UP.

IMPORTANT! Once you successfully purchase the FIDO Passkey License, you will receive a purchase confirmation license key. This license key is used ONCE during the credential set-up process and IS NOT the same as the FIDO Passkey License, which is the credential you will use to authenticate to access your partner applications. 

FIDO Known Issues
https://myexostar.uc-us-nyc1.hostserve.io/knowledge-base/fido-known-issues/
Thu, 06 Nov 2025 17:05:30 +0000

Known Issues or Errors
What is the browser compatibility for FIDO Security Keys?
The following browsers are supported:
– Google Chrome
– Microsoft Edge
– Firefox
– Safari

The following browsers are NOT supported:
– Internet Explorer
What do I do if the Security Key option does not display in my browser?
This could mean the browser or system policy blocks WebAuthn/CTAP2 access, preventing the Security Key option from displaying. Confirm you are on Chrome, Edge, or Firefox (latest 2 versions) and a supported OS. Ensure the key is inserted before setup. If the Security Key option is still missing, work with IT/Security to verify WebAuthn/CTAP2 or USB/NFC are not restricted.
I’m receiving a PIN Not Set or Incorrect PIN error when I authenticate. What do I do?
This error could mean a PIN was not created during the initial set-up process OR too many failed attempts were made, thus locking the key. You may be re-prompted to set a PIN after repeated failures. If you are not prompted to set up a new PIN or you lock your token, use the vendor utility (YubiKey Manager) to reset the PIN. After you reset the PIN, re-register the key and create a new PIN.
I’m receiving a Browser or Version Incompatibility error. What do I do?
This means you are using an outdated browser or have restricted WebAuthn support. To fix this, update your browser to one of the latest two versions of Chrome, Edge, Firefox, or Safari (16+). You must then restart the browser and ensure WebAuthn is enabled.

Partially Registered FIDO / Passkey Token

Issue: In some cases, a FIDO security key (passkey) may become partially registered during setup. When this occurs, the key cannot be re-registered by the user without Support intervention.

Who is Impacted: Users attempting to register a FIDO / passkey credential when their account or subscription does not include FIDO / Passkey support, or when registration is interrupted before completion.

User-Visible Symptoms:
Users may see one or more of the following:
– “Try a different device. You already registered this device. You don’t have to register it again.”
– Registration fails immediately on retry
– The security key appears unusable despite never completing setup
Root Cause:
The system begins the FIDO registration process and creates a credential record before licensing or policy validation is fully completed. When registration fails mid-process, a partial credential remains associated with the user.

This prevents subsequent registration attempts with the same physical key.
What Should Users Know?
Retrying registration, switching browsers, or using another computer will not resolve this issue. The partial registration must be removed by Support before the key can be registered again.
What Information Users Should Provide to Support: To resolve the issue quickly, users should provide:
– Screenshot of the error message
– Security key model
– AAGUID (if available)
– Browser and operating system used
– Approximate time the error occurred
How Will Support Resolve the Issue?
Support will:
– Verify whether the user’s license includes FIDO / Passkey support
– Remove the partially registered credential from the system
– Confirm entitlement updates if a license change is required
– Guide the user to re-register the security key successfully
What is the Status or Workaround for this Issue?
This is a known issue. Improvements are planned to prevent partial registrations and provide clearer user messaging when licensing prerequisites are not met.
There is no user-side workaround. Support cleanup and license validation are required.
Additional Notes:
This issue does not indicate a problem with the physical security key. Once the partial registration is removed and licensing is correct, the same key can be reused.
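
The ordering problem described under Root Cause can be reproduced with a small model. This is an added, hypothetical example (not Exostar's code): it assumes the retry is refused because the leftover record is sent back to the key in the WebAuthn `excludeCredentials` list, and the class and function names are invented for illustration.

```python
import secrets


class SecurityKey:
    """Toy authenticator that remembers the credential IDs it has issued."""

    def __init__(self):
        self.issued = set()

    def make_credential(self, exclude):
        # A key refuses to register again when an excluded credential lives on it.
        if self.issued & set(exclude):
            raise RuntimeError("You already registered this device")
        cred_id = secrets.token_hex(8)
        self.issued.add(cred_id)
        return cred_id


class Server:
    """Relying party; validate_first selects the flawed or corrected ordering."""

    def __init__(self, licensed_users, validate_first):
        self.licensed = set(licensed_users)
        self.validate_first = validate_first
        self.credentials = {}  # user -> stored credential IDs

    def register(self, user, key):
        exclude = list(self.credentials.get(user, []))
        if self.validate_first and user not in self.licensed:
            return "rejected: no FIDO license"  # nothing created anywhere
        cred_id = key.make_credential(exclude)
        self.credentials.setdefault(user, []).append(cred_id)  # record written
        if user not in self.licensed:
            # Flawed ordering: the check fails but the record stays behind.
            return "failed: license check ran after the record was written"
        return "registered"

    def attempt(self, user, key):
        try:
            return self.register(user, key)
        except RuntimeError as exc:
            return f"blocked: {exc}"


def scenario(validate_first):
    """First try without a license, buy one, retry, then Support cleanup if needed."""
    key = SecurityKey()
    server = Server(licensed_users=[], validate_first=validate_first)
    outcomes = [server.attempt("alice", key)]
    server.licensed.add("alice")  # license added after the first failure
    outcomes.append(server.attempt("alice", key))
    if outcomes[-1] != "registered":
        server.credentials["alice"].clear()  # Support removes the partial record
        outcomes.append(server.attempt("alice", key))
    return outcomes


if __name__ == "__main__":
    print("record written before license check:", scenario(validate_first=False))
    print("license checked before anything is written:", scenario(validate_first=True))
```
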

FIDO Training Resources
https://myexostar.uc-us-nyc1.hostserve.io/knowledge-base/fido-training-resources/
Thu, 06 Nov 2025 17:06:17 +0000

FAQs
What FIDO protocols does Exostar support?
Exostar supports FIDO2 and U2F.
What is FIDO2?
FIDO2 is the latest evolution of the FIDO standards that enables secure, phishing-resistant, and password-less authentication using public key cryptography through authenticators such as biometrics, hardware security keys, or platform devices.
What is a passkey?
Passkeys are a user-friendly implementation of the FIDO2 standard — essentially FIDO credentials designed to sync across a user’s devices via cloud services (like iCloud Keychain or Google Password Manager).
What Are FIDO Authenticators?
FIDO authenticators are hardware or software-based devices that allow users to authenticate securely using cryptographic keys.
What if I’d like to use an authenticator not currently supported by Exostar?
When a new FIDO Authenticator is added to the FIDO Alliance and is not included in the Exostar Approved FIDO Authenticator List, you can request that it be added to the Exostar list as follows:
1. Create a Customer Support ticket with the Subject: Add new FIDO Authenticator.
2. Include the AAGUID.
3. Include the following expected properties and the corresponding values to enforce on the new authenticator:
– NIST Assurance Level
– FIPS 140-2/3 Validation
– Passkey protection
– Passkey Storage location
– FIDO Alliance Certification Level
– Attestation

Exostar will evaluate and confirm compliance and proceed to add to the Exostar Assurance levels for FIDO Authenticators.

IMPORTANT! This process could take up to a week to complete.
Can I purchase a hardware key directly from Exostar?
NO, you cannot. Exostar does not currently offer hardware keys via the Web Store. Please see the Approved Authenticators article for acceptable vendors. Exostar is currently using a bring-your-own-device model.

IMPORTANT! You must still purchase the FIDO credential from Exostar’s web store. However, if you require a hardware key, that must be purchased separately.
Do I still need to log in with my MAG User ID or Email Address and Password?
Yes, for the time being FIDO does not replace using your MAG password to access any applications. Once you successfully log in to MAG with your User ID or Email Address and Password, you must elevate your credential strength via the Elevate button, or, once you click Launch on an application tile, the system will prompt for your FIDO login.
Why do I see an orange Get 2FA button instead of a green Launch button on my application tile?
This means you do not meet the authentication requirement and must complete a credential purchase and set-up.

FIDO FIPS Security Keys Approved Authenticators
https://myexostar.uc-us-nyc1.hostserve.io/knowledge-base/fido-fips-security-keys-approved-authenticators/
Wed, 19 Nov 2025 15:29:27 +0000

FIDO FIPS Security Keys are hardware authenticators that meet the NIST FIPS 140-2 cryptographic module validation requirements. They provide strong hardware-backed security and are approved for use in U.S. federal environments where AAL3 assurance is required. These keys combine phishing resistance, cryptographic protection, and compliance with federal standards.

Approved authenticators for FIDO FIPS Security Keys display in the table below. The table provides the FIDO Authenticator Name and AAGUID (Authenticator Attestation Globally Unique Identifier).

The Exostar Approved FIDO Authenticator List is renewed regularly and upon request by Exostar customers and partners.

FIDO Authenticator Name | AAGUID
eToken Fusion NFC FIPS | 10c70715-2a9a-4de1-b0aa-3cff6d496d39
Feitian BioPass FIDO2 Pro Authenticator | 4c0cf95d-2f40-43b5-ba42-4c83a11c04ba
Feitian ePass FIDO2-NFC Plus Authenticator | 260e3021-482d-442d-838c-7edfbe153b7e
Feitian iePass FIDO Authenticator | 3e22415d-7fdf-4ea4-8a0c-dd60c4249b9d
Swissbit iShield Key 2 FIPS | 817cdab8-0d51-4de1-a821-e25b88519cf3
Swissbit iShield Key 2 FIPS Enterprise | 5eaff75a-dd43-451f-af9f-87c9eeae293e
YubiKey 5 FIPS Series | 57f7de54-c807-4eab-b1c6-1c9be7984e92
YubiKey 5 FIPS Series | 73bb0cd4-e502-49b8-9c6f-b59445bf720b
YubiKey 5 FIPS Series (Enterprise Profile) | 905b4cb4-ed6f-4da9-92fc-45e0d4e9b5c7
YubiKey 5 FIPS Series with Lightning | 7b96457d-e3cd-432b-9ceb-c9fdd7ef7432
YubiKey 5 FIPS Series with Lightning | 85203421-48f9-4355-9bc8-8a53846e5083
YubiKey 5 FIPS Series with Lightning (Enterprise Profile) | 3a662962-c6d4-4023-bebb-98ae92e78e20
YubiKey 5 FIPS Series with NFC | c1f9a0bc-1dd2-404a-b27f-8e29047a43fd
YubiKey 5 FIPS Series with NFC | fcc0118f-cd45-435b-8da1-9782b2da0715
YubiKey 5 FIPS Series with NFC (Enterprise Profile) | 79f3c8ba-9e35-484b-8f47-53a5a0f5c630

FIDO Security Keys Approved Authenticators
https://myexostar.uc-us-nyc1.hostserve.io/knowledge-base/fido-security-keys-approved-authenticators/
Wed, 19 Nov 2025 16:29:15 +0000

FIDO Security Keys are hardware-based devices that provide strong cryptographic authentication. They protect against phishing by ensuring only the legitimate site can authenticate you. Users confirm their identity by touching the key or entering a PIN when prompted.

Approved authenticators for FIDO Security Keys display in the table below. The table provides the FIDO Authenticator Name and AAGUID (Authenticator Attestation Globally Unique Identifier).

The Exostar Approved FIDO Authenticator List is renewed regularly and upon request by Exostar customers and partners.

Approved FIDO Security Keys Authenticators

FIDO Authenticator Name | AAGUID
eWBM eFA310 FIDO2 Authenticator | 95442b2e-f15e-4def-b270-efb106facb4e
eWBM eFA320 FIDO2 Authenticator | 87dbc5a1-4c94-4dc8-8a47-97d800fd1f3c
eWBM eFA500 FIDO2 Authenticator | 361a3082-0278-4583-a16f-72a527f973e4
eWBM eFPA FIDO2 Authenticator | 61250591-b2bc-4456-b719-0b17be90bb30
Feitian BioPass FIDO2 Plus (Enterprise Profile) | a02140b7-0cbd-42e1-a9b5-a39da2545114
Feitian BioPass FIDO2 Plus (Enterprise Profile) | dfabb1f6665303d8d19cfd0fe1b34c4ae0586558
Feitian BioPass FIDO2 Plus Authenticator | 42df17de-06ba-4177-a2bb-6701be1380d6
Feitian BioPass FIDO2 Pro (Enterprise Profile) | 2bff89f2-323a-48fc-b7c8-9ff7fe87c07e
Feitian BioPass FIDO2 Pro Authenticator | 4c0cf95d-2f40-43b5-ba42-4c83a11c04ba
Feitian ePass FIDO Security Key | 046a7e232c03189dbc2b9b6a765702b52665be21
Feitian ePass FIDO-NFC (Enterprise Profile) (CTAP2.1, CTAP2.0, U2F) | 39589099-9a75-49fc-afaa-801ca211c62a
Feitian ePass FIDO-NFC(CTAP2.1, CTAP2.0, U2F) | 78ba3993-d784-4f44-8d6e-cc0a8ad5230e
Feitian ePass FIDO-NFC(CTAP2.1, CTAP2.0, U2F) | 8d8ecc4daf4324406a4d7e0cf85f5e7dac65e205
Feitian MultiPass FIDO Security Key | 418377e213db14abc6509db5e10c9598b42f92ea
GoTrust Idem Key FIDO2 Authenticator | 3b1adb99-0dfe-46fd-90b8-7f7614a4de2a
GoTrust Idem Key U2F Authenticator | 3bc1211c12d952a32b03c55b88d3ea6f7d152f18
ID-One Card | bb405265-40cf-4115-93e5-a332c1968d8c
ID-One Card | 4b3b80c3dab13dba48be234f30400b28483f6e43
ID-One Key | 82b0a720-127a-4788-b56d-d1d4b2d82eac
ID-One Key | f2145e86-211e-4931-b874-e22bba7d01cc
ID-One Key (USB A) | bcb8880161a2acc17b56b26fc505ec3580f612ca
ID-One Key (USB C) | 1d4c4672ffcbd14456d89c7a1c8a2c12baf01938
Precision InnaIT Key FIDO 2 Level 2 certified | 88bbd2f0-342a-42e7-9729-dd158be5407a
Security Key NFC by Yubico | e77e3c64-05e3-428b-8824-0cbeb04b829d
Security Key NFC by Yubico | a4e9fc6d-4cbe-4758-b8ba-37598bb5bbaa
Security Key NFC by Yubico | b7d3f68e-88a6-471e-9ecf-2df26d041ede
Security Key NFC by Yubico | ffa26cf0778fd0915b6f159df8d97a61f1038625
Security Key NFC by Yubico – Enterprise Edition | 0bb43545-fd2c-4185-87dd-feb0b2916ace
Security Key NFC by Yubico – Enterprise Edition | 47ab2fb4-66ac-4184-9ae1-86be814012d5
Security Key NFC by Yubico – Enterprise Edition | ed042a3a-4b22-4455-bb69-a267b652ae7e
Security Key NFC by Yubico – Enterprise Edition (Enterprise Profile) | 9ff4cc65-6154-4fff-ba09-9e2af7882ad2
Security Key NFC by Yubico – Enterprise Edition (Enterprise Profile) | 72c6b72d-8512-4c66-8359-9d3d10d9222f
SHALO AUTH | 57235694-51a5-4a4d-a81a-f42185df6502
SHALO AUTH | dd66a09a46a1b7ad54ca335efdada2fcabf84bcb
SmartDisplayer BobeePass FIDO2 Authenticator | 516d3969-5a57-5651-5958-4e7a49434167
TOKEN2 PIN Plus Security Key Series | eabb46cc-e241-80bf-ae9e-96fa6d2975cf
YubiKey 5 FIPS Series | 57f7de54-c807-4eab-b1c6-1c9be7984e92
YubiKey 5 FIPS Series | 73bb0cd4-e502-49b8-9c6f-b59445bf720b
YubiKey 5 FIPS Series (Enterprise Profile) | 905b4cb4-ed6f-4da9-92fc-45e0d4e9b5c7
YubiKey 5 FIPS Series with Lightning | 85203421-48f9-4355-9bc8-8a53846e5083
YubiKey 5 FIPS Series with Lightning | 7b96457d-e3cd-432b-9ceb-c9fdd7ef7432
YubiKey 5 FIPS Series with Lightning (Enterprise Profile) | 3a662962-c6d4-4023-bebb-98ae92e78e20
YubiKey 5 FIPS Series with NFC | fcc0118f-cd45-435b-8da1-9782b2da0715
YubiKey 5 FIPS Series with NFC | c1f9a0bc-1dd2-404a-b27f-8e29047a43fd
YubiKey 5 FIPS Series with NFC (Enterprise Profile) | 79f3c8ba-9e35-484b-8f47-53a5a0f5c630
YubiKey 5 Series | ff4dac45-ede8-4ec2-aced-cf66103f4335
YubiKey 5 Series | 19083c3d-8383-4b18-bc03-8f1c9ab2fd1b
YubiKey 5 Series (Enterprise Profile) | 4599062e-6926-4fe7-9566-9e8fb1aedaa0
YubiKey 5 Series (Enterprise Profile) | 20ac7a17-c814-4833-93fe-539f0d5e3389
YubiKey 5 Series (Enterprise Profile) | c76507e315328fbb06d7184bdeef12af0e327f4e
YubiKey 5 Series with Lightning | 24673149-6c86-42e7-98d9-433fb5b73296
YubiKey 5 Series with Lightning | a02167b9-ae71-4ac7-9a07-06432ebb6f1c
YubiKey 5 Series with Lightning (Enterprise Profile) | 3b24bf49-1d45-4484-a917-13175df0867b
YubiKey 5 Series with Lightning (Enterprise Profile) | b90e7dc1-316e-4fee-a25a-56a666a670fe
YubiKey 5 Series with NFC | a25342c0-3cdc-4414-8e46-f4807fca511c
YubiKey 5 Series with NFC | d7781e5d-e353-46aa-afe2-3ca49f13332a
YubiKey 5 Series with NFC – Enhanced PIN | 662ef48a-95e2-4aaa-a6c1-5b9c40375824
YubiKey 5 Series with NFC – Enhanced PIN (Enterprise Profile) | b2c1a50b-dad8-4dc7-ba4d-0ce9597904bc
YubiKey 5 Series with NFC – Enhanced PIN (Enterprise Profile) | 0a4edc7ce58f6ab75d78fd1dc2558ebc62ca0e17
YubiKey 5 Series with NFC (Enterprise Profile) | 6ab56fad-881f-4a43-acb2-0be065924522
YubiKey 5 Series with NFC (Enterprise Profile) | 1ac71f64-468d-4fe0-bef1-0e5f2f551f18
YubiKey 5 Series with NFC KVZR57 | 9eb7eabc-9db5-49a1-b6c3-555a802093f4
YubiKey Bio Series – FIDO Edition | 7409272d-1ff9-4e10-9fc9-ac0019c124fd
YubiKey Bio Series – FIDO Edition | dd86a2da-86a0-4cbe-b462-4bd31f57bc6f
YubiKey Bio Series – FIDO Edition (Enterprise Profile) | 8c39ee86-7f9a-4a95-9ba3-f6b097e5c2ee
YubiKey Bio Series – FIDO Edition (Enterprise Profile) | ad08c78a-4e41-49b9-86a2-ac15b06899e2
YubiKey Bio Series – Multi-protocol Edition | 34744913-4f57-4e6e-a527-e9ec3c4b94e6
YubiKey Bio Series – Multi-protocol Edition | 90636e1f-ef82-43bf-bdcf-5255f139d12f
YubiKey Bio Series – Multi-protocol Edition | d7c0c8dc35393096e717aa5b9cd3acc8c4ae8ce5
YubiKey Bio Series – Multi-protocol Edition (Enterprise Profile) | 6ec5cff2-a0f9-4169-945b-f33b563f7b99
YubiKey Bio Series – Multi-protocol Edition (Enterprise Profile) | 97e6a830-c952-4740-95fc-7c78dc97ce47
YubiKey Bio Series – Multi-protocol Edition 1VDJSN | 58276709-bb4b-4bb3-baf1-60eea99282a7

Synced Passkey Protection Mechanism
https://myexostar.uc-us-nyc1.hostserve.io/knowledge-base/synced-passkey-protection-mechanism/
Tue, 02 Dec 2025 15:57:30 +0000

Although synced passkeys have been awarded AAL2 by the NIST 800-63-3/4 standard, they lack the following properties:
– FIDO Alliance Certification Level: Not Available
– Attestation: Not Available

Because these protections are missing, synced passkeys are instead protected through a layered design that combines hardware isolation, user verification, end-to-end encryption, and zero-knowledge cloud storage. As a result, Exostar recommends using only the following platforms for synced passkeys:
– Apple iCloud
– Microsoft Authenticator
– Google Password Manager

Below is a breakdown of how this protection works in real ecosystems (Apple, Google, Microsoft) and of the core security model, independent of vendor.

Architectural Overview

A synced passkey is a FIDO2/WebAuthn credential where:

  • The private key is created and stored on a trusted local device (TPM, Secure Enclave, Android Keystore, etc.).

  • A cloud copy of that key is stored only after it has been encrypted end-to-end under a key known solely to the user’s devices (and sometimes their account credentials).

  • Other devices logged into the same account can decrypt and import that credential, preserving continuity without giving the cloud provider visibility into the key material.

The protection model guarantees:

  • The provider never sees plaintext private keys.

  • A compromise of the provider’s cloud does not compromise user credentials.

  • Only verified devices belonging to the same user (or managed account) can decrypt and use the keys.


Key Generation and Hardware Protection

The following table describes the key generation process, the corresponding hardware protection, and how each platform uses hardware attestation to tie the credential to a genuine hardware security element:

| Step | Mechanism | Security Property |
|---|---|---|
| Key creation | Generated locally via FIDO2 API using secure hardware module (TPM / Secure Enclave / Titan M / Keystore) | Ensures entropy and prevents key extraction |
| Private key storage | Non-exportable key in hardware or OS keychain | Prevents raw key access, even by OS or malware |
| User verification | Biometric or PIN via platform authenticator | Guarantees live user presence; mitigates malware triggering signing silently |

Local Encryption and Cloud Sync

Before synchronization, the private key and metadata (i.e., RP ID, credential ID, algorithm) are wrapped in an encryption layer whose key is derived from user secrets, using the following strategies:

  1. Encryption scheme:

    • Uses AES-256-GCM or ChaCha20-Poly1305 for confidentiality + integrity.

    • The encryption key is derived via PBKDF2 / Argon2 / HKDF from a user-specific master secret.

    • That master secret is usually derived from a key stored in the secure element or a key obtained through device-to-device bootstrap.

  2. End-to-End model:

    • The provider’s cloud sees only ciphertext.

    • Sync servers manage versioning and delivery but cannot decrypt contents.

    • Only devices enrolled under the same identity and possessing the sync decryption key can read it.


Cross-Device Trust Establishment

When a new device is added, the following process is followed:

  • The user verifies identity (biometric + account credentials).
  • A secure device-to-device channel is created (QR, Bluetooth, or out-of-band ECDH).
  • The existing device transmits the decryption key or recovery secret over that channel.
  • The new device can now decrypt synced passkeys and join the trust circle.

This ensures the user must prove control of an already-trusted device before expanding the circle.
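
The wrap-then-sync and device-enrollment steps from the two sections above, as an added Node.js example (not Exostar's or any vendor's code). It picks HKDF-SHA256, AES-256-GCM and X25519 as the ECDH curve from the options the text lists; the function names, `info` labels and sample values are assumptions made for illustration.

```javascript
// Added illustration with constructed values: a simplified model, not any vendor's protocol.
const crypto = require('crypto');

// HKDF-SHA256: derive a 32-byte AES key from a secret for one named purpose.
const deriveKey = (secret, info) =>
  Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), info, 32));

// AES-256-GCM seal; aad is authenticated but not encrypted.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { nonce, ct, tag: c.getAuthTag(), aad };
}

// Throws if the key is wrong or the nonce, ciphertext, tag or aad was altered.
function open(key, { nonce, ct, tag, aad }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, nonce);
  d.setAAD(aad);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

// Wrap a passkey for cloud sync; the metadata is bound to the ciphertext as AAD.
const wrapPasskey = (master, privKey, meta) =>
  seal(deriveKey(master, 'passkey-wrap'), privKey, Buffer.from(JSON.stringify(meta)));
const unwrapPasskey = (master, blob) => open(deriveKey(master, 'passkey-wrap'), blob);

// Device-to-device bootstrap: X25519 ECDH then HKDF gives both ends one channel key.
const channelKey = (myPrivate, peerPublic) => deriveKey(
  crypto.diffieHellman({ privateKey: myPrivate, publicKey: peerPublic }), 'device-enrollment');

function demo() {
  const master = crypto.randomBytes(32);   // master secret, held only by the user's devices
  const passkey = crypto.randomBytes(32);  // stand-in for a credential private key
  const meta = { rpId: 'example.com', credentialId: 'cred-01', alg: -7 };
  const cloudBlob = wrapPasskey(master, passkey, meta);  // all the sync server stores
  const [oldDev, newDev] = [0, 1].map(() => crypto.generateKeyPairSync('x25519'));
  const transfer = seal(channelKey(oldDev.privateKey, newDev.publicKey), master, Buffer.from('enroll'));
  const received = open(channelKey(newDev.privateKey, oldDev.publicKey), transfer);
  const fails = (fn) => { try { fn(); return false; } catch { return true; } };
  const forged = { ...cloudBlob, aad: Buffer.from(JSON.stringify({ ...meta, rpId: 'other.example' })) };
  return {
    newDeviceRecovers: unwrapPasskey(received, cloudBlob).equals(passkey),
    cloudOnlyFails: fails(() => unwrapPasskey(crypto.randomBytes(32), cloudBlob)),
    tamperedMetaFails: fails(() => unwrapPasskey(master, forged)),
  };
}
console.log(demo());
```

All three fields come back `true`: the enrolled device recovers the key, a holder of the cloud blob alone cannot, and a blob whose RP ID was swapped fails authentication.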


Recovery and Backup

Different vendors implement recovery differently, but all aim for zero-knowledge:

  • Apple: iCloud Keychain Escrow with multi-party threshold HSMs. The escrow key is encrypted with the user’s device secret and a recovery key. Apple’s HSM cannot decrypt unilaterally.

  • Google: Encrypted with a key split between device and account; recovery requires both factors.

  • Microsoft: Uses account-linked encryption, Authenticator app trust, and optionally hardware-bound credentials.

The recovery systems never hold the plaintext, nor any single factor that could decrypt it alone.
