What is the AAGUID in WebAuthn?

Vincent

Created: October 29, 2023

Updated: September 10, 2024


What is Authenticator Attestation Global Unique Identifier (AAGUID)?

An Authenticator Attestation Global Unique Identifier (AAGUID) is a 128-bit identifier indicating the model of the authenticator. This unique ID is used to ascertain the origin and security characteristics of the authenticator during the registration phase, ensuring a robust and secure user authentication process. As part of the WebAuthn standards:

  • It provides a layer of trustworthiness to the entire authentication process.
  • It makes it possible to identify and validate the type and model of the authenticator device.
  • It ensures that the user is interacting with a trusted and genuine authenticator.

Key Takeaways

  • An Authenticator Attestation Global Unique Identifier (AAGUID) is a unique 128-bit identifier signifying the model of the authenticator.
  • It's pivotal in establishing the credibility of the authenticator during user registration.
  • AAGUID is an integral component of WebAuthn, ensuring security and integrity in user authentication.

Understanding the AAGUID and its Importance

The world of online security is fraught with risks, and it's imperative to ensure that each authentication step is both secure and trustworthy. This is where the AAGUID comes into play. But what exactly does it entail?

  • Origins: As part of the FIDO Alliance's WebAuthn specification, the AAGUID was introduced to bolster the security and trustworthiness of the authentication process.
  • Functionality: When a user registers an authenticator, the AAGUID is transmitted as part of the attestation data. This allows platforms and relying parties to determine the type and security characteristics of the authenticator, ensuring that it's a genuine and trusted device.
  • Security Implications: By ensuring that the authenticator's model can be identified and validated, the AAGUID acts as a barrier against malicious actors using untrusted or spoofed devices to compromise user security.

The following table gives an overview of common AAGUIDs and the corresponding passkey providers:

AAGUID                                Passkey Provider
00000000-0000-0000-0000-000000000000  n/a (see below)
ea9b8d66-4d01-1d21-3ce4-b6b48cb575d4  Google Password Manager
adce0002-35bc-c60a-648b-0b25f1f05503  Chrome on Mac
08987058-cadc-4b81-b6e1-30de50dcbe96  Windows Hello
9ddd1817-af5a-4672-a2b9-3e3dd95000a9  Windows Hello
6028b017-b1d4-4c02-b4b3-afcdafc96bb2  Windows Hello
dd4ec289-e01d-41c9-bb89-70fa845d4bf2  iCloud Keychain (Managed)
531126d6-e717-415c-9320-3d9aa6981239  Dashlane
bada5566-a7aa-401f-bd96-45619a55120d  1Password
b84e4048-15dc-4dd0-8640-f4f60813c8af  NordPass
0ea242b4-43c4-4a1b-8b17-dd6d0b6baec6  Keeper
f3809540-7f14-49c1-a8b3-8f813b225541  Enpass
b5397666-4885-aa6b-cebf-e52262a439a2  Chromium Browser
771b48fd-d3d4-4f74-9232-fc157ab0507a  Edge on Mac
39a5647e-1853-446c-a1f6-a79bae9f5bc7  IDmelon
d548826e-79b4-db40-a3d8-11116f7e8349  Bitwarden
fbfc3007-154e-4ecc-8c0b-6e020557d7bd  iCloud Keychain
53414d53-554e-4700-0000-000000000000  Samsung Pass
66a0ccb3-bd6a-191f-ee06-e375c50b9846  Thales Bio iOS SDK
8836336a-f590-0921-301d-46427531eee6  Thales Bio Android SDK
cd69adb5-3c7a-deb9-3177-6800ea6cb72a  Thales PIN Android SDK
17290f1e-c212-34d0-1423-365d729f09d9  Thales PIN iOS SDK
50726f74-6f6e-5061-7373-50726f746f6e  Proton Pass
fdb141b2-5d84-443e-8a35-4698c205a502  KeePassXC
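
As an added example (not code from the original article), this is how a relying party can read the AAGUID from the authenticator data received at registration and look it up in a subset of the table above. The function names and the sample input are constructed for illustration. Unless the attestation statement is verified, the AAGUID is self-reported by the client, so the lookup is a display hint and not a trust decision.

```javascript
// Added example: read the AAGUID out of WebAuthn authenticator data and map it
// to a passkey provider. Function names here are illustrative assumptions.
// Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE key
const AT_FLAG = 0x40; // flags bit 6: attested credential data is present
const ZERO_AAGUID = "00000000-0000-0000-0000-000000000000";
const KNOWN_AAGUIDS = new Map([ // subset of the table above
  ["ea9b8d66-4d01-1d21-3ce4-b6b48cb575d4", "Google Password Manager"],
  ["08987058-cadc-4b81-b6e1-30de50dcbe96", "Windows Hello"],
  ["fbfc3007-154e-4ecc-8c0b-6e020557d7bd", "iCloud Keychain"],
  ["bada5566-a7aa-401f-bd96-45619a55120d", "1Password"],
  ["d548826e-79b4-db40-a3d8-11116f7e8349", "Bitwarden"],
]);

function parseAaguid(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data too short");
  }
  if ((authData[32] & AT_FLAG) === 0) return null; // e.g. a login assertion
  if (authData.length < 55) throw new Error("attested credential data truncated");
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const credIdLen = view.getUint16(53); // big-endian length prefix
  if (authData.length < 55 + credIdLen) throw new Error("credential ID truncated");
  const hex = Array.from(authData.subarray(37, 53), (b) => b.toString(16).padStart(2, "0")).join("");
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16), hex.slice(16, 20), hex.slice(20)].join("-");
}

function describeAuthenticator(authData) {
  const aaguid = parseAaguid(authData);
  if (aaguid === null) return { aaguid, provider: "no attested credential data" };
  if (aaguid === ZERO_AAGUID) return { aaguid, provider: "unspecified (all-zero AAGUID)" };
  return { aaguid, provider: KNOWN_AAGUIDS.get(aaguid) ?? "unknown model" };
}

// Constructed sample input: placeholder rpIdHash and credential ID, and the COSE
// public key that normally follows is omitted because the parser never reads it.
function buildSampleAuthData(aaguid, flags = 0x45) { // 0x45 = UP | UV | AT
  const out = new Uint8Array(37 + 16 + 2 + 16);
  out.fill(0x11, 0, 32); // placeholder rpIdHash
  out[32] = flags; // signCount (bytes 33..36) stays 0
  out.set(aaguid.replace(/-/g, "").match(/../g).map((h) => parseInt(h, 16)), 37);
  out[54] = 16; // credIdLen = 0x0010
  out.fill(0xab, 55); // placeholder credential ID
  return out;
}

console.log(describeAuthenticator(buildSampleAuthData("bada5566-a7aa-401f-bd96-45619a55120d")));
```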

AAGUID FAQs

What is the main purpose of the AAGUID in authentication?

The AAGUID helps in identifying and validating the type and model of the authenticator during the registration phase, ensuring users are interacting with a genuine device, thus promoting a secure authentication process.

How is the AAGUID different from other identifiers?

The AAGUID is specifically designed for authenticators within WebAuthn. It's a unique 128-bit identifier that signifies the model of the authenticator, setting it apart from generic identifiers.

Is the use of AAGUID mandatory in the WebAuthn specification?

While the WebAuthn specification strongly advocates for its use, it's up to the individual implementations and relying parties to decide its necessity based on their security requirements.

What does AAGUID 00000000-0000-0000-0000-000000000000 mean?

The AAGUID 00000000-0000-0000-0000-000000000000 is a special value indicating that the authenticator is not providing detailed information about its type or manufacturer. It is often used in cases where attestation is not provided or required (e.g. Apple used this AAGUID for a long time to avoid disclosing too many user details, as Apple devices do not support attestation). Essentially, it represents a generic or unspecified authenticator in the context of WebAuthn.
