What is the AAGUID in WebAuthn?

What is Authenticator Attestation Global Unique Identifier (AAGUID)?#

An Authenticator Attestation Global Unique Identifier (AAGUID) is a 128-bit identifier indicating the model of the authenticator. This unique ID is used to ascertain the origin and security characteristics of the authenticator during the registration phase, ensuring a robust and secure user authentication process. As part of the WebAuthn standards:

• It provides a layer of trustworthiness to the entire authentication process.
• Makes it possible to identify and validate the type and model of the authenticator device.
• Ensures that the user is interacting with a trusted and genuine authenticator.

Key Takeaways#

---

Understanding the AAGUID and its Importance#

The world of online security is fraught with risks, and it's imperative to ensure that each authentication step is both secure and trustworthy. This is where the AAGUID comes into play. But what exactly does it entail?

• Origins: As part of the FIDO Alliance's WebAuthn specification, the AAGUID was introduced to bolster the security and trustworthiness of the authentication process.
• Functionality: When a user registers an authenticator, the AAGUID is transmitted as part of the attestation data. This allows platforms and relying parties to determine the type and security characteristics of the authenticator, ensuring that it's a genuine and trusted device.
• Security Implications: By ensuring that the authenticator's model can be identified and validated, the AAGUID acts as a barrier against malicious actors using untrusted or spoofed devices to compromise user security.

---

In the following table, you find an overview of common AAGUIDs and the corresponding passkey provider:

---

AAGUID FAQs#

What is the main purpose of the AAGUID in authentication?#

The AAGUID helps in identifying and validating the type and model of the authenticator during the registration phase, ensuring users are interacting with a genuine device, thus promoting a secure authentication process.

How is the AAGUID different from other identifiers?#

The AAGUID is specifically designed for authenticators within WebAuthn. It's a unique 128-bit identifier that signifies the model of the authenticator, setting it apart from generic identifiers.

Is the use of AAGUID mandatory in the WebAuthn specification?#

Yes, FIDO2 authenticators are required to include an AAGUID in the attestedCredentialData as part of the WebAuthn specification. While relying parties can choose their attestation policies (such as accepting 'none' attestation), authenticators implementing FIDO2 must provide an AAGUID value as part of the normative data model. For synched passkeys that use attestation:none this is not required.

What does AAGUID 00000000-0000-0000-0000-000000000000 mean?#

The AAGUID 00000000-0000-0000-0000-000000000000 is a special value indicating that the authenticator is not providing detailed information about its type or manufacturer, often used in cases where attestation is not provided or required (e.g. Apple used this AAGUID for a long time to not disclose too many user details, as Apple devices are not supporting attestation). Essentially, it represents a generic or unspecified authenticator in the context of WebAuthn.

About Corbado

Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →