Google is committed to advancing racial equity for Black communities. See how.

KeyProtectionTypes

public final class KeyProtectionTypes extends Object

The method used by the authenticator to protect the FIDO registration private key material. Available values are defined in Section 3.2 Key Protection Types.

Constant Summary

short KEY_PROTECTION_HARDWARE This flag should be set if the authenticator uses hardware-based key management.
short KEY_PROTECTION_REMOTE_HANDLE This flag must be set if the authenticator does not store (wrapped) UAuth keys at the client, but relies on a server-provided key handle.
short KEY_PROTECTION_SECURE_ELEMENT This flag should be set if the authenticator uses a Secure Element for key management.
short KEY_PROTECTION_SOFTWARE This flag must be set if the authenticator uses software-based key management.
short KEY_PROTECTION_TEE This flag should be set if the authenticator uses the Trusted Execution Environment for key management.

Inherited Method Summary

Constants

public static final short KEY_PROTECTION_HARDWARE

This flag should be set if the authenticator uses hardware-based key management. Exclusive in authenticator metadata with KEY_PROTECTION_SOFTWARE.

Constant Value: 2

public static final short KEY_PROTECTION_REMOTE_HANDLE

This flag must be set if the authenticator does not store (wrapped) UAuth keys at the client, but relies on a server-provided key handle. This flag must be set in conjunction with one of the other KEY_PROTECTION flags to indicate how the local key handle wrapping key and operations are protected. Servers may unset this flag in authenticator policy if they are not prepared to store and return key handles, for example, if they have a requirement to respond indistinguishably to authentication attempts against userIDs that do and do not exist. Refer to for more details.

Constant Value: 16

public static final short KEY_PROTECTION_SECURE_ELEMENT

This flag should be set if the authenticator uses a Secure Element for key management. In authenticator metadata, this flag should be set in conjunction with KEY_PROTECTION_HARDWARE. Mutually exclusive in authenticator metadata with KEY_PROTECTION_TEE, KEY_PROTECTION_SOFTWARE.

Constant Value: 8

public static final short KEY_PROTECTION_SOFTWARE

This flag must be set if the authenticator uses software-based key management. Exclusive in authenticator metadata with KEY_PROTECTION_HARDWARE, KEY_PROTECTION_TEE, KEY_PROTECTION_SECURE_ELEMENT.

Constant Value: 1

public static final short KEY_PROTECTION_TEE

This flag should be set if the authenticator uses the Trusted Execution Environment for key management. In authenticator metadata, this flag should be set in conjunction with KEY_PROTECTION_HARDWARE. Mutually exclusive in authenticator metadata with KEY_PROTECTION_SOFTWARE, KEY_PROTECTION_SECURE_ELEMENT.

Constant Value: 4