Attestation and metadata

Attestation certificates

Upon registration, a device gives the server its attestation certificate. This certificate can be (optionally) used to verify the authenticity of the device. For example, a banking site might wish users to be able to provide their own U2F devices for two-factor authentication, but only wishes to allow devices of certain approved vendors. For other sites it might be more about being able to provide some useful device information to the user, when listing his or her registered devices.

It’s up to each U2F device vendor to decide what type of information goes into the attestation certificates, and how the authenticity of a certificate is validated. In Yubico’s case, all our attestation certificates are signed by our root CA.

Note
If you have a YubiKey Preview device, the attestation certificate will instead be signed by our Yubico FIDO Preview CA.

Yubico’s metadata format

Note
This is not part of the U2F standard.

The attestation certificates are often small, and do not contain much information about the device model itself. For this reason Yubico has specified a metadata format which allows mapping attestation certificates to additional information about the device model and vendor, providing product images, etc. Yubico provides such metadata about our devices here. Several of our U2F server libraries are capable of reading this format.

Metadata gives the user a richer experience.