
Authentication Method - FIDO2 security key - Restricted

Why This Matters

Without restricting FIDO2 security keys to approved authenticator attestation GUIDs (AAGUIDs), your organization may allow users to register noncompliant or untrusted hardware keys. This can weaken authentication assurance, increase the risk of rogue device usage, and bypass your security baseline for phishing-resistant multifactor authentication.

What Aether365 Checks

Aether365 verifies that the FIDO2 authentication method configuration enforces a list of allowed authenticator attestation GUIDs (keyRestrictions.aaGuids contains at least one value). This check appears in the Aether365 dashboard under entra-id checks.
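As an added example (not Aether365's own code and not a Microsoft SDK call), the following Python evaluates this check against the keyRestrictions object as Microsoft Graph returns it for the Fido2 authentication method configuration. It goes a step beyond the page's test: besides requiring at least one AAGUID, it flags a list that exists but is not enforced, or that is configured as a block list rather than an allow list, since neither restricts registration to approved keys. Field names follow the Graph fido2KeyRestrictions resource; the AAGUID values and both sample configurations are constructed.

```python
import uuid

# Constructed sample: a compliant Fido2 configuration as returned by
# GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2
# (only the fields this check looks at). The AAGUID is made up.
COMPLIANT_CONFIG = {
    "id": "Fido2",
    "state": "enabled",
    "keyRestrictions": {
        "isEnforced": True,
        "enforcementType": "allow",
        "aaGuids": ["12345678-1234-1234-1234-123456789abc"],
    },
}

# Constructed sample: the weak setting, where any FIDO2 key can be registered.
WEAK_CONFIG = {
    "id": "Fido2",
    "state": "enabled",
    "keyRestrictions": {"isEnforced": False, "enforcementType": "block", "aaGuids": []},
}


def evaluate_fido2_key_restrictions(config: dict) -> tuple[bool, list[str]]:
    """Return (passes, findings) for the FIDO2 key-restriction check.

    Passes only when keyRestrictions.aaGuids has at least one well-formed GUID,
    the restriction is enforced, and the list is applied as an allow list.
    """
    findings: list[str] = []
    restrictions = config.get("keyRestrictions") or {}
    aaguids = restrictions.get("aaGuids") or []

    if not aaguids:
        findings.append("keyRestrictions.aaGuids is empty: any FIDO2 key may be registered")
    for value in aaguids:
        try:
            uuid.UUID(str(value))  # AAGUIDs are 128-bit GUIDs; reject malformed entries
        except ValueError:
            findings.append(f"keyRestrictions.aaGuids entry is not a valid GUID: {value!r}")
    if not restrictions.get("isEnforced"):
        findings.append("keyRestrictions.isEnforced is false: the AAGUID list is not applied")
    if restrictions.get("enforcementType") != "allow":
        findings.append(
            f"keyRestrictions.enforcementType is {restrictions.get('enforcementType')!r}, "
            "not 'allow': the list does not restrict registration to approved keys"
        )
    return (not findings, findings)
```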

Microsoft references
