Deepak Gupta

Authenticator Attestation Globally Unique Identifier

AAGUID.

A 128-bit identifier that names the make and model of a WebAuthn authenticator, useful for policy decisions about which authenticators to accept.

AAGUIDs identify authenticator models, not users. The FIDO Alliance Metadata Service maintains the canonical mapping from AAGUID to vendor and model. For consumer deployments, set attestation: "none" and ignore AAGUIDs; for enterprise workforce or regulated scenarios where authenticator policy is meaningful, use direct attestation and validate against the metadata service.

Common questions

Should my consumer app use AAGUID-based policy?

Where do I get the list of AAGUIDs?

Does AAGUID identify the user?

Related terms

In the guides

WebAuthn Explained: How Passkeys Work Under the Hood
WebAuthn is the W3C browser API that powers passkeys. A practical explanation of registration, assertion, RP-IDs, attestation, and the architecture choices that determine adoption.