The FIDO2 specification details a new way to identify authenticators, which is a 128-bit code that indicates the type of authenticator (e.g., brand and model). The AAGUID must be selected by the manufacturer to be consistent across all authenticators manufactured by that manufacturer that are essentially identical and different from the AAGUID of all other types of authenticators (with probabilities 1-2-128 or greater). The AAGUID is represented as a string (e.g., “7a98c250-6808-11cf-b73b-00aa00b677a7”) consisting of five hexadecimal strings separated by a dash (“-“).
New AAGUIDs will be issued for our new products that support FIDO2, or when existing products have features added or taken away.
|(firmware 1.x) e1a96183-5016-4f24-b55b-e3ae23614cc6
(CTAP2.1 firmware 2.x) e416201b-afeb-41ca-a03d-2281c28322aa
(CTAP2.1 firmware 5.x) ba76a271-6eb6-4171-874d-b6428dbe3437
Normally, there are two ways to obtain your AAGUID. You can ask the security key provider or view the details of how each subscriber key is verified. Please see the example from the Microsoft document: