This article explains how to find the Metadata Service (MDS) lists for YubiKey authenticators that use FIDO2 (WebAuthn). It addresses scenarios where an administrator navigates to Security > Authenticators > Set up > FIDO2 (WebAuthn) > Actions > Edit > Authenticator Settings and cannot find the Authenticator Attestation Globally Unique Identifier (AAGUID) for a new YubiKey device in the View list of Okta recognized authenticators.
- Multi-Factor Authentication (MFA)
- Devices and Mobile Apps
- Okta Identity Engine (OIE)
- YubiKey as FIDO2 (WebAuthn)
- Download the latest blob.
- Open the file in TextEdit or a similar application.
- Copy the entire value.
- Open jwt.io.
- Paste the JWT payload copied from the text editor into the Encoded box (left-hand side). NOTE: It may take a while to read the file; give it a few minutes to process.
- The payload is decoded on the right-hand side.
- Search for the AAGUID value using Ctrl+F or Command+F.
c1f9a0bc-1dd2-404a-b27f-8e29047a43fd
Search from the jwt.io page:
Search from the Okta Portal:
NOTE:
- Check if the Yubico page shows the status "In Progress" under FIDO Certification Level. In this case, please contact Yubico's Customer Support.
- Alternatively, if the authenticator does not appear in the FIDO MDS AAGUID list, add it to the custom AAGUID list. When adding an entry to the custom AAGUID list that's already in the FIDO MDS AAGUID list, the custom entry overrides the FIDO MDS entry.
- Please follow the steps here: Review and manage FIDO MDS and custom authenticators documentation.
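
The same lookup can be done locally instead of pasting the blob into a web page. The following is an added example, not Okta's or the FIDO Alliance's code. It assumes the blob is a compact JWT whose payload holds an `entries` array with an `aaguid` field on FIDO2 entries; the sample blob and its entry values are constructed, and the signature is not verified.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_blob_payload(blob: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT verified."""
    parts = blob.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def find_aaguid(payload: dict, aaguid: str):
    """Return the entry whose 'aaguid' matches (case-insensitive), or None."""
    wanted = aaguid.strip().lower()
    for entry in payload.get("entries", []):
        # U2F and UAF entries carry no 'aaguid' key, hence .get()
        if entry.get("aaguid", "").lower() == wanted:
            return entry
    return None


def _b64url(obj) -> str:
    """Helper used only to build the constructed sample below."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample blob, not real MDS data; the signature segment is a dummy.
SAMPLE_BLOB = ".".join([
    _b64url({"alg": "ES256", "typ": "JWT"}),
    _b64url({"no": 1, "entries": [
        {"aaguid": "c1f9a0bc-1dd2-404a-b27f-8e29047a43fd",
         "metadataStatement": {"description": "constructed sample entry"},
         "statusReports": [{"status": "FIDO_CERTIFIED_L1"}]},
        {"attestationCertificateKeyIdentifiers": ["00" * 20]},
    ]}),
    "c2ln",
])

if __name__ == "__main__":
    # For a real lookup, read the downloaded blob file instead of SAMPLE_BLOB.
    hit = find_aaguid(decode_blob_payload(SAMPLE_BLOB), "C1F9A0BC-1DD2-404A-B27F-8E29047A43FD")
    print(hit["metadataStatement"]["description"] if hit else "AAGUID not in blob")
```

A `None` result corresponds to the case in the note above where the authenticator is missing from the FIDO MDS AAGUID list.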
