1. Introduction
This section is not normative.
This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. A public key credential is created and stored by an authenticator at the behest of a Relying Party, subject to user consent. Subsequently, the public key credential can only be accessed by origins belonging to that Relying Party. This scoping is enforced jointly by conforming User Agents and authenticators. Additionally, privacy across Relying Parties is maintained; Relying Parties are not able to detect any properties, or even the existence, of credentials scoped to other Relying Parties.
Relying Parties employ the Web Authentication API during two distinct, but related, ceremonies involving a user. The first is Registration, where a public key credential is created on an authenticator, and associated by a Relying Party with the present user’s account (the account may already exist or may be created at this time). The second is Authentication, where the Relying Party is presented with an Authentication Assertion proving the presence and consent of the user who registered the public key credential. Functionally, the Web Authentication API comprises a PublicKeyCredential
which extends the Credential Management API [CREDENTIAL-MANAGEMENT-1], and infrastructure which allows those credentials to be used with navigator.credentials.create()
and navigator.credentials.get()
. The former is used during Registration, and the latter during Authentication.
Broadly, compliant authenticators protect public key credentials, and interact with user agents to implement the Web Authentication API. Some authenticators may run on the same computing device (e.g., smart phone, tablet, desktop PC) as the user agent is running on. For instance, such an authenticator might consist of a Trusted Execution Environment (TEE) applet, a Trusted Platform Module (TPM), or a Secure Element (SE) integrated into the computing device in conjunction with some means for user verification, along with appropriate platform software to mediate access to these components' functionality. Other authenticators may operate autonomously from the computing device running the user agent, and be accessed over a transport such as Universal Serial Bus (USB), Bluetooth Low Energy (BLE) or Near Field Communications (NFC).
1.1. Use Cases
The below use case scenarios illustrate use of two very different types of authenticators, as well as outline further scenarios. Additional scenarios, including sample code, are given later in §11 §12 Sample scenarios.
1.1.1. Registration
-
On a phone:
-
User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using (possibly a legacy method such as a password), or creates a new account.
-
The phone prompts, "Do you want to register this device with example.com?"
-
User agrees.
-
The phone prompts the user for a previously configured authorization gesture (PIN, biometric, etc.); the user provides this.
-
Website shows message, "Registration complete."
-
1.1.2. Authentication
-
On a laptop or desktop:
-
User navigates to example.com in a browser, sees an option to "Sign in with your phone."
-
User chooses this option and gets a message from the browser, "Please complete this action on your phone."
-
-
Next, on their phone:
-
User sees a discrete prompt or notification, "Sign in to example.com."
-
User selects this prompt / notification.
-
User is shown a list of their example.com identities, e.g., "Sign in as Alice / Sign in as Bob."
-
User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.
-
-
Now, back on the laptop:
-
Web page shows that the selected user is signed-in, and navigates to the signed-in page.
-
1.1.3. Other use cases and configurations
A variety of additional use cases and configurations are also possible, including (but not limited to):
-
A user navigates to example.com on their laptop, is guided through a flow to create and register a credential on their phone.
-
A user obtains an discrete, roaming authenticator, such as a "fob" with USB or USB+NFC/BLE connectivity options, loads example.com in their browser on a laptop or phone, and is guided though a flow to create and register a credential on the fob.
-
A Relying Party prompts the user for their authorization gesture in order to authorize a single transaction, such as a payment or other financial transaction.
2. Conformance
This specification defines criteria for a Conforming User Agent: three conformance classes. Each of these classes is specified so that conforming members of the class are secure against non-conforming or hostile members of the other classes.
2.1. User Agents
A User Agent MUST behave as described in this specification in by §5 Web Authentication API in order to be considered conformant. Conforming User Agents MAY implement algorithms given in this specification in any way desired, so long as the end result is indistinguishable from the result that would be obtained by the specification’s algorithms.
A conforming User Agent MUST also be a conforming implementation of the IDL fragments of this specification, as described in the “Web IDL” specification. [WebIDL-1]This specification also defines a model of a conformant authenticator (see §5 WebAuthn Authenticator model)
2.2. Authenticators
An authenticator MUST provide the operations defined by §6 WebAuthn Authenticator model, and those operations MUST behave as described there. This is a set of functional and security requirements for an authenticator to be usable by a Conforming User Agent.
As described in §1.1 Use Cases, an authenticator may be implemented in the operating system underlying the User Agent, or in external hardware, or a combination of both.
2.
1.3. Relying Parties
A Relying Party MUST behave as described in §7 Relying Party Operations to get the security benefits offered by this specification.
3. Dependencies
This specification relies on several other underlying specifications, listed below and in Terms defined by reference.
- Base64url encoding
-
The term Base64url Encoding refers to the base64 encoding using the URL- and filename-safe character set defined in Section 5 of [RFC4648], with all trailing '=' characters omitted (as permitted by Section 3.2) and without the inclusion of any line breaks, whitespace, or other additional characters.
- CBOR
-
A number of structures in this specification, including attestation statements and extensions, are encoded using the Compact Binary Object Representation (CBOR) [RFC7049].
- CDDL
-
This specification describes the syntax of all CBOR-encoded data using the CBOR Data Definition Language (CDDL) [CDDL].
- COSE
-
CBOR Object Signing and Encryption (COSE) [RFC8152]. The IANA COSE Algorithms registry established by this specification is also used.
- Credential Management
-
The API described in this document is an extension of the
Credential
concept defined in [CREDENTIAL-MANAGEMENT-1]. - DOM
-
DOMException
and the DOMException values used in this specification are defined in [DOM4]. - ECMAScript
-
%ArrayBuffer% is defined in [ECMAScript].
- HTML
-
The concepts of relevant settings object, origin, opaque origin, and is a registrable domain suffix of or is equal to are defined in [HTML52].
- Web IDL
-
Many of the interface definitions and all of the IDL in this specification depend on [WebIDL-1]. This updated version of the Web IDL standard adds support for
Promise
s, which are now the preferred mechanism for asynchronous interaction in all new web APIs.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
34. Terminology
- Assertion
- Attestation
-
Generally, attestation is a statement serving to bear witness, confirm, or authenticate. In the WebAuthn context, attestation is employed to attest to the provenance of an authenticator and the data it emits; including, for example: credential IDs, credential key pairs, signature counters, etc. An attestation statement is conveyed in an attestation object during registration. See also §5§6.3 Attestation and Figure 3. Whether or how the client platform conveys the attestation statement and AAGUID portions of the attestation object to the Relying Party is described by attestation conveyance.
- Attestation Certificate
-
A X.509 Certificate for the attestation key pair used by an authenticator to attest to its manufacture and capabilities. At registration time, the authenticator uses the attestation private key to sign the Relying Party-specific credential public key (and additional data) that it generates and returns via the authenticatorMakeCredential operation. Relying Parties use the attestation public key conveyed in the attestation certificate to verify the attestation signature. Note that in the case of self attestation, the authenticator has no distinct attestation key pair nor attestation certificate, see self attestation for details.
- Authentication
-
The ceremony where a user, and the user’s computing device(s) (containing at least one authenticator) work in concert to cryptographically prove to an Relying Party that the user controls the credential private key associated with a previously-registered public key credential (see Registration). Note that this typically includes employing a test of user presence or user verification.
- Authentication Assertion
-
The cryptographically signed
AuthenticatorAssertionResponse
object returned by an authenticator as the result of a authenticatorGetAssertion operation.This corresponds to the [CREDENTIAL-MANAGEMENT-1] specification’s single-use credentials.
- Authenticator
-
A cryptographic device entity used by a WebAuthn Client to (i) generate a public key credential and register it with a Relying Party, and (ii) subsequently used to cryptographically sign and return authenticate by potentially verifying the user, and then cryptographically signing and returning, in the form of an Authentication Assertion, a challenge and other data presented by a Relying Party (in concert with the WebAuthn Client) in order to effect authentication.
- Authorization Gesture
-
An authorization gesture is a physical interaction performed by a user with an authenticator as part of a ceremony, such as registration or authentication. By making such an authorization gesture, a user provides consent for (i.e., authorizes) a ceremony to proceed. This may involve user verification if the employed authenticator is capable, or it may involve a simple test of user presence.
- Biometric Recognition
-
The automated recognition of individuals based on their biological and behavioral characteristics [ISOBiometricVocabulary].
- Ceremony
-
The concept of a ceremony [Ceremony] is an extension of the concept of a network protocol, with human nodes alongside computer nodes and with communication links that include user interface(s), human-to-human communication, and transfers of physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony. In this specification, Registration and Authentication are ceremonies, and an authorization gesture is often a component of those ceremonies.
- Client
- Client-Side
-
This refers in general to the combination of the user’s platform device, user agent, authenticators, and everything gluing it all together.
- Client-side-resident Credential Private Key
-
A Client-side-resident Credential Private Key is stored either on the client platform, or in some cases on the authenticator itself, e.g., in the case of a discrete first-factor roaming authenticator. Such client-side credential private key storage has the property that the authenticator is able to select the credential private key given only an RP ID, possibly with user assistance (e.g., by providing the user a pick list of credentials associated with the RP ID). By definition, the private key is always exclusively controlled by the Authenticator. In the case of a Client-side-resident Credential Private Key, the Authenticator might offload storage of wrapped key material to the client platform, but the client platform is not expected to offload the key storage to remote entities (e.g. RP Server).
- Conforming User Agent
-
A user agent implementing, in conjunction with the underlying platform, the Web Authentication API and algorithms given in this specification, and handling communication between authenticators and Relying Parties.
- Credential ID
-
A probabilistically-unique byte sequence identifying a public key credential source and its authentication assertions.
Credential IDs are generated by authenticators in two forms:
-
At least 16 bytes that include at least 100 bits of entropy, or
-
The public key credential source, without its Credential ID, encrypted so only its managing authenticator can decrypt it. This form allows the authenticator to be nearly stateless, by having the Relying Party store any necessary state.
Note: [FIDO-UAF-AUTHNR-CMDS] includes guidance on encryption techniques under "Security Guidelines".
Relying Parties do not need to distinguish these two Credential ID forms.
-
- Credential Public Key
-
The public key portion of an Relying Party-specific credential key pair, generated by an authenticator and returned to an Relying Party at registration time (see also public key credential). The private key portion of the credential key pair is known as the credential private key. Note that in the case of self attestation, the credential key pair is also used as the attestation key pair, see self attestation for details.
- Public Key Credential Source
-
A credential source ([CREDENTIAL-MANAGEMENT-1]) used by an authenticator to generate authentication assertions. A public key credential source has:
-
The Relying Party Identifier for the Relying Party that created this credential source.
-
An optional user handle for the person who created this credential source.
-
Optional other information used by the authenticator to inform its UI. For example, this might include the user’s
displayName
.
The authenticatorMakeCredential operation creates a public key credential source bound to a managing authenticator and returns the credential public key associated with its credential private key. The Relying Party can use this credential public key to verify the authentication assertions created by this public key credential source.
- Public Key Credential
-
Generically, a credential is data one entity presents to another in order to authenticate the former to the latter [RFC4949]. The term public key credential refers to one of: a public key credential source, the possibly-attested credential public key corresponding to a public key credential source, or an authentication assertion. Which one is generally determined by context.
Note: This is a willful violation of [RFC4949]. In English, a "credential" is both a) the thing presented to prove a statement and b) intended to be used multiple times. It’s impossible to achieve both criteria securely with a single piece of data in a public key system. [RFC4949] chooses to define a credential as the thing that can be used multiple times (the public key), while this specification gives "credential" the English term’s flexibility. This specification uses more specific terms to identify the data related to an [RFC4949] credential:- "Authentication information" (possibly including a private key)
- "Signed value"
- [RFC4949] "credential"
At registration time, the authenticator creates an asymmetric key pair, and stores its private key portion and information from the Relying Party into a public key credential source. The public key portion is returned to the Relying Party, who then stores it in conjunction with the present user’s account. Subsequently, only that Relying Party, as identified by its RP ID, is able to employ the public key credential in authentication ceremonies, via the
get()
method. The Relying Party uses its stored copy of the credential public key to verify the resultant authentication assertion. - Rate Limiting
-
The process (also known as throttling) by which an authenticator implements controls against brute force attacks by limiting the number of consecutive failed authentication attempts within a given period of time. If the limit is reached, the authenticator should impose a delay that increases exponentially with each successive attempt, or disable the current authentication modality and offer a different authentication factor if available. Rate limiting is often implemented as an aspect of user verification.
- Registration
-
The ceremony where a user, a Relying Party, and the user’s computing device(s) (containing at least one authenticator) work in concert to create a public key credential and associate it with the user’s Relying Party account. Note that this typically includes employing a test of user presence or user verification.
- Relying Party
-
The entity whose web application utilizes the Web Authentication API to register and authenticate users. See Registration and Authentication, respectively.
Note: While the term Relying Party is used in other contexts (e.g., X.509 and OAuth), an entity acting as a Relying Party in one context is not necessarily a Relying Party in other contexts.
- Relying Party Identifier
- RP ID
-
A valid domain string that identifies the Relying Party on whose behalf a given registration or authentication ceremony is being performed. A public key credential can only be used for authentication with the same entity (as identified by RP ID) it was registered with. By default, the RP ID for a WebAuthn operation is set to the caller’s origin's effective domain. This default MAY be overridden by the caller, as long as the caller-specified RP ID value is a registrable domain suffix of or is equal to the caller’s origin's effective domain. See also §4§5.1.3 Create a new credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) method and §4§5.1.4 Use an existing credential to make an assertion - PublicKeyCredential’s [[DiscoverFromExternalSourceGet]](options) method.
Note: A Public key credential's scope is for a Relying Party's origin, with the following restrictions and relaxations:-
The scheme is always
https
(i.e., a restriction), and, -
the host may be equal to the Relying Party's origin's effective domain, or it may be equal to a registrable domain suffix of the Relying Party's origin's effective domain (i.e., an available relaxation), and,
-
all (TCP) ports on that host (i.e., a relaxation).
This is done in order to match the behavior of pervasively deployed ambient credentials (e.g., cookies, [RFC6265]). Please note that this is a greater relaxation of "same-origin" restrictions than what document.domain's setter provides.
-
- Public Key Credential
-
Generically, a credential is data one entity presents to another in order to authenticate the former to the latter [RFC4949]. A WebAuthn public key credential is a
{ identifier, type }
pair identifying authentication information established by the authenticator and the Relying Party, together, at registration time. The authentication information consists of an asymmetric key pair, where the public key portion is returned to the Relying Party, who then stores it in conjunction with the present user’s account. The authenticator maps the private key portion to the Relying Party's RP ID and stores it. Subsequently, only that Relying Party, as identified by its RP ID, is able to employ the public key credential in authentication ceremonies, via theget()
method. The Relying Party uses its stored copy of the credential public key to verify the resultant authentication assertion. - Test of User Presence
-
A test of user presence is a simple form of authorization gesture and technical process where a user interacts with an authenticator by (typically) simply touching it (other modalities may also exist), yielding a boolean result. Note that this does not constitute user verification because a user presence test, by definition, is not capable of biometric recognition, nor does it involve the presentation of a shared secret such as a password or PIN.
- User Consent
-
User consent means the user agrees with what they are being asked, i.e., it encompasses reading and understanding prompts. An authorization gesture is a ceremony component often employed to indicate user consent.
- User Handle
-
The user handle is specified by a Relying Party and is a unique identifier for a user account with that Relying Party. A user handle is an opaque byte sequence with a maximum size of 64 bytes.
The user handle is not meant to be displayed to the user, but is used by the Relying Party to control the number of credentials - an authenticator will never contain more than one credential for a given Relying Party under the same user handle.
- User Verification
-
The technical process by which an authenticator locally authorizes the invocation of the authenticatorMakeCredential and authenticatorGetAssertion operations. User verification may be instigated through various authorization gesture modalities; for example, through a touch plus pin code, password entry, or biometric recognition (e.g., presenting a fingerprint) [ISOBiometricVocabulary]. The intent is to be able to distinguish individual users. Note that invocation of the authenticatorMakeCredential and authenticatorGetAssertion operations implies use of key material managed by the authenticator. Note that for security, user verification and use of credential private keys must occur within a single logical security boundary defining the authenticator.
- User Present
- UP
-
Upon successful completion of a user presence test, the user is said to be "present".
- User Verified
- UV
-
Upon successful completion of a user verification process, the user is said to be "verified".
- WebAuthn Client
-
Also referred to herein as simply a client. See also Conforming User Agent.
5. Web Authentication API
This section normatively specifies the API for creating and using public key credentials. The basic idea is that the credentials belong to the user and are managed by an authenticator, with which the Relying Party interacts through the client (consisting of the browser and underlying OS platform). Scripts can (with the user’s consent) request the browser to create a new credential for future use by the Relying Party. Scripts can also request the user’s permission to perform authentication operations with an existing credential. All such operations are performed in the authenticator and are mediated by the browser and/or platform on the user’s behalf. At no point does the script get access to the credentials themselves; it only gets information about the credentials in the form of objects.
In addition to the above script interface, the authenticator may implement (or come with client software that implements) a user interface for management. Such an interface may be used, for example, to reset the authenticator to a clean state or to inspect the current state of the authenticator. In other words, such an interface is similar to the user interfaces provided by browsers for managing user state such as history, saved passwords and cookies. Authenticator management actions such as credential deletion are considered to be the responsibility of such a user interface and are deliberately omitted from the API exposed to scripts.
The security properties of this API are provided by the client and the authenticator working together. The authenticator, which holds and manages credentials, ensures that all operations are scoped to a particular origin, and cannot be replayed against a different origin, by incorporating the origin in its responses. Specifically, as defined in §5§6.2 Authenticator operations, the full origin of the requester is included, and signed over, in the attestation object produced when a new credential is created as well as in all assertions produced by WebAuthn credentials.
Additionally, to maintain user privacy and prevent malicious Relying Parties from probing for the presence of public key credentials belonging to other Relying Parties, each credential is also associated with a Relying Party Identifier, or RP ID. This RP ID is provided by the client to the authenticator for all operations, and the authenticator ensures that credentials created by a Relying Party can only be used in operations requested by the same RP ID. Separating the origin from the RP ID in this way allows the API to be used in cases where a single Relying Party maintains multiple origins.
The client facilitates these security measures by providing the Relying Party's origin and RP ID to the authenticator for each operation. Since this is an integral part of the WebAuthn security model, user agents only expose this API to callers in secure contexts.
The Web Authentication API is defined by the union of the Web IDL fragments presented in the following sections. A combined IDL listing is given in the IDL Index.
4
5.1. PublicKeyCredential
Interface
The PublicKeyCredential
interface inherits from Credential
[CREDENTIAL-MANAGEMENT-1], and contains the attributes that are returned to the caller when a new credential is created, or a new assertion is requested.
[SecureContext, Exposed=Window] interface PublicKeyCredential : Credential { [SameObject] readonly attribute ArrayBufferrawId
; [SameObject] readonly attribute AuthenticatorResponse response; [SameObject] readonly attribute AuthenticationExtensions clientExtensionResultsgetClientExtensionResults
(); };
-
id
-
This attribute is inherited from
Credential
, thoughPublicKeyCredential
overridesCredential
's getter, instead returning the base64url encoding of the data contained in the object’s[[identifier]]
internal slot. -
rawId
-
This attribute returns the
ArrayBuffer
contained in the[[identifier]]
internal slot. -
response
, of type AuthenticatorResponse, readonly -
This attribute contains the authenticator's response to the client’s request to either create a public key credential, or generate an authentication assertion. If the
PublicKeyCredential
is created in response tocreate()
, this attribute’s value will be anAuthenticatorAttestationResponse
, otherwise, thePublicKeyCredential
was created in response toget()
, and this attribute’s value will be anAuthenticatorAssertionResponse
. -
clientExtensionResults
, of type AuthenticationExtensions, readonly
This attribute contains
-
getClientExtensionResults()
-
This operation returns the value of
[[clientExtensionsResults]]
, which is a map containing extension identifier → client extension output entries produced by the extension’s client extension processing. -
[[type]]
-
The
PublicKeyCredential
interface object's[[type]]
internal slot's value is the string "public-key
".Note: This is reflected via the
type
attribute getter inherited fromCredential
. -
[[discovery]]
-
The
PublicKeyCredential
interface object's[[discovery]]
internal slot's value is "remote
". -
[[identifier]]
-
This internal slot contains an identifier for the credential, chosen by the platform with help from the authenticator. This identifier is used to look up credentials for use, and is therefore expected to be globally unique with high probability across all credentials of the same type, across all authenticators. This API does not constrain the format or length of this identifier, except that it must be sufficient for the platform to uniquely select a key. For example, an authenticator without on-board storage may create identifiers containing a credential private key wrapped with a symmetric key that is burned into the authenticator.
-
[[clientExtensionsResults]]
-
This internal slot contains the results of processing client extensions requested by the Relying Party upon the Relying Party's invocation of either
navigator.credentials.create()
ornavigator.credentials.get()
.
PublicKeyCredential
's interface object inherits Credential
's implementation of [[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors)
, and defines its own implementation of [[StoreCreate]](credentialorigin, options, sameOriginWithAncestors)
, and defines its own implementation of [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
, and [[CreateStore]](optionscredential, sameOriginWithAncestors)
.
5.1.1. CredentialCreationOptions
Extension
To support registration via navigator.credentials.create()
, this document extends the CredentialCreationOptions
dictionary as follows:
partial dictionary CredentialCreationOptions {
MakePublicKeyCredentialOptions publicKey
;
};
4
5.1.2. CredentialRequestOptions
Extension
To support obtaining assertions via navigator.credentials.get()
, this document extends the CredentialRequestOptions
dictionary as follows:
partial dictionary CredentialRequestOptions {
PublicKeyCredentialRequestOptions publicKey
;
};
4
5.1.3. Create a new credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors)
method
Note: This algorithm is synchronous; the Promise
resolution/rejection is handled by
PublicKeyCredential
's interface object's implementation of the
[[Create]](origin, options, sameOriginWithAncestors)
internal method [CREDENTIAL-MANAGEMENT-1] allows Relying Party scripts to call navigator.credentials.create()
to request the creation of a new
PublicKeyCredential
, managed by an authenticator. The user agent will prompt the user for consent. On success, the returned promise
will be resolved with a PublicKeyCredential
containing an AuthenticatorAttestationResponse
object.
public key credential source, bound to an authenticator. This navigator.credentials.create()
operation can be aborted by leveraging the AbortController
; see DOM §3.3 Using AbortController and AbortSignal objects in APIs for detailed instructions.
This internal method accepts
name
member of options.rp
, the name
member of options.user
, the displayName
member of options.user
, or the id
member of options.user
are not present, return a TypeError
simple exception
three arguments:
-
origin
-
This argument is the relevant settings object's origin, as determined by the calling
create()
implementation. -
options
-
This argument is a
CredentialCreationOptions
object whoseoptions.
member contains apublicKey
MakePublicKeyCredentialOptions
object specifying the desired attributes of the to-be-created public key credential. -
sameOriginWithAncestors
-
This argument is a boolean which is true if and only if the caller’s environment settings object is same-origin with its ancestors.
Note: This algorithm is synchronous: the Promise
resolution/rejection is handled by navigator.credentials.create()
.
When this method is invoked, the user agent MUST execute the following algorithm:
Let options be the value of options.
.
publicKey
-
If sameOriginWithAncestors is
false
, return a "NotAllowedError
"DOMException
.Note: This "sameOriginWithAncestors" restriction aims to address the concern raised in the Origin Confusion section of [CREDENTIAL-MANAGEMENT-1], while allowing Relying Party script access to Web Authentication functionality, e.g., when running in a secure context framed document that is same-origin with its ancestors. However, in the future, this specification (in conjunction with [CREDENTIAL-MANAGEMENT-1]) may provide Relying Parties with more fine-grained control--e.g., ranging from allowing only top-level access to Web Authentication functionality, to allowing cross-origin embedded cases--by leveraging [Feature-Policy] once the latter specification becomes stably implemented in user agents.
-
Let options be the value of
options.
.publicKey
-
If the
timeout
member of options is present, check if its value lies within a reasonable range as defined by the platform and if not, correct it to the closest value lying within that range. Set
-
a timer lifetimeTimer to this adjusted value. If the
timeout
member of options is not present, then set
-
lifetimeTimer to a platform-specific default.
-
Let
PublicKeyCredential
's interface object's environment settings object’s global object.
-
callerOrigin be
PublicKeyCredential
interface object's relevant settings object
-
. If callerOrigin is an opaque origin, return a
DOMException
whose name is "NotAllowedError
", and terminate this algorithm. -
Let effectiveDomain be the callerOrigin’s effective domain. If effective domain is not a valid domain, then return a
DOMException
whose name is "SecurityError
" and terminate this algorithm.Note: An effective domain may resolve to a host, which can be represented in various manners, such as domain, ipv4 address, ipv6 address, opaque host, or empty host. Only the domain format of host is allowed here.
Let rpId be effectiveDomain.
-
- Is present
-
-
If
options.
is not a registrable domain suffix of and is not equal to effectiveDomain, return arp
.id
DOMException
whose name is "SecurityError
", and terminate this algorithm. - Is not present
-
Set
-
-
options.
represents the caller’s RP ID. The RP ID defaults to being the caller’s origin's effective domain unless the caller has explicitly setrp
.id
options.
when callingrp
.id
create()
. -
Let credTypesAndPubKeyAlgs be a new list whose items are pairs of
PublicKeyCredentialType
and aCOSEAlgorithmIdentifier
. -
For each current of
options.
:pubKeyCredParams
-
If credTypesAndPubKeyAlgs is empty and
options.
is not empty,pubKeyCredParams
-
return a
DOMException
whose name is "NotSupportedError
", and terminate this algorithm. -
Let clientExtensions be a new map and let authenticatorExtensions be a new map.
-
If the
extensions
member of options is present, then for each extensionId → clientExtensionInput ofoptions.
:extensions
-
If extensionId is not supported by this client platform or is not a registration extension, then continue.
-
Set clientExtensions[extensionId] to clientExtensionInput.
-
If extensionId is not an authenticator extension, then continue.
-
Let authenticatorExtensionInput be the (CBOR) result of running extensionId’s client extension processing algorithm on clientExtensionInput. If the algorithm returned an error, continue.
-
Set authenticatorExtensions[extensionId] to the base64url encoding of authenticatorExtensionInput.
-
-
Let collectedClientData be a new
CollectedClientData
instance whose fields are:-
type
-
The string "webauthn.create".
-
challenge
-
The base64url encoding of options.
challenge
. -
origin
-
The serialization of callerOrigin.
-
hashAlgorithm
-
The recognized algorithm name of the hash algorithm selected by the client for generating the hash of the serialized client data.
-
tokenBindingId
-
The Token Binding ID associated with callerOrigin, if one is available.
-
clientExtensions
-
clientExtensions
-
authenticatorExtensions
-
authenticatorExtensions
-
-
Let clientDataJSON be the JSON-serialized client data constructed from collectedClientData.
-
Let clientDataHash be the hash of the serialized client data represented by clientDataJSON.
Let currentlyAvailableAuthenticators be a new ordered set consisting of all authenticators currently available on this platform.
-
If the
options.
is present and its aborted flag is set to true, return asignal
DOMException
whose name is "AbortError
" and terminate this algorithm. -
Start lifetimeTimer.
-
Let issuedRequests be a new ordered set.
DOMException
whose name is "NotFoundError
", and terminate this algorithm
-
For each authenticator that becomes available on this platform during the lifetime of lifetimeTimer, do the following:
The definitions of "lifetime of" and "becomes available" are intended to represent how devices are hotplugged into (USB) or discovered by (NFC) browsers, and are under-specified. Resolving this with good definitions or some other means will be addressed by resolving Issue #613.
-
If
options.
is presentauthenticatorSelection
-
-
-
:
-
If
-
-
aa
-
-
-
options.
is present and its value is not equal to authenticator’s attachment modality, continue.authenticatorSelection
.authenticatorAttachment
-
If
-
-
rk
-
-
-
options.
is set toauthenticatorSelection
.requireResidentKey
true
and the authenticator is not capable of storing a Client-Side-Resident Credential Private Key, continue. -
If
-
-
uv
-
-
-
options.
is set toauthenticatorSelection
.userVerification
-
-
-
-
-
required
and the authenticator is not capable of performing user verification, continue.
-
-
Append authenticator to selectedAuthenticators.
If selectedAuthenticators is empty, return a DOMException
whose name is "ConstraintError
", and terminate this algoritm.
Let issuedRequests be a new ordered set.
For each authenticator in currentlyAvailableAuthenticators:
-
-
Let userVerification be the effective user verification requirement for credential creation, a Boolean value, as follows. If
options.
authenticatorSelection
.userVerification
-
is set to
required
-
Let userVerification be
true
. -
is set to
preferred
-
If the authenticator
- is capable of user verification
-
Let userVerification be
true
. - is not capable of user verification
-
Let userVerification be
false
.
-
is set to
discouraged
-
Let userVerification be
false
.
-
is set to
-
Let userPresence be a Boolean value set to the inverse of userVerification.
-
Let excludeCredentialDescriptorList be a new list.
-
For each credential descriptor C in
options.
:excludeCredentials
-
If
C.
is not empty, and authenticator is connected over a transport not mentioned intransports
C.
, the client MAY continue.transports
-
Otherwise, Append C to excludeCredentialDescriptorList.
-
-
-
-
Invoke the authenticatorMakeCredential operation on authenticator with
-
-
-
clientDataHash,
options.
,rp
options.
,user
options.
authenticatorSelection
.
-
rk
-
-
, userPresence, userVerification, credTypesAndPubKeyAlgs, excludeCredentialDescriptorList, and authenticatorExtensions as parameters.requireResidentKey
-
Append authenticator to issuedRequests.
-
Start a timer for adjustedTimeout milliseconds. Then execute the following steps in parallel. The task source for these tasks is the dom manipulation task source.
-
While issuedRequests is not empty, perform the following actions depending upon
-
lifetimeTimer and responses from the authenticators:
- If
-
- lifetimeTimer expires,
-
For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests.
-
If the
options.
is present and its aborted flag is set to true,signal
-
For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests. Then return a
DOMException
whose name is "AbortError
" and terminate this algorithm. - If any authenticator returns a status indicating that the user cancelled the operation,
-
-
Remove authenticator from issuedRequests.
-
For each remaining authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove it from issuedRequests.
-
- If any authenticator returns an error status,
-
Remove authenticator from issuedRequests.
- If any authenticator indicates success,
-
-
Remove authenticator from issuedRequests.
-
Let
-
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes of the value
-
-
-
credentialCreationData be a struct whose items are:
-
attestationObjectResult
-
whose value is the bytes returned from the successful authenticatorMakeCredential operation
-
-
-
-
-
-
-
.
Note: this value is
attObj
, as defined in
-
-
-
Let id be attestationObject.authData.attestation data.credential ID
(see §5.3.1 Attestation data and §5.1 Authenticator data).
-
-
-
-
.
-
clientDataJSONResult
-
whose value is the bytes of clientDataJSON.
-
attestationConveyancePreferenceOption
-
whose value is the value of options.
attestation
. -
clientExtensionResults
-
whose value is an
AuthenticationExtensions
object containing extension identifier → client extension output entries. The entries are created by running each extension’s client extension processing algorithm to create the client extension outputs, for each client extension in
.clientDataJSON
.clientExtensions
-
-
Let constructCredentialAlg be an algorithm that takes a global object global, and whose steps are:
-
Let attestationObject be a new
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes ofcredentialCreationData.attestationObjectResult
’s value. -
If
credentialCreationData.attestationConveyancePreferenceOption
’s value is- "none"
-
Replace potentially uniquely identifying information (such as AAGUID and attestation certificates) in the attested credential data and attestation statement, respectively, with blinded versions of the same data.
-
need to define "blinding". See also #462. <https://github.com/w3c/webauthn/issues/694>
- "indirect"
-
The client MAY replace the AAGUID and attestation statement with a more privacy-friendly and/or more easily verifiable version of the same data (for example, by employing a Privacy CA).
- "direct"
-
Convey the authenticator's AAGUID and attestation statement, unaltered, to the RP.
-
@balfanz wishes to add to the "direct" case: If the authenticator violates the privacy requirements of the attestation type it is using, the client SHOULD terminate this algorithm with a "AttestationNotPrivateError".
-
Let id be
attestationObject.authData.attestedCredentialData.credentialId
. -
Let pubKeyCred be a new
PublicKeyCredential
object associated with global whose fields are:-
[[identifier]]
-
id
-
response
-
A new
AuthenticatorAttestationResponse
object associated with global whose fields are:-
clientDataJSON
-
A new
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes of
-
-
-
-
-
-
-
-
-
-
-
credentialCreationData.clientDataJSONResult
. -
attestationObject
-
attestationObject
-
-
-
-
-
clientExtensionResults
AuthenticationExtensions
object containing the extension identifier → client extension output entries created by running each extension’s client extension processing algorithm to create the client extension outputs, for each client extension in clientDataJSON
.clientExtensions.
-
-
-
-
-
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes ofcredentialCreationData.clientExtensionResults
.
-
-
Return pubKeyCred.
-
-
For each remaining authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove it from issuedRequests.
-
Return
-
-
-
-
-
constructCredentialAlg and terminate this algorithm.
-
-
-
Return a
DOMException
whose name is "NotAllowedError
".
During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and authorizing an authenticator.
5.1.4. Use an existing credential to make an assertion - PublicKeyCredential’s [[
DiscoverFromExternalSource
Get]](options)
method
The [[DiscoverFromExternalSource]](options)
method is used
Relying Parties call navigator.credentials.get({publicKey:..., ...})
to discover and use an existing public key credential, with the user’s consent.
Relying Party script optionally specifies some criteria to indicate what
credentialscredential sources are acceptable to it. The user agent and/or platform locates
credentialscredential sources matching the specified criteria, and guides the user to pick one that the script will be allowed to use. The user may choose
not to provideto decline the entire interaction even if a credential
even if onesource is present, for example to maintain privacy.
Note: This algorithm is synchronous; the Promise
resolution/rejection is handled by navigator.credentials.get()
.
This method accepts a single argument:
If the user picks a credential source, the user agent then uses §6.2.2 The authenticatorGetAssertion operation to sign a Relying Party-provided challenge and other collected data into an assertion, which is used as a credential.
The get()
implementation [CREDENTIAL-MANAGEMENT-1] calls PublicKeyCredential.
to collect any credentials that should be available without user mediation (roughly, this specification’s authorization gesture), and if it does not find exactly one of those, it then calls [[CollectFromCredentialStore]]()
PublicKeyCredential.
to have the user select a credential source.
[[DiscoverFromExternalSource]]()
Since this specification requires an authorization gesture to create any credentials, the PublicKeyCredential.
internal method inherits the default behavior of [[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors)
Credential.[[CollectFromCredentialStore]]()
, of returning an empty set.
5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
method
[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
This internal method accepts three arguments:
-
origin
-
This argument is the relevant settings object's origin, as determined by the calling
get()
implementation, i.e.,CredentialsContainer
's Request aCredential
abstract operation. -
options
-
This argument is a
CredentialRequestOptions
object whoseoptions.
member contains apublicKey
-
PublicKeyCredentialRequestOptions
object specifying the desired attributes of the public key credential to discover. -
sameOriginWithAncestors
-
This argument is a boolean which is true if and only if the caller’s environment settings object is same-origin with its ancestors.
Note: This algorithm is synchronous: the Promise
resolution/rejection is handled by navigator.credentials.get()
.
When this method is invoked, the user agent MUST execute the following algorithm:
-
If sameOriginWithAncestors is
false
, return a "NotAllowedError
"DOMException
.Note: This "sameOriginWithAncestors" restriction aims to address the concern raised in the Origin Confusion section of [CREDENTIAL-MANAGEMENT-1], while allowing Relying Party script access to Web Authentication functionality, e.g., when running in a secure context framed document that is same-origin with its ancestors. However, in the future, this specification (in conjunction with [CREDENTIAL-MANAGEMENT-1]) may provide Relying Parties with more fine-grained control--e.g., ranging from allowing only top-level access to Web Authentication functionality, to allowing cross-origin embedded cases--by leveraging [Feature-Policy] once the latter specification becomes stably implemented in user agents.
-
Let options be the value of
options.
.publicKey
-
If the
timeout
member of options is present, check if its value lies within a reasonable range as defined by the platform and if not, correct it to the closest value lying within that range. Set
-
a timer lifetimeTimer to this adjusted value. If the
timeout
member of options is not present, then set
-
lifetimeTimer to a platform-specific default.
-
Let
PublicKeyCredential
's interface object's environment settings object’s global object.
-
callerOrigin be
PublicKeyCredential
interface object's relevant settings objectIf there are no authenticators currently available on this platform
-
. If callerOrigin is an opaque origin, return a
DOMException
whose name is "NotAllowedError
", and terminate this algorithm. -
Let effectiveDomain be the callerOrigin’s effective domain. If effective domain is not a valid domain, then return a
DOMException
whose name is "SecurityError
" and terminate this algorithm.Note: An effective domain may resolve to a host, which can be represented in various manners, such as domain, ipv4 address, ipv6 address, opaque host, or empty host. Only the domain format of host is allowed here.
-
If options.
rpId
is not present, then set rpId to effectiveDomain.Otherwise:
-
If options.
rpId
is not a registrable domain suffix of and is not equal to effectiveDomain, return aDOMException
whose name is "SecurityError
", and terminate this algorithm. -
Set rpId to options.
rpId
.Note: rpId represents the caller’s RP ID. The RP ID defaults to being the caller’s origin's effective domain unless the caller has explicitly set options.
rpId
when callingget()
.
-
-
Let clientExtensions be a new map and let authenticatorExtensions be a new map.
-
If the
extensions
member of options is present, then for each extensionId → clientExtensionInput ofoptions.
:extensions
-
If extensionId is not supported by this client platform or is not an authentication extension, then continue.
-
Set clientExtensions[extensionId] to clientExtensionInput.
-
If extensionId is not an authenticator extension, then continue.
-
Let authenticatorExtensionInput be the (CBOR) result of running extensionId’s client extension processing algorithm on clientExtensionInput. If the algorithm returned an error, continue.
-
Set authenticatorExtensions[extensionId] to the base64url encoding of authenticatorExtensionInput.
-
-
Let collectedClientData be a new
CollectedClientData
instance whose fields are:-
type
-
The string "webauthn.get".
-
challenge
-
The base64url encoding of options.
challenge
-
origin
-
The serialization of callerOrigin.
-
hashAlgorithm
-
The recognized algorithm name of the hash algorithm selected by the client for generating the hash of the serialized client data
-
tokenBindingId
-
The Token Binding ID associated with callerOrigin, if one is available.
-
clientExtensions
-
clientExtensions
-
authenticatorExtensions
-
authenticatorExtensions
-
-
Let clientDataJSON be the JSON-serialized client data constructed from collectedClientData.
-
Let clientDataHash be the hash of the serialized client data represented by clientDataJSON.
Let issuedRequests be a new ordered set.
-
If the
options.
is present and its aborted flag is set to true, return asignal
DOMException
whose name is "
NotFoundError
,
-
and terminate this algorithm.
-
Let issuedRequests be a new ordered set.
-
Let authenticator be a platform-specific handle whose value identifies an authenticator.
-
Start lifetimeTimer.
-
For each authenticator
-
that becomes available on this platform during the lifetime of lifetimeTimer, perform the following steps:
The definitions of "lifetime of" and "becomes available" are intended to represent how devices are hotplugged into (USB) or discovered by (NFC) browsers, and are under-specified. Resolving this with good definitions or some other means will be addressed by resolving Issue #613.
-
If
options.
is set touserVerification
required
and the authenticator is not capable of performing user verification, continue. -
Let userVerification be the effective user verification requirement for assertion, a Boolean value, as follows. If
options.
userVerification
-
is set to
required
-
Let userVerification be
true
. -
is set to
preferred
-
If the authenticator
- is capable of user verification
-
Let userVerification be
true
. - is not capable of user verification
-
Let userVerification be
false
.
-
is set to
discouraged
-
Let userVerification be
false
.
-
is set to
-
Let userPresence be a Boolean value set to the inverse of userVerification.
-
Let allowCredentialDescriptorList be a new list.
-
If
options.
is not empty, execute a platform-specific procedure to determine which, if any, public key credentials described byallowCredentials
options.
are bound to this authenticator, by matching with rpId,allowCredentials
options.
, andallowCredentials
.id
options.
. Set allowCredentialDescriptorList to this filtered list.allowCredentials
.type
-
If allowCredentialDescriptorList
- is not empty
-
-
Let distinctTransports be a new ordered set.
-
If allowCredentialDescriptorList has exactly one value, let savedCredentialId be a new
PublicKeyCredentialDescriptor
.id
and set its value toallowCredentialDescriptorList[0].id
’s value (see here in §6.2.2 The authenticatorGetAssertion operation for more information).
The foregoing step _may_ be incorrect, in that we are attempting to create savedCredentialId here and use it later below, and we do not have a global in which to allocate a place for it. Perhaps this is good enough? addendum: @jcjones feels the above step is likely good enough.
-
For each credential descriptor C in allowCredentialDescriptorList, append each value, if any, of
C.
to distinctTransports.transports
Note: This will aggregate only distinct values of
transports
(for this authenticator) in distinctTransports due to the properties of ordered sets. -
If distinctTransports
- is not empty
-
The client selects one transport value from distinctTransports, possibly incorporating local configuration knowledge of the appropriate transport to use with authenticator in making its selection.
Then, using transport, invoke
-
-
-
-
-
-
-
the authenticatorGetAssertion operation on authenticator, with rpId, clientDataHash, allowCredentialDescriptorList, userPresence, userVerification, and authenticatorExtensions as parameters.
- is empty
-
Using local configuration knowledge of the appropriate transport to use with authenticator, invoke
-
-
-
-
-
-
-
-
-
the authenticatorGetAssertion operation on authenticator with rpId, clientDataHash, allowCredentialDescriptorList, userPresence, userVerification, and clientExtensions as parameters.
-
-
- is empty
-
Using local configuration knowledge of the appropriate transport to use with authenticator, invoke
-
-
-
-
-
the authenticatorGetAssertion operation on authenticator with rpId, clientDataHash, userPresence, userVerification and clientExtensions as parameters.
Note: In this case, the Relying Party did not supply a list of acceptable credential descriptors. Thus the authenticator is being asked to exercise any credential it may possess that is bound to the Relying Party, as identified by rpId.
-
-
Append authenticator to issuedRequests.
-
Start a timer for adjustedTimeout milliseconds. Then execute the following steps in parallel. The task source for these tasks is the dom manipulation task source.
-
While issuedRequests is not empty, perform the following actions depending upon
-
lifetimeTimer and responses from the authenticators:
- If
-
- lifetimeTimer expires,
-
For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests.
-
If the
signal
member is present and the aborted flag is set to true, -
For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests. Then return a
DOMException
whose name is "AbortError
" and terminate this algorithm. - If any authenticator returns a status indicating that the user cancelled the operation,
-
-
Remove authenticator from issuedRequests.
-
For each remaining authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove it from issuedRequests.
-
- If any authenticator returns an error status,
-
Remove authenticator from issuedRequests.
- If any authenticator indicates success,
-
-
Remove authenticator from issuedRequests.
-
Let assertionCreationData be a struct whose items are:
-
credentialIdResult
-
If savedCredentialId exists, set the value of credentialIdResult to be the bytes of savedCredentialId. Otherwise, set the value of credentialIdResult to be the bytes of the credential ID returned from the successful authenticatorGetAssertion operation, as defined in §6.2.2 The authenticatorGetAssertion operation.
-
clientDataJSONResult
-
whose value is the bytes of clientDataJSON.
-
authenticatorDataResult
-
whose value is the bytes of the authenticator data returned by the authenticator.
-
signatureResult
-
whose value is the bytes of the signature value returned by the authenticator.
-
userHandleResult
-
whose value is the bytes of the user handle returned by the authenticator.
-
clientExtensionResults
-
whose value is an
AuthenticationExtensions
object containing extension identifier → client extension output entries. The entries are created by running each extension’s client extension processing algorithm to create the client extension outputs, for each client extension in
.clientDataJSON
.clientExtensions
-
-
Let constructAssertionAlg be an algorithm that takes a global object global, and whose steps are:
-
Let pubKeyCred be a new
PublicKeyCredential
object associated with global whose fields are:-
[[identifier]]
-
A new
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes of
-
-
-
-
-
-
-
-
assertionCreationData.credentialIdResult
. -
response
-
A new
AuthenticatorAssertionResponse
object associated with global whose fields are:-
clientDataJSON
-
A new
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes of
-
-
-
-
-
-
-
-
-
-
-
assertionCreationData.clientDataJSONResult
. -
authenticatorData
-
A new
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes of
-
-
-
-
-
authenticatorData
-
-
-
-
-
-
assertionCreationData.authenticatorDataResult
. -
signature
-
A new
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes of
-
-
-
-
-
signature
clientExtensionResults
-
-
-
-
-
-
assertionCreationData.signatureResult
. -
userHandle
-
A new
-
-
-
-
-
AuthenticationExtensions
object containing the extension identifier → client extension output entries created by running each extension’s client extension processing algorithm to create the client extension outputs, for each client extension in clientDataJSON
.clientExtensions.
-
-
-
-
-
-
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes ofassertionCreationData.userHandleResult
.
-
-
[[clientExtensionsResults]]
-
A new
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes ofassertionCreationData.clientExtensionResults
.
-
-
Return pubKeyCred.
-
-
For each remaining authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove it from issuedRequests.
-
Return
-
-
-
-
-
constructAssertionAlg and terminate this algorithm.
-
-
-
Return a
DOMException
whose name is "NotAllowedError
".
During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and authorizing an authenticator with which to complete the operation.
5.1.5.
Platform Authenticator Availability - PublicKeyCredential’s
Store an existing credential - PublicKeyCredential’s [[Store]](credential, sameOriginWithAncestors)
method
The [[Store]](credential, sameOriginWithAncestors)
method is not supported for Web Authentication’s PublicKeyCredential
type, so it always returns an error.
Note: This algorithm is synchronous; the Promise
resolution/rejection is handled by navigator.credentials.store()
.
This internal method accepts two arguments:
-
credential
-
This argument is a
PublicKeyCredential
object. -
sameOriginWithAncestors
-
This argument is a boolean which is true if and only if the caller’s environment settings object is same-origin with its ancestors.
When this method is invoked, the user agent MUST execute the following algorithm:
-
Return a
DOMException
whose name is "NotSupportedError
", and terminate this algorithm
5.1.6. Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable()
method
Relying Parties use this method to determine whether they can create a new credential using a user-verifying platform authenticator. Upon invocation, the client employs a platform-specific procedure to discover available user-verifying platform authenticators. If successful, the client then assesses whether the user is willing to create a credential using one of the available user-verifying platform authenticators. This assessment may include various factors, such as:
-
Whether the user is running in private or incognito mode.
-
Whether the user has configured the client to not create such credentials.
-
Whether the user has previously expressed an unwillingness to create a new credential for this Relying Party, either through configuration or by declining a user interface prompt.
-
The user’s explicitly stated intentions, determined through user interaction.
This method has no arguments and returns a boolean value.
If the promise will return False, the client SHOULD wait a fixed period of time from the invocation of the method before returning False. This is done so that callers can not distinguish between the case where the user was unwilling to create a credential using one of the available user-verifying platform authenticators and the case where no user-verifying platform authenticator exists. Trying to make these cases indistinguishable is done in an attempt to not provide additional information that could be used for fingerprinting. A timeout value on the order of 10 minutes is recommended; this is enough time for successful user interactions to be performed but short enough that the dangling promise will still be resolved in a reasonably timely fashion.
partial interface PublicKeyCredential {
static Promise < boolean >
isPlatformAuthenticatorAvailable
4
5.2. Authenticator Responses (interface AuthenticatorResponse
)
Authenticators respond to Relying Party requests by returning an object derived from the AuthenticatorResponse
interface:
[SecureContext, Exposed=Window] interface AuthenticatorResponse { [SameObject] readonly attribute ArrayBuffer clientDataJSON; };
-
clientDataJSON
, of type ArrayBuffer, readonly -
This attribute contains a JSON serialization of the client data passed to the authenticator by the client in its call to either
create()
orget()
.
5.2.1. Information about Public Key Credential (interface AuthenticatorAttestationResponse
)
The AuthenticatorAttestationResponse
interface represents the authenticator's response to a client’s request for the creation of a new public key credential. It contains information about the new credential that can be used to identify it for later use, and metadata that can be used by the Relying Party to assess the characteristics of the credential during registration.
[SecureContext, Exposed=Window] interface AuthenticatorAttestationResponse : AuthenticatorResponse { [SameObject] readonly attribute ArrayBuffer attestationObject; };
-
clientDataJSON
-
This attribute, inherited from
AuthenticatorResponse
, contains the JSON-serialized client data (see §5§6.3 Attestation) passed to the authenticator by the client in order to generate this credential. The exact JSON serialization must be preserved, as the hash of the serialized client data has been computed over it. -
attestationObject
, of type ArrayBuffer, readonly -
This attribute contains an attestation object, which is opaque to, and cryptographically protected against tampering by, the client. The attestation object contains both authenticator data and an attestation statement. The former contains the AAGUID, a unique credential ID, and the credential public key. The contents of the attestation statement are determined by the attestation statement format used by the authenticator. It also contains any additional information that the Relying Party's server requires to validate the attestation statement, as well as to decode and validate the authenticator data along with the JSON-serialized client data. For more details, see §5§6.3 Attestation, §5§6.3.4 Generating an Attestation Object, and Figure 3.
5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse
)
The AuthenticatorAssertionResponse
interface represents an authenticator's response to a client’s request for generation of a new authentication assertion given the Relying Party's challenge and optional list of credentials it is aware of. This response contains a cryptographic signature proving possession of the credential private key, and optionally evidence of user consent to a specific transaction.
[SecureContext, Exposed=Window] interface AuthenticatorAssertionResponse : AuthenticatorResponse { [SameObject] readonly attribute ArrayBuffer authenticatorData; [SameObject] readonly attribute ArrayBuffer signature; [SameObject] readonly attribute ArrayBuffer userHandle; };
-
clientDataJSON
-
This attribute, inherited from
AuthenticatorResponse
, contains the JSON-serialized client data (see §4§5.78.1 Client data used in WebAuthn signatures (dictionary CollectedClientData)) passed to the authenticator by the client in order to generate this assertion. The exact JSON serialization must be preserved, as the hash of the serialized client data has been computed over it. -
authenticatorData
, of type ArrayBuffer, readonly -
This attribute contains the authenticator data returned by the authenticator. See §5§6.1 Authenticator data.
-
signature
, of type ArrayBuffer, readonly -
This attribute contains the raw signature returned from the authenticator. See §5§6.2.2 The authenticatorGetAssertion operation.
-
userHandle
, of type ArrayBuffer, readonly -
This attribute contains the user handle returned from the authenticator. See §6.2.2 The authenticatorGetAssertion operation.
5.3. Parameters for Credential Generation (dictionary PublicKeyCredentialParameters
)
dictionary PublicKeyCredentialParameters { required PublicKeyCredentialType type; required COSEAlgorithmIdentifier alg; };
The type
member specifies the type of credential to be created.
The alg
member specifies the cryptographic signature algorithm with which the newly generated credential will be used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.
Note: we use "alg" as the latter member name, rather than spelling-out "algorithm", because it will be serialized into a message to the authenticator, which may be sent over a low-bandwidth link.
5.4. Options for Credential Creation (dictionary MakePublicKeyCredentialOptions
)
dictionary MakePublicKeyCredentialOptions { required PublicKeyCredentialEntityPublicKeyCredentialRpEntity rp; required PublicKeyCredentialUserEntity user; required BufferSource challenge; required sequence<PublicKeyCredentialParameters> pubKeyCredParams; unsigned long timeout; sequence<PublicKeyCredentialDescriptor> excludeCredentials = []; AuthenticatorSelectionCriteria authenticatorSelection; AttestationConveyancePreference attestation = "none"; AuthenticationExtensions extensions; };
-
rp
, of type PublicKeyCredentialEntity PublicKeyCredentialRpEntity -
This member contains data about the Relying Party responsible for the request.
Its value’s
name
member is required, and contains the friendly name of the Relying Party (e.g. "Acme Corporation", "Widgets, Inc.", or "Awesome Site".Its value’s
id
member specifies the relying party identifier with which the credential should be associated. If omitted, its value will be theCredentialsContainer
object’s relevant settings object's origin's effective domain. -
user
, of type PublicKeyCredentialUserEntity -
This member contains data about the user account for which the Relying Party is requesting attestation.
Its value’s
name
member is required, and contains a name for the user account (e.g., "john.p.smith@example.com" or "+14255551234").Its value’s
displayName
member is required, and contains a friendly name for the user account (e.g., "John P. Smith").Its value’s
id
member is required, and contains an identifier contains the user handle for the account, specified by the Relying Party. This is not meant to be displayed to the user, but is used by the Relying Party to control the number of credentials - an authenticator will never contain more than one credential for a given Relying Party under the sameid
. -
challenge
, of type BufferSource -
This member contains a challenge intended to be used for generating the newly created credential’s attestation object.
-
pubKeyCredParams
, of type sequence<PublicKeyCredentialParameters> -
This member contains information about the desired properties of the credential to be created. The sequence is ordered from most preferred to least preferred. The platform makes a best-effort to create the most preferred credential that it can.
-
timeout
, of type unsigned long -
This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. This is treated as a hint, and may be overridden by the platform.
-
excludeCredentials
, of type sequence<PublicKeyCredentialDescriptor>, defaulting toNone
-
This member is intended for use by Relying Parties that wish to limit the creation of multiple credentials for the same account on a single authenticator. The platform is requested to return an error if the new credential would be created on an authenticator that also contains one of the credentials enumerated in this parameter.
-
authenticatorSelection
, of type AuthenticatorSelectionCriteria -
This member is intended for use by Relying Parties that wish to select the appropriate authenticators to participate in the
create()
orget()
operation. -
attestation
, of type AttestationConveyancePreference, defaulting to"none"
-
This member is intended for use by Relying Parties that wish to express their preference for attestation conveyance. The default is
none
. -
extensions
, of type AuthenticationExtensions -
This member contains additional parameters requesting additional processing by the client and authenticator. For example, the caller may request that only authenticators with certain capabilies be used to create the credential, or that particular information be returned in the attestation object. Some extensions are defined in §8 §9 WebAuthn Extensions; consult the IANA "WebAuthn Extension Identifier" registry established by [WebAuthn-Registries] for an up-to-date list of registered WebAuthn Extensions.
5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity
)
The PublicKeyCredentialEntity
dictionary describes a user account, or a Relying Party, with which a public key credential is associated.
dictionary PublicKeyCredentialEntity { required DOMString idname; DOMStringUSVString name; USVString icon; };
-
id
, of type DOMString -
A unique identifier for the entity. For a relying party entity, sets the RP ID. For a user account entity, this will be an arbitrary string specified by the relying party.
-
name
, of type DOMString -
A human-friendly identifier for the entity. For example, this could be a company name for a Relying Party, or a user’s name. This identifier is intended for display. Authenticators MUST accept and store a 64 byte minimum length for a name members’s value. Authenticators MAY truncate a name member’s value to a length equal to or greater than 64 bytes.
-
icon
, of type USVString -
A serialized URL which resolves to an image associated with the entity. For example, this could be a user’s avatar or a Relying Party's logo.
-
This URL MUST be an a priori authenticated URL. Authenticators MUST accept and store a 128 byte minimum length for a icon members’s value. Authenticators MAY ignore a icon members’s value if its length is greater than 128 byes.
5.4.2. RP Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity
)
The PublicKeyCredentialRpEntity
dictionary is used to supply additional Relying Party attributes when creating a new credential.
dictionary PublicKeyCredentialRpEntity : PublicKeyCredentialEntity { DOMString id; };
5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity
)
The PublicKeyCredentialUserEntity
dictionary is used to supply additional user account attributes when creating a new credential.
dictionary PublicKeyCredentialUserEntity : PublicKeyCredentialEntity { required BufferSource id; required DOMString displayName; };
-
id
, of type BufferSource -
The user handle of the user account entity.
-
displayName
, of type DOMString -
A friendly name for the user account (e.g., "John P. Smith"). Authenticators MUST accept and store a 64 byte minimum length for a displayName members’s value. Authenticators MAY truncate a displayName member’s value to a length equal to or greater than 64 bytes.
5.4.4.
3.
Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria
)
Relying Parties may use the AuthenticatorSelectionCriteria
dictionary to specify their requirements regarding authenticator attributes.
dictionary AuthenticatorSelectionCriteria { AuthenticatorAttachment aaauthenticatorAttachment; // authenticatorAttachment boolean rkrequireResidentKey = false; // requireResidentKey UserVerificationRequirement boolean uv = false; // requireUserVerification userVerification = "preferred"; };
-
aa
(authenticatorAttachment
), of type AuthenticatorAttachment -
If this member is present, eligible authenticators are filtered to only authenticators attached with the specified §4§5.4.4 5 Authenticator Attachment enumeration (enum AuthenticatorAttachment).
-
rk
(requireResidentKey
), of type boolean, defaulting tofalse
-
This member describes the Relying Parties' requirements regarding availability of the Client-side-resident Credential Private Key. If the parameter is set to true, the authenticator MUST create a Client-side-resident Credential Private Key when creating a public key credential.
-
uv
(requireUserVerification)userVerification
, of type boolean UserVerificationRequirement, defaulting tofalse
"preferred"
-
This member describes the Relying PartiesParty's requirements regarding the authenticator being capable of performing user verification. If the parameter is set to true, the authenticator MUST perform user verification when performing the for the
create()
operation and future §4.1.4 Use an existing credential to make an assertion - PublicKeyCredential’s [[DiscoverFromExternalSource]](options) method operations when it is requested to verify the credential.
Note: These identifiers are intentionally short, rather than descriptive, because they will be serialized into a message to the authenticator, which may be sent over a low-bandwidth link.
-
. Eligible authenticators are filtered to only those capable of satisfying this requirement.
5.4.5. Authenticator Attachment enumeration (enum AuthenticatorAttachment
)
enum AuthenticatorAttachment {"
platplatform"
, // Platform attachment"
xplatcross-platform"
// Cross-platform attachment };
Clients may communicate with authenticators using a variety of mechanisms. For example, a client may use a platform-specific API to communicate with an authenticator which is physically bound to a platform. On the other hand, a client may use a variety of standardized cross-platform transport protocols such as Bluetooth (see §4§5.78.4 Authenticator Transport enumeration (enum AuthenticatorTransport)) to discover and communicate with cross-platform attached authenticators. Therefore, we use AuthenticatorAttachment
to describe an authenticator's attachment modality. We define authenticators that are part of the client’s platform as having a platform attachment, and refer to them as platform authenticators. While those that are reachable via cross-platform transport protocols are defined as having cross-platform attachment, and refer to them as roaming authenticators.
- platform attachment - the respective authenticator is attached using platform-specific transports. Usually, authenticators of this class are non-removable from the platform.
- cross-platform attachment - the respective authenticator is attached using cross-platform transports. Authenticators of this class are removable from, and can "roam" among, client platforms.
This distinction is important because there are use-cases where only platform authenticators are acceptable to a Relying Party, and conversely ones where only roaming authenticators are employed. As a concrete example of the former, a credential on a platform authenticator may be used by Relying Parties to quickly and conveniently reauthenticate the user with a minimum of friction, e.g., the user will not have to dig around in their pocket for their key fob or phone. As a concrete example of the latter, when the user is accessing the Relying Party from a given client for the first time, they may be required to use a roaming authenticator which was originally registered with the Relying Party using a different client.
5.4.6. Attestation Conveyance Preference enumeration (enum AttestationConveyancePreference
)
Relying Parties may use AttestationConveyancePreference
to specify their preference regarding attestation conveyance during credential generation.
enum AttestationConveyancePreference { "none", "indirect", "direct" };
-
none
- indicates that the Relying Party is not interested in authenticator attestation. The client may replace the AAGUID and attestation statement generated by the authenticator with meaningless client-generated values. For example, in order to avoid having to obtain user consent to relay uniquely identifying information to the Relying Party, or to save a roundtrip to a Privacy CA.This is the default value.
-
indirect
- indicates that the Relying Party prefers an attestation conveyance yielding verifiable attestation statements, but allows the client to decide how to obtain such attestation statements. The client may replace the authenticator-generated attestation statements with attestation statements generated by a Privacy CA, in order to protect the user’s privacy, or to assist Relying Parties with attestation verification in a heterogeneous ecosystem.Note: There is no guarantee that the Relying Party will obtain a verifiable attestation statement in this case. For example, in the case that the authenticator employs self attestation.
-
direct
- indicates that the Relying Party wants to receive the attestation statement as generated by the authenticator.
5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions
)
The PublicKeyCredentialRequestOptions
dictionary supplies get()
with the data it needs to generate an assertion. Its challenge
member must be present, while its other members are optional.
dictionary PublicKeyCredentialRequestOptions { required BufferSource challenge; unsigned long timeout; USVString rpId; sequence<PublicKeyCredentialDescriptor> allowCredentials = []; UserVerificationRequirement userVerification = "preferred"; AuthenticationExtensions extensions; };
-
challenge
, of type BufferSource -
This member represents a challenge that the selected authenticator signs, along with other data, when producing an authentication assertion. See the §13.1 Cryptographic Challenges security consideration.
-
timeout
, of type unsigned long -
This optional member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. The value is treated as a hint, and may be overridden by the platform.
-
rpId
, of type USVString -
This optional member specifies the relying party identifier claimed by the caller. If omitted, its value will be the
CredentialsContainer
object’s relevant settings object's origin's effective domain. -
allowCredentials
, of type sequence<PublicKeyCredentialDescriptor>, defaulting toNone
-
This optional member contains a list of
PublicKeyCredentialDescriptor
object objects representing public key credentials acceptable to the caller, in decending order of the caller’s preference (the first item in the list is the most preferred credential, and so on down the list). -
userVerification
, of type UserVerificationRequirement, defaulting to"preferred"
-
This member describes the Relying Party's requirements regarding user verification for the
get()
operation. Eligible authenticators are filtered to only those capable of satisfying this requirement. -
extensions
, of type AuthenticationExtensions -
This optional member contains additional parameters requesting additional processing by the client and authenticator. For example, if transaction confirmation is sought from the user, then the prompt string might be included as an extension.
5.6. Abort operations with AbortSignal
Developers are encouraged to leverage the AbortController
to manage the [[Create]](origin, options, sameOriginWithAncestors)
and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
operations. See DOM §3.3 Using AbortController and AbortSignal objects in APIs section for detailed instructions.
Note: DOM §3.3 Using AbortController and AbortSignal objects in APIs section specifies that web platform APIs integrating with the AbortController
must reject the promise immediately once the aborted flag is set. Given the complex inheritance and parallelization structure of the [[Create]](origin, options, sameOriginWithAncestors)
and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
methods, the algorithms for the two APIs fulfills this requirement by checking the aborted flag in three places. In the case of [[Create]](origin, options, sameOriginWithAncestors)
, the aborted flag is checked first in Credential Management 1 §2.5.4 Create a Credential immediately before calling [[Create]](origin, options, sameOriginWithAncestors)
, then in §5.1.3 Create a new credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) method right before authenticator sessions start, and finally during authenticator sessions. The same goes for [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
.
The visibility and focus state of the Window object determines whether the [[Create]](origin, options, sameOriginWithAncestors)
and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
operations should continue. When the Window object associated with the [Document loses focus, [[Create]](origin, options, sameOriginWithAncestors)
and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
operations SHOULD be aborted.
The WHATWG HTML WG is discussing whether to provide a hook when a browsing context gains or loses focuses. If a hook is provided, the above paragraph will be updated to include the hook. See WHATWG HTML WG Issue #2711 for more details.
5.7. Authentication Extensions (typedef AuthenticationExtensions)
typedef record<DOMString, any> AuthenticationExtensions
;
This is a dictionary containing zero or more WebAuthn extensions, as defined in §8 §9 WebAuthn Extensions. An AuthenticationExtensions instance can contain either client extensions or authenticator extensions, depending upon context.
45.
78. Supporting Data Structures
The public key credential type uses certain data structures that are specified in supporting specifications. These are as follows.
45.
7
8.1. Client data used in WebAuthn signatures (dictionary CollectedClientData
)
The client data represents the contextual bindings of both the Relying Party and the client platform. It is a key-value mapping with string-valued keys. Values may be any type that has a valid encoding in JSON. Its structure is defined by the following Web IDL.
dictionary CollectedClientData { required DOMString type; required DOMString challenge; required DOMString origin; required DOMString hashAlgorithm; DOMString tokenBindingId; AuthenticationExtensions clientExtensions; AuthenticationExtensions authenticatorExtensions; };
type
member contains the string "webauthn.create" when creating new credentials, and "webauthn.get" when getting an assertion from an existing credential. The purpose of this member is to prevent certain types of signature confusion attacks (where an attacker substitutes one legitimate signature for another).
The challenge
member contains the base64url encoding of the challenge provided by the RP. See the §13.1 Cryptographic Challenges security consideration.
The origin
member contains the fully qualified origin of the requester, as provided to the authenticator by the client, in the syntax defined by [RFC6454].
The hashAlgorithm
member is a recognized algorithm name that supports the "digest"
operation, which specifies the algorithm used to compute the hash of the serialized client data. This algorithm is chosen by the client at its sole discretion.
The tokenBindingId
member contains the base64url encoding of the Token Binding ID that this client uses for the Token Binding protocol when communicating with the Relying Party. This can be omitted if no Token Binding has been negotiated between the client and the Relying Party.
The optional clientExtensions
and authenticatorExtensions
members contain additional parameters generated by processing the extensions passed in by the Relying Party. WebAuthn extensions are detailed in Section §8 §9 WebAuthn Extensions.
This structure is used by the client to compute the following quantities:
- JSON-serialized client data
-
This is the UTF-8 encoding of the result of calling the initial value of
JSON.stringify
on aCollectedClientData
dictionary. - Hash of the serialized client data
-
This is the hash (computed using
hashAlgorithm
) of the JSON-serialized client data, as constructed by the client.
5.
7
8.2. Credential Type enumeration (enum PublicKeyCredentialType
)
enum PublicKeyCredentialType {
"public-key"
};
Currently one credential type is defined, namely "public-key
".
5.
7
8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor
)
dictionary PublicKeyCredentialDescriptor {
required PublicKeyCredentialType type;
required BufferSource id;
sequence<AuthenticatorTransport> transports
;
};
This dictionary contains the attributes that are specified by a caller when referring to a credential as an input parameter to the create()
or get()
methods. It mirrors the fields of the PublicKeyCredential
object returned by the latter methods.
type
member contains the type of the credential the caller is referring to. The id
member contains the identifier of the credential that the caller is referring to.
5.
7
8.4. Authenticator Transport enumeration (enum AuthenticatorTransport
)
enum AuthenticatorTransport {
"usb",
"nfc",
"ble"
};
-
usb
- the respective Authenticator may be contacted over USB. -
nfc
- the respective Authenticator may be contacted over Near Field Communication (NFC). -
ble
- the respective Authenticator may be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE).
5.
78.5. Cryptographic Algorithm Identifier (typedef COSEAlgorithmIdentifier)
typedef long COSEAlgorithmIdentifier
;
COSEAlgorithmIdentifier
's value is a number identifying a cryptographic algorithm. The algorithm identifiers SHOULD be values registered in the IANA COSE Algorithms registry [IANA-COSE-ALGS-REG], for instance, -7
for "ES256" and -257
for "RS256".
5.8.6. User Verification Requirement enumeration (enum UserVerificationRequirement
)
enum UserVerificationRequirement {"required"
,"preferred"
,"discouraged"
};
A Relying Party may require user verification for some of its operations but not for others, and may use this type to express its needs.
The value required
indicates that the Relying Party requires user verification for the operation and will fail the operation if the response does not have the UV flag set.
The value preferred
indicates that the Relying Party prefers user verification for the operation if possible, but will not fail the operation if the response does not have the UV flag set.
The value discouraged
indicates that the Relying Party does not want user verification employed during the operation (e.g., in the interest of minimizing disruption to the user interaction flow).
6. WebAuthn Authenticator model
The API defined in this specification implies a specific abstract functional model for an authenticator. This section describes the authenticator model.
Client platforms may implement and expose this abstract model in any way desired. However, the behavior of the client’s Web Authentication API implementation, when operating on the authenticators supported by that platform, MUST be indistinguishable from the behavior specified in §4 §5 Web Authentication API.
For authenticators, this model defines the logical operations that they must support, and the data formats that they expose to the client and the Relying Party. However, it does not define the details of how authenticators communicate with the client platform, unless they are required for interoperability with Relying Parties. For instance, this abstract model does not define protocols for connecting authenticators to clients over transports such as USB or NFC. Similarly, this abstract model does not define specific error codes or methods of returning them; however, it does define error behavior in terms of the needs of the client. Therefore, specific error codes are mentioned as a means of showing which error conditions must be distinguishable (or not) from each other in order to enable a compliant and secure client implementation.
In this abstract model, the authenticator provides key management and cryptographic signatures. It may be embedded in the WebAuthn client, or housed in a separate device entirely. The authenticator may itself contain a cryptographic module which operates at a higher security level than the rest of the authenticator. This is particularly important for authenticators that are embedded in the WebAuthn client, as in those cases this cryptographic module (which may, for example, be a TPM) could be considered more trustworthy than the rest of the authenticator.
Each authenticator stores some number of public key credentials. Each public key credential has an identifier which is unique (or extremely unlikely to be duplicated) among all public key credentials. Each credential is also associated with a Relying Party, whose identity is represented by a Relying Party Identifier (RP ID).
Each authenticator has an AAGUID, which is a 128-bit identifier that indicates the type (e.g. make and model) of the authenticator. The AAGUID MUST be chosen by the manufacturer to be identical across all substantially identical authenticators made by that manufacturer, and different (with probability 1-2-128 or greater) from the AAGUIDs of all other types of authenticators. The RP MAY use the AAGUID to infer certain properties of the authenticator, such as certification level and strength of key protection, using information from other sources.
The primary function of the authenticator is to provide WebAuthn signatures, which are bound to various contextual data. These data are observed, and added at different levels of the stack as a signature request passes from the server to the authenticator. In verifying a signature, the server checks these bindings against expected values. These contextual bindings are divided in two: Those added by the RP or the client, referred to as client data; and those added by the authenticator, referred to as the authenticator data. The authenticator signs over the client data, but is otherwise not interested in its contents. To save bandwidth and processing requirements on the authenticator, the client hashes the client data and sends only the result to the authenticator. The authenticator signs over the combination of the hash of the serialized client data, and its own authenticator data.
The goals of this design can be summarized as follows.
-
The scheme for generating signatures should accommodate cases where the link between the client platform and authenticator is very limited, in bandwidth and/or latency. Examples include Bluetooth Low Energy and Near-Field Communication.
-
The data processed by the authenticator should be small and easy to interpret in low-level code. In particular, authenticators should not have to parse high-level encodings such as JSON.
-
Both the client platform and the authenticator should have the flexibility to add contextual bindings as needed.
-
The design aims to reuse as much as possible of existing encoding formats in order to aid adoption and implementation.
Authenticators produce cryptographic signatures for two distinct purposes:
-
An attestation signature is produced when a new public key credential is created via an authenticatorMakeCredential operation. An attestation signature provides cryptographic proof of certain properties of the the authenticator and the credential. For instance, an attestation signature asserts the authenticator type (as denoted by its AAGUID) and the credential public key. The attestation signature is signed by an attestation private key, which is chosen depending on the type of attestation desired. For more details on attestation, see §5§6.3 Attestation.
-
An assertion signature is produced when the authenticatorGetAssertion method is invoked. It represents an assertion by the authenticator that the user has consented to a specific transaction, such as logging in, or completing a purchase. Thus, an assertion signature asserts that the authenticator possessing a particular credential private key has established, to the best of its ability, that the user requesting this transaction is the same user who consented to creating that particular public key credential. It also asserts additional information, termed client data, that may be useful to the caller, such as the means by which user consent was provided, and the prompt shown to the user by the authenticator. The assertion signature format is illustrated in Figure 2, below.
The formats of these signatures, as well as the procedures for generating them, are specified below.
56.1. Authenticator data
The authenticator data structure encodes contextual bindings made by the authenticator. These bindings are controlled by the authenticator itself, and derive their trust from the Relying Party's assessment of the security properties of the authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy than the client data. At the other extreme, the authenticator may be a discrete entity with high-security hardware and software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same format, and uses its knowledge of the authenticator to make trust decisions.
The authenticator data has a compact but extensible encoding. This is desired since authenticators can be devices with limited capabilities and low power requirements, with much simpler software stacks than the client platform components.
The authenticator data structure is a byte array of 37 bytes or more, as follows.
Name | Length (in bytes) | Description |
---|---|---|
rpIdHash | 32 | SHA-256 hash of the RP ID associated with the credential. |
flags | 1 | Flags (bit 0 is the least significant bit):
|
signCount | 4 | Signature counter (signCount ), 32-bit unsigned big-endian integer. |
attestedCredentialData | variable (if present) | attestation attested credential data (if present). See §5§6.3.1 Attestation Attested credential data for details. Its length depends on the length of the credential ID and credential public key and credential ID being attested. |
extensions | variable (if present) | Extension-defined authenticator data. This is a CBOR [RFC7049] map with extension identifiers as keys, and authenticator extension outputs as values. See §8 §9 WebAuthn Extensions for details. |
NOTE: The names in the Name column in the above table are only for reference within this document, and are not present in the actual representation of the authenticator data.
The RP ID is originally received from the client when the credential is created, and again when an assertion is generated. However, it differs from other client data in some important ways. First, unlike the client data, the RP ID of a credential does not change between operations but instead remains the same for the lifetime of that credential. Secondly, it is validated by the authenticator during the authenticatorGetAssertion operation, by verifying that the RP ID associated with the requested credential exactly matches the RP ID supplied by the client, and that the RP ID is a registrable domain suffix of or is equal to the effective domain of the RP’s origin's effective domain.
The UP
flag SHALL be set if and only if the authenticator detected a user through an authenticator specific gesture. The RFU
bits SHALL be set to zero.
For attestation signatures, the authenticator MUST set the AT flag and include the attestation data attestedCredentialData
. For authentication signatures, the AT flag MUST NOT be set and the attestation data attestedCredentialData
MUST NOT be included.
If the authenticator does not include any extension data, it MUST set the ED
flag to zero, and to one if extension data is included.
The figure below shows a visual representation of the authenticator data structure.
Note that the authenticator data describes its own length: If the AT and ED flags are not set, it is always 37 bytes long. The attestation attested credential data (which is only present if the AT flag is set) describes its own length. If the ED flag is set, then the total length is 37 bytes plus the length of the attestation attested credential data, plus the length of the CBOR map that follows.
5.6.1.1. Signature Counter Considerations
Authenticators MUST implement a signature counter feature. The signature counter is incremented for each successful authenticatorGetAssertion operation by some positive value, and its value is returned to the Relying Party within the authenticator data. The signature counter's purpose is to aid Relying Parties in detecting cloned authenticators. Clone detection is more important for authenticators with limited protection measures.
An Relying Party stores the signature counter of the most recent authenticatorGetAssertion operation. Upon a new authenticatorGetAssertion operation, the Relying Party compares the stored signature counter value with the new signCount
value returned in the assertion’s authenticator data. If this new signCount
value is less than or equal to the stored value, a cloned authenticator may exist, or the authenticator may be malfunctioning.
Detecting a signature counter mismatch does not indicate whether the current operation was performed by a cloned authenticator or the original authenticator. Relying Parties should address this situation appropriately relative to their individual situations, i.e., their risk tolerance.
Authenticators:
-
should implement per-RP ID signature counters. This prevents the signature counter value from being shared between Relying Parties and being possibly employed as a correlation handle for the user. Authenticators may implement a global signature counter, i.e., on a per-authenticator basis, but this is less privacy-friendly for users.
-
should ensure that the signature counter value does not accidentally decrease (e.g., due to hardware failures).
6.2. Authenticator operations
A client must connect to an authenticator in order to invoke any of the operations of that authenticator. This connection defines an authenticator session. An authenticator must maintain isolation between sessions. It may do this by only allowing one session to exist at any particular time, or by providing more complicated session management.
The following operations can be invoked by the client in an authenticator session.
56.2.1. The authenticatorMakeCredential operation
This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following input parameters:
The caller’s RP ID, as determined by the user agent and the client.- hash
-
The hash of the serialized client data, provided by the client.
- rpEntity
-
The Relying Party's
PublicKeyCredentialEntity
Extension data
- userEntity
-
The user account’s
PublicKeyCredentialUserEntity
, containing the user handle given by the Relying Party. - requireResidentKey
-
The
authenticatorSelection
.requireResidentKey
value given by the Relying Party. - requireUserPresence
-
A Boolean value provided by the client, which in invocations from a WebAuthn Client's
[[Create]](origin, options, sameOriginWithAncestors)
method is always set to the inverse of requireUserVerification. - requireUserVerification
-
The effective user verification requirement for credential creation, a Boolean value provided by the client.
- credTypesAndPubKeyAlgs
-
A sequence of pairs of
PublicKeyCredentialType
and public key algorithms (COSEAlgorithmIdentifier
) requested by the Relying Party. This sequence is ordered from most preferred to least preferred. The platform makes a best-effort to create the most preferred credential that it can. - excludeCredentialDescriptorList
-
An optional list of
PublicKeyCredentialDescriptor
objects provided by the Relying Party with the intention that, if any of these are known to the authenticator, it should not create a new credential.
The rk member of the options.authenticatorSelection
dictionary.
The uv member of the options.authenticatorSelection
dictionary.
-
excludeCredentialDescriptorList contains a list of known credentials.
- extensions
-
A map from extension identifiers to their authenticator extension inputs, created by the client based on the extensions requested by the Relying Party, if any.
Note: Before performing this operation, all other operations in progress in the authenticator session must be aborted by running the authenticatorCancel operation.
When this operation is invoked, the authenticator must perform the following procedure:
-
Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code equivalent to "
UnknownError
" and terminate the operation. -
Check if at least one of the specified combinations of
PublicKeyCredentialType
and cryptographic parameters in credTypesAndPubKeyAlgs is supported. If not, return an error code equivalent to "NotSupportedError
" and terminate the operation. -
Check if
PublicKeyCredential
identifiers is present on this authenticator.
-
any credential bound to this authenticator matches an item of excludeCredentialDescriptorList. A match occurs if a credential matches
rpEntity.
and an excludeCredentialDescriptorList item’sid
excludeCredentialDescriptorList.
andid
excludeCredentialDescriptorList.
. If so, return an error code equivalent to "type
NotAllowedError
" and terminate the operation. -
If
-
requireResidentKey is
true
and the authenticator cannot store a Client-side-resident Credential Private Key, return an error code equivalent to "ConstraintError
" and terminate the operation. -
If
-
requireUserVerification is
true
and the authenticator cannot perform user verification, return an error code equivalent to "ConstraintError
" and terminate the operation.
-
Obtain user consent for
-
creating a new credential. The prompt for obtaining this consent is shown by the authenticator if it has its own output capability, or by the user agent otherwise. The prompt SHOULD display
rpEntity.
,id
rpEntity.
,name
userEntity.
andname
userEntity.
, if possible.displayName
If requireUserVerification is
true
, the method of obtaining user consent MUST include user verification.If requireUserPresence is
true
, the method of obtaining user consent MUST include a test of user presence.If the user denies consent or if user verification fails, return an error code equivalent to "
NotAllowedError
" and terminate the operation. -
Once user consent has been obtained, generate a new credential object:
-
-
Let (publicKey,privateKey) be a new pair of cryptographic keys using the
-
-
-
combination of
PublicKeyCredentialType
and cryptographic parameters represented by the first item in credTypesAndPubKeyAlgs that is supported by this authenticator.
-
-
-
Let credentialId be a new identifier for this credential
-
-
-
that
-
-
-
is globally unique with high probability across all credentials with the same type across all authenticators.
-
Let userHandle be
userEntity.
.id
-
Associate the
-
user
.id
-
-
credentialId and privateKey with
rpEntity.
and userHandle.id
-
Delete any older credentials with the same
-
user
-
-
rpEntity.
and userHandle that are stored locally by the authenticator.id
-
-
If any error occurred while creating the new credential object, return an error code equivalent to "
UnknownError
" and terminate the operation.
-
Let processedExtensions be the result of authenticator extension processing for each supported extension identifier/input pair in extensions.
-
If the authenticator supports:
- a per-RP ID signature counter
-
allocate the counter, associate it with the RP ID, and initialize the counter value as zero.
- a global signature counter
-
Use the global signature counter's actual value when generating authenticator data.
- a per credential signature counter
-
allocate the counter, associate it with the new credential, and initialize the counter value as zero.
-
Let attestedCredentialData be the attested credential data byte array including the credentialId and publicKey.
-
Let authenticatorData be the byte array specified in §6.1 Authenticator data, including attestedCredentialData as the
attestedCredentialData
and processedExtensions, if any, as theextensions
. -
Return the attestation object for the new credential
-
created by the procedure specified in
-
§6.3.4 Generating an Attestation Object using an authenticator-chosen attestation statement format, authenticatorData, and hash. For more details on attestation, see
On successful completion of this operation, the authenticator returns the attestation object to the client.
56.2.2. The authenticatorGetAssertion operation
This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following input parameters:
- rpId
-
The caller’s RP ID, as determined by the user agent and the client.
- hash
-
The hash of the serialized client data, provided by the client.
- allowCredentialDescriptorList
-
An optional list of
PublicKeyCredentialDescriptor
s describing credentials acceptable to the Relying Party (possibly filtered by the client), if any.
- requireUserPresence
-
A Boolean value provided by the client, which in invocations from a WebAuthn Client's
[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
method is always set to the inverse of requireUserVerification. - requireUserVerification
-
The effective user verification requirement for assertion, a Boolean value provided by the client.
- extensions
-
A map from extension identifiers to their authenticator extension inputs, created by the client based on the extensions requested by the Relying Party, if any.
Note: Before performing this operation, all other operations in progress in the authenticator session must be aborted by running the authenticatorCancel operation.
When this method is invoked, the authenticator must perform the following procedure:
-
Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code equivalent to "
UnknownError
" and terminate the operation. -
If
-
requireUserVerification is
true
and the authenticator cannot perform user verification, return an error code equivalent to "ConstraintError
" and terminate the operation. -
If allowCredentialDescriptorList was not supplied, set it to a list of all credentials stored for rpId (as determined by an exact match of
-
rpId).
-
Remove any items from allowCredentialDescriptorList that do not match a credential bound to this authenticator. A match occurs if a credential matches
rpId
and an allowCredentialDescriptorList item'sid
andtype
members. -
If allowCredentialDescriptorList is now empty, return an error code equivalent to "
NotAllowedError
" and terminate the operation. -
Let selectedCredential be a credential as follows. If the size of allowCredentialDescriptorList
- is exactly 1
-
Let selectedCredential be the credential matching
allowCredentialDescriptorList[0]
. - is greater than 1
-
Prompt the user to select
-
-
selectedCredential from
-
-
-
the credentials matching the items in allowCredentialDescriptorList.
-
-
Obtain user consent for using
-
selectedCredential. The prompt for obtaining this consent may be shown by the authenticator if it has its own output capability, or by the user agent otherwise.
-
The prompt SHOULD display the rpId and any additional displayable data associated with selectedCredential, if possible.
If requireUserVerification is
true
, the method of obtaining user consent MUST include user verification.If requireUserPresence is
true
, the method of obtaining user consent MUST include a test of user presence.If the user denies consent or if user verification fails, return an error code equivalent to "
NotAllowedError
" and terminate the operation. -
Let processedExtensions be the result of authenticator extension processing for each supported extension identifier/input pair in extensions.
-
Increment the RP ID-associated signature counter or the global signature counter value, depending on which approach is implemented by the authenticator, by some positive value.
-
Let authenticatorData be the byte array specified in §6.1 Authenticator data including processedExtensions, if any, as the
extensions
and excludingattestedCredentialData
. -
Let signature be the assertion signature of the concatenation
authenticatorData || hash
using the private key of selectedCredential as shown in Figure 2, below. A simple, undelimited concatenation is safe to use here because the authenticator data describes its own length. The hash of the serialized client data (which potentially has a variable length) is always the last element. -
If any error occurred while generating the assertion signature, return an error code equivalent to "
UnknownError
" and terminate the operation.
The identifier of the credential (credential ID) used to generate the assertion signature.
The authenticator data used to generate the assertion signature.
-
-
selectedCredential’s credential ID, if either a list of credentials of size 2 or greater was supplied by the client, or no such list was supplied. Otherwise, return only the below values.
Note: If the client supplies a list of exactly one credential and it was successfully employed, then its credential ID is not returned since the client already knows it. This saves transmitting these bytes over what may be a constrained connection in what is likely a common case.
-
authenticatorData
-
signature
-
The user handle associated with selectedCredential.
-
If the authenticator cannot find any credential corresponding to the specified Relying Party that matches the specified criteria, it terminates the operation and returns an error.
If the user refuses consent, the authenticator returns an appropriate error status to the client.
5.6.2.3. The authenticatorCancel operation
This operation takes no input parameters and returns no result.
When this operation is invoked by the client in an authenticator session, it has the effect of terminating any authenticatorMakeCredential or authenticatorGetAssertion operation currently in progress in that authenticator session. The authenticator stops prompting for, or accepting, any user input related to authorizing the canceled operation. The client ignores any further responses from the authenticator for the canceled operation.
This operation is ignored if it is invoked in an authenticator session which does not have an authenticatorMakeCredential or authenticatorGetAssertion operation currently in progress.
56.3. Attestation
Authenticators must also provide some form of attestation. The basic requirement is that the authenticator can produce, for each credential public key, an attestation statement verifable by the Relying Party. Typically, this attestation statement contains a signature by an attestation private key over the attested credential public key and a challenge, as well as a certificate or similar data providing provenance information for the attestation public key, enabling the Relying Party to make a trust decision. However, if an attestation key pair is not available, then the authenticator MUST perform self attestation of the credential public key with the corresponding credential private key. All this information is returned by authenticators any time a new public key credential is generated, in the overall form of an attestation object. The relationship of the attestation object with authenticator data (containing attestation attested credential data) and the attestation statement is illustrated in figure 3, below.
This figure illustrates only the packed
attestation statement format. Several additional attestation statement formats are defined in
§8 Defined Attestation Statement Formats.
An important component of the attestation object is the attestation statement. This is a specific type of signed data object, containing statements about a public key credential itself and the authenticator that created it. It contains an attestation signature created using the key of the attesting authority (except for the case of self attestation, when it is created using the credential private key). In order to correctly interpret an attestation statement, a Relying Party needs to understand these two aspects of attestation:
-
The attestation statement format is the manner in which the signature is represented and the various contextual bindings are incorporated into the attestation statement by the authenticator. In other words, this defines the syntax of the statement. Various existing devices and platforms (such as TPMs and the Android OS) have previously defined attestation statement formats. This specification supports a variety of such formats in an extensible way, as defined in §5§6.3.2 Attestation Statement Formats.
-
The attestation type defines the semantics of attestation statements and their underlying trust models. Specifically, it defines how a Relying Party establishes trust in a particular attestation statement, after verifying that it is cryptographically valid. This specification supports a number of attestation types, as described in §5§6.3.3 Attestation Types.
In general, there is no simple mapping between attestation statement formats and attestation types. For example, the "packed" attestation statement format defined in §7§8.2 Packed Attestation Statement Format can be used in conjunction with all attestation types, while other formats and types have more limited applicability.
The privacy, security and operational characteristics of attestation depend on:
-
The attestation type, which determines the trust model,
-
The attestation statement format, which may constrain the strength of the attestation by limiting what can be expressed in an attestation statement, and
-
The characteristics of the individual authenticator, such as its construction, whether part or all of it runs in a secure operating environment, and so on.
It is expected that most authenticators will support a small number of attestation types and attestation statement formats, while Relying Parties will decide what attestation types are acceptable to them by policy. Relying Parties will also need to understand the characteristics of the authenticators that they trust, based on information they have about these authenticators. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to access such information.
56.3.1.
AttestationAttested credential data
Attestation Attested credential data is a variable-length byte array added to the authenticator data when generating an attestation object for a given credential. It has the following format:
Name | Length (in bytes) | Description |
---|---|---|
aaguid | 16 | The AAGUID of the authenticator. |
credentialIdLength | 2 | Byte length L of Credential ID |
credentialId | L | Credential ID |
credentialPublicKey | variable | The credential public key encoded in COSE_Key format, as defined in Section 7 of [RFC8152]. The encoded credential public key MUST contain the "alg" parameter and MUST NOT contain any other optional parameters. The "alg" parameter MUST contain a COSEAlgorithmIdentifier value. |
NOTE: The names in the Name column in the above table are only for reference within this document, and are not present in the actual representation of the attested credential data.
6.3.2. Attestation Statement Formats
As described above, an attestation statement format is a data format which represents a cryptographic signature by an authenticator over a set of contextual bindings. Each attestation statement format MUST be defined using the following template:
-
Supported attestation types:
-
Syntax: The syntax of an attestation statement produced in this format, defined using [CDDL] for the extension point
$attStmtFormat
defined in §5§6.3.4 Generating an Attestation Object. -
Signing procedure: The signing procedure for computing an attestation statement in this format given the public key credential to be attested, the authenticator data structure containing the authenticator data for the attestation, and the hash of the serialized client data.
-
Verification proceduresprocedure: The procedure for verifying an attestation statement, which takes as inputs the authenticator data structure containing the the following verification procedure inputs:
-
attStmt: The attestation statement structure
-
authenticatorData: The authenticator data claimed to have been used for the attestation
-
-
clientDataHash: The hash of the serialized client data
The procedure returns either:
-
An error indicating that the attestation is invalid, or
-
The attestation type, and the trust path of the attestation. This attestation trust path is either empty (in case of self attestation), an identifier of a ECDAA-Issuer public key (in the case of ECDAA), or a set of X.509 certificates.
-
The initial list of specified attestation statement formats is in §7 §8 Defined Attestation Statement Formats.
56.3.3. Attestation Types
WebAuthn supports multiple attestation types:
- Basic Attestation
-
In the case of basic attestation [UAFProtocol], the authenticator’s attestation key pair is specific to an authenticator model. Thus, authenticators of the same model often share the same attestation key pair. See §5§6.3.5.1 Privacy for futher information.
- Self Attestation
-
In the case of self attestation, also known as surrogate basic attestation [UAFProtocol], the Authenticator does not have any specific attestation key. Instead it uses the authentication credential private key itself to create the attestation signature. Authenticators without meaningful protection measures for an attestation private key typically use this attestation type.
- Privacy CA
-
In this case, the Authenticator owns an authenticator-specific (endorsement) key. This key is used to securely communicate with a trusted third party, the Privacy CA. The Authenticator can generate multiple attestation key pairs and asks the Privacy CA to issue an attestation certificate for it. Using this approach, the Authenticator can limit the exposure of the endorsement key (which is a global correlation handle) to Privacy CA(s). Attestation keys can be requested for each public key credential individually.
Note: This concept typically leads to multiple attestation certificates. The attestation certificate requested most recently is called "active".
- Elliptic Curve based Direct Anonymous Attestation (ECDAA)
-
In this case, the Authenticator receives direct anonymous attestation (DAA]) credentials from a single DAA-Issuer. These DAA credentials are used along with blinding to sign the attestation attested credential data. The concept of blinding avoids the DAA credentials being misused as global correlation handle. WebAuthn supports DAA using elliptic curve cryptography and bilinear pairings, called ECDAA (see [FIDOEcdaaAlgorithm]) in this specification. Consequently we denote the DAA-Issuer as ECDAA-Issuer (see [FIDOEcdaaAlgorithm]).
6.3.4. Generating an Attestation Object
This section specifies the algorithm for generating To generate an attestation object (see: Figure 3) for any given:
authenticator- attestationFormat
- authData
-
A byte array containing authenticator data.
- hash
-
.
Finally, the authenticator MUST construct the attestation :
-
Let attStmt be the result of running attestationFormat’s signing procedure given authData and hash.
-
Let fmt be attestationFormat’s attestation statement format identifier
-
Return the attestation object as a CBOR map with the following syntax, filled in with variables initialized by this algorithm:
attObj = { authData: bytes, $$attStmtType } attStmtTemplate = ( fmt: text, attStmt:
-
{ * tstr => any } ; Map is filled in by each concrete attStmtType ) ; Every attestation statement format must have the above fields attStmtTemplate .within $$attStmtType
The semantics of the fields in the attestation object are as follows:
- fmt
-
The attestation statement format identifier associated with the attestation statement. Each attestation statement format defines its identifier.
- authData
-
The authenticator data used to generate the attestation statement.
- attStmt
-
The attestation statement constructed above. The syntax of this is defined by the attestation statement format used.
6.3.5. Security Considerations
56.3.5.1. Privacy
Attestation keys may be used to track users or link various online identities of the same user together. This may be mitigated in several ways, including:
-
A WebAuthn authenticator manufacturer may choose to ship all of their devices with the same (or a fixed number of) attestation key(s) (called Basic Attestation). This will anonymize the user at the risk of not being able to revoke a particular attestation key should its WebAuthn Authenticator be compromised.
-
A WebAuthn Authenticator may be capable of dynamically generating different attestation keys (and requesting related certificates) per origin (following the Privacy CA approach). For example, a WebAuthn Authenticator can ship with a master attestation key (and certificate), and combined with a cloud operated privacy CA, can dynamically generate per origin attestation keys and attestation certificates.
-
A WebAuthn Authenticator can implement Elliptic Curve based direct anonymous attestation (see [FIDOEcdaaAlgorithm]). Using this scheme, the authenticator generates a blinded attestation signature. This allows the Relying Party to verify the signature using the ECDAA-Issuer public key, but the attestation signature does not serve as a global correlation handle.
6.3.5.2. Attestation Certificate and Attestation Certificate CA Compromise
When an intermediate CA or a root CA used for issuing attestation certificates is compromised, WebAuthn authenticator attestation keys are still safe although their certificates can no longer be trusted. A WebAuthn Authenticator manufacturer that has recorded the public attestation keys for their devices can issue new attestation certificates for these keys from a new intermediate CA or from a new root CA. If the root CA changes, the Relying Parties must update their trusted root certificates accordingly.
A WebAuthn Authenticator attestation certificate must be revoked by the issuing CA if its key has been compromised. A WebAuthn Authenticator manufacturer may need to ship a firmware update and inject new attestation keys and certificates into already manufactured WebAuthn Authenticators, if the exposure was due to a firmware flaw. (The process by which this happens is out of scope for this specification.) If the WebAuthn Authenticator manufacturer does not have this capability, then it may not be possible for Relying Parties to trust any further attestation statements from the affected WebAuthn Authenticators.
If attestation certificate validation fails due to a revoked intermediate attestation CA certificate, and the Relying Party's policy requires rejecting the registration/authentication request in these situations, then it is recommended that the Relying Party also un-registers (or marks with a trust level equivalent to "self attestation") public key credentials that were registered after the CA compromise date using an attestation certificate chaining up to the same intermediate CA. It is thus recommended that Relying Parties remember intermediate attestation CA certificates during Authenticator registration in order to un-register related public key credentials if the registration was performed after revocation of such certificates.
If an ECDAA attestation key has been compromised, it can be added to the RogueList (i.e., the list of revoked authenticators) maintained by the related ECDAA-Issuer. The Relying Party should verify whether an authenticator belongs to the RogueList when performing ECDAA-Verify (see section 3.6 in [FIDOEcdaaAlgorithm]). For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to access such information.
56.3.5.3. Attestation Certificate Hierarchy
A 3-tier hierarchy for attestation certificates is recommended (i.e., Attestation Root, Attestation Issuing CA, Attestation Certificate). It is also recommended that for each WebAuthn Authenticator device line (i.e., model), a separate issuing CA is used to help facilitate isolating problems with a specific version of a device.
If the attestation root certificate is not dedicated to a single WebAuthn Authenticator device line (i.e., AAGUID), the AAGUID should be specified in the attestation certificate itself, so that it can be verified against the authenticator data.
67. Relying Party Operations
Upon successful execution of create()
or get()
, the Relying Party's script receives a PublicKeyCredential
containing an AuthenticatorAttestationResponse
or AuthenticatorAssertionResponse
structure, respectively, from the client. It must then deliver the contents of this structure to the Relying Party server, using methods outside the scope of this specification. This section describes the operations that the Relying Party must perform upon receipt of these structures.
7.1. Registering a new credential
When registering a new credential, represented by a AuthenticatorAttestationResponse
structure, as part of a registration ceremony, a Relying Party MUST proceed as follows:
-
Perform JSON deserialization on the
clientDataJSON
field of theAuthenticatorAttestationResponse
object to extract the client data C claimed as collected during the credential creation. -
Verify that the
type
in C is the stringwebauthn.create
. -
Verify that the
challenge
in C matches the challenge that was sent to the authenticator in thecreate()
call. -
Verify that the
origin
in C matches the Relying Party's origin. -
Verify that the
tokenBindingId
in C matches the Token Binding ID for the TLS connection over which the attestation was obtained. -
Verify that the
clientExtensions
in C is a proper subset of the extensions requested by the RP and that theauthenticatorExtensions
in C is also a proper subset of the extensions requested by the RP. -
Compute the hash of
clientDataJSON
using the algorithm identified byC.
.hashAlgorithm
-
Perform CBOR decoding on the
attestationObject
field of theAuthenticatorAttestationResponse
structure to obtain the attestation statement format fmt, the authenticator data authData, and the attestation statement attStmt. -
Verify that the RP ID hash in authData is indeed the SHA-256 hash of the RP ID expected by the RP.
-
Determine the attestation statement format by performing an USASCII case-sensitive match on fmt against the set of supported WebAuthn Attestation Statement Format Identifier values. The up-to-date list of registered WebAuthn Attestation Statement Format Identifier values is maintained in the in the IANA registry of the same name [WebAuthn-Registries].
-
Verify that attStmt is a correct , validly-signed attestation statement, conveying a valid attestation signature, by using the attestation statement format fmt’s verification procedure given authenticator data attStmt, authData and the hash of the serialized client data computed in step 6.
Note: Each attestation statement format specifies its own verification procedure. See §8 Defined Attestation Statement Formats for the initially-defined formats, and [WebAuthn-Registries] for the up-to-date list.
-
If validation is successful, obtain a list of acceptable trust anchors (attestation root certificates or ECDAA-Issuer public keys) for that attestation type and attestation statement format fmt, from a trusted source or from policy. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information, using the AAGUID
aaguid
in the attestation data containedattestedCredentialData
in authData. -
Assess the attestation trustworthiness using the outputs of the verification procedure in step 10, as follows:
-
If self attestation was used, check if self attestation is acceptable under Relying Party policy.
-
If ECDAA was used, verify that the identifier of the ECDAA-Issuer public key used is included in the set of acceptable trust anchors obtained in step 11.
-
Otherwise, use the X.509 certificates returned by the verification procedure to verify that the attestation public key correctly chains up to an acceptable root certificate.
-
-
If the attestation statement attStmt verified successfully and is found to be trustworthy, then register the new credential with the account that was denoted in the
options
.user
passed tocreate()
, by associating it with the credential ID and credential public key contained in authData’s attestation datacredentialId
andcredentialPublicKey
in theattestedCredentialData
in authData, as appropriate for the Relying Party's systemssystem. -
If the attestation statement attStmt successfully verified but is not trustworthy per step 12 above, the Relying Party SHOULD fail the registration ceremony.
NOTE: However, if permitted by policy, the Relying Party MAY register the credential ID and credential public key but treat the credential as one with self attestation (see §5§6.3.3 Attestation Types). If doing so, the Relying Party is asserting there is no cryptographic proof that the public key credential has been generated by a particular authenticator model. See [FIDOSecRef] and [UAFProtocol] for a more detailed discussion.
-
If verification of the attestation statement failed, the Relying Party MUST fail the registration ceremony.
Verification of attestation objects requires that the Relying Party has a trusted method of determining acceptable trust anchors in step 11 above. Also, if certificates are being used, the Relying Party must have access to certificate status information for the intermediate CA certificates. The Relying Party must also be able to build the attestation certificate chain if the client did not provide this chain in the attestation information.
To avoid ambiguity during authentication, the Relying Party SHOULD check that each credential is registered to no more than one user. If registration is requested for a credential that is already registered to a different user, the Relying Party SHOULD fail this ceremony, or it MAY decide to accept the registration, e.g. while deleting the older registration.
67.2. Verifying an authentication assertion
When verifying a given PublicKeyCredential
structure (credential) as part of an authentication ceremony, the Relying Party MUST proceed as follows:
-
Using credential’s
id
attribute (or the correspondingrawId
, if base64url encoding is inappropriate for your use case), look up the corresponding credential public key. -
Let cData, aData and sig denote the value of credential’s
response
'sclientDataJSON
,authenticatorData
, andsignature
respectively. -
Perform JSON deserialization on cData to extract the client data C used for the signature.
-
Verify that the
type
in C is the stringwebauthn.get
. -
Verify that the
challenge
member of C matches the challenge that was sent to the authenticator in thePublicKeyCredentialRequestOptions
passed to theget()
call. -
Verify that the
origin
member of C matches the Relying Party's origin. -
Verify that the
tokenBindingId
member of C (if present) matches the Token Binding ID for the TLS connection over which the signature was obtained. -
Verify that the
clientExtensions
member of C is a proper subset of the extensions requested by the Relying Party and that theauthenticatorExtensions
in C is also a proper subset of the extensions requested by the Relying Party. -
Verify that the RP ID hash
rpIdHash
in aData is the SHA-256 hash of the RP ID expected by the Relying Party. -
Let hash be the result of computing a hash over the cData using the algorithm represented by the
hashAlgorithm
member of C. -
Using the credential public key looked up in step 1, verify that sig is a valid signature over the binary concatenation of aData and hash.
-
If the signature counter value adata.
signCount
is nonzero or the value stored in conjunction with credential’sid
attribute is nonzero, then run the following substep:-
If the signature counter value adata.
signCount
is-
greater than the signature counter value stored in conjunction with credential’s
id
attribute. -
Update the stored signature counter value, associated with credential’s
id
attribute, to be the value of adata.signCount
. -
less than or equal to the signature counter value stored in conjunction with credential’s
id
attribute. - This is an signal that the authenticator may be cloned, i.e. at least two copies of the credential private key may exist and are being used in parallel. Relying Parties should incorporate this information into their risk scoring. Whether the Relying Party updates the stored signature counter value in this case, or not, or fails the authentication ceremony or not, is Relying Party-specific.
-
greater than the signature counter value stored in conjunction with credential’s
-
-
If all the above steps are successful, continue with the authentication ceremony as appropriate. Otherwise, fail the authentication ceremony.
8. Defined Attestation Statement Formats
WebAuthn supports pluggable attestation statement formats. This section defines an initial set of such formats.
78.1. Attestation Statement Format Identifiers
Attestation statement formats are identified by a string, called a attestation statement format identifier, chosen by the author of the attestation statement format.
Attestation statement format identifiers SHOULD be registered per [WebAuthn-Registries] "Registries for Web Authentication (WebAuthn)". All registered attestation statement format identifiers are unique amongst themselves as a matter of course.
Unregistered attestation statement format identifiers SHOULD use lowercase reverse domain-name naming, using a domain name registered by the developer, in order to assure uniqueness of the identifier. All attestation statement format identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable USASCII characters, excluding backslash and doublequote, i.e., VCHAR as defined in [RFC5234] but without %x22 and %x5c.
Note: This means attestation statement format identifiers based on domain names MUST incorporate only LDH Labels [RFC5890].
Implementations MUST match WebAuthn attestation statement format identifiers in a case-sensitive fashion.
Attestation statement formats that may exist in multiple versions SHOULD include a version in their identifier. In effect, different versions are thus treated as different formats, e.g., packed2
as a new version of the packed
attestation statement format.
The following sections present a set of currently-defined and registered attestation statement formats and their identifiers. The up-to-date list of registered WebAuthn Extensions is maintained in the IANA "WebAuthn Attestation Statement Format Identifier" registry established by [WebAuthn-Registries].
78.2. Packed Attestation Statement Format
This is a WebAuthn optimized attestation statement format. It uses a very compact but still extensible encoding method. It is implementable by authenticators with limited resources (e.g., secure elements).
- Attestation statement format identifier
-
packed
- Attestation types supported
-
All
- Syntax
-
The syntax of a Packed Attestation statement is defined by the following CDDL:
$$attStmtType //= ( fmt: "packed", attStmt: packedStmtFormat ) packedStmtFormat = { alg: rsaAlgName / eccAlgNameCOSEAlgorithmIdentifier, sig: bytes, x5c: [ attestnCert: bytes, * (caCert: bytes) ] } // { alg: "ED256"COSEAlgorithmIdentifier, (-260 for ED256 / "ED512",-261 for ED512) sig: bytes, ecdaaKeyId: bytes }
The semantics of the fields are as follows:
- alg
-
A text string
COSEAlgorithmIdentifier
containing the name identifier of the algorithm used to generate the attestation signature. The typesrsaAlgName
andeccAlgName
are as defined in §5.3.1 Attestation data. "ED256" and "ED512" refer to algorithms defined in [FIDOEcdaaAlgorithm]. - sig
-
A byte string containing the attestation signature.
- x5c
-
The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format. The attestation certificate must be the first element in the array.
- ecdaaKeyId
-
The identifier of the ECDAA-Issuer public key. This is the BigNumberToB encoding of the component "c" of the ECDAA-Issuer public key as defined section 3.3, step 3.5 in [FIDOEcdaaAlgorithm].
- Signing procedure
-
The signing procedure for this attestation statement format is similar to the procedure for generating assertion signatures.
-
Let authenticatorData denote the authenticator data for the attestation, and let clientDataHash denote the hash of the serialized client data.
-
If Basic or Privacy CA attestation is in use, the authenticator produces the sig by concatenating authenticatorData and clientDataHash, and signing the result using an attestation private key selected through an authenticator-specific mechanism. It sets x5c to the certificate chain of the attestation public key and alg to the algorithm of the attestation private key.
-
If ECDAA is in use, the authenticator produces sig by concatenating authenticatorData and clientDataHash, and signing the result using ECDAA-Sign (see section 3.5 of [FIDOEcdaaAlgorithm])
-
after selecting an ECDAA-Issuer public key
-
related to the ECDAA signature private key through an authenticator-specific mechanism (see [FIDOEcdaaAlgorithm]). It sets alg to the algorithm of the selected ECDAA-Issuer public key and ecdaaKeyId to the identifier of the ECDAA-Issuer public key (see above).
-
If self attestation is in use, the authenticator produces sig by concatenating authenticatorData and clientDataHash, and signing the result using the credential private key. It sets alg to the algorithm of the credential private key, and omits the other fields.
-
- Verification procedure
-
Verify that the given attestation statement Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is as follows:
-
Verify that attStmt is valid CBOR conforming to the syntax defined above
-
, and perform CBOR decoding on it to extract the contained fields.
-
If x5c is present, this indicates that the attestation type is not ECDAA. In this case:
-
Verify that sig is a valid signature over the concatenation of authenticatorData and clientDataHash using the attestation public key in x5c with the algorithm specified in alg.
-
Verify that x5c meets the requirements in
-
-
-
§8.2.1 Packed attestation statement certificate requirements.
-
If x5c contains an extension with OID
1 3 6 1 4 1 45724 1 1 4
(id-fido-gen-ce-aaguid) verify that the value of this extension matches the
-
-
-
aaguid
in authenticatorData. -
If successful, return attestation type Basic and attestation trust path x5c.
-
-
If ecdaaKeyId is present, then the attestation type is ECDAA. In this case:
-
Verify that sig is a valid signature over the concatenation of authenticatorData and clientDataHash using ECDAA-Verify with ECDAA-Issuer public key identified by ecdaaKeyId (see [FIDOEcdaaAlgorithm]).
-
If successful, return attestation type ECDAA and attestation trust path ecdaaKeyId.
-
-
If neither x5c nor ecdaaKeyId is present, self attestation is in use.
-
Validate that alg matches the algorithm of the
-
-
-
credentialPublicKey
in authenticatorData. -
Verify that sig is a valid signature over the concatenation of authenticatorData and clientDataHash using the credential public key with alg.
-
If successful, return attestation type Self and empty attestation trust path.
-
-
8.2.1. Packed attestation statement certificate requirements
The attestation certificate MUST have the following fields/extensions:
-
Version must be set to 3.
-
Subject field MUST be set to:
- Subject-C
-
Country where the Authenticator vendor is incorporated
- Subject-O
-
Legal name of the Authenticator vendor
- Subject-OU
-
Authenticator Attestation
- Subject-CN
-
No stipulation.
-
If the related attestation root certificate is used for multiple authenticator models, the Extension OID
1 3 6 1 4 1 45724 1 1 4
(id-fido-gen-ce-aaguid) MUST be present, containing the AAGUID as value. -
The Basic Constraints extension MUST have the CA component set to false
-
An Authority Information Access (AIA) extension with entry
id-ad-ocsp
and a CRL Distribution Point extension [RFC5280] are both optional as the status of many attestation certificates is available through authenticator metadata services. See, for example, the FIDO Metadata Service [FIDOMetadataService].
8.3. TPM Attestation Statement Format
This attestation statement format is generally used by authenticators that use a Trusted Platform Module as their cryptographic engine.
- Attestation statement format identifier
-
tpm
- Attestation types supported
- Syntax
-
The syntax of a TPM Attestation statement is as follows:
$$attStmtType // = ( fmt: "tpm", attStmt: tpmStmtFormat ) tpmStmtFormat = { ver: "2.0", ( alg: rsaAlgName / eccAlgNameCOSEAlgorithmIdentifier, x5c: [ aikCert: bytes, * (caCert: bytes) ] ) // ( alg: "ED256"COSEAlgorithmIdentifier, (-260 for ED256 / "ED512",-261 for ED512) ecdaaKeyId: bytes ), sig: bytes, certInfo: bytes, pubArea: bytes }
The semantics of the above fields are as follows:
- ver
-
The version of the TPM specification to which the signature conforms.
- alg
-
The name A
COSEAlgorithmIdentifier
containing the identifier of the algorithm used to generate the attestation signature. The typesrsaAlgName
andeccAlgNAme
are as defined in §5.3.1 Attestation data. The types "ED256" and "ED512" refer to the algorithms specified in [FIDOEcdaaAlgorithm]. - x5c
-
The AIK certificate used for the attestation and its certificate chain, in X.509 encoding.
- ecdaaKeyId
-
The identifier of the ECDAA-Issuer public key. This is the BigNumberToB encoding of the component "c" as defined section 3.3, step 3.5 in [FIDOEcdaaAlgorithm].
- sig
-
The attestation signature, in the form of a TPMT_SIGNATURE structure as specified in [TPMv2-Part2] section 11.3.4.
- certInfo
-
The TPMS_ATTEST structure over which the above signature was computed, as specified in [TPMv2-Part2] section 10.12.8.
- pubArea
-
The TPMT_PUBLIC structure (see [TPMv2-Part2] section 12.2.4) used by the TPM to represent the credential public key.
- Signing procedure
-
Let authenticatorData denote the authenticator data for the attestation, and let clientDataHash denote the hash of the serialized client data.
Concatenate authenticatorData and clientDataHash to form attToBeSigned.
Generate a signature using the procedure specified in [TPMv2-Part3] Section 18.2, using the attestation private key and setting the
qualifyingData
extraData
parameter to the digest of attToBeSigned using the hash algorithm corresponding to the "alg" signature algorithm. (For the "RS256" algorithm, this would be a SHA-256 digest.)Set the pubArea field to the public area of the credential public key, the certInfo field to the output parameter of the same name, and the sig field to the signature obtained from the above procedure.
- Verification procedure
-
Verify that the given attestation statement Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is as follows:
Verify that attStmt is valid CBOR conforming to the syntax defined above.Let authenticatorData denote the authenticator data claimed to have been used for the attestation, and let clientDataHash denote the hash of the serialized client data, and perform CBOR decoding on it to extract the contained fields.
Verify that the public key specified by the
parameters
andunique
fields of pubArea is identical to the public key containedcredentialPublicKey
in the attestation data insideattestedCredentialData
in authenticatorData.Concatenate authenticatorData and clientDataHash to form attToBeSigned.
Validate that certInfo is valid:
-
Verify that
magic
is set toTPM_GENERATED_VALUE
. -
Verify that
type
is set toTPM_ST_ATTEST_CERTIFY
. -
Verify that
extraData
is set to the hash of attToBeSigned using the hash algorithm employed in "alg". -
Verify that
attested
contains aTPMS_CERTIFY_INFO
structure, whosename
field contains a valid Name for pubArea, as computed using the algorithm in thenameAlg
field of pubArea using the procedure specified in [TPMv2-Part1] section 16.
If x5c is present, this indicates that the attestation type is not ECDAA. In this case:
-
Verify the sig is a valid signature over certInfo using the attestation public key in x5c with the algorithm specified in alg.
-
Verify that x5c meets the requirements in §7§8.3.1 TPM attestation statement certificate requirements.
-
If x5c contains an extension with OID
1 3 6 1 4 1 45724 1 1 4
(id-fido-gen-ce-aaguid) verify that the value of this extension matches the AAGUIDaaguid
in authenticatorData. -
If successful, return attestation type Privacy CA and attestation trust path x5c.
If ecdaaKeyId is present, then the attestation type is ECDAA.
-
Perform ECDAA-Verify on sig to verify that it is a valid signature over certInfo (see [FIDOEcdaaAlgorithm]).
-
If successful, return attestation type ECDAA and the identifier of the ECDAA-Issuer public key ecdaaKeyId.
-
8.3.1. TPM attestation statement certificate requirements
TPM attestation certificate MUST have the following fields/extensions:
-
Version must be set to 3.
-
Subject field MUST be set to empty.
-
The Subject Alternative Name extension must be set as defined in [TPMv2-EK-Profile] section 3.2.9.
-
The Extended Key Usage extension MUST contain the "joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)" OID.
-
The Basic Constraints extension MUST have the CA component set to false.
-
An Authority Information Access (AIA) extension with entry
id-ad-ocsp
and a CRL Distribution Point extension [RFC5280] are both optional as the status of many attestation certificates is available through metadata services. See, for example, the FIDO Metadata Service [FIDOMetadataService].
8.4. Android Key Attestation Statement Format
When the authenticator in question is a platform-provided Authenticator on the Android "N" or later platform, the attestation statement is based on the Android key attestation. In these cases, the attestation statement is produced by a component running in a secure operating environment, but the authenticator data for the attestation is produced outside this environment. The Relying Party is expected to check that the authenticator data claimed to have been used for the attestation is consistent with the fields of the attestation certificate’s extension data.
- Attestation statement format identifier
-
android-key
- Attestation types supported
- Syntax
-
An Android key attestation statement consists simply of the Android attestation statement, which is a series of DER encoded X.509 certificates. See the Android developer documentation. Its syntax is defined as follows:
$$attStmtType //= ( fmt: "android-key", attStmt: androidStmtFormat ) androidStmtFormat = { alg: COSEAlgorithmIdentifier, sig: bytes, x5c: [ credCert: bytes, * (caCert: bytes) ] }
- Signing procedure
-
Let authenticatorData denote the authenticator data for the attestation, and let clientDataHash denote the hash of the serialized client data.
Concatenate authenticatorData and clientDataHash to form attToBeSigned.
Request an Android Key Attestation by calling "keyStore.getCertificateChain(myKeyUUID)") providing attToBeSigned clientDataHash as the challenge value (e.g., by using setAttestationChallenge). Set x5c to the returned value.
The authenticator produces sig by concatenating authenticatorData and clientDataHash, and set the attestation statement to the returned valuesigning the result using the credential private key. It sets alg to the algorithm of the signature format.
- Verification procedure
-
Verification is performed Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is as follows:
-
Let authenticatorData denote the authenticator data claimed to have been used for the attestation, and let clientDataHash denote the hash of the serialized client dataVerify that attStmt is valid CBOR conforming to the syntax defined above, and perform CBOR decoding on it to extract the contained fields.
-
Verify that the public key in the first certificate in the series of certificates represented by the signature matches the credential public key
credentialPublicKey
in the attestation data field ofattestedCredentialData
in authenticatorData. -
Verify that in the attestation certificate extension data:
-
The value of the
attestationChallenge
field is identical to the concatenation of authenticatorData and clientDataHash. -
The
AuthorizationList.allApplications
field is not present, since PublicKeyCredentials must be bound to the RP ID. -
The value in the
AuthorizationList.origin
field is equal toKM_TAG_GENERATED
. -
The value in the
AuthorizationList.purpose
field is equal toKM_PURPOSE_SIGN
.
-
-
If successful, return attestation type Basic with the attestation trust path set to the entire attestation statement.
-
8.5. Android SafetyNet Attestation Statement Format
When the authenticator in question is a platform-provided Authenticator on certain Android platforms, the attestation statement is based on the SafetyNet API. In this case the authenticator data is completely controlled by the caller of the SafetyNet API (typically an application running on the Android platform) and the attestation statement only provides some statements about the health of the platform and the identity of the calling application. This attestation does not provide information regarding provenance of the authenticator and its associated data. Therefore platform-provided authenticators should make use of the Android Key Attestation when available, even if the SafetyNet API is also present.
- Attestation statement format identifier
-
android-safetynet
- Attestation types supported
- Syntax
-
The syntax of an Android Attestation statement is defined as follows:
$$attStmtType //= ( fmt: "android-safetynet", attStmt: safetynetStmtFormat ) safetynetStmtFormat = { ver: text, response: bytes }
The semantics of the above fields are as follows:
- ver
-
The version number of Google Play Services responsible for providing the SafetyNet API.
- response
-
The value returned by the above UTF-8 encoded result of the getJwsResult() call of the SafetyNet API. This value is a JWS [RFC7515] object (see SafetyNet online documentation) in Compact Serialization.
- Signing procedure
-
Let authenticatorData denote the authenticator data for the attestation, and let clientDataHash denote the hash of the serialized client data.
Concatenate authenticatorData and clientDataHash to form attToBeSigned.
Request a SafetyNet attestation, providing attToBeSigned as the nonce value. Set response to the result, and ver to the version of Google Play Services running in the authenticator.
- Verification procedure
-
Verification is performed Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is as follows:
-
Verify that the given attestation statement attStmt is valid CBOR conforming to the syntax defined above, and perform CBOR decoding on it to extract the contained fields.
-
Verify that response is a valid SafetyNet response of version ver.
-
Verify that the nonce in the response is identical to the concatenation of the authenticatorData and clientDataHash.
-
Verify that the attestation certificate is issued to the hostname "attest.android.com" (see SafetyNet online documentation).
-
Verify that the
ctsProfileMatch
attribute in the payload of response is true. -
If successful, return attestation type Basic with the attestation trust path set to the above attestation certificate.
-
8.6. FIDO U2F Attestation Statement Format
This attestation statement format is used with FIDO U2F authenticators using the formats defined in [FIDO-U2F-Message-Formats].
- Attestation statement format identifier
-
fido-u2f
- Attestation types supported
-
Basic , self attestationAttestation, Self Attestation, Privacy CA
- Syntax
-
The syntax of a FIDO U2F attestation statement is defined as follows:
$$attStmtType //= ( fmt: "fido-u2f", attStmt: u2fStmtFormat ) u2fStmtFormat = { x5c: [ attestnCert: bytes, * (caCert: bytes) ], sig: bytes }
The semantics of the above fields are as follows:
- x5c
-
The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format. The attestation certificate must be the first element in the array.
- sig
-
The attestation signature. The signature was calculated over the (raw) U2F registration response message [FIDO-U2F-Message-Formats] received by the platform from the authenticator.
- Signing procedure
-
If the credential public key of the given credential is not of algorithm -7 ("ES256"), stop and return an error. Let Otherwise, let authenticatorData denote the authenticator data for the attestation, and let clientDataHash denote the hash of the serialized client data.
If clientDataHash is 256 bits long, set tbsHash to this value. Otherwise set tbsHash to the SHA-256 hash of clientDataHash.
Generate a signature Registration Response Message as specified in [FIDO-U2F-Message-Formats] section 4.3, with the application parameter set to the SHA-256 hash of the RP ID associated with the given credential, the challenge parameter set to tbsHash, and the key handle parameter set to the credential ID of the given credential. Set the raw signature part of this Registration Response Message (i.e., without the user public key, key handle, and attestation certificates) as sig and set the attestation certificate certificates of the attestation public key as x5c.
- Verification procedure
-
Verification is performed Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is as follows:
-
Verify that
-
attStmt is valid CBOR conforming to the syntax defined above, and perform CBOR decoding on it to extract the contained fields.
-
Let attCert be value of the first element of x5c. Let certificate public key be the public key conveyed by attCert. If certificate public key is not an Elliptic Curve (EC) public key over the P-256 curve,
-
terminate this algorithm and return an appropriate error.
-
Extract the
-
claimed rpIdHash from authenticatorData, and the claimed credentialId and credentialPublicKey from authenticatorData.
attestedCredentialData
. -
If clientDataHash is 256 bits long, set tbsHash to this value. Otherwise set tbsHash to the SHA-256 hash of clientDataHash.
From authenticatorData, extract the claimed RP ID hash, the claimed credential ID and the claimed credential public key.
Generate the claimed to-be-signed data as specified in [FIDO-U2F-Message-Formats] section 4.3, with the application parameter set to the claimed RP ID hash, the challenge parameter set to tbsHash, the key handle parameter set to the claimed credential ID of the given credential, and the user public key parameter set to the claimed credential public key.
Verify that the sig is a valid ECDSA P-256 signature over the to-be-signed data constructed above.
-
Convert the COSE_KEY formatted credentialPublicKey (see Section 7 of [RFC8152]) to CTAP1/U2F public Key format [FIDO-CTAP].
-
Let publicKeyU2F represent the result of the conversion operation and set its first byte to 0x04. Note: This signifies uncompressed ECC key format.
-
Extract the value corresponding to the "-2" key (representing x coordinate) from credentialPublicKey, confirm its size to be of 32 bytes and concatenate it with publicKeyU2F. If size differs or "-2" key is not found, terminate this algorithm and return an appropriate error.
-
Extract the value corresponding to the "-3" key (representing y coordinate) from credentialPublicKey, confirm its size to be of 32 bytes and concatenate it with publicKeyU2F. If size differs or "-3" key is not found, terminate this algorithm and return an appropriate error.
-
-
Let verificationData be the concatenation of (0x00 || rpIdHash || tbsHash || credentialId || publicKeyU2F) (see Section 4.3 of [FIDO-U2F-Message-Formats]).
-
Verify the sig using verificationData and certificate public key per [SEC1].
-
If successful, return attestation type Basic with the attestation trust path set to x5c.
-
9. WebAuthn Extensions
The mechanism for generating public key credentials, as well as requesting and generating Authentication assertions, as defined in §4 §5 Web Authentication API, can be extended to suit particular use cases. Each case is addressed by defining a registration extension and/or an authentication extension.
Every extension is a client extension, meaning that the extension involves communication with and processing by the client. Client extensions define the following steps and data:
-
navigator.credentials.create()
extension request parameters and response values for registration extensions. -
navigator.credentials.get()
extension request parameters and response values for authentication extensions. -
Client extension processing for registration extensions and authentication extensions.
When creating a public key credential or requesting an authentication assertion, a Relying Party can request the use of a set of extensions. These extensions will be invoked during the requested operation if they are supported by the client and/or the authenticator. The Relying Party sends the client extension input for each extension in the get()
call (for authentication extensions) or create()
call (for registration extensions) to the client platform. The client platform performs client extension processing for each extension that it supports, and augments the client data as specified by each extension, by including the extension identifier and client extension output values.
An extension can also be an authenticator extension, meaning that the extension invoves communication with and processing by the authenticator. Authenticator extensions define the following steps and data:
-
authenticatorMakeCredential extension request parameters and response values for registration extensions.
-
authenticatorGetAssertion extension request parameters and response values for authentication extensions.
-
Authenticator extension processing for registration extensions and authentication extensions.
For authenticator extensions, as part of the client extension processing, the client also creates the CBOR authenticator extension input value for each extension (often based on the corresponding client extension input value), and passes them to the authenticator in the create()
call (for registration extensions) or the get()
call (for authentication extensions). These authenticator extension input values are represented in CBOR and passed as name-value pairs, with the extension identifier as the name, and the corresponding authenticator extension input as the value. The authenticator, in turn, performs additional processing for the extensions that it supports, and returns the CBOR authenticator extension output for each as specified by the extension. Part of the client extension processing for authenticator extensions is to use the authenticator extension output as an input to creating the client extension output.
All WebAuthn extensions are optional for both clients and authenticators. Thus, any extensions requested by a Relying Party may be ignored by the client browser or OS and not passed to the authenticator at all, or they may be ignored by the authenticator. Ignoring an extension is never considered a failure in WebAuthn API processing, so when Relying Parties include extensions with any API calls, they must be prepared to handle cases where some or all of those extensions are ignored.
Clients wishing to support the widest possible range of extensions may choose to pass through any extensions that they do not recognize to authenticators, generating the authenticator extension input by simply encoding the client extension input in CBOR. All WebAuthn extensions MUST be defined in such a way that this implementation choice does not endanger the user’s security or privacy. For instance, if an extension requires client processing, it could be defined in a manner that ensures such a naïve pass-through will produce a semantically invalid authenticator extension input value, resulting in the extension being ignored by the authenticator. Since all extensions are optional, this will not cause a functional failure in the API operation. Likewise, clients can choose to produce a client extension output value for an extension that it does not understand by encoding the authenticator extension output value into JSON, provided that the CBOR output uses only types present in JSON.
The IANA "WebAuthn Extension Identifier" registry established by [WebAuthn-Registries] should be consulted for an up-to-date list of registered WebAuthn Extensions.
89.1. Extension Identifiers
Extensions are identified by a string, called an extension identifier, chosen by the extension author.
Extension identifiers SHOULD be registered per [WebAuthn-Registries] "Registries for Web Authentication (WebAuthn)". All registered extension identifiers are unique amongst themselves as a matter of course.
Unregistered extension identifiers should aim to be globally unique, e.g., by including the defining entity such as myCompany_extension
.
All extension identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable USASCII characters, excluding backslash and doublequote, i.e., VCHAR as defined in [RFC5234] but without %x22 and %x5c. Implementations MUST match WebAuthn extension identifiers in a case-sensitive fashion.
Extensions that may exist in multiple versions should take care to include a version in their identifier. In effect, different versions are thus treated as different extensions, e.g., myCompany_extension_01
§9 §10 Defined Extensions defines an initial set of extensions and their identifiers. See the IANA "WebAuthn Extension Identifier" registry established by [WebAuthn-Registries] for an up-to-date list of registered WebAuthn Extension Identifiers.
89.2. Defining extensions
A definition of an extension must specify an extension identifier, a client extension input argument to be sent via the get()
or create()
call, the client extension processing rules, and a client extension output value. If the extension communicates with the authenticator (meaning it is an authenticator extension), it must also specify the CBOR authenticator extension input argument sent via the authenticatorGetAssertion or authenticatorMakeCredential call, the authenticator extension processing rules, and the CBOR authenticator extension output value.
Any client extension that is processed by the client MUST return a client extension output value so that the Relying Party knows that the extension was honored by the client. Similarly, any extension that requires authenticator processing MUST return an authenticator extension output to let the Relying Party know that the extension was honored by the authenticator. If an extension does not otherwise require any result values, it SHOULD be defined as returning a JSON Boolean client extension output result, set to true
to signify that the extension was understood and processed. Likewise, any authenticator extension that does not otherwise require any result values MUST return a value and SHOULD return a CBOR Boolean authenticator extension output result, set to true
to signify that the extension was understood and processed.
9.3. Extending request parameters
An extension defines one or two request arguments. The client extension input, which is a value that can be encoded in JSON, is passed from the Relying Party to the client in the get()
or create()
call, while the CBOR authenticator extension input is passed from the client to the authenticator for authenticator extensions during the processing of these calls.
A Relying Party simultaneously requests the use of an extension and sets its client extension input by including an entry in the extensions
option to the create()
or get()
call. The entry key is the extension identifier and the value is the client extension input.
var assertionPromise = navigator.credentials.get({ publicKey: { // The challenge: "...",
must be produced by the server, see the Security Considerations challenge: new Uint8Array([4,99,22 /* 29 more random bytes generated by the server */]), extensions: { "webauthnExample_foobar": 42 } } });
Extension definitions MUST specify the valid values for their client extension input. Clients SHOULD ignore extensions with an invalid client extension input. If an extension does not require any parameters from the Relying Party, it SHOULD be defined as taking a Boolean client argument, set to true
to signify that the extension is requested by the Relying Party.
Extensions that only affect client processing need not specify authenticator extension input. Extensions that have authenticator processing MUST specify the method of computing the authenticator extension input from the client extension input. For extensions that do not require input parameters and are defined as taking a Boolean client extension input value set to true
, this method SHOULD consist of passing an authenticator extension input value of true
(CBOR major type 7, value 21).
Note: Extensions should aim to define authenticator arguments that are as small as possible. Some authenticators communicate over low-bandwidth links such as Bluetooth Low-Energy or NFC.
89.4. Client extension processing
Extensions may define additional processing requirements on the client platform during the creation of credentials or the generation of an assertion. The client extension input for the extension is used an input to this client processing. Supported client extensions are recorded as a dictionary in the client data with the key clientExtensions
. For each such extension, the client adds an entry to this dictionary with the extension identifier as the key, and the extension’s client extension input as the value.
Likewise, the client extension outputs are represented as a dictionary in the clientExtensionResults
result of getClientExtensionResults()
with extension identifiers as keys, and the client extension output value of each extension as the value. Like the client extension input, the client extension output is a value that can be encoded in JSON.
Extensions that require authenticator processing MUST define the process by which the client extension input can be used to determine the CBOR authenticator extension input and the process by which the CBOR authenticator extension output can be used to determine the client extension output.
89.5. Authenticator extension processing
As specified in §5.1 Authenticator data, the The CBOR authenticator extension input value of each processed authenticator extension is included in the extensions data part of the authenticator datarequest. This part is a CBOR map, with CBOR extension identifier values as keys, and the CBOR authenticator extension input value of each extension as the value.
Likewise, the extension output is represented in the authenticator data as a CBOR map with CBOR extension identifiers as keys, and the CBOR authenticator extension output value of each extension as the value.
The authenticator extension processing rules are used create the authenticator extension output from the authenticator extension input, and possibly also other inputs, for each extension.
89.6. Example Extension
This section is not normative.
To illustrate the requirements above, consider a hypothetical registration extension and authentication extension "Geo". This extension, if supported, enables a geolocation location to be returned from the authenticator or client to the Relying Party.
The extension identifier is chosen as webauthnExample_geo
. The client extension input is the constant value true
, since the extension does not require the Relying Party to pass any particular information to the client, other than that it requests the use of the extension. The Relying Party sets this value in its request for an assertion:
var assertionPromise = navigator.credentials.get({ publicKey: { // The challenge: "SGFuIFNvbG8gc2hvdCBmaXJzdC4", must be produced by the server, see the Security Considerations challenge: new Uint8Array([11,103,35 /* 29 more random bytes generated by the server */]), allowCredentials: [], /* Empty filter */ extensions: { 'webauthnExample_geo': true } } });
The extension also requires the client to set the authenticator parameter to the fixed value true
.
The extension requires the authenticator to specify its geolocation in the authenticator extension output, if known. The extension e.g. specifies that the location shall be encoded as a two-element array of floating point numbers, encoded with CBOR. An authenticator does this by including it in the authenticator data. As an example, authenticator data may be as follows (notation taken from [RFC7049]):
81 (hex) -- Flags, ED and UP both set. 20 05 58 1F -- Signature counter A1 -- CBOR map of one element 73 -- Key 1: CBOR text string of 19 bytes 77 65 62 61 75 74 68 6E 45 78 61 6D 70 6C 65 5F 67 65 6F -- "webauthnExample_geo" [=UTF-8 encoded=] string 82 -- Value 1: CBOR array of two elements FA 42 82 1E B3 -- Element 1: Latitude as CBOR encoded float FA C1 5F E3 7F -- Element 2: Longitude as CBOR encoded float
The extension defines the client extension output to be the geolocation information, if known, as a GeoJSON [GeoJSON] point. The client constructs the following client data:
{ ..., 'extensions': { 'webauthnExample_geo': { 'type': 'Point', 'coordinates': [65.059962, -13.993041] } } }9
10. Defined Extensions
This section defines the initial set of extensions to be registered in the IANA "WebAuthn Extension Identifier" registry established by [WebAuthn-Registries]. These are recommended for implementation by user agents targeting broad interoperability.
910.1. FIDO AppId Extension (appid)
This authentication extension allows Relying Parties that have previously registered a credential using the legacy FIDO JavaScript APIs to request an assertion. Specifically, this extension allows Relying Parties to specify an appId [FIDO-APPID] to overwrite the otherwise computed rpId. This extension is only valid if used during the get()
call; other usage will result in client error.
- Extension identifier
-
appid
- Client extension input
-
A single JSON string specifying a FIDO appId.
- Client extension processing
-
If
rpId
is present, reject promise with return a DOMException whose name is "NotAllowedError
", and terminate this algorithm . Replace (§5.1.4.1 PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) method).Otherwise, replace the calculation of rpId in Step 3 6 of §4§5.1.4 Use an existing credential to make an assertion - .1 PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) method with the following procedure: The client uses the value of appid to perform the AppId validation procedure (as defined by [FIDO-APPID]). If valid, the value of rpId for all client processing should be replaced by the value of appid.
- Client extension output
-
Returns the JSON value
true
to indicate to the RP that the extension was acted upon - Authenticator extension input
-
None.
- Authenticator extension processing
-
None.
- Authenticator extension output
-
None.
10.2. Simple Transaction Authorization Extension (txAuthSimple)
This registration extension and authentication extension allows for a simple form of transaction authorization. A Relying Party can specify a prompt string, intended for display on a trusted device on the authenticator.
- Extension identifier
-
txAuthSimple
- Client extension input
-
A single JSON string prompt.
- Client extension processing
-
None, except creating the authenticator extension input from the client extension input.
- Client extension output
-
Returns the authenticator extension output string UTF-8 decoded into a JSON string
- Authenticator extension input
-
The client extension input encoded as a CBOR text string (major type 3).
- Authenticator extension processing
-
The authenticator MUST display the prompt to the user before performing either user verification or test of user presence. The authenticator may insert line breaks if needed.
- Authenticator extension output
-
A single CBOR string, representing the prompt as displayed (including any eventual line breaks).
10.3. Generic Transaction Authorization Extension (txAuthGeneric)
This registration extension and authentication extension allows images to be used as transaction authorization prompts as well. This allows authenticators without a font rendering engine to be used and also supports a richer visual appearance.
- Extension identifier
-
txAuthGeneric
- Client extension input
-
A CBOR map defined as follows:
txAuthGenericArg = { contentType: text, ; MIME-Type of the content, e.g. "image/png" content: bytes }
- Client extension processing
-
None, except creating the authenticator extension input from the client extension input.
- Client extension output
-
Returns the base64url encoding of the authenticator extension output value as a JSON string
- Authenticator extension input
-
The client extension input encoded as a CBOR map.
- Authenticator extension processing
-
The authenticator MUST display the
content
to the user before performing either user verification or test of user presence. The authenticator may add other information below thecontent
. No changes are allowed to thecontent
itself, i.e., insidecontent
boundary box. - Authenticator extension output
-
The hash value of the
content
which was displayed. The authenticator MUST use the same hash algorithm as it uses for the signature itself.
10.4. Authenticator Selection Extension (authnSel)
This registration extension allows a Relying Party to guide the selection of the authenticator that will be leveraged when creating the credential. It is intended primarily for Relying Parties that wish to tightly control the experience around credential creation.
- Extension identifier
-
authnSel
- Client extension input
-
A sequence of AAGUIDs:
typedef sequence<AAGUID>
AuthenticatorSelectionList
;Each AAGUID corresponds to an authenticator model that is acceptable to the Relying Party for this credential creation. The list is ordered by decreasing preference.
An AAGUID is defined as an array containing the globally unique identifier of the authenticator model being sought.
typedef BufferSource
AAGUID
; - Client extension processing
-
This extension can only be used during
create()
. If the client supports the Authenticator Selection Extension, it MUST use the first available authenticator whose AAGUID is present in theAuthenticatorSelectionList
. If none of the available authenticators match a provided AAGUID, the client MUST select an authenticator from among the available authenticators to generate the credential. - Client extension output
-
Returns the JSON value
true
to indicate to the RP that the extension was acted upon - Authenticator extension input
-
None.
- Authenticator extension processing
-
None.
- Authenticator extension output
-
None.
10.5. Supported Extensions Extension (exts)
This registration extension enables the Relying Party to determine which extensions the authenticator supports.
- Extension identifier
-
exts
- Client extension input
-
The Boolean value
true
to indicate that this extension is requested by the Relying Party. - Client extension processing
-
None, except creating the authenticator extension input from the client extension input.
- Client extension output
-
Returns the list of supported extensions as a JSON array of extension identifier strings
- Authenticator extension input
-
The Boolean value
true
, encoded in CBOR (major type 7, value 21). - Authenticator extension processing
-
The authenticator sets the authenticator extension output to be a list of extensions that the authenticator supports, as defined below. This extension can be added to attestation objects.
- Authenticator extension output
-
The SupportedExtensions extension is a list (CBOR array) of extension identifier (UTF-8 encoded strings).
10.6. User Verification Index Extension (uvi)
This registration extension and authentication extension enables use of a user verification index.
- Extension identifier
-
uvi
- Client extension input
-
The Boolean value
true
to indicate that this extension is requested by the Relying Party. - Client extension processing
-
None, except creating the authenticator extension input from the client extension input.
- Client extension output
-
Returns a JSON string containing the base64url encoding of the authenticator extension output
- Authenticator extension input
-
The Boolean value
true
, encoded in CBOR (major type 7, value 21). - Authenticator extension processing
-
The authenticator sets the authenticator extension output to be a user verification index indicating the method used by the user to authorize the operation, as defined below. This extension can be added to attestation objects and assertions.
- Authenticator extension output
-
The user verification index (UVI) is a value uniquely identifying a user verification data record. The UVI is encoded as CBOR byte string (type 0x58). Each UVI value MUST be specific to the related key (in order to provide unlinkability). It also must contain sufficient entropy that makes guessing impractical. UVI values MUST NOT be reused by the Authenticator (for other biometric data or users).
The UVI data can be used by servers to understand whether an authentication was authorized by the exact same biometric data as the initial key generation. This allows the detection and prevention of "friendly fraud".
As an example, the UVI could be computed as SHA256(KeyID || SHA256(rawUVI)), where
||
represents concatenation, and the rawUVI reflects (a) the biometric reference data, (b) the related OS level user ID and (c) an identifier which changes whenever a factory reset is performed for the device, e.g. rawUVI = biometricReferenceData || OSLevelUserID || FactoryResetCounter.Servers supporting UVI extensions MUST support a length of up to 32 bytes for the UVI value.
Example for authenticator data containing one UVI extension
... -- [=RP ID=] hash (32 bytes) 81 -- UP and ED set 00 00 00 01 -- (initial) signature counter ... -- all public key alg etc. A1 -- extension: CBOR map of one element 63 -- Key 1: CBOR text string of 3 bytes 75 76 69 -- "uvi" [=UTF-8 encoded=] string 58 20 -- Value 1: CBOR byte string with 0x20 bytes 00 43 B8 E3 BE 27 95 8C -- the UVI value itself 28 D5 74 BF 46 8A 85 CF 46 9A 14 F0 E5 16 69 31 DA 4B CF FF C1 BB 11 32 82
10.7. Location Extension (loc)
The location registration extension and authentication extension provides the client device’s current location to the WebAuthn Relying Party.
- Extension identifier
-
loc
- Client extension input
-
The Boolean value
true
to indicate that this extension is requested by the Relying Party. - Client extension processing
-
None, except creating the authenticator extension input from the client extension input.
- Client extension output
-
Returns a JSON object that encodes the location information in the authenticator extension output as a Coordinates value, as defined by The W3C Geolocation API Specification.
- Authenticator extension input
-
The Boolean value
true
, encoded in CBOR (major type 7, value 21). - Authenticator extension processing
-
If the authenticator does not support the extension, then the authenticator MUST ignore the extension request. If the authenticator accepts the extension, then the authenticator SHOULD only add this extension data to a packed attestation or assertion.
- Authenticator extension output
-
If the authenticator accepts the extension request, then authenticator extension output SHOULD provide location data in the form of a CBOR-encoded map, with the first value being the extension identifier and the second being an array of returned values. The array elements SHOULD be derived from (key,value) pairings for each location attribute that the authenticator supports. The following is an example of authenticator data where the returned array is comprised of a {longitude, latitude, altitude} triplet, following the coordinate representation defined in The W3C Geolocation API Specification.
... -- [=RP ID=] hash (32 bytes) 81 -- UP and ED set 00 00 00 01 -- (initial) signature counter ... -- all public key alg etc. A1 -- extension: CBOR map of one element 63 -- Value 1: CBOR text string of 3 bytes 6C 6F 63 -- "loc" [=UTF-8 encoded=] string 86 -- Value 2: array of 6 elements 68 -- Element 1: CBOR text string of 8 bytes 6C 61 74 69 74 75 64 65 -- “latitude” [=UTF-8 encoded=] string FB ... -- Element 2: Latitude as CBOR encoded double-precision float 69 -- Element 3: CBOR text string of 9 bytes 6C 6F 6E 67 69 74 75 64 65 -- “longitude” [=UTF-8 encoded=] string FB ... -- Element 4: Longitude as CBOR encoded double-precision float 68 -- Element 5: CBOR text string of 8 bytes 61 6C 74 69 74 75 64 65 -- “altitude” [=UTF-8 encoded=] string FB ... -- Element 6: Altitude as CBOR encoded double-precision float
10.8. User Verification Method Extension (uvm)
This registration extension and authentication extension enables use of a user verification method.
- Extension identifier
-
uvm
- Client extension input
-
The Boolean value true to indicate that this extension is requested by the WebAuthn Relying Party.
- Client extension processing
-
None, except creating the authenticator extension input from the client extension input.
- Client extension output
-
Returns a JSON array of 3-element arrays of numbers that encodes the factors in the authenticator extension output
- Authenticator extension input
-
The Boolean value
true
, encoded in CBOR (major type 7, value 21). - Authenticator extension processing
-
The authenticator sets the authenticator extension output to be a one or more user verification index methods indicating the method(s) used by the user to authorize the operation, as defined below. This extension can be added to attestation objects and assertions.
- Authenticator extension output
-
Authenticators can report up to 3 different user verification methods (factors) used in a single authentication instance, using the CBOR syntax defined below:
uvmFormat = [ 1*3 uvmEntry ] uvmEntry = [ userVerificationMethod: uint .size 4, keyProtectionType: uint .size 2, matcherProtectionType: uint .size 2 ]
The semantics of the fields in each
uvmEntry
are as follows:- userVerificationMethod
-
The authentication method/factor used by the authenticator to verify the user. Available values are defined in [FIDOReg], "User Verification Methods" section.
- keyProtectionType
-
The method used by the authenticator to protect the FIDO registration private key material. Available values are defined in [FIDOReg], "Key Protection Types" section.
- matcherProtectionType
-
The method used by the authenticator to protect the matcher that performs user verification. Available values are defined in [FIDOReg], "Matcher Protection Types" section.
If >3 factors can be used in an authentication instance the authenticator vendor must select the 3 factors it believes will be most relevant to the Server to include in the UVM.
Example for authenticator data containing one UVM extension for a multi-factor authentication instance where 2 factors were used:
... -- [=RP ID=] hash (32 bytes) 81 -- UP and ED set 00 00 00 01 -- (initial) signature counter ... -- all public key alg etc. A1 -- extension: CBOR map of one element 63 -- Key 1: CBOR text string of 3 bytes 75 76 6d -- "uvm" [=UTF-8 encoded=] string 82 -- Value 1: CBOR array of length 2 indicating two factor usage 83 -- Item 1: CBOR array of length 3 02 -- Subitem 1: CBOR integer for User Verification Method Fingerprint 04 -- Subitem 2: CBOR short for Key Protection Type TEE 02 -- Subitem 3: CBOR short for Matcher Protection Type TEE 83 -- Item 2: CBOR array of length 3 04 -- Subitem 1: CBOR integer for User Verification Method Passcode 01 -- Subitem 2: CBOR short for Key Protection Type Software 01 -- Subitem 3: CBOR short for Matcher Protection Type Software
11. IANA Considerations
1011.1. WebAuthn Attestation Statement Format Identifier Registrations
This section registers the attestation statement formats defined in Section §7 §8 Defined Attestation Statement Formats in the IANA "WebAuthn Attestation Statement Format Identifier" registry established by [WebAuthn-Registries].
-
WebAuthn Attestation Statement Format Identifier: packed
-
Description: The "packed" attestation statement format is a WebAuthn-optimized format for attestation data. It uses a very compact but still extensible encoding method. This format is implementable by authenticators with limited resources (e.g., secure elements).
-
Specification Document: Section §7§8.2 Packed Attestation Statement Format of this specification
-
WebAuthn Attestation Statement Format Identifier: tpm
-
Description: The TPM attestation statement format returns an attestation statement in the same format as the packed attestation statement format, although the the rawData and signature fields are computed differently.
-
Specification Document: Section §7§8.3 TPM Attestation Statement Format of this specification
-
WebAuthn Attestation Statement Format Identifier: android-key
-
Description: Platform-provided authenticators based on Android versions "N", and later, may provide this proprietary "hardware attestation" statement.
-
Specification Document: Section §7§8.4 Android Key Attestation Statement Format of this specification
-
WebAuthn Attestation Statement Format Identifier: android-safetynet
-
Description: Android-based, platform-provided authenticators may produce an attestation statement based on the Android SafetyNet API.
-
Specification Document: Section §7§8.5 Android SafetyNet Attestation Statement Format of this specification
-
WebAuthn Attestation Statement Format Identifier: fido-u2f
-
Description: Used with FIDO U2F authenticators
-
Specification Document: Section §7§8.6 FIDO U2F Attestation Statement Format of this specification
11.2. WebAuthn Extension Identifier Registrations
This section registers the extension identifier values defined in Section §8 §9 WebAuthn Extensions in the IANA "WebAuthn Extension Identifier" registry established by [WebAuthn-Registries].
-
WebAuthn Extension Identifier: appid
-
Description: This authentication extension allows Relying Parties that have previously registered a credential using the legacy FIDO JavaScript APIs to request an assertion.
-
Specification Document: Section §9§10.1 FIDO AppId Extension (appid) of this specification
-
WebAuthn Extension Identifier: txAuthSimple
-
Description: This registration extension and authentication extension allows for a simple form of transaction authorization. A WebAuthn Relying Party can specify a prompt string, intended for display on a trusted device on the authenticator
-
Specification Document: Section §9§10.2 Simple Transaction Authorization Extension (txAuthSimple) of this specification
-
WebAuthn Extension Identifier: txAuthGeneric
-
Description: This registration extension and authentication extension allows images to be used as transaction authorization prompts as well. This allows authenticators without a font rendering engine to be used and also supports a richer visual appearance than accomplished with the webauthn.txauth.simple extension.
-
Specification Document: Section §9§10.3 Generic Transaction Authorization Extension (txAuthGeneric) of this specification
-
WebAuthn Extension Identifier: authnSel
-
Description: This registration extension allows a WebAuthn Relying Party to guide the selection of the authenticator that will be leveraged when creating the credential. It is intended primarily for WebAuthn Relying Parties that wish to tightly control the experience around credential creation.
-
Specification Document: Section §9§10.4 Authenticator Selection Extension (authnSel) of this specification
-
WebAuthn Extension Identifier: exts
-
Description: This registration extension enables the Relying Party to determine which extensions the authenticator supports. The extension data is a list (CBOR array) of extension identifiers encoded as UTF-8 Strings. This extension is added automatically by the authenticator. This extension can be added to attestation statements.
-
Specification Document: Section §9§10.5 Supported Extensions Extension (exts) of this specification
-
WebAuthn Extension Identifier: uvi
-
Description: This registration extension and authentication extension enables use of a user verification index. The user verification index is a value uniquely identifying a user verification data record. The UVI data can be used by servers to understand whether an authentication was authorized by the exact same biometric data as the initial key generation. This allows the detection and prevention of "friendly fraud".
-
Specification Document: Section §9§10.6 User Verification Index Extension (uvi) of this specification
-
WebAuthn Extension Identifier: loc
-
Description: The location registration extension and authentication extension provides the client device’s current location to the WebAuthn relying party, if supported by the client device and subject to user consent.
-
Specification Document: Section §9§10.7 Location Extension (loc) of this specification
-
WebAuthn Extension Identifier: uvm
-
Description: This registration extension and authentication extension enables use of a user verification method. The user verification method extension returns to the Webauthn relying party which user verification methods (factors) were used for the WebAuthn operation.
-
Specification Document: Section §9§10.8 User Verification Method Extension (uvm) of this specification
11.3. COSE Algorithm Registrations
This section registers identifiers for RSASSA-PKCS1-v1_5 [RFC8017] algorithms using SHA-2 and SHA-1 hash functions in the IANA COSE Algorithms registry [IANA-COSE-ALGS-REG]. It also registers identifiers for ECDAA algorithms.
-
Name: RS256
-
Value: -257
-
Description: RSASSA-PKCS1-v1_5 w/ SHA-256
-
Reference: Section 8.2 of [RFC8017]
-
Recommended: No
-
Name: RS384
-
Value: -258
-
Description: RSASSA-PKCS1-v1_5 w/ SHA-384
-
Reference: Section 8.2 of [RFC8017]
-
Recommended: No
-
Name: RS512
-
Value: -259
-
Description: RSASSA-PKCS1-v1_5 w/ SHA-512
-
Reference: Section 8.2 of [RFC8017]
-
Recommended: No
-
-
Name: ED256
-
Value: -260
-
Description: TPM_ECC_BN_P256 curve w/ SHA-256
-
Reference: Section 4.2 of [FIDOEcdaaAlgorithm]
-
Recommended: Yes
-
Name: ED512
-
Value: -261
-
Description: ECC_BN_ISOP512 curve w/ SHA-512
-
Reference: Section 4.2 of [FIDOEcdaaAlgorithm]
-
Recommended: Yes
-
Name: RS1
-
Value: -262
-
Description: RSASSA-PKCS1-v1_5 w/ SHA-1
-
Reference: Section 8.2 of [RFC8017]
-
Recommended: No
12. Sample scenarios
This section is not normative.
In this section, we walk through some events in the lifecycle of a public key credential, along with the corresponding sample code for using this API. Note that this is an example flow, and does not limit the scope of how the API can be used.
As was the case in earlier sections, this flow focuses on a use case involving an external first-factor authenticator with its own display. One example of such an authenticator would be a smart phone. Other authenticator types are also supported by this API, subject to implementation by the platform. For instance, this flow also works without modification for the case of an authenticator that is embedded in the client platform. The flow also works for the case of an authenticator without its own display (similar to a smart card) subject to specific implementation considerations. Specifically, the client platform needs to display any prompts that would otherwise be shown by the authenticator, and the authenticator needs to allow the client platform to enumerate all the authenticator’s credentials so that the client can have information to show appropriate prompts.
1112.1. Registration
This is the first-time flow, in which a new credential is created and registered with the server. In this flow, the Relying Party does not have a preference for platform authenticator or roaming authenticators.
-
The user visits example.com, which serves up a script. At this point, the user may already be logged in using a legacy username and password, or additional authenticator, or other means acceptable to the Relying Party. Or the user may be in the process of creating a new account.
-
The Relying Party script runs the code snippet below.
-
The client platform searches for and locates the authenticator.
-
The client platform connects to the authenticator, performing any pairing actions if necessary.
-
The authenticator shows appropriate UI for the user to select the authenticator on which the new credential will be created, and obtains a biometric or other authorization gesture from the user.
-
The authenticator returns a response to the client platform, which in turn returns a response to the Relying Party script. If the user declined to select an authenticator or provide authorization, an appropriate error is returned.
-
If a new credential was created,
-
The Relying Party script sends the newly generated credential public key to the server, along with additional information such as attestation regarding the provenance and characteristics of the authenticator.
-
The server stores the credential public key in its database and associates it with the user as well as with the characteristics of authentication indicated by attestation, also storing a friendly name for later use.
-
The script may store data such as the credential ID in local storage, to improve future UX by narrowing the choice of credential for the user.
-
The sample code for generating and registering a new key follows:
))if (!PublicKeyCredential) { /* Platform not capable. Handle error. */ } var publicKey = { // The challenge must be produced by the server, see the Security Considerations challenge: new Uint8Array.from(window.atob("PGifxAoBwCkWkm4b1CiIl5otCphiIh6MijdjbWFjomA="), c=>c.charCodeAt(0
([21,31,105 /* 29 more random bytes generated by the server */]), // Relying Party: rp: { name: "Acme" }, // User: user: { id:"1098237235409872"
Uint8Array.from(window.atob("MIIBkzCCATigAwIBAjCCAZMwggE4oAMCAQIwggGTMII="), c=>c.charCodeAt(0)), name: "john.p.smith@example.com", displayName: "John P. Smith", icon: "https://pics.acme.com/00/p/aBjjjpqPb.png" }, // This Relying Party will accept either an ES256 or RS256 credential, but // prefers an ES256 credential. pubKeyCredParams: [ { type: "public-key", alg: -7 // "ES256" as registered in the IANA COSE Algorithms registry }, { type: "public-key", alg: -257 // Value registered by this specification for "RS256" } ], timeout: 60000, // 1 minute excludeCredentials: [], // No exclude list of PKCredDescriptors extensions: {"webauthn.location
loc": true} // Include location information // in attestation }; // Note: The following call will cause the authenticator to display UI. navigator.credentials.create({ publicKey }) .then(function (newCredentialInfo) { // Send new credential info to server for verification and registration. }).catch(function (err) { // No acceptable authenticator or user refused consent. Handle appropriately. });11
12.2. Registration Specifically with User Verifying Platform Authenticator
This is flow for when the Relying Party is specifically interested in creating a public key credential with a user-verifying platform authenticator.
-
The user visits example.com and clicks on the login button, which redirects the user to login.example.com.
-
The user enters a username and password to log in. After successful login, the user is redirected back to example.com.
-
The Relying Party script runs the code snippet below.
-
The user agent asks the user whether they are willing to register with the Relying Party using an available platform authenticator.
-
If the user is not willing, terminate this flow.
-
The user is shown appropriate UI and guided in creating a credential using one of the available platform authenticators. Upon successful credential creation, the RP script conveys the new credential to the server.
if (!PublicKeyCredential) { /* Platform not capable of the API. Handle error. */ } PublicKeyCredential.
isPlatformAuthenticatorAvailableisUserVerifyingPlatformAuthenticatorAvailable() .then(function (userIntent) { // If the user has affirmed willingness to register with RP using an available platform authenticator if (userIntent) { var publicKeyOptions = { /* Public key credential creation options. */}; // Create and register credentials. return navigator.credentials.create({ "publicKey": publicKeyOptions }); } else { // Record that the user does not intend to use a platform authenticator // and default the user to a password-based flow in the future. } }).then(function (newCredentialInfo) { // Send new credential info to server for verification and registration. }).catch( function(err) { // Something went wrong. Handle appropriately. });
12.3. Authentication
This is the flow when a user with an already registered credential visits a website and wants to authenticate using the credential.
-
The user visits example.com, which serves up a script.
-
The script asks the client platform for an Authentication Assertion, providing as much information as possible to narrow the choice of acceptable credentials for the user. This may be obtained from the data that was stored locally after registration, or by other means such as prompting the user for a username.
-
The Relying Party script runs one of the code snippets below.
-
The client platform searches for and locates the authenticator.
-
The client platform connects to the authenticator, performing any pairing actions if necessary.
-
The authenticator presents the user with a notification that their attention is required. On opening the notification, the user is shown a friendly selection menu of acceptable credentials using the account information provided when creating the credentials, along with some information on the origin that is requesting these keys.
-
The authenticator obtains a biometric or other authorization gesture from the user.
-
The authenticator returns a response to the client platform, which in turn returns a response to the Relying Party script. If the user declined to select a credential or provide an authorization, an appropriate error is returned.
-
If an assertion was successfully generated and returned,
-
The script sends the assertion to the server.
-
The server examines the assertion, extracts the credential ID, looks up the registered credential public key it is database, and verifies the assertion’s authentication signature. If valid, it looks up the identity associated with the assertion’s credential ID; that identity is now authenticated. If the credential ID is not recognized by the server (e.g., it has been deregistered due to inactivity) then the authentication has failed; each Relying Party will handle this in its own way.
-
The server now does whatever it would otherwise do upon successful authentication -- return a success page, set authentication cookies, etc.
-
If the Relying Party script does not have any hints available (e.g., from locally stored data) to help it narrow the list of credentials, then the sample code for performing such an authentication might look like this:
if (!PublicKeyCredential) { /* Platform not capable. Handle error. */ } var options = { // The challenge must be produced by the server, see the Security Considerations challenge: newTextEncoder().encode("climb a mountain"
Uint8Array([4,101,15 /* 29 more random bytes generated by the server */]), timeout: 60000, // 1 minute allowCredentials: [{ type: "public-key" }] }; navigator.credentials.get({ "publicKey": options }) .then(function (assertion) { // Send assertion to server for verification }).catch(function (err) { // No acceptable credential or user refused consent. Handle appropriately. });
On the other hand, if the Relying Party script has some hints to help it narrow the list of credentials, then the sample code for performing such an authentication might look like the following. Note that this sample also demonstrates how to use the extension for transaction authorization.
if (!PublicKeyCredential) { /* Platform not capable. Handle error. */ } var encoder = new TextEncoder(); var acceptableCredential1 = { type: "public-key", id: encoder.encode("!!!!!!!hi there!!!!!!!\n") }; var acceptableCredential2 = { type: "public-key", id: encoder.encode("roses are red, violets are blue\n") }; var options = { // The challenge: encoder.encode("climb a mountain"
must be produced by the server, see the Security Considerations challenge: new Uint8Array([8,18,33 /* 29 more random bytes generated by the server */]), timeout: 60000, // 1 minute allowCredentials: [acceptableCredential1, acceptableCredential2];
, extensions: { 'webauthn.txauth.simple
txAuthSimple': "Wave your hands in the air like you just don’t care" };
}; navigator.credentials.get({ "publicKey": options }) .then(function (assertion) { // Send assertion to server for verification }).catch(function (err) { // No acceptable credential or user refused consent. Handle appropriately. });11.4.
12.4. Aborting Authentication Operations
The below example shows how a developer may use the AbortSignal parameter to abort a credential registration operation. A similiar procedure applies to an authentication operation.
const authAbortController = new AbortController(); const authAbortSignal = authAbortController.signal; authAbortSignal.onabort = function () { // Once the page knows the abort started, inform user it is attempting to abort. } var options = { // A list of options. } navigator.credentials.create({ publicKey: options, signal: authAbortSignal}) .then(function (attestation) { // Register the user. }).catch(function (error) { if (error == "AbortError") { // Inform user the credential hasn’t been created. // Let the server know a key hasn’t been created. } }); // Assume widget shows up whenever auth occurs. if (widget == "disappear") { authAbortSignal.abort(); }
12.5. Decommissioning
The following are possible situations in which decommissioning a credential might be desired. Note that all of these are handled on the server side and do not need support from the API specified here.
-
Possibility #1 -- user reports the credential as lost.
-
User goes to server.example.net, authenticates and follows a link to report a lost/stolen device.
-
Server returns a page showing the list of registered credentials with friendly names as configured during registration.
-
User selects a credential and the server deletes it from its database.
-
In future, the Relying Party script does not specify this credential in any list of acceptable credentials, and assertions signed by this credential are rejected.
-
-
Possibility #2 -- server deregisters the credential due to inactivity.
-
Server deletes credential from its database during maintenance activity.
-
In the future, the Relying Party script does not specify this credential in any list of acceptable credentials, and assertions signed by this credential are rejected.
-
-
Possibility #3 -- user deletes the credential from the device.
-
User employs a device-specific method (e.g., device settings UI) to delete a credential from their device.
-
From this point on, this credential will not appear in any selection prompts, and no assertions can be generated with it.
-
Sometime later, the server deregisters this credential due to inactivity.
-
13. Security Considerations
13.1. Cryptographic Challenges
As a cryptographic protocol, Web Authentication is dependent upon randomized challenges to avoid replay attacks. Therefore, both {MakePublicKeyCredentialOptions/challenge}}'s andchallenge
's value, MUST be randomly generated by the Relying Party in an environment they trust (e.g., on the server-side), and the challenge in the client’s response must match what was generated. This should be done in a fashion that does not rely upon a client’s behavior; e.g.: the Relying Party should store the challenge temporarily until the operation is complete. Tolerating a mismatch will compromise the security of the protocol.