firstDaisy Diff compare report.
Click on the changed parts for a detailed description. Use the left and right arrow keys to walk through the modifications.
last 

Jump to Table of Contents Pop Out Sidebar

W3C W3C

Web Authentication: An API for accessing Scoped Credentials

W3C Working Draft,

This version:
https://www.w3.org/TR/20162017/WD-webauthn-2016120720170216/
Latest published version:
https://www.w3.org/TR/webauthn/
Editor's Draft:
https://w3c.github.io/webauthn/
Previous Versions:
https://www.w3.org/TR/2016/WD-webauthn-20161207/
https://www.w3.org/TR/2016/WD-webauthn-20160928/
https://www.w3.org/TR/2016/WD-webauthn-20160902/
https://www.w3.org/TR/2016/WD-webauthn-20160531/
Issue Tracking:
Github
Editors:
(Microsoft)
(PayPal)
(Google)
(Google)
(Google)
(PayPal)
(Microsoft)
(Nok Nok Labs)
(Mozilla)

Abstract

This specification defines an API enabling the creation and use of strong, attested, cryptographic scoped credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more credentials, each scoped to a given Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The user agent mediates access to scoped credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to relying parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.

Status of this document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.

This document was published by the Web Authentication Working Group as a Working Draft. This document is intended to become a W3C Recommendation. Feedback and comments on this specification are welcome. Please use Github issues. Discussions may also be found in the public-webauthn@w3.org archives.

Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 1 September 2015 W3C Process Document.

1. Introduction

This section is not normative.

This specification defines an API enabling the creation and use of strong, attested, cryptographic scoped credentials by web applications, for the purpose of strongly authenticating users. A scoped credential is created and stored by an authenticator at the behest of a Relying Party, subject to user consent. Subsequently, the scoped credential can only be accessed by origins belonging to that Relying Party. This scoping is enforced jointly by conforming User Agents and authenticators. Additionally, privacy across Relying Parties is maintained; Relying Parties are not able to detect any properties, or even the existence, of credentials scoped to other Relying Parties.

Relying Parties employ the Web Authentication API during two distinct, but related, ceremonies involving a user. The first is Registration, where a scoped credential is created on an authenticator, and associated by a Relying Party with the present user’s account (the account may already exist or may be created at this time). The second is Authentication, where the Relying Party is presented with a WebAuthn an Authentication Assertion proving the presence and consent of the user who registered the scoped credential. Functionally, the Web Authentication API comprises two methods (along with associated data structures): makeCredential() and getAssertion(). The former is used during Registration and the latter during Authentication.

Broadly, compliant authenticators protect scoped credentials, and interact with user agents to implement the Web Authentication API. Some authenticators may run on the same computing device (e.g., smart phone, tablet, desktop PC) as the user agent is running on. For instance, such an authenticator might consist of a Trusted Execution Environment (TEE) applet, a Trusted Platform Module (TPM), or a Secure Element (SE) integrated into the computing device in conjunction with some means for user verification, along with appropriate platform software to mediate access to these components' functionality. Other authenticators may operate autonomously from the computing device running the user agent, and be accessed over a transport such as Universal Serial Bus (USB), Bluetooth Low Energy (BLE) or Near Field Communications (NFC).

1.1. Use Cases

The below use case scenarios illustrate use of two very different types of authenticators, as well as outline further scenarios. Additional scenarios, including sample code, are given later in §10 §11 Sample scenarios.

1.1.1. Registration

1.1.2. Authentication

1.1.3. Other use cases and configurations

A variety of additional use cases and configurations are also possible, including (but not limited to):

2. Conformance

This specification defines criteria for a Conforming User Agent: A User Agent MUST behave as described in this specification in order to be considered conformant. Conforming User Agents MAY implement algorithms given in this specification in any way desired, so long as the end result is indistinguishable from the result that would be obtained by the specification’s algorithms. A conforming User Agent MUST also be a conforming implementation of the IDL fragments of this specification, as described in the “Web IDL” specification. [WebIDL-1]

This specification also defines a model of a conformant authenticator (see §5 WebAuthn Authenticator model). This is a set of functional and security requirements for an authenticator to be usable by a Conforming User Agent. As described in §1.1 Use Cases, an authenticator may be implemented in the operating system underlying the User Agent, or in external hardware, or a combination of both.

2.1. Dependencies

This specification relies on several other underlying specifications.

Base64url encoding

The term Base64url Encoding refers to the base64 encoding using the URL- and filename-safe character set defined in Section 5 of [RFC4648], with all trailing '=' characters omitted (as permitted by Section 3.2) and without the inclusion of any line breaks, whitespace, or other additional characters.

CBOR

A number of structures in this specification, including attestation statements and extensions, are encoded using the Compact Binary Object Representation (CBOR) [RFC7049].

CDDL

This specification describes the syntax of all CBOR-encoded data using the CBOR Data Definition Language (CDDL) [CDDL].

DOM

DOMException and the DOMException values used in this specification are defined in [DOM4].

HTML

The concepts of current settings object, origin, opaque origin, relaxing the same-origin restriction, and the Navigator interface are defined in [HTML51].

Web Cryptography API

The AlgorithmIdentifier type and the method for normalizing an algorithm are defined in Web Cryptography API §algorithm-dictionary.

Web IDL

Many of the interface definitions and all of the IDL in this specification depend on [WebIDL-1]. This updated version of the Web IDL standard adds support for Promises, which are now the preferred mechanism for asynchronous interaction in all new web APIs.

DOM

DOMException and the DOMException values used in this specification are defined in [DOM4].

Web Cryptography API

The

AlgorithmIdentifier type and the method for normalizing an algorithm are defined in Web Cryptography API §algorithm-dictionary.

Base64url encoding

The term Base64url Encoding refers to the base64 encoding using the URL- and filename-safe character set defined in Section 5 of [RFC4648], with all trailing '=' characters omitted (as permitted by Section 3.2) and without the inclusion of any line breaks, whitespace, or other additional characters. This is the same encoding as used by JSON Web Signature (JWS) [RFC7515].

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

3. Terminology

ASCII case-insensitive match

A method of testing two strings for equality by comparing them exactly, code point for code point, except that the codepoints in the range U+0041 .. U+005A (i.e. LATIN CAPITAL LETTER A to LATIN CAPITAL LETTER Z) and the corresponding codepoints in the range U+0061 .. U+007A (i.e. LATIN SMALL LETTER A to LATIN SMALL LETTER Z) are also considered to match.

Assertion

See WebAuthn Authentication Assertion.

Attestation

Generally, a statement that serves to bear witness, confirm, or authenticate. In the WebAuthn context, attestation is employed to attest to the provenance of an authenticator and the data it emits; including, for example: credential IDs, credential key pairs, signature counters, etc. Attestation information is conveyed in attestation statementsobjects. See also attestation statement format, and attestation type.

Attestation Certificate

A X.509 Certificate for the attestation key pair used by an Authenticator to attest to its manufacture and capabilities. At registration time, the authenticator uses the attestation private key to sign the Relying Party-specific credential public key (and additional data) that it generates and returns via the authenticatorMakeCredential operation. Relying Parties use the attestation public key conveyed in the attestation certificate to verify the attestation signature. Note that in the case of self attestation, the authenticator has no distinct attestation key pair nor attestation certificate, see self attestation for details.

Authentication

The ceremony where a user, and the user’s computing device(s) (containing at least one authenticator) work in concert to cryptographically prove to an Relying Party that the user controls the private key associated with a previously-registered scoped credential (see Registration). Note that this includes employing user verification.

Authentication Assertion

The cryptographically signed AuthenticationAssertion object returned by an authenticator as the result of a authenticatorGetAssertion operation.

Authenticator

A cryptographic device used by a WebAuthn Client to (i) generate a scoped credential and register it with a Relying Party, and (ii) subsequently used to cryptographically sign and return, in the form of an WebAuthn Authentication Assertion, a challenge and other data presented by a Relying Party (in concert with the WebAuthn Client) in order to effect authentication.

Authorization Gesture

Essentially the same as user verification.

Ceremony

The concept of a ceremony [Ceremony] is an extension of the concept of a network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony. In this specification, Registration, Authentication, and user verification are ceremonies.

Client

See Conforming User Agent.

Conforming User Agent

A user agent implementing, in conjunction with the underlying platform, the Web Authentication API and algorithms given in this specification, and handling communication between Authenticators and Relying Parties.

Credential Public Key

The public key portion of an Relying Party-specific credential key pair, generated by an authenticator and returned to an Relying Party at registration time (see also scoped credential). The private key portion of the credential key pair is known as the credential private key. Note that in the case of self attestation, the credential key pair is also used as the attestation key pair, see self attestation for details.

Registration

The ceremony where a user, a Relying Party, and the user’s computing device(s) (containing at least one authenticator) work in concert to create a scoped credential and associate it with the user’s Relying Party account. Note that this includes employing user verification.

Relying Party

The entity whose web application utilizes the Web Authentication API to register and authenticate users. See Registration and Authentication, respectively.

Note: While the term Relying Party is used in other contexts (e.g., X.509 and OAuth), an entity acting as a Relying Party in one context is not necessarily a Relying Party in other contexts.

Relying Party Identifier

RP ID

An identifier for the Relying Party on whose behalf a given registration or authentication ceremony is being performed. Scoped credentials can only be used for authentication by the same entity (as identified by RP ID) that created and registered them. By default, the RP ID for a WebAuthn operation is set to the current settings object’s origin. This default can be overridden by the caller subject to certain restrictions, as specified in §4.1.1 Create a new credential (- makeCredential() method) and §4.1.2 Use an existing credential (- getAssertion() method).

Scoped Credential

Generically, a credential is data one entity presents to another in order to authenticate the former’s identity [RFC4949]. A WebAuthn scoped credential is a { identifier, type } pair identifying authentication information established by the authenticator and the Relying Party, together, at registration time. The authentication information consists of an asymmetric key pair, where the public key portion is returned to the Relying Party, which stores it in conjunction with the present user’s account. The authenticator maps the private key to the Relying Party’s RP ID and stores it. Subsequently, only that Relying Party, as identified by its RP ID, is able to employ the scoped credential in authentication ceremonies, via the getAssertion() method. The Relying Party uses its copy of the stored public key to verify the resultant WebAuthn Authentication Assertion.

User Consent

User consent means the user agrees with what they are being asked, i.e., it encompasses reading and understanding prompts. User verification encompasses the means employed by the user to indicate consent.

User Verification

The process by which an authenticator locally authorizes the invocation of the authenticatorMakeCredential and authenticatorGetAssertion operations, for example through a touch plus pin code, a password, a gesture (e.g., presenting a fingerprint), or other modality. Note that invocation of said operations implies use of key material managed by the authenticator.

WebAuthn Assertion

The cryptographically signed WebAuthnAssertion object returned by an authenticator as the result of a authenticatorGetAssertion operation.

WebAuthn Client

See Conforming User Agent.

4. Web Authentication API

This section normatively specifies the API for creating and using scoped credentials. Support for deleting credentials is deliberately omitted; this is expected to be done through platform-specific user interfaces rather than from a script. The basic idea is that the credentials belong to the user and are managed by an authenticator, with which the Relying Party interacts through the client (consisting of the browser and underlying OS platform). Scripts can (with the user’s consent) request the browser to create a new credential for future use by the Relying Party. Scripts can also request the user’s permission to perform authentication operations with an existing credential. All such operations are performed in the authenticator and are mediated by the browser and/or platform on the user’s behalf. At no point does the script get access to the credentials themselves; it only gets information about the credentials in the form of objects.

In addition to the above script interface, the authenticator may implement (or come with client software that implements) a user interface for management. Such an interface may be used, for example, to reset the authenticator to a clean state or to inspect the current state of the authenticator. In other words, such an interface is similar to the user interfaces provided by browsers for managing user state such as history, saved passwords and cookies. Authenticator management actions such as credential deletion are considered to be the responsibility of such a user interface and are deliberately omitted from the API exposed to scripts.

The security properties of this API are provided by the client and the authenticator working together. The authenticator, which holds and manages credentials, ensures that all operations are scoped to a particular origin, and cannot be replayed against a different origin, by incorporating the origin in its responses. Specifically, as defined in §5.2 Signature FormatAuthenticator operations, the full origin of the requester is included, and signed over, in the attestation statement object produced when a new credential is created as well as in all assertions produced by WebAuthn credentials.

Additionally, to maintain user privacy and prevent malicious Relying Parties from probing for the presence of credentials belonging to other Relying Parties, each credential is also associated with a Relying Party Identifier, or RP ID. This RP ID is provided by the client to the authenticator for all operations, and the authenticator ensures that credentials created by a Relying Party can only be used in operations requested by the same RP ID. Separating the origin from the RP ID in this way allows the API to be used in cases where a single Relying Party maintains multiple origins.

The client facilitates these security measures by providing correct origins and RP IDs to the authenticator for each operation. Since this is an integral part of the WebAuthn security model, user agents MUST only expose this API to callers in secure contexts, as defined in [secure-contexts].

The Web Authentication API is defined by the union of the Web IDL fragments presented in the following sections. A combined IDL listing is given in the IDL Index. The API is defined as a part of the Navigator interface:

partial interface Navigator {
    readonly attribute WebAuthentication authentication;
};

4.1. WebAuthentication Interface

[SecureContext]
interface WebAuthentication {
    Promise < ScopedCredentialInfo > makeCredential (
        Account                                 accountInformation,
        sequence < ScopedCredentialParameters > cryptoParameters,
        BufferSource                            attestationChallenge,
        optional ScopedCredentialOptions        options
    );

    Promise < WebAuthnAssertion AuthenticationAssertion> getAssertion (
        BufferSource                    assertionChallenge,
        optional AssertionOptions       options
    );
};

This interface has two methods, which are described in the following subsections.

4.1.1. Create a new credential (- makeCredential() method)

With this method, a script can request the User Agent to create a new credential of a given type and persist it to the underlying platform, which may involve data storage managed by the browser or the OS. The user agent will prompt the user to approve this operation. On success, the promise will be resolved with a ScopedCredentialInfo object describing the newly created credential.

This method takes the following parameters:

attestation statement of the
credential

When this method is invoked, the user agent MUST execute the following algorithm:

  1. If

timeoutSeconds was specified
  1. the timeout member of options is present, check if its value lies within a reasonable range as defined by the platform and if not, correct it to the closest value lying within that range. Set adjustedTimeout to this adjusted value. If

timeoutSeconds
  1. timeout was not specified, then set adjustedTimeout to a platform-specific default.

  2. Let promise be a new Promise. Return promise and start a timer for adjustedTimeout

seconds
  1. milliseconds. Then asynchronously continue executing the following steps. If any fatal error is encountered in this process other than the ones enumerated below, cancel the timer, reject promise with a DOMException whose name is "UnknownError", and terminate this algorithm.

  2. Set callerOrigin to the current settings object’s origin. If callerOrigin is an opaque origin, reject promise with a DOMException whose name is "NotAllowedError", and terminate this algorithm. Otherwise,

specified
    • present, then set rpId to callerOrigin

, and rpIdHash to the SHA-256 hash of rpId
specified
    • present, then invoke the procedure used for relaxing the same-origin restriction by setting the document.domain attribute, using rpId as the given value but without changing the current document’s domain. If no errors are thrown, set rpId to the value of host as computed by this procedure

, and rpIdHash to the SHA-256 hash of rpId
    • . Otherwise, reject promise with a DOMException whose name is "SecurityError", and terminate this algorithm.

  1. Process each element of cryptoParameters using the following steps, to produce a new sequence normalizedParameters.

using the procedure defined in
    • [WebCryptoAPI], with alg set to current.algorithm and op set to 'generateKey'. If an error occurs during this procedure, then stop processing current and move on to the next element in cryptoParameters.

    • Add a new object of type ScopedCredentialParameters to normalizedParameters, with type set to current.type and algorithm set to normalizedAlgorithm.

  1. If normalizedAlgorithm is empty and cryptoParameters was not empty, cancel the timer started in step 2, reject promise with a DOMException whose name is "NotSupportedError", and terminate this algorithm.

  2. If

excludeList is undefined, set it to
  1. the

empty list.If extensions was specified
  1. extensions member of options is present, process any extensions supported by this client platform, to produce the extension data that needs to be sent to the authenticator. If an error is encountered while processing an extension, skip that extension and do not produce any extension data for it. Call the result of this processing clientExtensions.

  2. Use attestationChallenge, callerOrigin and rpId, along with the token binding key associated with callerOrigin (if any), to create a ClientData structure representing this request. Choose a hash algorithm for hashAlg and compute the clientDataJSON and its clientDataHash.

  3. Initialize issuedRequests and currentlyAvailableAuthenticators to

an
  1. empty

list
  1. lists.

  2. For each authenticator currently available on this platform, add the authenticator to currentlyAvailableAuthenticators unless the attachment member of options is present. In that case, let attachment be attachment, and add the authenticator to currentlyAvailableAuthenticators if its attachment modality matches attachment.

  3. For each authenticator in currentlyAvailableAuthenticators: asynchronously invoke the authenticatorMakeCredential operation on that authenticator with

rpIdHash
  1. rpId, clientDataHash, accountInformation, normalizedParameters, excludeList and clientExtensions as parameters. Add a corresponding entry to issuedRequests.

    • For each credential C in the excludeList member of options that has a non-empty transports list, optionally use only the specified transports to test for the existence of C.

  2. While issuedRequests is not empty, perform the following actions depending upon the adjustedTimeout timer and responses from the authenticators:

    • If the adjustedTimeout timer expires, then for each entry in issuedRequests invoke the authenticatorCancel operation on that authenticator and remove its entry from the list.

    • If any authenticator returns a status indicating that the user cancelled the operation, delete that authenticator’s entry from issuedRequests. For each remaining entry in issuedRequests invoke the authenticatorCancel operation on that authenticator and remove its entry from the list.

    • If any authenticator returns an error status, delete the corresponding entry from issuedRequests.

    • If any authenticator indicates success:

      • Remove this authenticator’s entry from issuedRequests.

      • Create a new ScopedCredentialInfo object named value and populate its fields with the values returned from the authenticator as well as the clientDataJSON computed earlier.

      • For each remaining entry in issuedRequests invoke the authenticatorCancel operation on that authenticator and remove its entry from the list.

      • Resolve promise with value and terminate this algorithm.

  3. Reject promise with a DOMException whose name is "NotAllowedError", and terminate this algorithm.

During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and authorizing an authenticator.

4.1.2. Use an existing credential (- getAssertion() method)

This method is used to discover and use an existing scoped credential, with the user’s consent. The script optionally specifies some criteria to indicate what credentials are acceptable to it. The user agent and/or platform locates credentials matching the specified criteria, and guides the user to pick one that the script should be allowed to use. The user may choose not to provide a credential even if one is present, for example to maintain privacy.

This method takes the following parameters:

When this method is invoked, the user agent MUST execute the following algorithm:

  1. If

timeoutSeconds was specified
  1. the timeout member of options is present, check if its value lies within a reasonable range as defined by the platform and if not, correct it to the closest value lying within that range. Set adjustedTimeout to this adjusted value. If

timeoutSeconds
  1. timeout was not specified, then set adjustedTimeout to a platform-specific default.

  2. Let promise be a new Promise. Return promise and start a timer for adjustedTimeout

seconds
  1. milliseconds. Then asynchronously continue executing the following steps. If any fatal error is encountered in this process other than the ones enumerated below, cancel the timer, reject promise with a DOMException whose name is "UnknownError", and terminate this algorithm.

  2. Set callerOrigin to the current settings object’s origin. If callerOrigin is an opaque origin, reject promise with a DOMException whose name is "NotAllowedError", and terminate this algorithm. Otherwise,

specified
    • present, then set rpId to callerOrigin

, and rpIdHash to the SHA-256 hash of rpId
specified
    • present, then invoke the procedure used for relaxing the same-origin restriction by setting the document.domain attribute, using rpId as the given value but without changing the current document’s domain. If no errors are thrown, set rpId to the value of host as computed by this procedure

, and rpIdHash to the SHA-256 hash of rpId
    • . Otherwise, reject promise with a DOMException whose name is "SecurityError", and terminate this algorithm.

  1. If

extensions was specified
  1. the extensions member of options is present, process any extensions supported by this client platform, to produce the extension data that needs to be sent to the authenticator. If an error is encountered while processing an extension, skip that extension and do not produce any extension data for it. Call the result of this processing clientExtensions.

  2. Use assertionChallenge, callerOrigin and rpId, along with the token binding key associated with callerOrigin (if any), to create a ClientData structure representing this request. Choose a hash algorithm for hashAlg and compute the clientDataJSON and clientDataHash.

  3. Initialize issuedRequests to an empty list.

  4. For each authenticator currently available on this platform, perform the following steps:

undefined or
    • empty, let credentialList be an empty list. Otherwise, execute a platform-specific procedure to determine which, if any, credentials listed in allowList might be present on this authenticator, and set credentialList to this filtered list. If no such filtering is possible, set credentialList to an empty list.

    • For each credential C within the credentialList that has a non-empty transports list, optionally use only the specified transports to get assertions using credential C.

    • If the above filtering process concludes that none of the credentials on the allowList can possibly be on this authenticator, do not perform any of the following steps for this authenticator, and proceed to the next authenticator (if any).

    • Asynchronously invoke the authenticatorGetAssertion operation on this authenticator with

rpIdHash
    • rpId, clientDataHash, credentialList, and clientExtensions as parameters.

    • Add an entry to issuedRequests, corresponding to this request.

  1. While issuedRequests is not empty, perform the following actions depending upon the adjustedTimeout timer and responses from the authenticators:

    • If the timer for adjustedTimeout expires, then for each entry in issuedRequests invoke the authenticatorCancel operation on that authenticator and remove its entry from the list.

    • If any authenticator returns a status indicating that the user cancelled the operation, delete that authenticator’s entry from issuedRequests. For each remaining entry in issuedRequests invoke the authenticatorCancel operation on that authenticator, and remove its entry from the list.

    • If any authenticator returns an error status, delete the corresponding entry from issuedRequests.

    • If any authenticator returns success:

      • Remove this authenticator’s entry from issuedRequests.

      • Create a new

WebAuthnAssertion
      • AuthenticationAssertion object named value and populate its fields with the values returned from the authenticator as well as the clientDataJSON computed earlier.

      • For each remaining entry in issuedRequests invoke the authenticatorCancel operation on that authenticator and remove its entry from the list.

      • Resolve promise with value and terminate this algorithm.

  1. Reject promise with a DOMException whose name is "NotAllowedError", and terminate this algorithm.

During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and authorizing an authenticator with which to complete the operation.

4.2. Information about Scoped Credential (interface ScopedCredentialInfo)

[SecureContext]
interface ScopedCredentialInfo {
    readonly attribute ScopedCredential  attribute ArrayBuffer  credential clientDataJSON;
    readonly    attribute WebAuthnAttestationArrayBuffer  attestation attestationObject;
};
This interface represents a newly-created scoped credential. It contains information about the credential that can be used to locate it later for use, and also contains metadata that can be used by the Relying Party to assess the strength of the credential during registration.

The credential clientDataJSON attribute contains a unique identifier for the credential represented by this object.The attestation attribute contains an attestation statement returned by the authenticator. This provides information about the credential and the authenticator it is held in, such as the credential public key and the level of security assurance provided by the authenticator.the clientDataJSON (see §5.3 Credential Attestation) passed to the authenticator by the client in order to generate this credential. The exact JSON serialization must be preserved as a cryptographic hash (clientDataHash) has been computed over it.

The attestationObject attribute contains an attestation object. The contents of this object are determined by the attestation statement format used by the authenticator. This object is opaque to, and cryptographically protected against tampering by, the client. It contains the credential’s unique identifier, credential public key, and attestation statement. It also contains any additional information that the Relying Party’s server requires to validate the attestation statement, as well as to decode and validate the bindings of both the client and authenticator data. For more details, see §5.3 Credential Attestation.

4.3. User Account Information (dictionary Account)

dictionary Account {
    required DOMString rpDisplayName;
    required DOMString displayName;
    required DOMString id;
    DOMString          name;
    DOMString          imageURL;
};
This dictionary is used by the caller to specify information about the user account and Relying Party with which a credential is to be associated. It is intended to help the authenticator in providing a friendly credential selection interface for the user.

The rpDisplayName member contains the friendly name of the Relying Party, such as "Acme Corporation", "Widgets Inc" or "Awesome Site".

The displayName member contains the friendly name associated with the user account by the Relying Party, such as "John P. Smith".

The id member contains an identifier for the account, specified by the Relying Party. This is not meant to be displayed to the user. It is used by the Relying Party to control the number of credentials - an authenticator will never contain more than one credential for a given Relying Party under the same id.

The name member contains a detailed name for the account, such as "john.p.smith@example.com".

The imageURL member contains a URL that resolves to the user’s account image. This may be a URL that can be used to retrieve an image containing the user’s current avatar, or a data URI that contains the image data.

4.4. Parameters for Credential Generation (dictionary ScopedCredentialParameters)

dictionary ScopedCredentialParameters {
    required ScopedCredentialType  type;
    required AlgorithmIdentifier   algorithm;
};
This dictionary is used to supply additional parameters when creating a new credential.

The type member specifies the type of credential to be created.

The algorithm member specifies the cryptographic signature algorithm with which the newly generated credential will be used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.

4.5. Additional options for Credential Generation (dictionary ScopedCredentialOptions)

dictionary ScopedCredentialOptions {
    unsigned long                        timeout;
    timeoutSeconds;USVString     USVString                       rpId;
    sequence<ScopedCredentialDescriptor> excludeList = [];
 rpId;   Attachment  sequence < ScopedCredentialDescriptor >  excludeList;     WebAuthnExtensions               attachment;
    AuthenticationExtensions             extensions;
};
This dictionary is used to supply additional options when creating a new credential. All these parameters are optional.

4.5.1. Credential Attachment enumeration (enum Attachment)

enum Attachment {
    "platform",
    "cross-platform"
};

Clients may communicate with authenticators using a variety of mechanisms. For example, a client may use a platform-specific API to communicate with an authenticator which is physically bound to a platform. On the other hand, a client may use a variety of standardized cross-platform transport protocols such as Bluetooth (see §4.9.5 Credential Transport enumeration (enum ExternalTransport)) to discover and communicate with cross-platform attached authenticators. We define authenticators that are part of the client’s platform as having a platform attachment, and refer to them as platform authenticators. While those that are reachable via cross-platform transport protocols are defined as having cross-platform attachment, and refer to them as roaming authenticators.

This distinction is important because there are use-cases where only platform authenticators are acceptable to a Relying Party, and conversely ones where only roaming authenticators are employed. As a concrete example of the former, a credential on a platform authenticator may be used by Relying Parties to quickly and conveniently reauthenticate the user with a minimum of friction, e.g., the user will not have to dig around in their pocket for their key fob or phone. As a concrete example of the latter, when the user is accessing the Relying Party from a given client for the first time, they may be required to use a roaming authenticator which was originally registered with the Relying Party using a different client.

4.6. Web Authentication Assertion (interface WebAuthnAssertion AuthenticationAssertion)

[SecureContext]
interface WebAuthnAssertionAuthenticationAssertion {
    readonly attribute ScopedCredential  credential;
    readonly attribute ArrayBuffer       clientDataclientDataJSON;
    readonly attribute ArrayBuffer       authenticatorData;
    readonly attribute ArrayBuffer       signature;
};

Scoped credentials produce a cryptographic signature that provides proof of possession of a private key as well as evidence of user consent to a specific transaction. The structure of these signatures is defined as follows.

The credential member attribute represents the credential that was used to generate this assertion.

The clientData member clientDataJSON attribute contains the parameters sent to the authenticator by the client, in serialized form. See §4.109.1 Client data used in WebAuthn signatures (dictionary ClientData) for the format of this parameter and how it is generated.

The authenticatorData member attribute contains the serialized data returned by the authenticator. See §5.2.1 Authenticator data.

The signature member attribute contains the raw signature returned from the authenticator. See §5.2.2 Generating a signatureThe authenticatorGetAssertion operation.

4.7. Additional options for Assertion Generation (dictionary AssertionOptions)

dictionary AssertionOptions {
    unsigned long                            timeoutSecondstimeout;
    USVString                                rpId;
    sequence < ScopedCredentialDescriptor > allowList; = [];
  WebAuthnExtensions  AuthenticationExtensions                     extensions;
};
This dictionary is used to supply additional options when generating an assertion. All these parameters are optional.

4.8. WebAuthn Authentication Assertion Extensions (dictionary WebAuthnExtensions AuthenticationExtensions)

dictionary WebAuthnExtensionsAuthenticationExtensions {
};

This is a dictionary containing zero or more extensions as defined in §7 §8 WebAuthn Extensions. An extension is an additional parameter that can be passed to the getAssertion() method and triggers some additional processing by the client platform and/or the authenticator.

If the caller wishes to pass extensions to the platform, it MUST do so by adding one entry per extension to this dictionary with the extension identifier as the key, and the extension’s value as the value (see §7 §8 WebAuthn Extensions for details).

4.9.

Credential Attestation Structure (interface WebAuthnAttestation)
[SecureContext]
interface WebAuthnAttestation {
    readonly    attribute USVString     format;
    readonly    attribute ArrayBuffer   clientData;
    readonly    attribute ArrayBuffer   authenticatorData;
    readonly    attribute any           attestation;
};

Authenticators must also provide some form of attestation. The basic requirement is that the authenticator can produce, for each credential public key, attestation information that can be verified by a Relying Party. Typically, this information contains a signature by an attestation private key over the attested credential public key and a challenge, as well as a certificate or similar information providing provenance information for the attestation public key, enabling a trust decision to be made. However, if an attestation key pair is not available, then the authenticator MUST perform self attestation of the credential public key with the corresponding credential private key.

The format member specifies the format of attestation statement contained in this structure. Attestation formats are defined in §5.3.1 Attestation Formats. This specification supports a number of attestation formats, in §6 Defined Attestation Formats. Other attestation formats may be defined in later versions of this specification. The clientData member contains the clientDataJSON (see §5.2 Signature Format). The exact JSON encoding must be preserved as the hash (clientDataHash) has been computed over it.

The authenticatorData member contains the serialized data returned by the authenticator. See §5.2.1 Authenticator data.

The attestation element contains the actual attestation statement. The structure of this object depends on the attestation format. For more details, see §5.3 Credential Attestation Statements.

This attestation structure is delivered to the Relying Party by the Relying Party’s script running on the client, using methods outside the scope of this specification. It contains all the information that the Relying Party’s server requires to validate the statement, as well as to decode and validate the bindings of both the client and authenticator data.

4.10.

Supporting Data Structures

The scoped credential type uses certain data structures that are specified in supporting specifications. These are as follows.

4.

10

9.1. Client data used in WebAuthn signatures (dictionary ClientData)

The client data represents the contextual bindings of both the Relying Party and the client platform. It is a key-value mapping with string-valued keys. Values may be any type that has a valid encoding in JSON. Its structure is defined by the following Web IDL.

dictionary ClientData {
    required DOMString           challenge;
    required DOMString           origin;
    required AlgorithmIdentifier hashAlg;
    DOMString                    tokenBinding;
    WebAuthnExtensionsAuthenticationExtensions           extensions;
};
The challenge member contains the base64url encoding of the challenge provided by the RP.

The origin member contains the fully qualified origin of the requester, as provided to the authenticator by the client, in the syntax defined by [RFC6454].

The hashAlg member specifies the hash algorithm used to compute clientDataHash (see §5. 2.2 Generating a signature). Use "S256" for SHA-256, "S384" for SHA384, "S512" for SHA512, and "SM3" for SM3 (see §9 §10 IANA Considerations). This algorithm is chosen by the client at its sole discretion.

The tokenBinding member contains the base64url encoding of the Token Binding ID that this client uses for the Token Binding protocol when communicating with the Relying Party. This can be omitted if no Token Binding has been negotiated between the client and the Relying Party.

The optional extensions member contains additional parameters generated by processing the extensions passed in by the Relying Party. WebAuthn extensions are detailed in Section §7 §8 WebAuthn Extensions.

This structure is used by the client to compute the following quantities:

clientDataJSON

This is the UTF-8 encoded JSON serialization [RFC7159] of a ClientData dictionary. Any valid JSON serialization may be used by the client. This specification imposes no canonicalization requirements. Instead, the ScopedCredentialInfo and AuthenticationAssertion structures contain the actual serializations used by the client to generate them.

clientDataHash

This is the hash (computed using hashAlg) of clientDataJSON, as constructed by the client.

4.

10

9.2. Credential Type enumeration (enum ScopedCredentialType)

enum ScopedCredentialType {
    "ScopedCred"
};
This enumeration defines the valid credential types. It is an extension point; values may be added to it in the future, as more credential types are defined. The values of this enumeration are used for versioning the WebAuthn assertion Authentication Assertion and attestation structures according to the type of the authenticator.

Currently one credential type is defined, namely "ScopedCred".

4.

10

9.3. Unique Identifier for Credential (interface ScopedCredential)

[SecureContext]
interface ScopedCredential {
    readonly attribute ScopedCredentialType type;
    readonly attribute ArrayBuffer          id;
};

This interface contains the attributes that are returned to the caller when a new credential is created, and can be used later by the caller to select a credential for use.

The type attribute contains a value of type ScopedCredentialType, indicating the specification and version that this credential conforms to.

The id attribute contains an identifier for the credential, chosen by the platform with help from the authenticator. This identifier is used to look up credentials for use, and is therefore expected to be globally unique with high probability across all credentials of the same type, across all authenticators. This API does not constrain the format or length of this identifier, except that it must be sufficient for the platform to uniquely select a key. For example, an authenticator without on-board storage may create identifiers that consist of the key material wrapped with a key that is burned into the authenticator.

4.

10

9.4. Credential Descriptor (dictionary ScopedCredentialDescriptor)

dictionary ScopedCredentialDescriptor {
    required ScopedCredentialType type;
    required BufferSource   id;
    sequence < Transport >   transports;
};

This dictionary contains the attributes that are specified by a caller when referring to a credential as an input parameter to the makeCredential() or getAssertion() method. It mirrors the fields of the ScopedCredential object returned by these methods.

The type attribute member contains the type of the credential the caller is referring to.

The id attribute member contains the identifier of the credential that the caller is referring to.

4.

10

9.5. Credential Transport enumeration (enum ExternalTransport)

enum Transport {
    "usb",
    "nfc",
    "ble"
};
Authenticators may communicate with Clients using a variety of transports. This enumeration defines a hint as to how Clients might communicate with a particular Authenticator in order to obtain an assertion for a specific credential. Note that these hints represent the Relying Party’s best belief as to how an Authenticator may be reached. A Relying Party may obtain a list of transports hints from some attestation statement formats or via some out-of-band mechanism; it is outside the scope of this specification to define that mechanism.

4.

10

9.6. Cryptographic Algorithm Identifier (type AlgorithmIdentifier)

A string or dictionary identifying a cryptographic algorithm and optionally a set of parameters for that algorithm. This type is defined in [WebCryptoAPI].

5. WebAuthn Authenticator model

The API defined in this specification implies a specific abstract functional model for an authenticator. This section describes the authenticator model.

Client platforms may implement and expose this abstract model in any way desired. However, the behavior of the client’s Web Authentication API implementation, when operating on the authenticators supported by that platform, MUST be indistinguishable from the behavior specified in §4 Web Authentication API.

For authenticators, this model defines the logical operations that they must support, and the data formats that they expose to the client and the Relying Party. However, it does not define the details of how authenticators communicate with the client platform, unless they are required for interoperability with Relying Parties. For instance, this abstract model does not define protocols for connecting authenticators to clients over transports such as USB or NFC. Similarly, this abstract model does not define specific error codes or methods of returning them; however, it does define error behavior in terms of the needs of the client. Therefore, specific error codes are mentioned as a means of showing which error conditions must be distinguishable (or not) from each other in order to enable a compliant and secure client implementation. The overall requirement is that the behavior of the client’s Web Authentication API implementation, when operating on the authenticators supported by that platform, MUST be indistinguishable from the behavior specified in §4 Web Authentication API.In this abstract model, each

In this abstract model, the authenticator provides key management and cryptographic signatures. It may be embedded in the WebAuthn client, or housed in a separate device entirely. The authenticator may itself contain a cryptographic module which operates at a higher security level than the rest of the authenticator. This is particularly important for authenticators that are embedded in the WebAuthn client, as in those cases this cryptographic module (which may, for example, be a TPM) could be considered more trustworthy than the rest of the authenticator.

Each authenticator stores some number of scoped credentials. Each scoped credential has an identifier which is unique (or extremely unlikely to be duplicated) among all scoped credentials. Each credential is also associated with a Relying Party, whose identity is represented by a Relying Party Identifier (RP ID).

Each authenticator has an AAGUID, which is a 128-bit identifier that indicates the type (e.g. make and model) of the authenticator. The AAGUID MUST be chosen by the manufacturer to be identical across all substantially identical authenticators made by that manufacturer, and different (with probability 1-2-128 or greater) from the AAGUIDs of all other types of authenticators. The RP MAY use the AAGUID to infer certain properties of the authenticator, such as certification level and strength of key protection, using information from other sources.

The primary function of the authenticator is to provide WebAuthn signatures, which are bound to various contextual data. These data are observed, and added at different levels of the stack as a signature request passes from the server to the authenticator. In verifying a signature, the server checks these bindings against expected values. These contextual bindings are divided in two: Those added by the RP or the client, referred to as client data; and those added by the authenticator, referred to as the authenticator data. The authenticator signs over the client data, but is otherwise not interested in its contents. To save bandwidth and processing requirements on the authenticator, the client hashes the ClientData and sends only the result to the authenticator. The authenticator signs over the combination of this clientDataHash, and its own authenticator data.

The goals of this design can be summarized as follows.

Authenticators produce cryptographic signatures for two distinct purposes:

  1. An attestation signature is produced when a new credential is created, and provides cryptographic proof of certain properties of the credential and the authenticator. For instance, an attestation signature asserts the type of authenticator (as denoted by its AAGUID) and the public key of the credential. The attestation signature is signed by an attestation key, which is chosen depending on the type of attestation desired. For more details on attestation, see §5.3 Credential Attestation.

  2. An assertion signature is produced when the authenticatorGetAssertion method is invoked. It represents an assertion by the authenticator that the user has consented to a specific transaction, such as logging in, or completing a purchase. Thus, an assertion signature asserts that the authenticator which possesses a particular credential private key has established, to the best of its ability, that the human who is requesting this transaction is the same human who consented to creating that particular credential. It also provides additional information that might be useful to the caller, such as the means by which user consent was provided, and the prompt that was shown to the user by the authenticator.

The formats of these signatures, as well as the procedures for generating them, are specified below.

5.1. Authenticator data

The authenticator data structure, authenticatorData, encodes contextual bindings made by the authenticator. These bindings are controlled by the authenticator itself, and derive their trust from the Relying Party’s assessment of the security properties of the authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy than the ClientData. At the other extreme, the authenticator may be a discrete entity with high-security hardware and software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same format, and uses its knowledge of the authenticator to make trust decisions.

The authenticator data has a compact but extensible encoding. This is desired since authenticators can be devices with limited capabilities and low power requirements, with much simpler software stacks than the client platform components.

The encoding of authenticator data is a byte array of 37 bytes or more, as follows.

Length (in bytes) Description
32 SHA-256 hash of the RP ID associated with the credential.
1 Flags (bit 0 is the least significant bit):
  • Bit 0: Test of User Presence (TUP) result.

  • Bits 1-5: Reserved for future use (RFU).

  • Bit 6: Attestation data included (AT). Indicates whether the authenticator added attestation data.

  • Bit 7: Extension data included (ED). Indicates if the authenticator data has extensions.

4 Signature counter (signCount), 32-bit unsigned big-endian integer.
variable (if present) Attestation data (if present). See §5.3.1 Attestation data for details. Its length depends on the length of the credential public key and credential ID being attested.
variable (if present) Extension-defined authenticator data. This is a CBOR [RFC7049] map with extension identifiers as keys, and extension authenticator data values as values. See §8 WebAuthn Extensions for details.

The RP ID is originally received from the client when the credential is created, and again when an assertion is generated. However, it differs from other client data in some important ways. First, unlike the client data, the RP ID of a credential does not change between operations but instead remains the same for the lifetime of that credential. Secondly, it is validated by the authenticator during the authenticatorGetAssertion operation, by verifying that the RP ID associated with the requested credential exactly matches the RP ID supplied by the client.

The TUP flag SHALL be set if and only if the authenticator detected a user through an authenticator specific gesture. The RFU bits in the flags byte SHALL be set to zero.

For attestation signatures, the authenticator MUST set the AT flag and include the attestation data. For authentication signatures, the AT flag MUST NOT be set and the attestation data MUST NOT be included.

If the authenticator does not include any extension data, it MUST set the ED flag in the first byte to zero, and to one if extension data is included.

The figure below shows a visual representation of the authenticator data structure.

authenticatorData layout.

Note that the authenticatorData describes its own length: If the AT and ED flags are not set, it is always 37 bytes long. The attestation data (which is only present if the AT flag is set) describes its own length. If the ED flag is set, then the total length is 37 bytes plus the length of the attestation data, plus the length of the CBOR map that follows.

5.2. Authenticator operations

A client must connect to an authenticator in order to invoke any of the operations of that authenticator. This connection defines an authenticator session. An authenticator must maintain isolation between sessions. It may do this by only allowing one session to exist at any particular time, or by providing more complicated session management.

The following operations can be invoked by the client in an authenticator session.

5.

1

2.1. The authenticatorMakeCredential operation

This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following input parameters:

When this operation is invoked, the authenticator must perform the following procedure:

On successful completion of this operation, the authenticator must return returns the following attestation object to the client:

The type and unique identifier of the new credential

.

  • The new credential public key.

  • The fields of the attestation structure WebAuthnAttestation, including information about the attestation format used.

  • 5.

    1

    2.2. The authenticatorGetAssertion operation

    This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following input parameters:

    When this method is invoked, the authenticator must perform the following procedure:

    Generating a signature on the authenticator.

    On successful completion, the authenticator must return returns to the user agent:

    If the authenticator cannot find any credential corresponding to the specified Relying Party that matches the specified criteria, it terminates the operation and returns an error.

    If the user refuses consent, the authenticator returns an appropriate error status to the client.

    5.

    1

    2.3. The authenticatorCancel operation

    This operation takes no input parameters and returns no result.

    When this operation is invoked by the client in an authenticator session, it has the effect of terminating any authenticatorMakeCredential or authenticatorGetAssertion operation currently in progress in that authenticator session. The authenticator stops prompting for, or accepting, any user input related to authorizing the canceled operation. The client ignores any further responses from the authenticator for the canceled operation.

    This operation is ignored if it is invoked in an authenticator session which does not have an authenticatorMakeCredential or authenticatorGetAssertion operation currently in progress.

    5.

    2

    3.

    Signature Format

    WebAuthn signatures are bound to various contextual data. These data are observed, and added at different levels of the stack as a signature request passes from the server to the authenticator. In verifying a signature, the server checks these bindings against expected values.

    The components of a system using WebAuthn can be divided into three layers:

    1. The Relying Party (RP), which uses the WebAuthn services. The RP consists of a server component and a web-application running in a browser.

    2. The WebAuthn Client platform, which consists of the User Agent and the OS and device on which it executes.

    3. The Authenticator itself, which provides key management and cryptographic signatures. This may be embedded in the WebAuthn client, or housed in a separate device entirely. In the latter case, the interface between the WebAuthn client and the authenticator is a separately-defined protocol. The authenticator may itself contain a cryptographic module which operates at a higher security level than the rest of the authenticator. This is particularly important for authenticators that are embedded in the WebAuthn client, as in those cases this cryptographic module (which may, for example, be a TPM) could be considered more trustworthy than the rest of the authenticator.

    This specification defines the common signature format shared by all the above layers. This includes how the different contextual bindings are encoded, signed over, and delivered to the RP.

    The goals of this design can be summarized as follows.

    The contextual bindings are divided in two: Those added by the RP or the client platform, referred to as client data; and those added by the authenticator, referred to as the authenticator data. The client data must be signed over, but an authenticator is otherwise not interested in its contents. To save bandwidth and processing requirements on the authenticator, the client platform hashes the ClientData and sends only the result to the authenticator. The authenticator signs over the combination of this clientDataHash, and its own authenticator data.

    5.2.1. Authenticator data

    The authenticator data, authenticatorData, encodes contextual bindings made by the authenticator itself. These bindings are controlled by the authenticator itself, and derive their trust from the Relying Party’s assessment of the security of the authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy than the ClientData. At the other extreme, the authenticator may be a discrete entity with high-security hardware and software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same format, and uses its knowledge of the authenticator to make trust decisions.

    The authenticator data has a compact but extensible encoding. This is desired since authenticators can be devices with limited capabilities and low power requirements, with much simpler software stacks than the client platform components.

    The encoding of authenticator data is a byte array of 37 bytes or more, as follows.

    Length (in bytes) Description
    32 SHA-256 hash of the RP ID associated with the credential.
    1 Flags (bit 0 is the least significant bit):
    • Bit 0: Test of User Presence (TUP) result.

    • Bits 1-5: Reserved for future use (RFU).

    • Bit 6: Attestation data included (AT). Indicates whether the authenticator added attestation data.

    • Bit 7: Extension data included (ED). Indicates if the authenticator data has extensions.

    4 Signature counter (signCount), 32-bit unsigned big-endian integer.
    variable (if present) Attestation data (if present). See §5.3.3 Generating an Attestation Statement for details. Its length n depends on the length of the credential public key and credential ID being attested.
    variable (if present) Extension-defined authenticator data. This is a CBOR [RFC7049] map with extension identifiers as keys, and extension authenticator data values as values. See §7 WebAuthn Extensions for details.

    The RP ID hash is originally received from the client when the credential is created, and again when an assertion is generated. However, it differs from other client data in some important ways. First, unlike the client data, the RP ID of a credential does not change between operations but instead remains the same for the lifetime of that credential. Secondly, it is validated by the authenticator during the authenticatorGetAssertion operation, by making sure that the RP ID hash associated with the requested credential exactly matches the RP ID hash supplied by the client. These differences also explain why the RP ID hash is always a SHA-256 hash instead of being crypto-agile like the clientDataHash; for a given RP ID, we need the hash to be computed the same way by all clients for all operations so that authenticators can roam among clients without losing interoperability.

    The TUP flag SHALL be set if and only if the authenticator detected a user through an authenticator specific gesture. The RFU bits in the flags byte SHALL be set to zero.

    For attestation signatures, the authenticator MUST set the AT flag and include the attestation data. For authentication signatures, the AT flag MUST NOT be set and the attestation data MUST NOT be included.

    If the authenticator does not include any extension data, it MUST set the ED flag in the first byte to zero, and to one if extension data is included.

    The figure below shows a visual representation of the authenticator data structure.

    authenticatorData layout.

    Note that the authenticatorData describes its own length: If the AT and ED flags are not set, it is always 37 bytes long. The attestation data (which is only present if the AT flag is set) describes its own length. If the ED flag is set, then the total length is 37 bytes plus the length of the attestation data, plus the length of the CBOR map that follows.

    5.2.2. Generating a signature

    A raw cryptographic signature must assert the integrity of both the client data and the authenticator data. Thus, an authenticator SHALL compute a signature over the concatenation of the authenticatorData and the clientDataHash.

    Generating a signature on the authenticator.

    A simple, undelimited concatenation is safe to use here because the authenticatorData describes its own length. The clientDataHash (which potentially has a variable length) is always the last element.

    The authenticator MUST return both the authenticatorData and the raw signature back to the client. The client, in turn, MUST return clientDataJSON, authenticatorData and the signature to the RP. The first two are returned in the clientData and authenticatorData members respectively of the WebAuthnAssertion and WebAuthnAttestation structures.

    5.2.3. Verifying a signature

    This section specifies the algorithm for verifying a signature assertion.

    Upon receiving a signature assertion in the form of a WebAuthnAssertion structure, the Relying Party shall:

    1. Perform JSON decoding to extract the ClientData used for the assertion from the clientData.

    2. Verify that the challenge in the ClientData matches the challenge that was sent to the authenticator.

    3. Verify that the origin in the ClientData matches the Relying Party’s origin.

    4. Verify that the tokenBinding (if present) in the ClientData matches the token binding public key for the TLS connection over which the attestation was obtained.

    5. Verify that the extensions in the ClientData is a proper subset of the extensions requested by the RP.

    6. Verify that the RP ID hash in the authenticatorData is indeed the SHA-256 hash of the RP ID expected by the RP.

    7. Compute the clientDataHash, i.e. hash of clientData.

    8. Look up the previously registered public key associated with the credential (see makeCredential()) and verify the signature in signature computed over the binary concatenation of authenticatorData and clientDataHash.

    If all the above steps succeed, then the signature is valid, otherwise it is invalid.

    5.3. Credential Attestation StatementsA credential attestation statement

    Credential Attestation

    Authenticators must also provide some form of attestation. The basic requirement is that the authenticator can produce, for each credential public key, attestation information that can be verified by a Relying Party. Typically, this information contains a signature by an attestation private key over the attested credential public key and a challenge, as well as a certificate or similar information providing provenance information for the attestation public key, enabling a trust decision to be made. However, if an attestation key pair is not available, then the authenticator MUST perform self attestation of the credential public key with the corresponding credential private key. All this information is returned by the authenticator any time a new credential is generated, in the form of an attestation object. The relationship of authenticator data and the attestation data, attestation object, and attestation statement data structures is illustrated in the figure below.

    Relationship of authenticator data and attestation data structures.

    An important component of the attestation object is the credential attestation statement. This is a specific type of signed data object, containing statements about a credential itself and the authenticator that created it. It is contains an attestation signature created using the process described in §5.2 Signature Format, with the important difference that the signature is generated not using the private key associated with the credential but using the key of the attesting authority (except for the case of self attestation, when it is created using the private key associated with the credential). In order to correctly interpret an attestation statement, a Relying Party needs to understand two aspects of the attestation:

    1. The attestation statement format is the manner in which the signature is represented and the various contextual bindings are incorporated into the attestation statement by the authenticator. In other words, this defines the syntax of the statement. Various existing devices and platforms (such as TPMs and the Android OS) have previously defined attestation statement formats. This specification supports a variety of such formats in an extensible way, as defined in §5.3.1 2 Attestation Statement Formats.

    2. The attestation type defines the semantics of the attestation statement and its underlying trust model. It defines how a Relying Party establishes trust in a particular attestation statement, after verifying that it is cryptographically valid. This specification supports a number of attestation types, as described in §5.3.3 Attestation Types.

    In general, there is no simple mapping between attestation statement formats and attestation types. For example the "packed" attestation statement format defined in §6§7.2 Packed Attestation Statement Format can be used in conjunction with all attestation types, while other formats and types have more limited applicability.

    The privacy, security and operational characteristics of attestation depend on:

    It is expected that most authenticators will support a small number of attestation types and attestation statement formats, while Relying Parties will decide what attestation types are acceptable to them by policy. Relying Parties will also need to understand the characteristics of the authenticators that they trust, based on information they have about these authenticators. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to access such information.

    5.3.1. Attestation data

    Attestation data is added to the authenticatorData when generating an attestation object for a given credential. It has the following format:

    Length (in bytes) Description
    16 The AAGUID of the authenticator.
    2 Byte length L of Credential ID
    L Credential ID
    variable Credential public key encoded in CBOR format. This is a CBOR map defined by the following CDDL rules:
                pubKey = $pubKeyFmt
    
                ; All public key formats must include an alg name
                pubKeyTemplate = { alg: text }
                pubKeyTemplate .within $pubKeyFmt
    
                pubKeyFmt /= rsaPubKey
                rsaPubKey = { alg: rsaAlgName, n: biguint, e: uint }
                rsaAlgName = "RS256" / "RS384" / "RS512" / "PS256" / "PS384" / "PS512"
    
                pubKeyFmt /= eccPubKey
                eccPubKey = { alg: eccAlgName, x: biguint, y: biguint }
                eccAlgName = "ES256" / "ES384" / "ES512"
    
    

    Thus, each public key type is a CBOR map starting with an entry named alg, which contains a text string that specifies the name of the signature algorithm associated with the credential private key, using values defined in [RFC7518] section 3.1. The semantics and naming of the other fields (though not their encoding) follows the definitions in [RFC7518] section 6. Specifically, for ECC keys, the semantics of the x and y fields are defined in [RFC7518] sections 6.2.1.2 and 6.2.1.3, while for RSA keys, the semantics of the n and e fields are defined in [RFC7518] sections 6.3.1.1 and 6.3.1.2.

    5.3.2. Attestation Statement Formats

    As described above, an attestation statement format is a data format which represents a cryptographic signature by an authenticator over a set of contextual bindings. Each attestation statement format is defined by the following attributes:

    The initial list of supported attestation statement formats is in §6 §7 Defined Attestation Statement Formats.

    5.3.

    2

    3. Attestation Types

    WebAuthn supports multiple attestation types:

    Basic Attestation

    In the case of basic attestation [UAFProtocol], the authenticator’s attestation key pair is specific to an authenticator model. Thus, authenticators of the same model often share the same attestation key pair. See §5.3.5.1 Privacy for futher information.

    Self Attestation

    In the case of self attestation, also known as surrogate basic attestation [UAFProtocol], the Authenticator doesn’t have any specific attestation key. Instead it uses the authentication key itself to sign create the attestation statementsignature. Authenticators without meaningful protection measures for an attestation private key typically use this attestation type.

    Privacy CA

    In this case, the Authenticator owns an authenticator-specific (endorsement) key. This key is used to securely communicate with a trusted third party, the Privacy CA. The Authenticator can generate multiple attestation key pairs and asks the Privacy CA to issue an attestation certificate for it. Using this approach, the Authenticator can limit the exposure of the endorsement key (which is a global correlation handle) to Privacy CA(s). Attestation keys can be requested for each scoped credential individually.

    Note: This concept typically leads to multiple attestation certificates. The attestation certificate requested most recently is called "active".

    Direct Anonymous Attestation (DAA)

    In this case, the Authenticator receives DAA credentials from a single DAA-Issuer. These DAA credentials are used along with blinding to sign the attestation data. The concept of blinding avoids the DAA credentials being misused as global correlation handle. WebAuthn supports DAA using elliptic curve cryptography and bilinear pairings, called ECDAA (see [FIDOEcdaaAlgorithm]) in this specification.

    5.3.

    3

    4. Generating an Attestation

    Statement

    Object

    This section specifies the algorithm for generating an attestation statement, independent of attestation object for any attestation statement format.

    When requested In order to generate construct an attestation statement object for a given credential using a particular attestation statement format, the authenticator MUST first generate an authenticatorData structure, with the attestation data field populated as follows:

    Length (in bytes) Description 16 The AAGUID of the authenticator

    .

    2 Byte length l of Credential ID (length) Credential ID (l bytes) 2 Public key algorithm and encoding (16-bit big-endian value). Allowed values are:
    1. 0x0100. This is raw ANSI X9.62 formatted Elliptic Curve public key [SEC1], i.e., [0x04, X (n bytes), Y (n bytes)], where the byte 0x04 denotes the uncompressed point compression method and n denotes the key length in bytes.

    2. 0x0102. Raw encoded RSA PKCS1 or RSASSA-PSS public key [RFC3447]. In the case of RSASSA-PSS, the default parameters according to [RFC4055] MUST be assumed, i.e.,

      • Mask Generation Algorithm MGF1 with SHA256

      • Salt Length of 32 bytes, i.e., the length of a SHA256 hash value.

      • Trailer Field value of 1, which represents the trailer field with hexadecimal value 0xBC.

      That is, [modulus (256 bytes), e (m-n bytes)], where m is the total length of the field. This total length should be taken from the object containing this key

    2 Byte length m of following credential public key bytes (16 bit value with most significant byte first). (length)

    The

    credential public key (m bytes) according to the encoding denoted before.

    The authenticator MUST then concatenate this authenticatorData and the client-supplied clientDataHash as specified in §5.2.2 Generating a signature to form attToBeSigned. It must then run the signing procedure for the desired attestation statement format , with attToBeSigned as input.

    5.3.4. Verifying an Attestation Statement

    This section specifies the algorithm for verifying an attestation statement, independent of attestation format.

    Upon receiving an attestation statement in the form of a WebAuthnAttestation structure, the Relying Party shall:

    1. Perform JSON decoding to extract the ClientData used for the attestation from the clientData.

    2. Verify that the challenge in the ClientData matches the challenge that was sent to the authenticator.

    3. Verify that the origin in the ClientData matches the Relying Party’s origin.

    4. Verify that the tokenBinding in the ClientData matches the token binding ID for the TLS connection over which the attestation was obtained.

    5. Verify that the extensions in the ClientData is a proper subset of the extensions requested by the RP.

    6. Verify that the RP ID hash in the authenticatorData is indeed the SHA-256 hash of the RP ID expected by the RP.

    7. Perform an ASCII case-insensitive match on format to determine the attestation format.

    8. Look up the attestation root certificate or DAA root key from a trusted source. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to access such information. The AAGUID in the authenticatorData can be used for this lookup.

    9. Using the verification process for the above attestation format, validate that the attestation attestation is valid for the given authenticatorData, clientData and the above trust anchor.

    The Relying Party MAY take any of the below actions when verification of an attestation statement fails, according to its policy:

    Verification of attestation statements requires that the Relying Party has a trusted method of determining the trust anchor in Step 8 above. Also, if certificates are being used, the Relying Party must have access to certificate status information for the intermediate CA certificates. The Relying Party must also be able to build the attestation certificate chain if the client didn’t provide this chain in the attestation informationwith this authenticatorData and the client-supplied clientDataHash as input, and use this to construct an attestation statement in that attestation statement format.

    Finally, the authenticator MUST construct the attestation object as a CBOR map with the following syntax:

    attObj = {
                authData: bytes,
                $$attStmtType
             }
    
    attStmtTemplate = (
                          fmt: text,
                          attStmt: bytes
                      )
    
    ; Every attestation statement format must have the above fields
    attStmtTemplate .within $$attStmtType
    
    

    The semantics of the fields in the attestation object are as follows:

    fmt

    The attestation statement format identifier associated with the attestation statement. Each attestation statement format defines its identifier.

    authData

    The authenticator data used to generate the attestation statement.

    attStmt

    The attestation statement constructed above. The syntax of this is defined by the attestation statement format used.

    5.3.5. Security Considerations

    5.3.5.1. Privacy

    Attestation keys may be used to track users or link various online identities of the same user together. This may be mitigated in several ways, including:

    5.3.5.2. Attestation Certificate and Attestation Certificate CA Compromise

    When an intermediate CA or a root CA used for issuing attestation certificates is compromised, WebAuthn Authenticator attestation keys are still safe although their certificates can no longer be trusted. A WebAuthn Authenticator manufacturer that has recorded the public attestation keys for their devices can issue new attestation certificates for these keys from a new intermediate CA or from a new root CA. If the root CA changes, the Relying Parties must update their trusted root certificates accordingly.

    A WebAuthn Authenticator attestation certificate must be revoked by the issuing CA if its key has been compromised. A WebAuthn Authenticator manufacturer may need to ship a firmware update and inject new attestation keys and certificates into already manufactured WebAuthn Authenticators, if the exposure was due to a firmware flaw. (The process by which this happens is out of scope for this specification.) If the WebAuthn Authenticator manufacturer does not have this capability, then it may not be possible for Relying Parties to trust any further valid attestation statements from the affected WebAuthn Authenticators.

    If attestation certificate validation fails due to a revoked intermediate attestation CA certificate, and the Relying Party’s policy requires rejecting the registration/authentication request in these situations, then it is recommended that the Relying Party also un-registers (or marks with a trust level equivalent to "self attestation") scoped credentials that were registered after the CA compromise date using an attestation certificate chaining up to the same intermediate CA. It is thus recommended that Relying Parties remember intermediate attestation CA certificates during Authenticator registration in order to un-register related Scoped Credentials if the registration was performed after revocation of such certificates.

    If a DAA attestation key has been compromised, it can be added to the RogueList (i.e., the list of revoked authenticators) maintained by the related DAA-Issuer. The Relying Party should verify whether an authenticator belongs to the RogueList when performing DAA-Verify. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to access such information.

    5.3.5.3. Attestation Certificate Hierarchy

    A 3-tier hierarchy for attestation certificates is recommended (i.e., Attestation Root, Attestation Issuing CA, Attestation Certificate). It is also recommended that for each WebAuthn Authenticator device line (i.e., model), a separate issuing CA is used to help facilitate isolating problems with a specific version of a device.

    If the attestation root certificate is not dedicated to a single WebAuthn Authenticator device line (i.e., AAGUID), the AAGUID should be specified in the attestation certificate itself, so that it can be verified against the authenticatorData.

    6. Relying Party Operations

    Upon successful execution of a makeCredential() or getAssertion() call, the Relying Party’s script receives a ScopedCredentialInfo or AuthenticationAssertion structure respectively from the client. It must then deliver the contents of this structure to the Relying Party, using methods outside the scope of this specification. This section describes the operations that the Relying Party must perform upon receipt of these structures.

    6.1. Registering a new credential

    When requested to register a new credential, represented by a ScopedCredentialInfo structure, as part of a registration ceremony, a Relying Party MUST proceed as follows:

    1. Perform JSON deserialization on the clientDataJSON field of the ScopedCredentialInfo object to extract the ClientData C claimed to have been used for the credential’s attestation.

    2. Verify that the challenge in C matches the challenge that was sent to the authenticator in the makeCredential() call.

    3. Verify that the origin in C matches the Relying Party’s origin.

    4. Verify that the tokenBinding in C matches the token binding ID for the TLS connection over which the attestation was obtained.

    5. Verify that the extensions in C is a proper subset of the extensions requested by the RP.

    6. Compute the clientDataHash over clientDataJSON using the hashAlg algorithm found in C.

    7. Perform CBOR decoding on the attestationObject field of the ScopedCredentialInfo structure to obtain the attestation statement format fmt, the authenticator data authData, and the attestation statement attStmt.

    8. Verify that the RP ID hash in authData is indeed the SHA-256 hash of the RP ID expected by the RP.

    9. Determine the attestation statement format by performing an ASCII case-insensitive match on fmt against the set of WebAuthn Attestation Statement Format Identifiers given in the IANA Registry of the same name [WebAuthn-Registries].

    10. Verify that attStmt is a correct, validly-signed attestation statement, using the attestation statement format fmt’s verification procedure given authenticator data authData and the clientDataHash computed in step 6.

    11. If validation is successful, obtain a list of acceptable trust anchors (attestation root certificates or DAA root keys) for that attestation type and attestation statement format fmt, from a trusted source or from policy. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information, using the AAGUID in the attestation data contained in authData.

    12. Assess the attestation trustworthiness using the outputs of the verification procedure in step 10, as follows:

      • If self-attestation was used, check if self-attestation is acceptable under Relying Party policy.

      • If DAA was used, verify that the DAA key used is in the set of acceptable trust anchors obtained in step 11.

      • Otherwise, use the X.509 certificates returned by the verification procedure to verify that the attestation public key correctly chains up to an acceptable root certificate.

    13. If the attestation statement attStmt verified successfully and is found to be trustworthy, then register the new credential with the account that was denoted in the accountInformation passed to makeCredential(), by associating it with the credential ID and credential public key contained in authData’s attestation data, as appropriate for the Relying Party’s systems.

    14. If the attestation statement attStmt successfully verified but is not trustworthy per step 12 above, the Relying Party SHOULD fail the registration ceremony.

      NOTE: However, if permitted by policy, the Relying Party MAY register the credential ID and credential public key but treat the credential as one with self-attestation (see §5.3.3 Attestation Types). If doing so, the Relying Party is asserting there is no cryptographic proof that the Scoped Credential has been generated by a particular Authenticator model. See [FIDOSecRef] and [UAFProtocol] for a more detailed discussion.

    15. If verification of the attestation statement failed, the Relying Party MUST fail the registration ceremony.

    Verification of attestation objects requires that the Relying Party has a trusted method of determining acceptable trust anchors in step 11 above. Also, if certificates are being used, the Relying Party must have access to certificate status information for the intermediate CA certificates. The Relying Party must also be able to build the attestation certificate chain if the client did not provide this chain in the attestation information.

    To avoid ambiguity during authentication, the Relying Party SHOULD check that each credential is registered to no more than one user. If registration is requested for a credential that is already registered to a different user, the Relying Party SHOULD fail this ceremony, or it MAY decide to accept the registration, e.g. while deleting the older registration.

    6.2. Verifying an authentication assertion

    When requested to authenticate a given AuthenticationAssertion structure as part of an authentication ceremony, the Relying Party MUST proceed as follows:

    1. Using the id attribute contained in the credential attribute of the given AuthenticationAssertion structure, look up the corresponding credential public key.

    2. Let cData, aData and sig denote the clientDataJSON, authenticatorData and signature attributes of the given AuthenticationAssertion structure, respectively.

    3. Perform JSON deserialization on cData to extract the ClientData C used for the signature.

    4. Verify that the challenge member of C matches the challenge that was sent to the authenticator in the getAssertion() call.

    5. Verify that the origin member of C matches the Relying Party’s origin.

    6. Verify that the tokenBinding member of C (if present) matches the token binding ID for the TLS connection over which the signature was obtained.

    7. Verify that the extensions member of C is a proper subset of the extensions requested by the RP.

    8. Verify that the RP ID hash in aData is the SHA-256 hash of the RP ID expected by the RP.

    9. Let hash be the result of computing a hash over the cData using the algorithm represented by the hashAlg member of C.

    10. Using the credential public key looked up in step 1, verify that sig is a valid signature over the binary concatenation of aData and hash.

    11. If all the above steps are successful, continue with the authentication ceremony as appropriate. Otherwise, fail the authentication ceremony.

    7. Defined Attestation Statement Formats

    WebAuthn supports pluggable attestation data statement formats. This section defines an initial set of such formats.

    6

    7.1. Attestation Statement Format Identifiers

    Attestation statement formats are identified by a string, called a attestation statement format identifier, chosen by the author of the attestation statement format author.

    Attestation statement format identifiers SHOULD be registered per [WebAuthn-Registries] "Registries for Web Authentication (WebAuthn)". All registered attestation statement format identifiers are unique amongst themselves as a matter of course.

    Unregistered attestation statement format identifiers SHOULD use reverse domain-name naming, using a domain name registered by the attestation type developer, in order to assure uniqueness of the identifier. All attestation statement format identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable USASCII characters, i.e., VCHAR as defined in [RFC5234] (note: this means attestation statement format identifiers based on domain names MUST incorporate only LDH Labels [RFC5890]). Implementations MUST match WebAuthn attestation statement format identifiers in a case-insensitive fashion.

    Attestation statement formats that may exist in multiple versions SHOULD include a version in their identifier. In effect, different versions are thus treated as different extensionsformats, e.g., packed2 as a new version of the packed attestation statement format.

    The following sections present a set of currently-defined and registered attestation statement formats and their identifiers. See the WebAuthn Attestation Statement Format Identifier Registry defined in [WebAuthn-Registries] for an up-to-date list of registered WebAuthn Attestation Formatsattestation statement formats.

    6

    7.2. Packed Attestation Statement Format

    Packed attestation This is a WebAuthn optimized attestation statement format of attestation data. It uses a very compact but still extensible encoding method. Encoding this format can even be implemented It is implementable by authenticators with very limited resources (e.g., secure elements).

    Attestation statement format identifier

    packed

    Attestation types supported

    All

    Syntax

    A The syntax of a Packed Attestation statement has is defined by the following formatCDDL:

    interface
     
    
    PackedAttestation
       $$attStmtType //= (
                              fmt: "packed",
                              attStmt: packedStmtFormat
                          )
    
        packedStmtFormat = {
        
    
    readonly
        
    
    attribute
     
    
    ArrayBuffer
       
    
    x5c; readonly attribute ArrayBuffer daaKey;
                   alg: rsaAlgName / eccAlgName,
                               sig: bytes,
                               x5c: [ attestnCert: bytes, * (caCert: bytes) ]
              
    
    readonly
        
    
    attribute
     
    
    DOMString
         
    
    alg; readonly
       } //
                           {
                               alg: "ED256" / "ED512",
         
    
    attribute
     
    
    ArrayBuffer
       
    
    signature; }; The x5c attribute contains the attestation certificate and its certificate chain as described in [RFC7515] section 4.1.6. The alg element contains
                      sig: bytes,
                               daaKey: eccPubKey
                           }
    
    

    The semantics of the fields are as follows:

    alg

    A text string containing the name of the algorithm used to generate the attestation signature

    according to [RFC7518] section

    . The types rsaAlgName and eccAlgName are as defined in §5.3.1

    . The following algorithms are supported:
    1. "ES256" [RFC7518]

    2. "RS256" [RFC7518]

    3. "PS256" [RFC7518]

    4. "ED256" [FIDOEcdaaAlgorithm]

    5. "ED512" [FIDOEcdaaAlgorithm]

    The signature element contains the attestation signature.

    Signing procedure

    The authenticator signs the attToBeSigned using the attestation private key.

    Verification procedure

    Attestation data. "ED256" and "ED512" refer to algorithms defined in [FIDOEcdaaAlgorithm].

    sig

    A byte string containing the attestation signature.

    x5c

    The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format. The attestation certificate must be the first element in the array.

    daaKey

    The DAA root key. The syntax for eccPubKey is defined in §5.3.1 Attestation data.

    Signing procedure

    The signing procedure for this attestation statement format is similar to the procedure for generating assertion signatures.

    If Basic or Privacy CA attestation is in use, the authenticator produces the sig by concatenating the given authenticatorData and clientDataHash, and signing the result using an attestation private key selected through an authenticator-specific mechanism. It sets x5c to the certificate chain of the attestation public key and alg to the algorithm of the attestation private key.

    If DAA is in use, the authenticator produces sig by concatenating the given authenticatorData and clientDataHash, and signing the result using DAA-Sign with a DAA root key selected through an authenticator-specific mechanism (see [FIDOEcdaaAlgorithm]). It sets alg to the algorithm of the DAA root key and daaKey to the DAA root key.

    If self attestation is in use, the authenticator produces sig by concatenating the given authenticatorData and clientDataHash, and signing the result using the credential private key. It sets alg to the algorithm of the credential private key, and omits the other fields.

    Verification procedure

    Verify that the given attestation statement is valid CBOR conforming to the syntax defined above.

    If x5c is present, this indicates that the attestation type is not DAA. In this case:

    daaKey is present, then the attestation type is DAA. In this case:
    • Verify that alg is "ED256" or "ED512".

    • Perform DAA-Verify on signature (see [FIDOEcdaaAlgorithm]).

    • If x5c contains an extension with OID 1 3 6 1 4 1 45724 1 1 4 (id-fido-gen-ce-aaguid) verify that the value of this extension matches the AAGUID in the claimed authenticatorData.

    • If successful, return attestation type Basic and trust path x5c.

    If daaKey is present, then the attestation type is DAA. In this case:

    If neither x5c nor daaKey is present, self attestation is in use.

    • Verify the signature using Validate that alg matches the algorithm of the credential public private key in the claimed authenticatorData.

    • Validate that alg matches the algorithm in authenticatorData.

    6.
    • Verify that sig is a valid signature over the concatenation of the given authenticatorData and clientDataHash using the credential public key with alg.

    • If successful, return attestation type Self and empty trust path.

    7.2.1. Packed attestation statement certificate requirements

    The attestation certificate MUST have the following fields/extensions:

    6

    7.3. TPM Attestation Statement Format

    This attestation statement format is generally used by authenticators that use a Trusted Platform Model Module as their cryptographic engine.

    Attestation statement format identifier

    tpm

    Attestation types supported

    Privacy CA, DAA

    Syntax

    A The syntax of a TPM Attestation statement has the following formatis as follows:

    interface
     
    
    TpmAttestation
       $$attStmtType // = (
                               fmt: "tpm",
                               attStmt: tpmStmtFormat
                           )
        
        tpmStmtFormat = {
        
    
    readonly
        
    
    attribute
     
    
    DOMString
         
    
    tpmVersion;
         
    
    readonly
        
    
    attribute
     
    
    ArrayBuffer x5c; readonly attribute ArrayBuffer daaKey;
    ver: "2.0",
                            (
                                alg: rsaAlgName / eccAlgName,
                                x5c: [ aikCert: bytes, * (caCert: bytes) ]
              
    
    readonly
        
    
    attribute
     
    
    ArrayBuffer
       
    
    certifyInfo;
         
    
    readonly
     ) //
     
    
    attribute
     
    
    DOMString
         
    
    alg; readonly
                     (
                                alg:  "ED256" / "ED512",
        
    
    attribute
     
    
    ArrayBuffer
       
    
    signature; }; The tpmVersion field contains the
                        daaKey: eccPubKey
                            ),
                            sig: bytes,
                            certInfo: bytes,
                            pubArea: bytes
                        }
    
    

    The semantics of the above fields are as follows:

    ver

    The version of the TPM specification to which the signature conforms.

    Currently supported versions are "1.2" and "2.0". The x5c attribute contains the attestation certificate and its certificate chain as described in [RFC7515] section 4.1.6. This will be an AIK certificate.The alg element contains the name of the algorithm used to generate the attestation signature according to [RFC7518] section 3.1. The following algorithms are supported:
    1. "RSA1_5" [RFC7518] (TPM v1.2 only)

    2. "ES256" [RFC7518] (TPM v2.0 only)

    3. "RS256" [RFC7518] (TPM v2.0 only)

    4. "PS256" [RFC7518] (TPM v2.0 only)

    5. "ED256" [FIDOEcdaaAlgorithm] (TPM v2.0 only)

    6. "ED512" [FIDOEcdaaAlgorithm] (TPM v2.0 only)

    The signature element contains the attestation signature.

    Signing procedure

    If using TPM version 1.2, generate a signature using the procedure specified in [TPMv1-2-Part3] Section 13.8 or Section 13.9, using the attestation private key and setting the antiReplay parameter to the SHA-1 hash of attToBeSigned.

    If using TPM version 2.0, generate

    alg

    The name of the algorithm used to generate the attestation signature. The types rsaAlgName and eccAlgNAme are as defined in §5.3.1 Attestation data. The types "ED256" and "ED512" refer to the algorithms specified in [FIDOEcdaaAlgorithm].

    x5c

    The AIK certificate used for the attestation and its certificate chain, in X.509 encoding.

    daaKey

    The DAA root key. The syntax for eccPubKey is defined in §5.3.1 Attestation data.

    sig

    The attestation signature, in the form of a TPMT_SIGNATURE structure as specified in [TPMv2-Part2] section 11.3.4.

    certInfo

    The TPMS_ATTEST structure over which the above signature was computed, as specified in [TPMv2-Part2] section 10.12.8.

    pubArea

    The TPMT_PUBLIC structure (see [TPMv2-Part2] section 12.2.4) used by the TPM to represent the credential public key.

    Signing procedure

    Concatenate the given authenticatorData and clientDataHash to form attToBeSigned.

    Generate a signature using the procedure specified in [TPMv2-Part3] Section 18.2, using the attestation private key and setting the qualifyingData parameter to attToBeSigned.

    In both the above cases, return the certifyInfo output parameter along with the signatureSet the pubArea field to the public area of the credential public key, the certInfo field to the output parameter of the same name, and the sig field to the signature obtained from the above procedure.

    Verification procedure

    If x5c is present, this indicates Verify that the given attestation type is not DAA. In this case:

    If daaKey is present, then the attestation type is DAA.

  • Verify that alg is "ED256" or "ED512".

  • Perform DAA-Verify on signature to verify that it is over the certifyInfo (see [FIDOEcdaaAlgorithm]).

  • Verify that certifyInfo is a TPMS_ATTEST structure with the extraData field set to the concatenation of authenticatorData and clientData.

    statement is valid CBOR conforming to the syntax defined above.

    Verify that the public key specified by the parameters and unique fields of pubArea is identical to the public key contained in the attestation data inside the claimed authenticatorData

    Concatenate the given authenticatorData and clientDataHash to form attToBeSigned.

    Validate that certInfo is valid:

    • Verify that magic is set to TPM_GENERATED_VALUE.

    • Verify that type is set to TPM_ST_ATTEST_CERTIFY.

    • Verify that extraData is set to attToBeSigned.

    • Verify that attested contains a TPMS_CERTIFY_INFO structure, whose name field contains a valid Name for pubArea, as computed using the algorithm in the nameAlg field of pubArea using the procedure specified in [TPMv2-Part1] section 16.

    If x5c is present, this indicates that the attestation type is not DAA. In this case:

    • Verify the sig is a valid signature over certInfo using the attestation public key in x5c with the algorithm specified in alg.

    • Verify that x5c meets the requirements in §7.3.1 TPM attestation statement certificate requirements.

    • If x5c contains an extension with OID 1 3 6 1 4 1 45724 1 1 4 (id-fido-gen-ce-aaguid) verify that the value of this extension matches the AAGUID in the claimed authenticatorData.

    6.
    • If successful, return attestation type Privacy CA and trust path x5c.

    If daaKey is present, then the attestation type is DAA.

    • Perform DAA-Verify on sig to verify that it is a valid signature over certInfo (see [FIDOEcdaaAlgorithm]).

    • If successful, return attestation type DAA and trust path daaKey.

    7.3.1. TPM attestation statement certificate requirements

    TPM attestation certificate MUST have the following fields/extensions:

    6

    7.4. Android Key Attestation Statement Format

    When the Authenticator in question is a platform-provided Authenticator on the Android "N" or later platform, the attestation statement is based on the Android key attestation. In these cases, the attestation statement is produced by a component running in a secure operating environment, but the authenticatorData is produced outside this environment. The Relying Party is expected to check that the contents of authenticatorData are consistent with the fields of the attestation certificate’s extension data.

    Attestation statement format identifier

    android-key

    Attestation types supported

    Basic

    Syntax

    An Android key Attestation attestation statement has the following format:

    [SecureContext] interface AndroidKeyAttestation { readonly attribute ArrayBuffer signature; }; The signature field contains the

    consists simply of the Android attestation statement, which is a series of DER encoded X.509 certificates. See the Android developer documentation. Its syntax is defined as follows:

        $$attStmtType //= (
                              fmt: "android-key",
                              attStmt: androidStmtFormat
                          )
    
        androidStmtFormat = bytes
    
    

    Signing procedure

    Concatenate the given authenticatorData and clientDataHash to form attToBeSigned.

    Request a Android Key Attestation (i.e., by calling "keyStore.getCertificateChain(myKeyUUID)") providing attToBeSigned as the challenge value (e.g., by using "[ setAttestationChallenge] (https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder.html#setAttestationChallenge(byte[]))" ), and set signature the attestation statement to the returned value.

    Verification procedure

    Verification is performed as follows:

    • Verify that signature is a valid certificate chain, consisting of a time-valid X.509 certificate chaining up to a trusted attestation root key.Verify that the public key in the first certificate , in the series of certificates represented by the signature matches the credential public key in the attestation data field of the given authenticatorData.

    • Verify that in the attestation certificate extension data:

      • The value of the attestationChallenge field is identical to attToBeSignedthe concatenation of the claimed authenticatorData and clientDataHash.

      • The AuthorizationList.allApplications field is not present, since ScopedCredentials must be bound to the RP ID.

      • The value in the AuthorizationList.origin field is equal to KM_TAG_GENERATED.

      • The value in the AuthorizationList.purpose field is equal to KM_PURPOSE_SIGN.

    6.
    • If successful, return attestation type Basic with the trust path set to the entire attestation statement.

    7.5. Android SafetyNet Attestation Statement Format

    When the Authenticator in question is a platform-provided Authenticator on certain Android platforms, the attestation statement is based on the SafetyNet API. In this case the authenticator data is completely controlled by the caller of the SafetyNet API (typically an application running on the Android platform) and the attestation statement only provides some statements about the health of the platform and thehref the identity of the calling application.

    Attestation statement format identifier

    android-safetynet

    Attestation types supported

    Basic

    Syntax

    An The syntax of an Android Attestation statement has the following formatis defined as follows:

    interface
     
    
    AndroidSafetyNetAttestation
       $$attStmtType //= (
                              fmt: "android-safetynet",
                              attStmt: safetynetStmtFormat
                          )
    
        safetynetStmtFormat = {
        
    
    readonly
     
    
    attribute
     
    
    unsigned
     
    
    long
     
    
    version;
         
    
    readonly
     
    
    attribute
     
    
    DOMString
         
    
    safetyNetResponse; }; The version element is set to the
              ver: text,
                                  response: bytes
                              }
    
    

    The semantics of the above fields are as follows:

    ver

    The version number of Google Play Services responsible for providing the SafetyNet API.

    response

    The

    safetyNetResponse element contains the

    value returned by the above SafetyNet API. This value is a JWS [RFC7515] object (see SafetyNet online documentation) in Compact Serialization.

    Signing procedure

    Concatenate the given authenticatorData and clientDataHash to form attToBeSigned.

    Request a SafetyNet attestation, providing attToBeSigned as the nonce value. Set response to the result, and ver to the version of Google Play Services running in the authenticator.

    Verification procedure

    Verification is performed as follows:

    • Verify that safetyNetResponse is the given attestation statement is valid CBOR conforming to the syntax defined above.

    • Verify that response is a valid SafetyNet response of version version ver.

    • Verify that the nonce in the safetyNetResponse response is identical to attToBeSignedthe concatenation of the claimed authenticatorData and clientDataHash.

    • Verify that the attestation certificate is issued to the hostname "attest.android.com" (see SafetyNet online documentation).

    • Verify that the ctsProfileMatch attribute in the payload of the safetyNetResponse response is true.

    • If successful, return attestation type Basic with the trust path set to the above attestation certificate.

    7.6. FIDO U2F Attestation Statement Format

    This attestation statement format is used with FIDO U2F authenticators using the formats defined in [FIDO-U2F-Message-Formats].

    Attestation statement format identifier

    fido-u2f

    Attestation types supported

    Basic

    Syntax

    The syntax of a FIDO U2F attestation statement is defined as follows:

        $$attStmtType //= (
                              fmt: "fido-u2f",
                              attStmt: u2fStmtFormat
                          )
    
        u2fStmtFormat = {
                            x5c: [ attestnCert: bytes, * (caCert: bytes) ],
                            sig: bytes
                        }
    
    

    The semantics of the above fields are as follows:

    x5c

    The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format. The attestation certificate must be the first element in the array.

    sig

    The attestation signature.

    Signing procedure

    If the credential public key of the given credential is not of algorithm "ES256", stop and return an error.

    If the given clientDataHash is 256 bits long, set tbsHash to this value. Otherwise set tbsHash to the SHA-256 hash of the given clientDataHash.

    Generate a signature as specified in [FIDO-U2F-Message-Formats] section 4.3, with the application parameter set to the SHA-256 hash of the RP ID associated with the given credential, the challenge parameter set to tbsHash, and the key handle parameter set to the credential ID of the given credential. Set this as sig and set the attestation certificate of the attestation public key as x5c.

    Verification procedure

    Verification is performed as follows:

    • Verify that the given attestation statement is valid CBOR conforming to the syntax defined above.

    • If x5c is not a certificate for an ECDSA public key over the P-256 curve, stop verification and return an error.

    • If the given clientDataHash is 256 bits long, set tbsHash to this value. Otherwise set tbsHash to the SHA-256 hash of the given clientDataHash.

    • From the given authenticatorData, extract the claimed RP ID hash, the claimed credential ID and the claimed credential public key.

    • Generate the claimed to-be-signed data as specified in [FIDO-U2F-Message-Formats] section 4.3, with the application parameter set to the claimed RP ID hash, the challenge parameter set to tbsHash, the key handle parameter set to the claimed credential ID of the given credential, and the user public key parameter set to the claimed credential public key.

    • Verify that the sig is a valid ECDSA P-256 signature over the to-be-signed data constructed above.

    • If successful, return attestation type Basic with the trust path set to x5c.

    8. WebAuthn Extensions

    The mechanism for generating scoped credentials, as well as requesting and generating WebAuthn Authentication assertions, as defined in §4 Web Authentication API, can be extended to suit particular use cases. Each case is addressed by defining a registration extension and/or an authentication extension. Extensions can define additions to the following steps and data:

    When requesting an assertion for a scoped credential, a Relying Party can list a set of extensions to be used, if they are supported by the client and/or the authenticator. It sends the client arguments for each extension in the getAssertion() call (for authentication extensions) or makeCredential() call (for registration extensions) to the client platform. The client platform performs additional processing for each extension that it supports, and augments ClientData as required by the extension. In addition, the client collects the authenticator arguments for the above extensions, and passes them to the authenticator in the authenticatorMakeCredential call (for registration extensions) or authenticatorGetAssertion call (for authentication extensions). These authenticator arguments are passed as name-value pairs, with the extension identifier as the name, and the corresponding authenticator argument as the value. The authenticator, in turn, performs additional processing for the extensions that it supports, and augments authenticatorData as specified by the extension.

    All WebAuthn extensions are optional for both clients and authenticators. Thus, any extensions requested by a Relying Party may be ignored by the client browser or OS and not passed to the authenticator at all, or they may be ignored by the authenticator. Ignoring an extension is never considered a failure in WebAuthn API processing, so when Relying Parties include extensions with any API calls, they must be prepared to handle cases where some or all of those extensions are ignored.

    Clients wishing to support the widest possible range of extensions may choose to pass through any extensions that they do not recognize to authenticators, generating the authenticator argument by simply encoding the client argument in CBOR. All WebAuthn extensions MUST be defined in such a way that this implementation choice does not endanger the user’s security or privacy. For instance, if an extension requires client processing, it could be defined in a manner that ensures such a naïve pass-through will produce a semantically invalid authenticator argument, resulting in the extension being ignored by the authenticator. Since all extensions are optional, this will not cause a functional failure in the API operation.

    7

    8.1. Extension Identifiers

    Extensions are identified by a string, called an extension identifier, chosen by the extension author.

    Extension identifiers SHOULD be registered per [WebAuthn-Registries] "Registries for Web Authentication (WebAuthn)". All registered extension identifiers are unique amongst themselves as a matter of course.

    Unregistered extension identifiers should aim to be globally unique, e.g., by including the defining entity such as myCompany_extension.

    All extension identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable USASCII characters, i.e., VCHAR as defined in [RFC5234]. Implementations MUST match WebAuthn extension identifiers in a case-insensitive fashion.

    Extensions that may exist in multiple versions should take care to include a version in their identifier. In effect, different versions are thus treated as different extensions, e.g., myCompany_extension_01

    Extensions defined in this specification use a fixed prefix of webauthn for the extension identifiers. This prefix should not be used for extensions not defined by the W3C.

    §8 §9 Pre-defined extensions defines an initial set of currently-defined and registered extensions their identifiers. See the WebAuthn Extension Identifiers Registry defined in [WebAuthn-Registries] for an up-to-date list of registered WebAuthn Extension Identifiers.

    7

    8.2. Defining extensions

    A definition of an extension must specify, at minimum, an extension identifier and an extension client argument sent via the getAssertion() or makeCredential() call. Additionally, extensions may specify additional values in ClientData, authenticatorData (in the case of authentication extensions), or both. Finally, if the extension requires any authenticator processing, it must also specify an authenticator argument to be sent via the authenticatorGetAssertion or authenticatorMakeCredential call.

    Any extension that requires client processing MUST specify a method of augmenting ClientData that unambiguously lets the Relying Party know that the extension was honored by the client. Similarly, any extension that requires authenticator processing MUST specify a method of augmenting authenticatorData to let the Relying Party know that the extension was honored by the authenticator.

    7

    8.3. Extending request parameters

    An extension defines up to two request arguments. The client argument is passed from the Relying Party to the client in the getAssertion() or makeCredential() call, while the authenticator argument is passed from the client to the authenticator during the processing of these calls.

    A Relying Party simultaneously requests the use of an extension and sets its client argument by including an entry in the extensions option to the makeCredential() or getAssertion() call. The entry key MUST be the extension identifier, and the value MUST be the client argument.

    var assertionPromise = credentials.getAssertion(..., /* extensions */ {
        "webauthnExample_foobar": 42
    });
    
    

    Extension definitions MUST specify the valid values for their client argument. Clients SHOULD ignore extensions with an invalid client argument. If an extension does not require any parameters from the Relying Party, it SHOULD be defined as taking a Boolean client argument, set to true to signify that the extension is requested by the Relying Party.

    Extensions that only affect client processing need not specify an authenticator argument. Extensions that affect authenticator processing MUST specify a method of computing the authenticator argument from the client argument. For extensions that do not require additional parameters, and are defined as taking a Boolean client argument set to true, this method SHOULD consist of passing an authenticator argument of true (CBOR major type 7, value 21).

    Note: Extensions should aim to define authenticator arguments that are as small as possible. Some authenticators communicate over low-bandwidth links such as Bluetooth Low-Energy or NFC.

    7

    8.4. Extending client processing

    Extensions may define additional processing requirements on the client platform during the creation of credentials or the generation of an assertion. In order for the Relying Party to verify the processing took place, or if the processing has a result value that the Relying Party needs to be aware of, the extension should specify a client data value to be included in the ClientData structure.

    The client data value may be any value that can be encoded using JSON. If any extension processed by a client defines such a value, the client SHOULD include a dictionary in ClientData with the key extensions. For each such extension, the client SHOULD add an entry to this dictionary with the extension identifier as the key, and the extension’s client data value.

    Extensions that require authenticator processing MUST define the process by which the client argument can be used to determine the authenticator argument.

    7

    8.5. Extending authenticator processing

    Extensions that define additional authenticator processing may similarly define an authenticator data value. The value may be any data that can be encoded in CBOR. An authenticator that processes an authentication extension that defines such a value must include it in the authenticatorData.

    As specified in §5.2.1 Authenticator data, the authenticator data value of each processed extension is included in the extended data part of the authenticatorData. This part is a CBOR map, with extension identifiers as keys, and the authenticator data value of each extension as the value.

    7

    8.6. Example extension

    This section is not normative.

    To illustrate the requirements above, consider a hypothetical extension "Geo". This extension, if supported, lets both clients and authenticators embed their geolocation in assertions.

    The extension identifier is chosen as webauthnExample_geo. The client argument is the constant value true, since the extension does not require the Relying Party to pass any particular information to the client, other than that it requests the use of the extension. The Relying Party sets this value in its request for an assertion:

    var assertionPromise =
        credentials.getAssertion("SGFuIFNvbG8gc2hvdCBmaXJzdC4",
            {}, /* Empty filter */
            { 'webauthnExample_geo': true });
    
    

    The extension defines the additional client data to be the client’s location, if known, as a GeoJSON [GeoJSON] point. The client constructs the following client data:

    {
        ...,
        'extensions': {
            'webauthnExample_geo': {
                'type': 'Point',
                'coordinates': [65.059962, -13.993041]
            }
        }
    }
    
    

    The extension also requires the client to set the authenticator parameter to the fixed value true.

    Finally, the extension requires the authenticator to specify its geolocation in the authenticator data, if known. The extension e.g. specifies that the location shall be encoded as a two-element array of floating point numbers, encoded with CBOR. An authenticator does this by including it in the authenticatorData. As an example, authenticator data may be as follows (notation taken from [RFC7049]):

    81 (hex)                                    -- Flags, ED and TUP both set.
    20 05 58 1F                                 -- Signature counter
    A1                                          -- CBOR map of one element
        73                                      -- Key 1: CBOR text string of 19 bytes
            77 65 62 61 75 74 68 6E 45 78 61
            6D 70 6C 65 5F 67 65 6F             -- "webauthnExample_geo" UTF-8 encoded string
        82                                      -- Value 1: CBOR array of two elements
            FA 42 82 1E B3                      -- Element 1: Latitude as CBOR encoded float
            FA C1 5F E3 7F                      -- Element 2: Longitude as CBOR encoded float
    
    
    8

    9. Pre-defined extensions

    This section defines an initial set of extensions. These are recommended for implementation by user agents targeting broad interoperability.

    8

    9.1. FIDO AppId

    This authentication extension allows Relying Parties who have previously registered a credential using the legacy FIDO JavaScript APIs to request an assertion. Specifically, this extension allows Relying Parties to specify an appId [FIDO-APPID] to overwrite the otherwise computed rpId. This extension is only valid if used during the getAssertion() call; other usage will result in client error.

    Extension identifier

    fido_appid

    Client argument

    A single UTF-8 encoded string specifying a FIDO appId.

    Client processing

    If rpId is present, reject promise with a DOMException whose name is "NotAllowedError", and terminate this algorithm. Replace the calculation of rpId in Step 3 of §4.1.2 Use an existing credential (- getAssertion() method) with the following procedure: The client uses the value of fido_appid to perform the AppId validation procedure (as defined by [FIDO-APPID]). If valid, the value of rpId for all client processing should be replaced by the value of fido_appid.

    Authenticator argument

    none

    Authenticator processing

    none

    Authenticator data

    none

    8

    9.2. Transaction authorization

    This authentication extension allows for a simple form of transaction authorization. A Relying Party can specify a prompt string, intended for display on a trusted device on the authenticator.

    Extension identifier

    webauthn_txAuthSimple

    Client argument

    A single UTF-8 encoded string prompt.

    Client processing

    None, except default forwarding of client argument to authenticator argument.

    Authenticator argument

    The client argument encoded as a CBOR text string (major type 3).

    Authenticator processing

    The authenticator MUST display the prompt to the user before performing the user verification / test of user presence. The authenticator may insert line breaks if needed.

    Authenticator data

    A single UTF-8 encoded string, representing the prompt as displayed (including any eventual line breaks).

    The generic version of this extension allows images to be used as prompts as well. This allows authenticators without a font rendering engine to be used and also supports a richer visual appearance.

    Extension identifier

    webauthn_txAuthGeneric

    Client argument

    A CBOR map with one pair of data items (CBOR tagged as 0xa1). The pair of data items consists of

    one UTF-8 encoded string contentType, containing the MIME-Type of the content, e.g. "image/png"and the content itself, encoded as CBOR byte array.

    defined as follows:

        txAuthGenericArg = {
                               contentType: text,   ; MIME-Type of the content, e.g. "image/png"
                               content: bytes
                           }
    
    

    Client processing

    None, except default forwarding of client argument to authenticator argument.

    Authenticator argument

    The client argument encoded as a CBOR map.

    Authenticator processing

    The authenticator MUST display the content to the user before performing the user verification / test of user presence. The authenticator may add other information below the content. No changes are allowed to the content itself, i.e., inside content boundary box.

    Authenticator data

    The hash value of the content which was displayed. The authenticator MUST use the same hash algorithm as it uses for the signature itself.

    8

    9.3. Authenticator Selection Extension

    This registration extension allows a Relying Party to guide the selection of the authenticator that will be leveraged when creating the credential. It is intended primarily for Relying Parties that wish to tightly control the experience around credential creation.

    Extension identifier

    webauthn_authnSel

    Client argument

    A sequence of AAGUIDs:

    typedef sequence < AAGUID > AuthenticatorSelectionList;
    

    Each AAGUID corresponds to an authenticator model that is acceptable to the Relying Party for this credential creation. The list is ordered by decreasing preference.

    An AAGUID is defined as an array containing the globally unique identifier of the authenticator model being sought.

    typedef BufferSource AAGUID;
    

    Client processing

    This extension can only be used during makeCredential(). If the client supports the Authenticator Selection Extension, it MUST use the first available authenticator whose AAGUID is present in the AuthenticatorSelectionList. If none of the available authenticators match a provided AAGUID, the client MUST select an authenticator from among the available authenticators to generate the credential.

    Authenticator argument

    There is no authenticator argument.

    Authenticator processing

    None.

    8

    9.4. SupportedExtensions Extension

    Extension identifier

    webauthn_exts

    Client argument

    The Boolean value true to indicate that this extension is requested by the Relying Party.

    Client processing

    None, except default forwarding of client argument to authenticator argument.

    Authenticator argument

    The Boolean value true, encoded in CBOR (major type 7, value 21).

    Authenticator processing

    The authenticator augments the authenticator data with a list of extensions that the authenticator supports, as defined below. This extension can be added to attestation statementsobjects.

    Authenticator data

    The SupportedExtensions extension is a list (CBOR array) of extension identifiers (UTF-8 encoded strings).

    8

    9.5. User Verification Index (UVI) Extension

    Extension identifier

    webauthn_uvi

    Client argument

    The Boolean value true to indicate that this extension is requested by the Relying Party.

    Client processing

    None, except default forwarding of client argument to authenticator argument.

    Authenticator argument

    The Boolean value true, encoded in CBOR (major type 7, value 21).

    Authenticator processing

    The authenticator augments the authenticator data with a user verification index indicating the method used by the user to authorize the operation, as defined below. This extension can be added to attestation statements objects and assertions.

    Authenticator data

    The user verification index (UVI) is a value uniquely identifying a user verification data record. The UVI is encoded as CBOR byte string (type 0x58). Each UVI value MUST be specific to the related key (in order to provide unlinkability). It also must contain sufficient entropy that makes guessing impractical. UVI values MUST NOT be reused by the Authenticator (for other biometric data or users).

    The UVI data can be used by servers to understand whether an authentication was authorized by the exact same biometric data as the initial key generation. This allows the detection and prevention of "friendly fraud".

    As an example, the UVI could be computed as SHA256(KeyID | SHA256(rawUVI)), where the rawUVI reflects (a) the biometric reference data, (b) the related OS level user ID and (c) an identifier which changes whenever a factory reset is performed for the device, e.g. rawUVI = biometricReferenceData | OSLevelUserID | FactoryResetCounter.

    Servers supporting UVI extensions MUST support a length of up to 32 bytes for the UVI value.

    Example for authenticatorData containing one UVI extension

    ...                                         -- RP ID hash (32 bytes)
    81                                          -- TUP and ED set
    00 00 00 01                                 -- (initial) signature counter
    ...                                         -- all public key alg etc.
    A1                                          -- extension: CBOR map of one element
        6C                                      -- Key 1: CBOR text string of 11 bytes
            77 65 62 61 75 74 68 6E 5F 75 76 69 -- "webauthn_uvi" UTF-8 encoded string
        58 20                                   -- Value 1: CBOR byte string with 0x20 bytes
            00 43 B8 E3 BE 27 95 8C             -- the UVI value itself
            28 D5 74 BF 46 8A 85 CF
            46 9A 14 F0 E5 16 69 31
            DA 4B CF FF C1 BB 11 32
            82
    
    
    8

    9.6. Location Extension

    Extension identifier

    webauthn_loc

    Client argument

    The Boolean value true to indicate that this extension is requested by the Relying Party.

    Client processing

    None, except default forwarding of client argument to authenticator argument.

    Authenticator argument

    The Boolean value true, encoded in CBOR (major type 7, value 21).

    Authenticator processing

    If the authenticator does not support the extension, then the authenticator MUST ignore the extension request. If the authenticator accepts the extension, then the authenticator SHOULD only add this extension data to a packed attestation or assertion.

    Authenticator data

    If the authenticator accepts the extension request, then authenticator data SHOULD provide location data in the form of a CBOR-encoded map, with the first value being the extension identifier and the second being an array of returned values. The array elements SHOULD be derived from (key,value) pairings for each location attribute that the authenticator supports. The following is an example of authenticatorData where the returned array is comprised of a {longitude, latitude, altitude} triplet, following the coordinate representation defined in The W3C Geolocation API Specification.

    ...                                         -- RP ID hash (32 bytes)
    81                                          -- TUP and ED set
    00 00 00 01                                 -- (initial) signature counter
    ...                                         -- all public key alg etc.
    A1                                          -- extension: CBOR map of one element
        6C                                      -- Value 1: CBOR text string of 11 bytes
            77 65 62 61 75 74 68 6E 5F 6C 6F 63 -- "webauthn_loc" UTF-8 encoded string
        86                                      -- Value 2: array of 6 elements
            68                  -- Element 1:  CBOR text string of 8 bytes
               6C 61 74 69 74 75 64 65          -- “latitude” UTF-8 encoded string
            FB ...                  -- Element 2:  Latitude as CBOR encoded double-precision float
            69                  -- Element 3:  CBOR text string of 9 bytes
               6C 6F 6E 67 69 74 75 64 65       -- “longitude” UTF-8 encoded string
            FB ...                  -- Element 4:  Longitude as CBOR encoded double-precision float
            68                  -- Element 5:  CBOR text string of 8 bytes
              61 6C 74 69 74 75 64 65           -- “altitude” UTF-8 encoded string
            FB ...                  -- Element 6:  Altitude as CBOR encoded double-precision float
    
    
    8

    9.7. User Verification Mode (UVM) Extension

    Extension identifier

    webauthn_uvm

    Client argument

    The Boolean value true to indicate that this extension is requested by the WebAuthn Relying Party.

    Client processing

    None, except default forwarding of client argument to authenticator argument.

    Authenticator argument

    The Boolean value true, encoded in CBOR (major type 7, value 21).

    Authenticator processing

    The authenticator augments the authenticator data with a user verification index indicating the method used by the user to authorize the operation, as defined below. This extension can be added to attestation statements objects and assertions.

    Authenticator data

    Authenticators can report up to 3 different user verification methods (factors) used in a single authentication instance. To accommodate this possibility the UVM is encoded as CBOR array (major type 4) with a maximum allowed length of 3 -

    • Type 0x81 – only 1 factor was used for authentication.

    • Type 0x82 – 2 factors were used.

    • Type 0x83 – 3 or more factors were used.

    Each data item is in turn a CBOR array of length 3 (type 0x83) with the following data items:

    Data Item 1 – User Verification Method. This is the

    , using the CBOR syntax defined below:

        uvmFormat = [ 1*3 uvmEntry ]
        uvmEntry = [
                       userVerificationMethod: uint .size 4,
                       keyProtectionType: uint .size 2,
                       matcherProtectionType: uint .size 2
                   ]
    
    

    The semantics of the fields in each uvmEntry are as follows:

    userVerificationMethod

    The authentication method/factor used by the authenticator to verify the user. Available values are defined in [FIDOReg], "User Verification Methods" section.

    It is encoded as a CBOR unsigned integer (Major type 0).Data Item 2 – Key Protection Type. This is the

    keyProtectionType

    The method used by the authenticator to protect the FIDO registration private key material. Available values are defined in [FIDOReg], "Key Protection Types" section.

    It is encoded as a CBOR 2 byte unsigned short (Major type 0).Data Item 3 – Matcher Protection Type. This is the

    matcherProtectionType

    The method used by the authenticator to protect the matcher that performs user verification. Available values are defined in [FIDOReg], "Matcher Protection Types" section.

    It is encoded as a CBOR 2 byte unsigned short (Major type 0).

    This is repeated for each factor used in the authentication instance.

    If >3 factors can be used in an authentication instance the authenticator vendor must select the 3 factors it believes will be most relevant to the Server to include in the UVM.

    Servers supporting the UVM extension MUST support a length up to 36 bytes for a 3 factor maximum UVM value.

    Example for authenticatorData containing one UVM extension for a multi-factor authentication instance where 2 factors were used:

    ...                    -- RP ID hash (32 bytes)
    81                     -- TUP and ED set
    00 00 00 01            -- (initial) signature counter
    ...                    -- all public key alg etc.
    A1                     -- extension: CBOR map of one element
        6C                 -- Key 1: CBOR text string of 12 bytes
            77 65 62 61 75 74 68 6E 2E 75 76 6d -- "webauthn_uvm" UTF-8 encoded string
        82                 -- Value 1: CBOR array of length 2 indicating two factor usage
            83              -- Item 1: CBOR array of length 3
                02           -- Subitem 1: CBOR integer for User Verification Method Fingerprint
                04           -- Subitem 2: CBOR short for Key Protection Type TEE
                02           -- Subitem 3: CBOR short for Matcher Protection Type TEE
            83              -- Item 2: CBOR array of length 3
                04           -- Subitem 1: CBOR integer for User Verification Method Passcode
                01           -- Subitem 2: CBOR short for Key Protection Type Software
                01           -- Subitem 3: CBOR short for Matcher Protection Type Software
    
    
    9

    10. IANA Considerations

    This specification registers the algorithm names "S256", "S384", "S512", and "SM3" with the IANA JSON Web Algorithms registry as defined in section "Cryptographic Algorithms for Digital Signatures and MACs" in [RFC7518].

    These names follow the naming strategy in draft-ietf-oauth-spop-15.

    Algorithm Name "S256"
    Algorithm Description The SHA256 hash algorithm.
    Algorithm Usage Location(s) "alg", i.e., used with JWS.
    JOSE Implementation Requirements Optional+
    Change Controller FIDO Alliance
    Specification Documents [FIPS-180-4]
    Algorithm Analysis Document(s) [SP800-107r1]
    Algorithm Name "S384"
    Algorithm Description The SHA384 hash algorithm.
    Algorithm Usage Location(s) "alg", i.e., used with JWS.
    JOSE Implementation Requirements Optional
    Change Controller FIDO Alliance
    Specification Documents [FIPS-180-4]
    Algorithm Analysis Document(s) [SP800-107r1]
    Algorithm Name "S512"
    Algorithm Description The SHA512 hash algorithm.
    Algorithm Usage Location(s) "alg", i.e., used with JWS.
    JOSE Implementation Requirements Optional+
    Change Controller FIDO Alliance
    Specification Documents [FIPS-180-4]
    Algorithm Analysis Document(s) [SP800-107r1]
    Algorithm Name "SM3"
    Algorithm Description The SM3 hash algorithm.
    Algorithm Usage Location(s) "alg", i.e., used with JWS.
    JOSE Implementation Requirements Optional
    Change Controller FIDO Alliance
    Specification Documents [OSCCA-SM3]
    Algorithm Analysis Document(s) N/A
    10

    11. Sample scenarios

    This section is not normative.

    In this section, we walk through some events in the lifecycle of a scoped credential, along with the corresponding sample code for using this API. Note that this is an example flow, and does not limit the scope of how the API can be used.

    As was the case in earlier sections, this flow focuses on a use case involving an external first-factor authenticator with its own display. One example of such an authenticator would be a smart phone. Other authenticator types are also supported by this API, subject to implementation by the platform. For instance, this flow also works without modification for the case of an authenticator that is embedded in the client platform. The flow also works for the case of an authenticator without its own display (similar to a smart card) subject to specific implementation considerations. Specifically, the client platform needs to display any prompts that would otherwise be shown by the authenticator, and the authenticator needs to allow the client platform to enumerate all the authenticator’s credentials so that the client can have information to show appropriate prompts.

    10

    11.1. Registration

    This is the first-time flow, in which a new credential is created and registered with the server.

    1. The user visits example.com, which serves up a script. At this point, the user must already be logged in using a legacy username and password, or additional authenticator, or other means acceptable to the Relying Party.

    2. The Relying Party script runs the code snippet below.

    3. The client platform searches for and locates the authenticator.

    4. The client platform connects to the authenticator, performing any pairing actions if necessary.

    5. The authenticator shows appropriate UI for the user to select the authenticator on which the new credential will be created, and obtains a biometric or other authorization gesture from the user.

    6. The authenticator returns a response to the client platform, which in turn returns a response to the Relying Party script. If the user declined to select an authenticator or provide authorization, an appropriate error is returned.

    7. If a new credential was created,

      • The Relying Party script sends the newly generated credential public key to the server, along with additional information such as attestation regarding the provenance and characteristics of the authenticator.

      • The server stores the credential public key in its database and associates it with the user as well as with the characteristics of authentication indicated by attestation, also storing a friendly name for later use.

      • The script may store data such as the credential ID in local storage, to improve future UX by narrowing the choice of credential for the user.

    The sample code for generating and registering a new key follows:

    var webauthnAPI = navigator.authentication;
    
    if (!webauthnAPI) { /* Platform not capable. Handle error. */ }
    
    var userAccountInformation = {
        rpDisplayName: "Acme",
        displayName: "John P. Smith",
        name: "johnpsmith@example.com",
        id: "1098237235409872",
        imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
    };
    
    // This Relying Party will accept either an ES256 or RS256 credential, but
    // prefers an ES256 credential.
    var cryptoParams = [
        {
            type: "ScopedCred",
            algorithm: "ES256"
        },
        {
            type: "ScopedCred",
            algorithm: "RS256"
        }
    ];
    
    var challenge = 
    
    "Y2xpbWIgYSBtb3VudGFpbg"
    new TextEncoder().encode("climb a mountain");
    var options = { 
    
    timeoutSeconds
    timeout: 
    
    300
    60000,  // 
    
    5
    1 
    
    minutes
    minute
                    excludeList: [],      // No excludeList
                    extensions: {"webauthn.location": true}  // Include location information
                                                   // in attestation
    };
    
    // Note: The following call will cause the authenticator to display UI.
    webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge, options)
        .then(function (newCredentialInfo) {
        // Send new credential info to server for verification and registration.
    }).catch(function (err) {
        // No acceptable authenticator or user refused consent. Handle appropriately.
    });
    
    
    10

    11.2. Authentication

    This is the flow when a user with an already registered credential visits a website and wants to authenticate using the credential.

    1. The user visits example.com, which serves up a script.

    2. The script asks the client platform for a WebAuthn identity assertionan Authentication Assertion, providing as much information as possible to narrow the choice of acceptable credentials for the user. This may be obtained from the data that was stored locally after registration, or by other means such as prompting the user for a username.

    3. The Relying Party script runs one of the code snippets below.

    4. The client platform searches for and locates the authenticator.

    5. The client platform connects to the authenticator, performing any pairing actions if necessary.

    6. The authenticator presents the user with a notification that their attention is required. On opening the notification, the user is shown a friendly selection menu of acceptable credentials using the account information provided when creating the credentials, along with some information on the origin that is requesting these keys.

    7. The authenticator obtains a biometric or other authorization gesture from the user.

    8. The authenticator returns a response to the client platform, which in turn returns a response to the Relying Party script. If the user declined to select a credential or provide an authorization, an appropriate error is returned.

    9. If an assertion was successfully generated and returned,

      • The script sends the assertion to the server.

      • The server examines the assertion and validates that it was correctly generated. If so, extracts the credential ID, looks up the registered credential public key it is database, and verifies the assertion’s authentication signature. If valid, it looks up the identity associated with the associated public keyassertion’s credential ID; that identity is now authenticated. If the public key credential ID is not recognized by the server (e.g., it has been deregistered by server due to inactivity) then the authentication has failed; each Relying Party will handle this in its own way.

      • The server now does whatever it would otherwise do upon successful authentication -- return a success page, set authentication cookies, etc.

    If the Relying Party script does not have any hints available (e.g., from locally stored data) to help it narrow the list of credentials, then the sample code for performing such an authentication might look like this:

    var webauthnAPI = navigator.authentication;
    
    if (!webauthnAPI) { /* Platform not capable. Handle error. */ }
    
    var challenge = 
    
    "Y2xpbWIgYSBtb3VudGFpbg"
    new TextEncoder().encode("climb a mountain");
    var options = {
                    
    
    timeoutSeconds
    timeout = 
    
    300
    60000,  // 
    
    5
    1 
    
    minutes
    minute
                    allowList: [{ type: "ScopedCred" }]
                  };
    
    webauthnAPI.getAssertion(challenge, options)
        .then(function (assertion) {
        // Send assertion to server for verification
    }).catch(function (err) {
        // No acceptable credential or user refused consent. Handle appropriately.
    });
    
    

    On the other hand, if the Relying Party script has some hints to help it narrow the list of credentials, then the sample code for performing such an authentication might look like the following. Note that this sample also demonstrates how to use the extension for transaction authorization.

    var webauthnAPI = navigator.authentication;
    
    if (!webauthnAPI) { /* Platform not capable. Handle error. */ }
    
    var encoder = new TextEncoder();
    var challenge = 
    
    "Y2xpbWIgYSBtb3VudGFpbg"
    encoder.encode("climb a mountain");
    var acceptableCredential1 = {
        type: "ScopedCred",
        id: 
    
    "ISEhISEhIWhpIHRoZXJlISEhISEhIQo="
    encoder.encode("!!!!!!!hi there!!!!!!!\n")
    };
    var acceptableCredential2 = {
        type: "ScopedCred",
        id: 
    
    "cm9zZXMgYXJlIHJlZCwgdmlvbGV0cyBhcmUgYmx1ZQo="
    encoder.encode("roses are red, violets are blue\n")
    };
    
    var options = {
                    
    
    timeoutSeconds
    timeout: 
    
    300
    60000,  // 
    
    5
    1 
    
    minutes
    minute
                    allowList: [acceptableCredential1, acceptableCredential2];
                    extensions: { 'webauthn.txauth.simple':
                       "Wave your hands in the air like you just don’t care" };
                  };
    
    webauthnAPI.getAssertion(challenge, options)
        .then(function (assertion) {
        // Send assertion to server for verification
    }).catch(function (err) {
        // No acceptable credential or user refused consent. Handle appropriately.
    });
    
    
    10

    11.3. Decommissioning

    The following are possible situations in which decommissioning a credential might be desired. Note that all of these are handled on the server side and do not need support from the API specified here.

    11

    12. Acknowledgements

    We thank the following for their contributions to, and thorough review of, this specification: Domenic Denicola, Rahul Ghosh, Brad Hill, Jing Jin, Anne van Kesteren, Giridhar Mandyam, Axel Nennker, Yaron Sheffer, Mike West, Boris Zbarsky.

    Index

    Terms defined by this specification

    Terms defined by reference

    References

    Normative References

    [CDDL]
    C. Vigano; H. Birkholz. CBOR data definition language (CDDL): a notational convention to express CBOR data structures. 21 September 2016. Internet Draft (work in progress). URL: https://tools.ietf.org/html/draft-greevenbosch-appsawg-cbor-cddl
    [DOM4]
    Anne van Kesteren. DOM Standard. Living Standard. URL: https://dom.spec.whatwg.org/
    [FIDOEcdaaAlgorithm]
    R. Lindemann; A. Edgington; R. Urian. FIDO ECDAA Algorithm. FIDO Alliance Proposed Standard (To Be Published).
    [FIDOReg]
    R. Lindemann; D. Baghdasaryan; B. Hill. FIDO UAF Registry of Predefined Values. FIDO Alliance Proposed Standard. URL: https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-reg-v1.0-ps-20141208.html
    [FIPS-180-4]
    FIPS PUB 180-4 Secure Hash Standard. URL: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
    [HTML]
    Anne van Kesteren; et al. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/
    [HTML51]
    Steve Faulkner; et al. HTML 5.1. 1 November 2016. REC. URL: https://www.w3.org/TR/html51/
    [OSCCA-SM3]
    SM3 Cryptographic Hash Algorithm. December 2010. URL: http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
    [RFC2119]
    S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://tools.ietf.org/html/rfc2119
    [RFC4648]
    S. Josefsson. The Base16, Base32, and Base64 Data Encodings. October 2006. Proposed Standard. URL: https://tools.ietf.org/html/rfc4648
    [RFC5234]
    D. Crocker, Ed.; P. Overell. Augmented BNF for Syntax Specifications: ABNF. January 2008. Internet Standard. URL: https://tools.ietf.org/html/rfc5234
    [RFC5890]
    J. Klensin. Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework. August 2010. Proposed Standard. URL: https://tools.ietf.org/html/rfc5890
    [
    RFC7515
    RFC7049]
    MC. JonesBormann; JP. Bradley; N. Sakimura. JSON Web Signature (JWS). May 2015Hoffman. Concise Binary Object Representation (CBOR). October 2013. Proposed Standard. URL: https://tools.ietf.org/html/rfc7515rfc7049
    [RFC7518]
    M. Jones. JSON Web Algorithms (JWA). May 2015. Proposed Standard. URL: https://tools.ietf.org/html/rfc7518
    [
    SEC1] SEC1: Elliptic Curve Cryptography, Version 2.0. URL: http
    WebCryptoAPI]
    Mark Watson. Web Cryptography API. 15 December 2016. PR. URL: https://www.secgw3.org/sec1-v2.pdf
    [WebCryptoAPI]
    Ryan Sleevi; Mark Watson. Web Cryptography API. 11 December 2014. CRTR/WebCryptoAPI/
    [WebIDL]
    Cameron McCormack; Boris Zbarsky; Tobie Langel. Web IDL. 15 December 2016. WD. URL: https://www.w3.org/TR/WebCryptoAPIWebIDL-1/
    [WebIDL-1]
    Cameron McCormack; Boris Zbarsky; Tobie Langel. Web IDL. WebIDL Level 1. 15 September December 2016. WDREC. URL: https://www.w3.org/TR/2016/REC-WebIDL-1-20161215/
    [WHATWG-ENCODING]
    Anne van Kesteren. Encoding Standard. Living Standard. URL: https://encoding.spec.whatwg.org/

    Informative References

    [Ceremony]
    Carl Ellison. Ceremony Design and Analysis. 2007. URL: https://eprint.iacr.org/2007/399.pdf
    [FIDO-APPID]
    D. Balfanz; et al. FIDO AppID and Facet Specification. 14 May 2015Facets. FIDO Alliance Review Draft. URL: https://fidoalliance.org/specs/fido-uaf-v1.1-rd-20161005/fido-appid-and-facets-ps-20150514.pdf
    [
    v1.1-rd-20161005.html
    [FIDO-U2F-Message-Formats]
    D. Balfanz; J. Ehrensvard; J. Lang. FIDO U2F Raw Message Formats. FIDO Alliance Implementation Draft. URL: https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html
    [FIDOMetadataService]
    R. Lindemann; B. Hill; D. Baghdasaryan. FIDO Metadata Service v1.0. FIDO Alliance Proposed Standard. URL: https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-metadata-service-v1.0-ps-20141208.html
    [FIDOSecRef]
    R. Lindemann; D. Baghdasaryan; B. Hill. FIDO Security Reference. FIDO Alliance Proposed Standard. URL: https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-security-ref-v1.0-ps-20141208.html
    [GeoJSON]
    The GeoJSON Format Specification. URL: http://geojson.org/geojson-spec.html
    [
    RFC3447]
    J. Jonsson; B. Kaliski. Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1. February 2003. Informational. URL: https://tools.ietf.org/html/rfc3447
    [RFC4055]
    J. Schaad; B. Kaliski; R. Housley. Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. June 2005. Proposed Standard. URL: https://tools.ietf.org/html/rfc4055
    [RFC4949]
    R. Shirey. Internet Security Glossary, Version 2. August 2007. Informational. URL: https://tools.ietf.org/html/rfc4949
    [RFC5280]
    D. Cooper; et al. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. May 2008. Proposed Standard. URL: https://tools.ietf.org/html/rfc5280
    [RFC6454]
    A. Barth. The Web Origin Concept. December 2011. Proposed Standard. URL: https://tools.ietf.org/html/rfc6454
    [
    RFC7049
    RFC7159]
    C. Bormann; P. Hoffman. Concise Binary Object Representation (CBOR). October 2013T. Bray, Ed.. The JavaScript Object Notation (JSON) Data Interchange Format. March 2014. Proposed Standard. URL: https://tools.ietf.org/html/rfc7049rfc7159
    [
    RFC7159
    RFC7515]
    T. Bray, Ed.. The JavaScript Object Notation (JSON) Data Interchange Format. March 2014M. Jones; J. Bradley; N. Sakimura. JSON Web Signature (JWS). May 2015. Proposed Standard. URL: https://tools.ietf.org/html/rfc7159rfc7515
    [SECURE-CONTEXTS]
    Mike West. Secure Contexts. 15 September 2016. CR. URL: https://www.w3.org/TR/secure-contexts/
    [SP800-107r1]
    Quynh Dang. NIST Special Publication 800-107: Recommendation for Applications Using Approved Hash Algorithms. August 2012. URL: http://csrc.nist.gov/publications/nistpubs/800-107-rev1/sp800-107-rev1.pdf
    [
    TPMv1
    TPMv2-
    2
    EK-
    Credential-Profiles
    Profile]
    TCG EK Credential Profiles Profile for TPM Family 1. 2.0. URL: http://www.trustedcomputinggroup.org/wp-content/uploads/Credential_ProfilesProfile_V1EK_V2.20_Level2R14_Revision8published.pdf
    [
    TPMv1
    TPMv2-
    2-Part3] TPM Main Part 3: TPM Commands
    Part1]
    Trusted Platform Module Library, Part 1: Architecture. URL: http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-MainRev-2.0-Part-31-TPMArchitecture-Commands_v1.2_rev116_0103201101.16-1.pdf
    [TPMv2-
    EK-Profile] TCG EK Credential Profile for TPM Family 2.0.
    Part2]
    Trusted Platform Module Library, Part 2: Structures. URL: http://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.TPM-Rev-2.0-Part-2-Structures-01.16-1.pdf
    [TPMv2-Part3]
    Trusted Platform Module Library, Part 3: Commands. URL: http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.16-1.pdf
    [UAFProtocol]
    R. Lindemann; et al. FIDO UAF Protocol Specification v1.0. FIDO Alliance Proposed Standard. URL: https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html
    [WebAuthn-Registries]
    Jeff Hodges. Registries for Web Authentication (WebAuthn). June 2016. Active Internet-Draft. URL: https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?modeAsFormat=html/ascii&url=https://raw.githubusercontent.com/w3c/webauthn/master/draft-hodges-webauthn-registries.xml#46923110554855074732

    IDL Index

    partial interface Navigator {
        readonly attribute WebAuthentication authentication;
    };
    
    [SecureContext]
    interface WebAuthentication {
        Promise < ScopedCredentialInfo > makeCredential (
            Account                                 accountInformation,
            sequence < ScopedCredentialParameters > cryptoParameters,
            BufferSource                            attestationChallenge,
            optional ScopedCredentialOptions        options
        );
    
        Promise < WebAuthnAssertion AuthenticationAssertion> getAssertion (
            BufferSource                    assertionChallenge,
            optional AssertionOptions       options
        );
    };
    
    [SecureContext]
    interface ScopedCredentialInfo {
        readonly attribute ScopedCredential  attribute ArrayBuffer  credential clientDataJSON;
        readonly    attribute WebAuthnAttestationArrayBuffer  attestation attestationObject;
    };
    
    dictionary Account {
        required DOMString rpDisplayName;
        required DOMString displayName;
        required DOMString id;
        DOMString          name;
        DOMString          imageURL;
    };
    
    dictionary ScopedCredentialParameters {
        required ScopedCredentialType  type;
        required AlgorithmIdentifier   algorithm;
    };
    
    dictionary ScopedCredentialOptions {
        unsigned long                        timeout;
        timeoutSeconds;USVString     USVString                       rpId;
        sequence<ScopedCredentialDescriptor> excludeList = [];
     rpId;   Attachment  sequence < ScopedCredentialDescriptor >  excludeList;     WebAuthnExtensions               attachment;
        AuthenticationExtensions             extensions;
    };
    
    enum Attachment {
        "platform",
        "cross-platform"
    };
    
    [SecureContext]
    interface WebAuthnAssertionAuthenticationAssertion {
        readonly attribute ScopedCredential  credential;
        readonly attribute ArrayBuffer       clientDataclientDataJSON;
        readonly attribute ArrayBuffer       authenticatorData;
        readonly attribute ArrayBuffer       signature;
    };
    
    dictionary AssertionOptions {
        unsigned long                            timeoutSecondstimeout;
        USVString                                rpId;
        sequence < ScopedCredentialDescriptor > allowList; = [];
      WebAuthnExtensions  AuthenticationExtensions                     extensions;
    };
    
    dictionary WebAuthnExtensionsAuthenticationExtensions {
    };
    
    [SecureContext]
    interface WebAuthnAttestation {
        readonly    attribute USVString     format;
        readonly    attribute ArrayBuffer   clientData;
        readonly    attribute ArrayBuffer   authenticatorData;
        readonly    attribute any           attestation;
    };
    
    dictionary ClientData {
        required DOMString           challenge;
        required DOMString           origin;
        required AlgorithmIdentifier hashAlg;
        DOMString                    tokenBinding;
        WebAuthnExtensionsAuthenticationExtensions           extensions;
    };
    
    enum ScopedCredentialType {
        "ScopedCred"
    };
    
    [SecureContext]
    interface ScopedCredential {
        readonly attribute ScopedCredentialType type;
        readonly attribute ArrayBuffer          id;
    };
    
    dictionary ScopedCredentialDescriptor {
        required ScopedCredentialType type;
        required BufferSource   id;
        sequence < Transport >   transports;
    };
    
    enum Transport {
        "usb",
        "nfc",
        "ble"
    };
    
    interface PackedAttestation {
        readonly    attribute ArrayBuffer   x5c;
        readonly    attribute ArrayBuffer   daaKey;
        readonly    attribute DOMString     alg;
        readonly    attribute ArrayBuffer   signature;
    };
    
    interface TpmAttestation {
        readonly    attribute DOMString     tpmVersion;
        readonly    attribute ArrayBuffer   x5c;
        readonly    attribute ArrayBuffer   daaKey;
        readonly    attribute ArrayBuffer   certifyInfo;
        readonly    attribute DOMString     alg;
        readonly    attribute ArrayBuffer   signature;
    };
    
    [SecureContext]
    interface AndroidKeyAttestation {
        readonly    attribute ArrayBuffer   signature;
    };
    
    interface AndroidSafetyNetAttestation {
        readonly attribute unsigned long version;
        readonly attribute DOMString     safetyNetResponse;
    };
    
    typedef sequence < AAGUID > AuthenticatorSelectionList;
    
    typedef BufferSource AAGUID;
    
    
    Formats Verifying Statement #attestation-public-key
  • 4.9. Credential Attestation Structure (interface WebAuthnAttestation)
  • (2) assertionReferenced in: getassertion assertionchallenge assertionchallenge 2. Use an existing credential (getAssertion() method) makecredential WebAuthentication Interface 10. 5. 3. Verifying a signature7 7 7 8 3. Authenticator Selection Extension Introduction
  • 3. Terminology
  • ( ) 8. WebAuthn Assertion Extensions (dictionary WebAuthnExtensions 10 4. Credential Descriptor ScopedCredentialDescriptor
  • 7. WebAuthn Extensions (2)
  • 7.2. Defining extensions
  • 7.3. Extending request parameters (2)
  • 8.1. FIDO AppId
  • WebAuthentication Interface4. 1. ( ) 4 2. Information about Scoped Credential (interface ScopedCredentialInfo) timeoutseconds ( ) #webauthnassertion ( ) WebAuthnAssertion 5 2 2. Generating a signature
  • 5.2.3. Verifying a signature
  • #dom-webauthnassertion-clientdata 5 3. Verifying a signature (2) webauthnassertion authenticatordata 5 3. Verifying a signature( 5 3.4. Verifying an Attestation Statement webauthnassertion 5 3. Verifying a signature timeoutseconds ( ) webauthnextensions WebAuthn WebAuthnExtensions 10 #clientdatajson 1.1. Create a new credential (makeCredential() method)( )
  • 4.1.2. Use an existing credential (getAssertion() method) (2)
  • 4.9. Credential Attestation Structure (interface WebAuthnAttestation 10
  • 5.2.2. Generating a signature
  • #clientdatahash ( ) ( ) 9 Attestation Structure WebAuthnAttestation 10 1. 1 Signature Format 2 1. Authenticator data5.2.2. Generating a signature 5 . Verifying a signature 5 3 1. Attestation Formats5.3.3. Generating an Attestation Statement #authenticatormakecredential 3. Terminology 4 1 Create a new credential (makeCredential() method) 1 3 authenticatorCancel #authenticatorgetassertionReferenced in: 3. Terminology
  • 7. WebAuthn Extensions
  • 7.2. Defining extensions
  • 4 1 2 Use existing credential (getAssertion() method) 1. The authenticatorCancel operation (2) 2.1. Authenticator data WebAuthn Extensions
  • 7.2. Defining extensions
  • #authenticatorcancelReferenced in: 4.1.1. Create a new credential (makeCredential() method) (
  • 4.1.2. Use an existing credential (getAssertion() method) (2) (3)
  • #attestation-format 9. Credential Attestation Structure (interface WebAuthnAttestation) 3 Generating an Attestation Statement #self-attestation (3) (4) 9. Credential Attestation Structure (interface WebAuthnAttestation)5. 1. The authenticatorMakeCredential operation
  • 5.3. Credential Attestation Statements
  • 5.3.5.2. Attestation Certificate and Attestation Certificate CA Compromise
  • #dom-packedattestation-algReferenced in: 6.2. Packed Attestation Format #dom packedattestation signature 6 Packed Attestation Format (2) #dom-tpmattestation-tpmversionReferenced in: 6.3. TPM Attestation Format #dom tpmattestation-x5c 6. TPM Attestation Format (2) (3) (4) (5) #dom-tpmattestation-daakey 6 TPM Attestation Format #dom-tpmattestation-certifyinfo 6. TPM Attestation Format (5) #dom-tpmattestation-algReferenced in: 6 TPM Format (2) #dom-tpmattestation-signatureReferenced in: 6 TPM Attestation Format (2) #dom-androidkeyattestation-signature 6 4. Android Key Attestation Format (2) (3) #dom-androidsafetynetattestation-version 6 Android SafetyNet Attestation Format #dom-androidsafetynetattestation-safetynetresponse 6.5. Android SafetyNet Attestation Format (2) (3)