Please check the errata for any errors or issues reported since publication.

This document is governed by the 1 February 2018 W3C Process Document .

This document was produced by a group operating under the W3C Patent Policy . W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy .

This document has been reviewed by W3C Members, by software developers, and by other W3C groups and interested parties, and is endorsed by the Director as a W3C Recommendation. It is a stable document and may be used as reference material or cited from another document. W3C 's role in making the Recommendation is to draw attention to the specification and to promote its widespread deployment. This enhances the functionality and interoperability of the Web.

By publishing this Recommendation, W3C expects the functionality specified in this Recommendation will not be affected by changes to Credential Management Level 1 as this specification proceeds to Recommendation.

This document was published by the Web Authentication Working Group as a W3C Recommendation. Feedback and comments on this specification are welcome. Please use Github issues . Discussions may also be found in the public-webauthn@w3.org archives .

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.

Considerations for Self and None Attestation Types and Ignoring Attestation

Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method

1. Introduction

This section is not normative.

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. A public key credential is created and stored by an authenticator at the behest of a WebAuthn Relying Party, subject to user consent. Subsequently, the public key credential can only be accessed by origins belonging to that Relying Party. This scoping is enforced jointly by conforming User Agents and authenticators. Additionally, privacy across Relying Parties is maintained; Relying Parties are not able to detect any properties, or even the existence, of credentials scoped to other Relying Parties.

Relying Parties employ the Web Authentication API during two distinct, but related, ceremonies involving a user. The first is Registration, where a public key credential is created on an authenticator, and scoped to a Relying Party with the present user’s account (the account might already exist or might be created at this time). The second is Authentication, where the Relying Party is presented with an Authentication Assertion proving the presence and consent of the user who registered the public key credential. Functionally, the Web Authentication API comprises a PublicKeyCredential which extends the Credential Management API [CREDENTIAL-MANAGEMENT-1], and infrastructure which allows those credentials to be used with navigator.credentials.create() and navigator.credentials.get() . The former is used during Registration, and the latter during Authentication.

Broadly, compliant authenticators protect public key credentials, and interact with user agents to implement the Web Authentication API. Implementing compliant authenticators is possible in software executing (a) on a general-purpose computing device, (b) on an on-device Secure Execution Environment, Trusted Platform Module (TPM), or a Secure Element (SE), or (c) off device. Authenticators being implemented on device are called platform authenticators. Authenticators being implemented off device (roaming authenticators) can be accessed over a transport such as Universal Serial Bus (USB), Bluetooth Low Energy (BLE), or Near Field Communications (NFC).

1.1. Specification Roadmap

While many W3C specifications are directed primarily to user agent developers and also to web application developers (i.e., "Web authors"), the nature of Web Authentication requires that this specification be correctly used by multiple audiences, as described below. All audiences ought to begin with §1.2 Use Cases, §12 Sample Scenarios, and §4 Terminology, and should also refer to [WebAuthnAPIGuide] for an overall tutorial.





1.2. Use Cases

The below use case scenarios illustrate use of two very different types of authenticators, as well as outline further scenarios. Additional scenarios, including sample code, are given later in §12 Sample Scenarios.

1.2.1. Registration

On a phone: User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using (possibly a legacy method such as a password), or creates a new account. The phone prompts, "Do you want to register this device with example.com?" User agrees. The phone prompts the user for a previously configured authorization gesture (PIN, biometric, etc.); the user provides this. Website shows message, "Registration complete."



1.2.2. Authentication

On a laptop or desktop: User pairs their phone with the laptop or desktop via Bluetooth. User navigates to example.com in a browser and initiates signing in. User gets a message from the browser, "Please complete this action on your phone."

Next, on their phone: User sees a discrete prompt or notification, "Sign in to example.com." User selects this prompt / notification. User is shown a list of their example.com identities, e.g., "Sign in as Alice / Sign in as Bob." User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.

Now, back on the laptop: Web page shows that the selected user is signed in, and navigates to the signed-in page.



1.2.3. New Device Registration

This use case scenario illustrates how a Relying Party can leverage a combination of a roaming authenticator (e.g., a USB security key fob) and a platform authenticator (e.g., a built-in fingerprint sensor) such that the user has:

Note: This approach of registering multiple authenticators for an account is also useful in account recovery use cases.

First, on a desktop computer (lacking a platform authenticator): User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using (possibly a legacy method such as a password), or creates a new account. User navigates to account security settings and selects "Register security key". Website prompts the user to plug in a USB security key fob; the user does. The USB security key blinks to indicate the user should press the button on it; the user does. Website shows message, "Registration complete." Note: Since this computer lacks a platform authenticator, the website may require the user to present their USB security key from time to time or each time the user interacts with the website. This is at the website’s discretion.

Later, on their laptop (which features a platform authenticator): User navigates to example.com in a browser and initiates signing in. Website prompts the user to plug in their USB security key. User plugs in the previously registered USB security key and presses the button. Website shows that the user is signed in, and navigates to the signed-in page. Website prompts, "Do you want to register this computer with example.com?" User agrees. Laptop prompts the user for a previously configured authorization gesture (PIN, biometric, etc.); the user provides this. Website shows message, "Registration complete." User signs out.

Later, again on their laptop: User navigates to example.com in a browser and initiates signing in. Website shows message, "Please follow your computer’s prompts to complete sign in." Laptop prompts the user for an authorization gesture (PIN, biometric, etc.); the user provides this. Website shows that the user is signed in, and navigates to the signed-in page.



1.2.4. Other Use Cases and Configurations

A variety of additional use cases and configurations are also possible, including (but not limited to):

A user navigates to example.com on their laptop, is guided through a flow to create and register a credential on their phone.

A user obtains a discrete, roaming authenticator, such as a "fob" with USB or USB+NFC/BLE connectivity options, loads example.com in their browser on a laptop or phone, and is guided though a flow to create and register a credential on the fob.

A Relying Party prompts the user for their authorization gesture in order to authorize a single transaction, such as a payment or other financial transaction.

1.3. Platform-Specific Implementation Guidance

This specification defines how to use Web Authentication in the general case. When using Web Authentication in connection with specific platform support (e.g. apps), it is recommended to see platform-specific documentation and guides for additional guidance and limitations.

2. Conformance

This specification defines three conformance classes. Each of these classes is specified so that conforming members of the class are secure against non-conforming or hostile members of the other classes.

2.1. User Agents

A User Agent MUST behave as described by §5 Web Authentication API in order to be considered conformant. Conforming User Agents MAY implement algorithms given in this specification in any way desired, so long as the end result is indistinguishable from the result that would be obtained by the specification’s algorithms.

A conforming User Agent MUST also be a conforming implementation of the IDL fragments of this specification, as described in the “Web IDL” specification. [WebIDL]

2.2. Authenticators

An authenticator MUST provide the operations defined by §6 WebAuthn Authenticator Model, and those operations MUST behave as described there. This is a set of functional and security requirements for an authenticator to be usable by a Conforming User Agent.

As described in §1.2 Use Cases, an authenticator may be implemented in the operating system underlying the User Agent, or in external hardware, or a combination of both.

2.2.1. Backwards Compatibility with FIDO U2F

Authenticators that only support the §8.6 FIDO U2F Attestation Statement Format have no mechanism to store a user handle, so the returned userHandle will always be null.

2.3. WebAuthn Relying Parties

A WebAuthn Relying Party MUST behave as described in §7 WebAuthn Relying Party Operations to obtain all the security benefits offered by this specification. See §13.3 Security Benefits for WebAuthn Relying Parties for further discussion of this.

2.4. All Conformance Classes

All CBOR encoding performed by the members of the above conformance classes MUST be done using the CTAP2 canonical CBOR encoding form. All decoders of the above conformance classes SHOULD reject CBOR that is not validly encoded in the CTAP2 canonical CBOR encoding form and SHOULD reject messages with duplicate map keys.

3. Dependencies

This specification relies on several other underlying specifications, listed below and in Terms defined by reference.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

4. Terminology

5. Web Authentication API

This section normatively specifies the API for creating and using public key credentials. The basic idea is that the credentials belong to the user and are managed by an authenticator, with which the WebAuthn Relying Party interacts through the client platform. Relying Party scripts can (with the user’s consent) request the browser to create a new credential for future use by the Relying Party. See Figure 1, below.

Registration Flow

Scripts can also request the user’s permission to perform authentication operations with an existing credential. See Figure 2, below.

Authentication Flow

All such operations are performed in the authenticator and are mediated by the client platform on the user’s behalf. At no point does the script get access to the credentials themselves; it only gets information about the credentials in the form of objects.

In addition to the above script interface, the authenticator MAY implement (or come with client software that implements) a user interface for management. Such an interface MAY be used, for example, to reset the authenticator to a clean state or to inspect the current state of the authenticator. In other words, such an interface is similar to the user interfaces provided by browsers for managing user state such as history, saved passwords, and cookies. Authenticator management actions such as credential deletion are considered to be the responsibility of such a user interface and are deliberately omitted from the API exposed to scripts.

The security properties of this API are provided by the client and the authenticator working together. The authenticator, which holds and manages credentials, ensures that all operations are scoped to a particular origin, and cannot be replayed against a different origin, by incorporating the origin in its responses. Specifically, as defined in §6.3 Authenticator Operations, the full origin of the requester is included, and signed over, in the attestation object produced when a new credential is created as well as in all assertions produced by WebAuthn credentials.

Additionally, to maintain user privacy and prevent malicious Relying Parties from probing for the presence of public key credentials belonging to other Relying Parties, each credential is also scoped to a Relying Party Identifier, or RP ID. This RP ID is provided by the client to the authenticator for all operations, and the authenticator ensures that credentials created by a Relying Party can only be used in operations requested by the same RP ID. Separating the origin from the RP ID in this way allows the API to be used in cases where a single Relying Party maintains multiple origins.

The client facilitates these security measures by providing the Relying Party's origin and RP ID to the authenticator for each operation. Since this is an integral part of the WebAuthn security model, user agents only expose this API to callers in secure contexts.

The Web Authentication API is defined by the union of the Web IDL fragments presented in the following sections. A combined IDL listing is given in the IDL Index.

5.1. PublicKeyCredential Interface

The PublicKeyCredential interface inherits from Credential [CREDENTIAL-MANAGEMENT-1], and contains the attributes that are returned to the caller when a new credential is created, or a new assertion is requested.

[ SecureContext , Exposed = Window ] interface PublicKeyCredential : Credential { [ SameObject ] readonly attribute ArrayBuffer rawId ; [ SameObject ] readonly attribute AuthenticatorResponse response ; AuthenticationExtensionsClientOutputs getClientExtensionResults (); };

PublicKeyCredential 's interface object inherits Credential 's implementation of [[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors) , and defines its own implementation of [[Create]](origin, options, sameOriginWithAncestors) , [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) , and [[Store]](credential, sameOriginWithAncestors) .

5.1.1. CredentialCreationOptions Dictionary Extension

To support registration via navigator.credentials.create() , this document extends the CredentialCreationOptions dictionary as follows:

partial dictionary CredentialCreationOptions { PublicKeyCredentialCreationOptions publicKey ; };

5.1.2. CredentialRequestOptions Dictionary Extension

To support obtaining assertions via navigator.credentials.get() , this document extends the CredentialRequestOptions dictionary as follows:

partial dictionary CredentialRequestOptions { PublicKeyCredentialRequestOptions publicKey ; };

5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method

5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method

WebAuthn Relying Parties call navigator.credentials.get({publicKey:..., ...}) to discover and use an existing public key credential, with the user’s consent. Relying Party script optionally specifies some criteria to indicate what credential sources are acceptable to it. The client platform locates credential sources matching the specified criteria, and guides the user to pick one that the script will be allowed to use. The user may choose to decline the entire interaction even if a credential source is present, for example to maintain privacy. If the user picks a credential source, the user agent then uses §6.3.3 The authenticatorGetAssertion Operation to sign a Relying Party-provided challenge and other collected data into an assertion, which is used as a credential.

The get() implementation [CREDENTIAL-MANAGEMENT-1] calls PublicKeyCredential. [[CollectFromCredentialStore]]() to collect any credentials that should be available without user mediation (roughly, this specification’s authorization gesture), and if it does not find exactly one of those, it then calls PublicKeyCredential. [[DiscoverFromExternalSource]]() to have the user select a credential source.

Since this specification requires an authorization gesture to create any credentials, the PublicKeyCredential. [[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors) internal method inherits the default behavior of Credential.[[CollectFromCredentialStore]]() , of returning an empty set.

This navigator.credentials.get() operation can be aborted by leveraging the AbortController ; see DOM §3.3 Using AbortController and AbortSignal objects in APIs for detailed instructions.

5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method

5.1.5. Store an Existing Credential - PublicKeyCredential’s [[Store]](credential, sameOriginWithAncestors) Method

5.1.6. Preventing Silent Access to an Existing Credential - PublicKeyCredential’s [[preventSilentAccess]](credential, sameOriginWithAncestors) Method

Calling the [[preventSilentAccess]](credential, sameOriginWithAncestors) method will have no effect on authenticators that require an authorization gesture, but setting that flag may potentially exclude authenticators that can operate without user intervention. This internal method accepts no arguments.

WebAuthn Relying Parties use this method to determine whether they can create a new credential using a user-verifying platform authenticator. Upon invocation, the client employs a client platform-specific procedure to discover available user-verifying platform authenticators. If any are discovered, the promise is resolved with the value of true . Otherwise, the promise is resolved with the value of false . Based on the result, the Relying Party can take further actions to guide the user to create a credential. This method has no arguments and returns a Boolean value. partial interface PublicKeyCredential { static Promise < boolean > isUserVerifyingPlatformAuthenticatorAvailable (); };

5.2. Authenticator Responses (interface AuthenticatorResponse )

Authenticators respond to Relying Party requests by returning an object derived from the AuthenticatorResponse interface:

[ SecureContext , Exposed = Window ] interface AuthenticatorResponse { [ SameObject ] readonly attribute ArrayBuffer clientDataJSON ; };

clientDataJSON , of type ArrayBuffer , readonly This attribute contains a JSON serialization of the client data passed to the authenticator by the client in its call to either create() or get() .

5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse )

The AuthenticatorAttestationResponse interface represents the authenticator's response to a client’s request for the creation of a new public key credential. It contains information about the new credential that can be used to identify it for later use, and metadata that can be used by the WebAuthn Relying Party to assess the characteristics of the credential during registration.

[ SecureContext , Exposed = Window ] interface AuthenticatorAttestationResponse : AuthenticatorResponse { [ SameObject ] readonly attribute ArrayBuffer attestationObject ; };

5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse )

The AuthenticatorAssertionResponse interface represents an authenticator's response to a client’s request for generation of a new authentication assertion given the WebAuthn Relying Party's challenge and OPTIONAL list of credentials it is aware of. This response contains a cryptographic signature proving possession of the credential private key, and optionally evidence of user consent to a specific transaction.

[ SecureContext , Exposed = Window ] interface AuthenticatorAssertionResponse : AuthenticatorResponse { [ SameObject ] readonly attribute ArrayBuffer authenticatorData ; [ SameObject ] readonly attribute ArrayBuffer signature ; [ SameObject ] readonly attribute ArrayBuffer ? userHandle ; };

5.3. Parameters for Credential Generation (dictionary PublicKeyCredentialParameters )

dictionary PublicKeyCredentialParameters { required PublicKeyCredentialType type ; required COSEAlgorithmIdentifier alg ; };

type , of type PublicKeyCredentialType This member specifies the type of credential to be created. alg , of type COSEAlgorithmIdentifier This member specifies the cryptographic signature algorithm with which the newly generated credential will be used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve. This dictionary is used to supply additional parameters when creating a new credential. Note: we use "alg" as the latter member name, rather than spelling-out "algorithm", because it will be serialized into a message to the authenticator, which may be sent over a low-bandwidth link.

5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions )

5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity )

The PublicKeyCredentialEntity dictionary describes a user account, or a WebAuthn Relying Party, which a public key credential is associated with or scoped to, respectively.

dictionary PublicKeyCredentialEntity { required DOMString name ; USVString icon ; };

5.4.2. Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity )

The PublicKeyCredentialRpEntity dictionary is used to supply additional Relying Party attributes when creating a new credential.

dictionary PublicKeyCredentialRpEntity : PublicKeyCredentialEntity { DOMString id ; };

id , of type DOMString A unique identifier for the Relying Party entity, which sets the RP ID.

5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity )

The PublicKeyCredentialUserEntity dictionary is used to supply additional user account attributes when creating a new credential.

dictionary PublicKeyCredentialUserEntity : PublicKeyCredentialEntity { required BufferSource id ; required DOMString displayName ; };

id , of type BufferSource The user handle of the user account entity. To ensure secure operation, authentication and authorization decisions MUST be made on the basis of this id member, not the displayName nor name members. See Section 6.1 of [RFC8266]. displayName , of type DOMString A human-palatable name for the user account, intended only for display. For example, "Alex P. Müller" or "田中 倫". The Relying Party SHOULD let the user choose this, and SHOULD NOT restrict the choice more than necessary. Relying Parties SHOULD perform enforcement, as prescribed in Section 2.3 of [RFC8266] for the Nickname Profile of the PRECIS FreeformClass [RFC8264], when setting displayName 's value, or displaying the value to the user.

Clients SHOULD perform enforcement, as prescribed in Section 2.3 of [RFC8266] for the Nickname Profile of the PRECIS FreeformClass [RFC8264], on displayName 's value prior to displaying the value to the user or including the value as a parameter of the authenticatorMakeCredential operation. When clients, client platforms, or authenticators display a displayName 's value, they should always use UI elements to provide a clear boundary around the displayed value, and not allow overflow into other elements [css-overflow-3]. Authenticators MUST accept and store a 64-byte minimum length for a displayName member’s value. Authenticators MAY truncate a displayName member’s value to a length equal to or greater than 64 bytes.

5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria )

WebAuthn Relying Parties may use the AuthenticatorSelectionCriteria dictionary to specify their requirements regarding authenticator attributes.

dictionary AuthenticatorSelectionCriteria { AuthenticatorAttachment authenticatorAttachment ; boolean requireResidentKey = false ; UserVerificationRequirement userVerification = "preferred"; };

5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment )

This enumeration’s values describe authenticators' attachment modalities. Relying Parties use this for two purposes:

platform This value indicates platform attachment. cross-platform This value indicates cross-platform attachment.

Note: An authenticator attachment modality selection option is available only in the [[Create]](origin, options, sameOriginWithAncestors) operation. The Relying Party may use it to, for example, ensure the user has a roaming credential for authenticating on another client device; or to specifically register a platform credential for easier reauthentication using a particular client device. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) operation has no authenticator attachment modality selection option, so the Relying Party SHOULD accept any of the user’s registered credentials. The client and user will then use whichever is available and convenient at the time.

5.4.6. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference )

WebAuthn Relying Parties may use AttestationConveyancePreference to specify their preference regarding attestation conveyance during credential generation.

5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions )

The PublicKeyCredentialRequestOptions dictionary supplies get() with the data it needs to generate an assertion. Its challenge member MUST be present, while its other members are OPTIONAL.

5.6. Abort Operations with AbortSignal

Developers are encouraged to leverage the AbortController to manage the [[Create]](origin, options, sameOriginWithAncestors) and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) operations. See DOM §3.3 Using AbortController and AbortSignal objects in APIs section for detailed instructions.

Note: DOM §3.3 Using AbortController and AbortSignal objects in APIs section specifies that web platform APIs integrating with the AbortController must reject the promise immediately once the aborted flag is set. Given the complex inheritance and parallelization structure of the [[Create]](origin, options, sameOriginWithAncestors) and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) methods, the algorithms for the two APIs fulfills this requirement by checking the aborted flag in three places. In the case of [[Create]](origin, options, sameOriginWithAncestors) , the aborted flag is checked first in Credential Management 1 §2.5.4 Create a Credential immediately before calling [[Create]](origin, options, sameOriginWithAncestors) , then in §5.1.3 Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method right before authenticator sessions start, and finally during authenticator sessions. The same goes for [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) .

The visibility and focus state of the Window object determines whether the [[Create]](origin, options, sameOriginWithAncestors) and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) operations should continue. When the Window object associated with the [Document loses focus, [[Create]](origin, options, sameOriginWithAncestors) and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) operations SHOULD be aborted.

The WHATWG HTML WG is discussing whether to provide a hook when a browsing context gains or loses focuses. If a hook is provided, developers should use it to determine the focus state. See WHATWG HTML WG Issue #2711 for more details.

5.7. AuthenticationExtensionsClientInputs ) Authentication Extensions Client Inputs (typedef

dictionary AuthenticationExtensionsClientInputs { };

This is a dictionary containing the client extension input values for zero or more WebAuthn extensions, as defined in §9 WebAuthn Extensions.

5.8. AuthenticationExtensionsClientOutputs ) Authentication Extensions Client Outputs (typedef

dictionary AuthenticationExtensionsClientOutputs { };

This is a dictionary containing the client extension output values for zero or more WebAuthn extensions, as defined in §9 WebAuthn Extensions.

5.9. AuthenticationExtensionsAuthenticatorInputs ) Authentication Extensions Authenticator Inputs (typedef

typedef record < DOMString , DOMString > AuthenticationExtensionsAuthenticatorInputs ;

This is a dictionary containing the authenticator extension input values for zero or more WebAuthn extensions, as defined in §9 WebAuthn Extensions.

5.10. Supporting Data Structures

The public key credential type uses certain data structures that are specified in supporting specifications. These are as follows.

5.10.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData )

The client data represents the contextual bindings of both the WebAuthn Relying Party and the client. It is a key-value mapping whose keys are strings. Values can be any type that has a valid encoding in JSON. Its structure is defined by the following Web IDL.

Note: The CollectedClientData may be extended in the future. Therefore it’s critical when parsing to be tolerant of unknown keys and of any reordering of the keys.

dictionary CollectedClientData { required DOMString type ; required DOMString challenge ; required DOMString origin ; TokenBinding tokenBinding ; }; dictionary TokenBinding { required TokenBindingStatus status ; DOMString id ; }; enum TokenBindingStatus { "present" , "supported" };

5.10.2. Credential Type Enumeration (enum PublicKeyCredentialType )

This enumeration defines the valid credential types. It is an extension point; values can be added to it in the future, as more credential types are defined. The values of this enumeration are used for versioning the Authentication Assertion and attestation structures according to the type of the authenticator. Currently one credential type is defined, namely " public-key ".

5.10.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor )

dictionary PublicKeyCredentialDescriptor { required PublicKeyCredentialType type ; required BufferSource id ; sequence < AuthenticatorTransport > transports ; };

This dictionary contains the attributes that are specified by a caller when referring to a public key credential as an input parameter to the create() or get() methods. It mirrors the fields of the PublicKeyCredential object returned by the latter methods.

5.10.4. Authenticator Transport Enumeration (enum AuthenticatorTransport )

5.10.5. COSEAlgorithmIdentifier ) Cryptographic Algorithm Identifier (typedef

typedef long COSEAlgorithmIdentifier ;

COSEAlgorithmIdentifier 's value is a number identifying a cryptographic algorithm. The algorithm identifiers SHOULD be values registered in the IANA COSE Algorithms registry -7 for "ES256" and -257 for "RS256". 's value is a number identifying a cryptographic algorithm. The algorithm identifiers SHOULD be values registered in the IANA COSE Algorithms registry [IANA-COSE-ALGS-REG] , for instance,for "ES256" andfor "RS256".

5.10.6. User Verification Requirement Enumeration (enum UserVerificationRequirement )

A WebAuthn Relying Party may require user verification for some of its operations but not for others, and may use this type to express its needs.

required This value indicates that the Relying Party requires user verification for the operation and will fail the operation if the response does not have the UV flag set. preferred This value indicates that the Relying Party prefers user verification for the operation if possible, but will not fail the operation if the response does not have the UV flag set. discouraged This value indicates that the Relying Party does not want user verification employed during the operation (e.g., in the interest of minimizing disruption to the user interaction flow).

6. WebAuthn Authenticator Model

The Web Authentication API implies a specific abstract functional model for an authenticator. This section describes that authenticator model.

Client platforms MAY implement and expose this abstract model in any way desired. However, the behavior of the client’s Web Authentication API implementation, when operating on the authenticators supported by that client platform, MUST be indistinguishable from the behavior specified in §5 Web Authentication API.

Note: [FIDO-CTAP] is an example of a concrete instantiation of this model, but it is one in which there are differences in the data it returns and those expected by the WebAuthn API's algorithms. The CTAP2 response messages are CBOR maps constructed using integer keys rather than the string keys defined in this specification for the same objects. The client is expected to perform any needed transformations on such data. The [FIDO-CTAP] specification details the mapping between CTAP2 integer keys and WebAuthn string keys, in section §6.2. Responses.

For authenticators, this model defines the logical operations that they MUST support, and the data formats that they expose to the client and the WebAuthn Relying Party. However, it does not define the details of how authenticators communicate with the client device, unless they are necessary for interoperability with Relying Parties. For instance, this abstract model does not define protocols for connecting authenticators to clients over transports such as USB or NFC. Similarly, this abstract model does not define specific error codes or methods of returning them; however, it does define error behavior in terms of the needs of the client. Therefore, specific error codes are mentioned as a means of showing which error conditions MUST be distinguishable (or not) from each other in order to enable a compliant and secure client implementation.

Relying Parties may influence authenticator selection, if they deem necessary, by stipulating various authenticator characteristics when creating credentials and/or when generating assertions, through use of credential creation options or assertion generation options, respectively. The algorithms underlying the WebAuthn API marshal these options and pass them to the applicable authenticator operations defined below.

In this abstract model, the authenticator provides key management and cryptographic signatures. It can be embedded in the WebAuthn client or housed in a separate device entirely. The authenticator itself can contain a cryptographic module which operates at a higher security level than the rest of the authenticator. This is particularly important for authenticators that are embedded in the WebAuthn client, as in those cases this cryptographic module (which may, for example, be a TPM) could be considered more trustworthy than the rest of the authenticator.

Each authenticator stores a credentials map , a map from (rpId, [userHandle]) to public key credential source.

Additionally, each authenticator has an AAGUID, which is a 128-bit identifier indicating the type (e.g. make and model) of the authenticator. The AAGUID MUST be chosen by the manufacturer to be identical across all substantially identical authenticators made by that manufacturer, and different (with high probability) from the AAGUIDs of all other types of authenticators. The AAGUID for a given type of authenticator SHOULD be randomly generated to ensure this. The Relying Party MAY use the AAGUID to infer certain properties of the authenticator, such as certification level and strength of key protection, using information from other sources.

The primary function of the authenticator is to provide WebAuthn signatures, which are bound to various contextual data. These data are observed and added at different levels of the stack as a signature request passes from the server to the authenticator. In verifying a signature, the server checks these bindings against expected values. These contextual bindings are divided in two: Those added by the Relying Party or the client, referred to as client data; and those added by the authenticator, referred to as the authenticator data. The authenticator signs over the client data, but is otherwise not interested in its contents. To save bandwidth and processing requirements on the authenticator, the client hashes the client data and sends only the result to the authenticator. The authenticator signs over the combination of the hash of the serialized client data, and its own authenticator data.

The goals of this design can be summarized as follows.

The scheme for generating signatures should accommodate cases where the link between the client device and authenticator is very limited, in bandwidth and/or latency. Examples include Bluetooth Low Energy and Near-Field Communication.

The data processed by the authenticator should be small and easy to interpret in low-level code. In particular, authenticators should not have to parse high-level encodings such as JSON.

Both the client and the authenticator should have the flexibility to add contextual bindings as needed.

The design aims to reuse as much as possible of existing encoding formats in order to aid adoption and implementation.

Authenticators produce cryptographic signatures for two distinct purposes:

The formats of these signatures, as well as the procedures for generating them, are specified below.

6.1. Authenticator Data

The authenticator data structure encodes contextual bindings made by the authenticator. These bindings are controlled by the authenticator itself, and derive their trust from the WebAuthn Relying Party's assessment of the security properties of the authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy than the client data. At the other extreme, the authenticator may be a discrete entity with high-security hardware and software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same format, and uses its knowledge of the authenticator to make trust decisions.

The authenticator data has a compact but extensible encoding. This is desired since authenticators can be devices with limited capabilities and low power requirements, with much simpler software stacks than the client platform.

The authenticator data structure is a byte array of 37 bytes or more, laid out as shown in Table 1.

The RP ID is originally received from the client when the credential is created, and again when an assertion is generated. However, it differs from other client data in some important ways. First, unlike the client data, the RP ID of a credential does not change between operations but instead remains the same for the lifetime of that credential. Secondly, it is validated by the authenticator during the authenticatorGetAssertion operation, by verifying that the RP ID that the requested credential is scoped to exactly matches the RP ID supplied by the client.

Authenticators perform the following steps to generate an authenticator data structure :

The figure below shows a visual representation of the authenticator data structure.

6.1.1. Signature Counter Considerations

Authenticators SHOULD implement a signature counter feature. The signature counter is incremented for each successful authenticatorGetAssertion operation by some positive value, and its value is returned to the WebAuthn Relying Party within the authenticator data. The signature counter's purpose is to aid Relying Parties in detecting cloned authenticators. Clone detection is more important for authenticators with limited protection measures.

A Relying Party stores the signature counter of the most recent authenticatorGetAssertion operation. Upon a new authenticatorGetAssertion operation, the Relying Party compares the stored signature counter value with the new signCount value returned in the assertion’s authenticator data. If this new signCount value is less than or equal to the stored value, a cloned authenticator may exist, or the authenticator may be malfunctioning.

Detecting a signature counter mismatch does not indicate whether the current operation was performed by a cloned authenticator or the original authenticator. Relying Parties should address this situation appropriately relative to their individual situations, i.e., their risk tolerance.

Authenticators:

SHOULD implement per credential signature counters. This prevents the signature counter value from being shared between Relying Parties and being possibly employed as a correlation handle for the user. Authenticators may implement a global signature counter, i.e., on a per-authenticator basis, but this is less privacy-friendly for users.

SHOULD ensure that the signature counter value does not accidentally decrease (e.g., due to hardware failures).

6.1.2. FIDO U2F Signature Format Compatibility

The format for assertion signatures, which sign over the concatenation of an authenticator data structure and the hash of the serialized client data, are compatible with the FIDO U2F authentication signature format (see Section 5.4 of [FIDO-U2F-Message-Formats]).

This is because the first 37 bytes of the signed data in a FIDO U2F authentication response message constitute a valid authenticator data structure, and the remaining 32 bytes are the hash of the serialized client data. In this authenticator data structure, the rpIdHash is the FIDO U2F application parameter, all flags except UP are always zero, and the attestedCredentialData and extensions are never present. FIDO U2F authentication signatures can therefore be verified by the same procedure as other assertion signatures generated by the authenticatorMakeCredential operation.

6.2. Authenticator Taxonomy

Authenticator types vary along several different dimensions: authenticator attachment modality, employed transport(s), credential storage modality, and authentication factor capability. The combination of these dimensions defines an authenticator's authenticator type , which in turn determines the broad use cases the authenticator supports. Table 2 defines names for some authenticator types.

These types can be further broken down into subtypes, such as which transport(s) a roaming authenticator supports. The following sections define the terms authenticator attachment modality, credential storage modality and authentication factor capability.

6.2.1. Authenticator Attachment Modality

Clients can communicate with authenticators using a variety of mechanisms. For example, a client MAY use a client device-specific API to communicate with an authenticator which is physically bound to a client device. On the other hand, a client can use a variety of standardized cross-platform transport protocols such as Bluetooth (see §5.10.4 Authenticator Transport Enumeration (enum AuthenticatorTransport)) to discover and communicate with cross-platform attached authenticators. We refer to authenticators that are part of the client device as platform authenticators , while those that are reachable via cross-platform transport protocols are referred to as roaming authenticators .

Some platform authenticators could possibly also act as roaming authenticators depending on context. For example, a platform authenticator integrated into a mobile device could make itself available as a roaming authenticator via Bluetooth. In this case the client would recognize it only as a roaming authenticator, and not as a platform authenticator.

A primary use case for platform authenticators is to register a particular client device as a "trusted device" available as a something you have authentication factor for future authentication. This gives the user the convenience benefit of not needing a roaming authenticator for future authentication ceremonies, e.g., the user will not have to dig around in their pocket for their key fob or phone.

A primary use case for roaming authenticators is for initial authentication on a new client device, or on client devices that are rarely used or do not include a platform authenticator; or when policy or preference dictates that the authenticator be kept separate from the clients it is used with. A roaming authenticator can also be used to hold backup credentials in case another authenticator is lost.

6.2.2. Credential Storage Modality

An authenticator can store a public key credential source in one of two ways:

Which of these storage strategies an authenticator supports defines the authenticator's credential storage modality as follows:

Note that a resident credential capable authenticator MAY support both storage strategies. In this case, the authenticator MAY at its discretion use different storage strategies for different credentials, though subject to the requireResidentKey option of create() .

6.2.3. Authentication Factor Capability

There are three broad classes of authentication factors that can be used to prove an identity during an authentication ceremony: something you have, something you know and something you are. Examples include a physical key, a password, and a fingerprint, respectively.

All WebAuthn authenticators belong to the something you have class, but an authenticator that supports user verification can also act as one or two additional kinds of authentication factor. For example, if the authenticator can verify a PIN, the PIN is something you know, and a biometric authenticator can verify something you are. Therefore, an authenticator that supports user verification is multi-factor capable . Conversely, an authenticator that is not multi-factor capable is single-factor capable . Note that a single multi-factor capable authenticator could support several modes of user verification, meaning it could act as all three kinds of authentication factor.

Although user verification is performed locally on the authenticator and not by the Relying Party, the authenticator indicates if user verification was performed by setting the UV flag in the signed response returned to the Relying Party. The Relying Party can therefore use the UV flag to verify that additional authentication factors were used in a registration or authentication ceremony. The authenticity of the UV flag can in turn be assessed by inspecting the authenticator's attestation statement.

6.3. Authenticator Operations

A WebAuthn Client MUST connect to an authenticator in order to invoke any of the operations of that authenticator. This connection defines an authenticator session . An authenticator must maintain isolation between sessions. It may do this by only allowing one session to exist at any particular time, or by providing more complicated session management.

The following operations can be invoked by the client in an authenticator session.

6.3.1. Lookup Credential Source by Credential ID Algorithm

The result of looking up a credential id credentialId in an authenticator authenticator is the result of the following algorithm:

6.3.2. The authenticatorMakeCredential Operation

It takes the following input parameters:

Note: Before performing this operation, all other operations in progress in the authenticator session MUST be aborted by running the authenticatorCancel operation.

When this operation is invoked, the authenticator MUST perform the following procedure:

On successful completion of this operation, the authenticator returns the attestation object to the client.

6.3.3. The authenticatorGetAssertion Operation

It takes the following input parameters:

Note: Before performing this operation, all other operations in progress in the authenticator session MUST be aborted by running the authenticatorCancel operation.

When this method is invoked, the authenticator MUST perform the following procedure:

If the authenticator cannot find any credential corresponding to the specified Relying Party that matches the specified criteria, it terminates the operation and returns an error.

6.3.4. The authenticatorCancel Operation

This operation takes no input parameters and returns no result.

When this operation is invoked by the client in an authenticator session, it has the effect of terminating any authenticatorMakeCredential or authenticatorGetAssertion operation currently in progress in that authenticator session. The authenticator stops prompting for, or accepting, any user input related to authorizing the canceled operation. The client ignores any further responses from the authenticator for the canceled operation.

This operation is ignored if it is invoked in an authenticator session which does not have an authenticatorMakeCredential or authenticatorGetAssertion operation currently in progress.

6.4. Attestation

Authenticators MUST also provide some form of attestation. The basic requirement is that the authenticator can produce, for each credential public key, an attestation statement verifiable by the WebAuthn Relying Party. Typically, this attestation statement contains a signature by an attestation private key over the attested credential public key and a challenge, as well as a certificate or similar data providing provenance information for the attestation public key, enabling the Relying Party to make a trust decision. However, if an attestation key pair is not available, then the authenticator MUST perform self attestation of the credential public key with the corresponding credential private key. All this information is returned by authenticators any time a new public key credential is generated, in the overall form of an attestation object . The relationship of the attestation object with authenticator data (containing attested credential data) and the attestation statement is illustrated in figure 5, below.

An important component of the attestation object is the attestation statement . This is a specific type of signed data object, containing statements about a public key credential itself and the authenticator that created it. It contains an attestation signature created using the key of the attesting authority (except for the case of self attestation, when it is created using the credential private key). In order to correctly interpret an attestation statement, a Relying Party needs to understand these two aspects of attestation:

The attestation statement format is the manner in which the signature is represented and the various contextual bindings are incorporated into the attestation statement by the authenticator. In other words, this defines the syntax of the statement. Various existing components and OS platforms (such as TPMs and the Android OS) have previously defined attestation statement formats. This specification supports a variety of such formats in an extensible way, as defined in §6.4.2 Attestation Statement Formats. The attestation type defines the semantics of attestation statements and their underlying trust models. Specifically, it defines how a Relying Party establishes trust in a particular attestation statement, after verifying that it is cryptographically valid. This specification supports a number of attestation types, as described in §6.4.3 Attestation Types.

In general, there is no simple mapping between attestation statement formats and attestation types. For example, the "packed" attestation statement format defined in §8.2 Packed Attestation Statement Format can be used in conjunction with all attestation types, while other formats and types have more limited applicability.

The privacy, security and operational characteristics of attestation depend on:

The attestation type, which determines the trust model,

The attestation statement format, which MAY constrain the strength of the attestation by limiting what can be expressed in an attestation statement, and

The characteristics of the individual authenticator, such as its construction, whether part or all of it runs in a secure operating environment, and so on.

It is expected that most authenticators will support a small number of attestation types and attestation statement formats, while Relying Parties will decide what attestation types are acceptable to them by policy. Relying Parties will also need to understand the characteristics of the authenticators that they trust, based on information they have about these authenticators. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to access such information.

6.4.1. Attested Credential Data

Attested credential data is a variable-length byte array added to the authenticator data when generating an attestation object for a given credential. Its format is shown in Table 3.

6.4.1.1. Examples of credentialPublicKey Values Encoded in COSE_Key Format

This section provides examples of COSE_Key-encoded Elliptic Curve and RSA public keys for the ES256, PS256, and RS256 signature algorithms. These examples adhere to the rules defined above for the credentialPublicKey value, and are presented in [CDDL] for clarity.

[RFC8152] Section 7 defines the general framework for all COSE_Key-encoded keys. Specific key types for specific algorithms are defined in other sections of [RFC8152] as well as in other specifications, as noted below.

Below is an example of a COSE_Key-encoded Elliptic Curve public key in EC2 format (see [RFC8152] Section 13.1), on the P-256 curve, to be used with the ES256 signature algorithm (ECDSA w/ SHA-256, see [RFC8152] Section 8.1):

{ 1: 2, ; kty: EC2 key type 3: -7, ; alg: ES256 signature algorithm -1: 1, ; crv: P-256 curve -2: x, ; x-coordinate as byte string 32 bytes in length ; e.g., in hex: 65eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c08551d -3: y ; y-coordinate as byte string 32 bytes in length ; e.g., in hex: 1e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd0084d19c }

Below is the above Elliptic Curve public key encoded in the CTAP2 canonical CBOR encoding form, whitespace and line breaks are included here for clarity and to match the [CDDL] presentation above:

A 5 01 02 03 26 20 01 21 58 20 65 eda 5 a 12577 c 2 bae 829437 fe 338701 a 10 aaa 375e1 bb 5 b 5 de 108 de 439 c 08551 d 22 58 20 1e52 ed 75701163 f 7 f 9e40 ddf 9 f 341 b 3 dc 9 ba 860 af 7e0 ca 7 ca 7e9 eecd 0084 d 19 c

Below is an example of a COSE_Key-encoded 2048-bit RSA public key (see [RFC8230] Section 4), to be used with the PS256 signature algorithm (RSASSA-PSS with SHA-256, see [RFC8230] Section 2):

{ 1: 3, ; kty: RSA key type 3: -37, ; alg: PS256 -1: n, ; n: RSA modulus n byte string 256 bytes in length ; e.g., in hex (middle bytes elided for brevity): DB5F651550...6DC6548ACC3 -2: e ; e: RSA public exponent e byte string 3 bytes in length ; e.g., in hex: 010001 }

Below is an example of the same COSE_Key-encoded RSA public key as above, to be used with the RS256 signature algorithm (RSASSA-PKCS1-v1_5 with SHA-256, see §11.3 COSE Algorithm Registrations):

{ 1: 3, ; kty: RSA key type 3:-257, ; alg: RS256 -1: n, ; n: RSA modulus n byte string 256 bytes in length ; e.g., in hex (middle bytes elided for brevity): DB5F651550...6DC6548ACC3 -2: e ; e: RSA public exponent e byte string 3 bytes in length ; e.g., in hex: 010001 }

6.4.2. Attestation Statement Formats

As described above, an attestation statement format is a data format which represents a cryptographic signature by an authenticator over a set of contextual bindings. Each attestation statement format MUST be defined using the following template:

The initial list of specified attestation statement formats is in §8 Defined Attestation Statement Formats.

6.4.3. Attestation Types

WebAuthn supports several attestation types, defining the semantics of attestation statements and their underlying trust models:

Note: This specification does not define any data structures explicitly expressing the attestation types employed by authenticators. Relying Parties engaging in attestation statement verification — i.e., when calling navigator.credentials.create() they select an attestation conveyance other than none and verify the received attestation statement — will determine the employed attestation type as a part of verification. See the "Verification procedure" subsections of §8 Defined Attestation Statement Formats. See also §14.4 Attestation Privacy.

6.4.4. Generating an Attestation Object

To generate an attestation object (see: Figure 5) given:

the authenticator MUST:

Let attStmt be the result of running attestationFormat ’s signing procedure given authData and hash . Let fmt be attestationFormat ’s attestation statement format identifier Return the attestation object as a CBOR map with the following syntax, filled in with variables initialized by this algorithm: attObj = { authData: bytes, $$attStmtType } attStmtTemplate = ( fmt: text, attStmt: { * tstr => any } ; Map is filled in by each concrete attStmtType ) ; Every attestation statement format must have the above fields attStmtTemplate .within $$attStmtType

6.4.5. Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures

For COSEAlgorithmIdentifier -7 (ES256), and other ECDSA-based algorithms, a signature value is encoded as an ASN.1 DER Ecdsa-Sig-Value, as defined in [RFC3279] section 2.2.3. Example: 30 44 ; SEQUENCE (68 Bytes) 02 20 ; INTEGER (32 Bytes) | 3d 46 28 7b 8c 6e 8c 8c 26 1c 1b 88 f2 73 b0 9a | 32 a6 cf 28 09 fd 6e 30 d5 a7 9f 26 37 00 8f 54 02 20 ; INTEGER (32 Bytes) | 4e 72 23 6e a3 90 a9 a1 7b cf 5f 7a 09 d6 3a b2 | 17 6c 92 bb 8e 36 c0 41 98 a2 7b 90 9b 6e 8f 13 Note: As CTAP1/U2F authenticators are already producing signatures values in this format, CTAP2 authenticators will also produce signatures values in the same format, for consistency reasons. It is recommended that any new attestation formats defined not use ASN.1 encodings, but instead represent signatures as equivalent fixed-length byte arrays without internal structure, using the same representations as used by COSE signatures as defined in [RFC8152] and [RFC8230].

For COSEAlgorithmIdentifier -257 (RS256), sig contains the signature generated using the RSASSA-PKCS1-v1_5 signature scheme defined in section 8.2.1 in [RFC8017] with SHA-256 as the hash function. The signature is not ASN.1 wrapped.

For COSEAlgorithmIdentifier -37 (PS256), sig contains the signature generated using the RSASSA-PSS signature scheme defined in section 8.1.1 in [RFC8017] with SHA-256 as the hash function. The signature is not ASN.1 wrapped.

A registration or authentication ceremony begins with the WebAuthn Relying Party creating a PublicKeyCredentialCreationOptions or PublicKeyCredentialRequestOptions object, respectively, which encodes the parameters for the ceremony. The Relying Party SHOULD take care to not leak sensitive information during this stage; see §14.10 Username Enumeration for details.

Upon successful execution of create() or get() , the Relying Party's script receives a PublicKeyCredential containing an AuthenticatorAttestationResponse or AuthenticatorAssertionResponse structure, respectively, from the client. It must then deliver the contents of this structure to the Relying Party server, using methods outside the scope of this specification. This section describes the operations that the Relying Party must perform upon receipt of these structures.

7.1. Registering a New Credential

When registering a new credential, represented by an AuthenticatorAttestationResponse structure response and an AuthenticationExtensionsClientOutputs structure clientExtensionResults , as part of a registration ceremony, a Relying Party MUST proceed as follows:

Verification of attestation objects requires that the Relying Party has a trusted method of determining acceptable trust anchors in step 15 above. Also, if certificates are being used, the Relying Party MUST have access to certificate status information for the intermediate CA certificates. The Relying Party MUST also be able to build the attestation certificate chain if the client did not provide this chain in the attestation information.

7.2. Verifying an Authentication Assertion

When verifying a given PublicKeyCredential structure ( credential ) and an AuthenticationExtensionsClientOutputs structure clientExtensionResults , as part of an authentication ceremony, the Relying Party MUST proceed as follows:

8. Defined Attestation Statement Formats

WebAuthn supports pluggable attestation statement formats. This section defines an initial set of such formats.

8.1. Attestation Statement Format Identifiers

Attestation statement formats are identified by a string, called an attestation statement format identifier , chosen by the author of the attestation statement format.

Attestation statement format identifiers SHOULD be registered per [WebAuthn-Registries] "Registries for Web Authentication (WebAuthn)". All registered attestation statement format identifiers are unique amongst themselves as a matter of course.

Unregistered attestation statement format identifiers SHOULD use lowercase reverse domain-name naming, using a domain name registered by the developer, in order to assure uniqueness of the identifier. All attestation statement format identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable USASCII characters, excluding backslash and doublequote, i.e., VCHAR as defined in [RFC5234] but without %x22 and %x5c.

Note: This means attestation statement format identifiers based on domain names MUST incorporate only LDH Labels [RFC5890].

Implementations MUST match WebAuthn attestation statement format identifiers in a case-sensitive fashion.

Attestation statement formats that may exist in multiple versions SHOULD include a version in their identifier. In effect, different versions are thus treated as different formats, e.g., packed2 as a new version of the packed attestation statement format.

The following sections present a set of currently-defined and registered attestation statement formats and their identifiers. The up-to-date list of registered WebAuthn Extensions is maintained in the IANA "WebAuthn Attestation Statement Format Identifier" registry established by [WebAuthn-Registries].

8.2. Packed Attestation Statement Format

This is a WebAuthn optimized attestation statement format. It uses a very compact but still extensible encoding method. It is implementable by authenticators with limited resources (e.g., secure elements).

8.2.1. Packed Attestation Statement Certificate Requirements

The attestation certificate MUST have the following fields/extensions:

Version MUST be set to 3 (which is indicated by an ASN.1 INTEGER with value 2).

Subject field MUST be set to: Subject-C ISO 3166 code specifying the country where the Authenticator vendor is incorporated (PrintableString) Subject-O Legal name of the Authenticator vendor (UTF8String) Subject-OU Literal string “Authenticator Attestation” (UTF8String) Subject-CN A UTF8String of the vendor’s choosing

If the related attestation root certificate is used for multiple authenticator models, the Extension OID 1.3.6.1.4.1.45724.1.1.4 ( id-fido-gen-ce-aaguid ) MUST be present, containing the AAGUID as a 16-byte OCTET STRING. The extension MUST NOT be marked as critical. Note that an X.509 Extension encodes the DER-encoding of the value in an OCTET STRING. Thus, the AAGUID MUST be wrapped in two OCTET STRINGS to be valid. Here is a sample, encoded Extension structure: 30 21 -- SEQUENCE 06 0b 2b 06 01 04 01 82 e5 1c 01 01 04 -- 1.3.6.1.4.1.45724.1.1.4 04 12 -- OCTET STRING 04 10 -- OCTET STRING cd 8c 39 5c 26 ed ee de -- AAGUID 65 3b 00 79 7d 03 ca 3c

The Basic Constraints extension MUST have the CA component set to false .

An Authority Information Access (AIA) extension with entry id-ad-ocsp and a CRL Distribution Point extension [RFC5280] are both OPTIONAL as the status of many attestation certificates is available through authenticator metadata services. See, for example, the FIDO Metadata Service [FIDOMetadataService].

8.3. TPM Attestation Statement Format

This attestation statement format is generally used by authenticators that use a Trusted Platform Module as their cryptographic engine.

8.3.1. TPM Attestation Statement Certificate Requirements

TPM attestation certificate MUST have the following fields/extensions:

Version MUST be set to 3.

Subject field MUST be set to empty.

The Subject Alternative Name extension MUST be set as defined in [TPMv2-EK-Profile] section 3.2.9.

The Extended Key Usage extension MUST contain the "joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)" OID.

The Basic Constraints extension MUST have the CA component set to false .

An Authority Information Access (AIA) extension with entry id-ad-ocsp and a CRL Distribution Point extension [RFC5280] are both OPTIONAL as the status of many attestation certificates is available through metadata services. See, for example, the FIDO Metadata Service [FIDOMetadataService].

8.4. Android Key Attestation Statement Format

When the authenticator in question is a platform-provided Authenticator on the Android "N" or later platform, the attestation statement is based on the Android key attestation. In these cases, the attestation statement is produced by a component running in a secure operating environment, but the authenticator data for the attestation is produced outside this environment. The WebAuthn Relying Party is expected to check that the authenticator data claimed to have been used for the attestation is consistent with the fields of the attestation certificate’s extension data.

8.4.1. Android Key Attestation Statement Certificate Requirements

Android Key Attestation attestation certificate's android key attestation certificate extension data is identified by the OID "1.3.6.1.4.1.11129.2.1.17".

8.5. Android SafetyNet Attestation Statement Format

When the authenticator in question is a platform-provided Authenticator on certain Android platforms, the attestation statement is based on the SafetyNet API. In this case the authenticator data is completely controlled by the caller of the SafetyNet API (typically an application running on the Android platform) and the attestation statement only provides some statements about the health of the platform and the identity of the calling application. This attestation does not provide information regarding provenance of the authenticator and its associated data. Therefore platform-provided authenticators SHOULD make use of the Android Key Attestation when available, even if the SafetyNet API is also present.

8.6. FIDO U2F Attestation Statement Format

This attestation statement format is used with FIDO U2F authenticators using the formats defined in [FIDO-U2F-Message-Formats].

8.7. None Attestation Statement Format

The none attestation statement format is used to replace any authenticator-provided attestation statement when a WebAuthn Relying Party indicates it does not wish to receive attestation information, see §5.4.6 Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference).

Attestation statement format identifier none Attestation types supported None Syntax The syntax of a none attestation statement is defined as follows: $$attStmtType //= ( fmt: "none", attStmt: emptyMap ) emptyMap = {} Signing procedure Return the fixed attestation statement defined above. Verification procedure Return implementation-specific values representing attestation type None and an empty attestation trust path.

9. WebAuthn Extensions

The mechanism for generating public key credentials, as well as requesting and generating Authentication assertions, as defined in §5 Web Authentication API, can be extended to suit particular use cases. Each case is addressed by defining a registration extension and/or an authentication extension .

Every extension is a client extension , meaning that the extension involves communication with and processing by the client. Client extensions define the following steps and data:

When creating a public key credential or requesting an authentication assertion, a WebAuthn Relying Party can request the use of a set of extensions. These extensions will be invoked during the requested operation if they are supported by the client and/or the authenticator. The Relying Party sends the client extension input for each extension in the get() call (for authentication extensions) or create() call (for registration extensions) to the client. The client performs client extension processing for each extension that the client platform supports, and augments the client data as specified by each extension, by including the extension identifier and client extension output values.

An extension can also be an authenticator extension , meaning that the extension involves communication with and processing by the authenticator. Authenticator extensions define the following steps and data:

For authenticator extensions, as part of the client extension processing, the client also creates the CBOR authenticator extension input value for each extension (often based on the corresponding client extension input value), and passes them to the authenticator in the create() call (for registration extensions) or the get() call (for authentication extensions). These authenticator extension input values are represented in CBOR and passed as name-value pairs, with the extension identifier as the name, and the corresponding authenticator extension input as the value. The authenticator, in turn, performs additional processing for the extensions that it supports, and returns the CBOR authenticator extension output for each as specified by the extension. Part of the client extension processing for authenticator extensions is to use the authenticator extension output as an input to creating the client extension output.

All WebAuthn extensions are OPTIONAL for both clients and authenticators. Thus, any extensions requested by a Relying Party MAY be ignored by the client browser or OS and not passed to the authenticator at all, or they MAY be ignored by the authenticator. Ignoring an extension is never considered a failure in WebAuthn API processing, so when Relying Parties include extensions with any API calls, they MUST be prepared to handle cases where some or all of those extensions are ignored.

Clients wishing to support the widest possible range of extensions MAY choose to pass through any extensions that they do not recognize to authenticators, generating the authenticator extension input by simply encoding the client extension input in CBOR. All WebAuthn extensions MUST be defined in such a way that this implementation choice does not endanger the user’s security or privacy. For instance, if an extension requires client processing, it could be defined in a manner that ensures such a naïve pass-through will produce a semantically invalid authenticator extension input value, resulting in the extension being ignored by the authenticator. Since all extensions are OPTIONAL, this will not cause a functional failure in the API operation. Likewise, clients can choose to produce a client extension output value for an extension that it does not understand by encoding the authenticator extension output value into JSON, provided that the CBOR output uses only types present in JSON.

When clients choose to pass through extensions they do not recognize, the JavaScript values in the client extension inputs are converted to CBOR values in the authenticator extension inputs. When the JavaScript value is an %ArrayBuffer%, it is converted to a CBOR byte array. When the JavaScript value is a non-integer number, it is converted to a 64-bit CBOR floating point number. Otherwise, when the JavaScript type corresponds to a JSON type, the conversion is done using the rules defined in Section 4.2 of [RFC7049] (Converting from JSON to CBOR), but operating on inputs of JavaScript type values rather than inputs of JSON type values. Once these conversions are done, canonicalization of the resulting CBOR MUST be performed using the CTAP2 canonical CBOR encoding form.

Likewise, when clients receive outputs from extensions they have passed through that they do not recognize, the CBOR values in the authenticator extension outputs are converted to JavaScript values in the client extension outputs. When the CBOR value is a byte string, it is converted to a JavaScript %ArrayBuffer% (rather than a base64url-encoded string). Otherwise, when the CBOR type corresponds to a JSON type, the conversion is done using the rules defined in Section 4.1 of [RFC7049] (Converting from CBOR to JSON), but producing outputs of JavaScript type values rather than outputs of JSON type values.

Note that some clients may choose to implement this pass-through capability under a feature flag. Supporting this capability can facilitate innovation, allowing authenticators to experiment with new extensions and Relying Parties to use them before there is explicit support for them in clients.

The IANA "WebAuthn Extension Identifier" registry established by [WebAuthn-Registries] can be consulted for an up-to-date list of registered WebAuthn Extensions.

9.1. Extension Identifiers

Extensions are identified by a string, called an extension identifier , chosen by the extension author.

Extension identifiers SHOULD be registered per [WebAuthn-Registries] "Registries for Web Authentication (WebAuthn)". All registered extension identifiers are unique amongst themselves as a matter of course.

Unregistered extension identifiers SHOULD aim to be globally unique, e.g., by including the defining entity such as myCompany_extension .

All extension identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable USASCII characters, excluding backslash and doublequote, i.e., VCHAR as defined in [RFC5234] but without %x22 and %x5c. Implementations MUST match WebAuthn extension identifiers in a case-sensitive fashion.

Extensions that may exist in multiple versions should take care to include a version in their identifier. In effect, different versions are thus treated as different extensions, e.g., myCompany_extension_01

§10 Defined Extensions defines an initial set of extensions and their identifiers. See the IANA "WebAuthn Extension Identifier" registry established by [WebAuthn-Registries] for an up-to-date list of registered WebAuthn Extension Identifiers.

9.2. Defining Extensions

A definition of an extension MUST specify an extension identifier, a client extension input argument to be sent via the get() or create() call, the client extension processing rules, and a client extension output value. If the extension communicates with the authenticator (meaning it is an authenticator extension), it MUST also specify the CBOR authenticator extension input argument sent via the authenticatorGetAssertion or authenticatorMakeCredential call, the authenticator extension processing rules, and the CBOR authenticator extension output value.

Any client extension that is processed by the client MUST return a client extension output value so that the WebAuthn Relying Party knows that the extension was honored by the client. Similarly, any extension that requires authenticator processing MUST return an authenticator extension output to let the Relying Party know that the extension was honored by the authenticator. If an extension does not otherwise require any result values, it SHOULD be defined as returning a JSON Boolean client extension output result, set to true to signify that the extension was understood and processed. Likewise, any authenticator extension that does not otherwise require any result values MUST return a value and SHOULD return a CBOR Boolean authenticator extension output result, set to true to signify that the extension was understood and processed.

9.3. Extending Request Parameters

An extension defines one or two request arguments. The client extension input , which is a value that can be encoded in JSON, is passed from the WebAuthn Relying Party to the client in the get() or create() call, while the CBOR authenticator extension input is passed from the client to the authenticator for authenticator extensions during the processing of these calls.

A Relying Party simultaneously requests the use of an extension and sets its client extension input by including an entry in the extensions option to the create() or get() call. The entry key is the extension identifier and the value is the client extension input.

var assertionPromise = navigator . credentials . get ({ publicKey : { // The challenge is produced by the server; see the Security Considerations challenge : new Uint8Array ([ 4 , 99 , 22 /* 29 more random bytes generated by the server */ ]), extensions : { "webauthnExample_foobar" : 42 } } });

Extension definitions MUST specify the valid values for their client extension input. Clients SHOULD ignore extensions with an invalid client extension input. If an extension does not require any parameters from the Relying Party, it SHOULD be defined as taking a Boolean client argument, set to true to signify that the extension is requested by the Relying Party.

Extensions that only affect client processing need not specify authenticator extension input. Extensions that have authenticator processing MUST specify the method of computing the authenticator extension input from the client extension input. For extensions that do not require input parameters and are defined as taking a Boolean client extension input value set to true , this method SHOULD consist of passing an authenticator extension input value of true (CBOR major type 7, value 21).

Note: Extensions should aim to define authenticator arguments that are as small as possible. Some authenticators communicate over low-bandwidth links such as Bluetooth Low-Energy or NFC.

9.4. Client Extension Processing

Extensions MAY define additional processing requirements on the client during the creation of credentials or the generation of an assertion. The client extension input for the extension is used as an input to this client processing. For each supported client extension, the client adds an entry to the clientExtensions map with the extension identifier as the key, and the extension’s client extension input as the value.

Likewise, the client extension outputs are represented as a dictionary in the result of getClientExtensionResults() with extension identifiers as keys, and the client extension output value of each extension as the value. Like the client extension input, the client extension output is a value that can be encoded in JSON. There MUST NOT be any values returned for ignored extensions.

Extensions that require authenticator processing MUST define the process by which the client extension input can be used to determine the CBOR authenticator extension input and the process by which the CBOR authenticator extension output can be used to determine the client extension output.

9.5. Authenticator Extension Processing

The CBOR authenticator extension input value of each processed authenticator extension is included in the extensions parameter of the authenticatorMakeCredential and authenticatorGetAssertion operations. The extensions parameter is a CBOR map where each key is an extension identifier and the corresponding value is the authenticator extension input for that extension.

Likewise, the extension output is represented in the extensions part of the authenticator data. The extensions part of the authenticator data is a CBOR map where each key is an extension identifier and the corresponding value is the authenticator extension output for that extension.

For each supported extension, the authenticator extension processing rule for that extension is used create the authenticator extension output from the authenticator extension input and possibly also other inputs. There MUST NOT be any values returned for ignored extensions.

10. Defined Extensions

This section defines the initial set of extensions to be registered in the IANA "WebAuthn Extension Identifier" registry established by [WebAuthn-Registries]. These MAY be implemented by user agents targeting broad interoperability.

10.1. FIDO AppID Extension (appid)

This extension allows WebAuthn Relying Parties that have previously registered a credential using the legacy FIDO JavaScript APIs to request an assertion. The FIDO APIs use an alternative identifier for Relying Parties called an AppID [FIDO-APPID], and any credentials created using those APIs will be scoped to that identifier. Without this extension, they would need to be re-registered in order to be scoped to an RP ID.

This extension does not allow FIDO-compatible credentials to be created. Thus, credentials created with WebAuthn are not backwards compatible with the FIDO JavaScript APIs.

Note: In practice, several implementations do not implement steps four and onward of the algorithm for determining if a caller’s FacetID is authorized for an AppID. Instead, in step three, the comparison on the host is relaxed to accept hosts on the same site.

Client extension output Returns the value of output . If true, the AppID was used and thus, when verifying an assertion, the Relying Party MUST expect the rpIdHash to be the hash of the AppID , not the RP ID. partial dictionary AuthenticationExtensionsClientOutputs { boolean appid ; }; Authenticator extension input None. Authenticator extension processing None. Authenticator extension output None.

10.2. Simple Transaction Authorization Extension (txAuthSimple)

This extension allows for a simple form of transaction authorization. A Relying Party can specify a prompt string, intended for display on a trusted device on the authenticator.

Extension identifier txAuthSimple Operation applicability Authentication Client extension input A single USVString prompt. partial dictionary AuthenticationExtensionsClientInputs { USVString txAuthSimple ; }; Client extension processing None, except creating the authenticator extension input from the client extension input. Client extension output Returns the authenticator extension output string UTF-8 decoded into a USVString. partial dictionary AuthenticationExtensionsClientOutputs { USVString txAuthSimple ; }; Authenticator extension input The client extension input encoded as a CBOR text string (major type 3).

CDDL: txAuthSimpleInput = (tstr)

Authenticator extension processing The authenticator MUST display the prompt to the user before performing either user verification or test of user presence. The authenticator MAY insert line breaks if needed. Authenticator extension output A single CBOR string, representing the prompt as displayed (including any eventual line breaks).

CDDL: txAuthSimpleOutput = (tstr)

10.3. Generic Transaction Authorization Extension (txAuthGeneric)

This extension allows images to be used as transaction authorization prompts as well. This allows authenticators without a font rendering engine to be used and also supports a richer visual appearance.

Extension identifier txAuthGeneric Operation applicability Authentication Client extension input A JavaScript object defined as follows: dictionary txAuthGenericArg { required USVString contentType ; // MIME-Type of the content, e.g., "image/png" required ArrayBuffer content ; }; partial dictionary AuthenticationExtensionsClientInputs { txAuthGenericArg txAuthGeneric ; }; Client extension processing None, except creating the authenticator extension input from the client extension input. Client extension output Returns the authenticator extension output value as an ArrayBuffer. partial dictionary AuthenticationExtensionsClientOutputs { ArrayBuffer txAuthGeneric ; }; Authenticator extension input The client extension input encoded as a CBOR map. Authenticator extension processing The authenticator MUST display the content to the user before performing either user verification or test of user presence. The authenticator MAY add other information below the content . No changes are allowed to the content itself, i.e., inside content boundary box. Authenticator extension output The hash value of the content which was displayed. The authenticator MUST use the same hash algorithm as it uses for the signature itself.

10.4. Authenticator Selection Extension (authnSel)

This extension allows a WebAuthn Relying Party to guide the selection of the authenticator that will be leveraged when creating the credential. It is intended primarily for Relying Parties that wish to tightly control the experience around credential creation.

Extension identifier authnSel Operation applicability Registration Client extension input A sequence of AAGUIDs: typedef sequence < AAGUID > AuthenticatorSelectionList ; partial dictionary AuthenticationExtensionsClientInputs { AuthenticatorSelectionList authnSel ; }; Each AAGUID corresponds to an authenticator model that is acceptable to the Relying Party for this credential creation. The list is ordered by decreasing preference. An AAGUID is defined as an array containing the globally unique identifier of the authenticator model being sought. typedef BufferSource AAGUID ; Client extension processing If the client supports the Authenticator Selection Extension, it MUST use the first available authenticator whose AAGUID is present in the AuthenticatorSelectionList . If none of the available authenticators match a provided AAGUID, the client MUST select an authenticator from among the available authenticators to generate the credential. Client extension output Returns the value true to indicate to the Relying Party that the extension was acted upon. partial dictionary AuthenticationExtensionsClientOutputs { boolean authnSel ; }; Authenticator extension input None. Authenticator extension processing None. Authenticator extension output None.

10.5. Supported Extensions Extension (exts)

This extension enables the WebAuthn Relying Party to determine which extensions the authenticator supports.

Extension identifier exts Operation applicability Registration Client extension input The Boolean value true to indicate that this extension is requested by the Relying Party. partial dictionary AuthenticationExtensionsClientInputs { boolean exts ; }; Client extension processing None, except creating the authenticator extension input from the client extension input. Client extension output Returns the list of supported extensions as an array of extension identifier strings. typedef sequence < USVString > AuthenticationExtensionsSupported ; partial dictionary AuthenticationExtensionsClientOutputs { AuthenticationExtensionsSupported exts ; }; Authenticator extension input The Boolean value true , encoded in CBOR (major type 7, value 21). Authenticator extension processing The authenticator sets the authenticator extension output to be a list of extensions that the authenticator supports, as defined below. This extension can be added to attestation objects. Authenticator extension output The SupportedExtensions extension is a list (CBOR array) of extension identifier (UTF-8 encoded) strings.

10.6. User Verification Index Extension (uvi)

This extension enables use of a user verification index.

Extension identifier uvi Operation applicability Registration and Authentication Client extension input The Boolean value true to indicate that this extension is requested by the Relying Party. partial dictionary AuthenticationExtensionsClientInputs { boolean uvi ; }; Client extension processing None, except creating the authenticator extension input from the client extension input. Client extension output Returns the authenticator extension output as an ArrayBuffer. partial dictionary AuthenticationExtensionsClientOutputs { ArrayBuffer uvi ; }; Authenticator extension input The Boolean value true , encoded in CBOR (major type 7, value 21). Authenticator extension processing The authenticator sets the authenticator extension output to be a user verification index indicating the method used by the user to authorize the operation, as defined below. This extension can be added to attestation objects and assertions. Authenticator extension output The user verification index (UVI) is a value uniquely identifying a user verification data record. The UVI is encoded as CBOR byte string (type 0x58). Each UVI value MUST be specific to the related key (in order to provide unlinkability). It also MUST contain sufficient entropy that makes guessing impractical. UVI values MUST NOT be reused by the Authenticator (for other biometric data or users). The UVI data can be used by servers to understand whether an authentication was authorized by the exact same biometric data as the initial key generation. This allows the detection and prevention of "friendly fraud". As an example, the UVI could be computed as SHA256(KeyID || SHA256(rawUVI)), where || represents concatenation, and the rawUVI reflects (a) the biometric reference data, (b) the related OS level user ID and (c) an identifier which changes whenever a factory reset is performed for the authenticator, e.g. rawUVI = biometricReferenceData || OSLevelUserID || FactoryResetCounter. Example of authenticator data containing one UVI extension ... -- RP ID hash (32 bytes) 81 -- UP and ED set 00 00 00 01 -- (initial) signature counter ... -- all public key alg etc. A1 -- extension: CBOR map of one element 63 -- Key 1: CBOR text string of 3 bytes 75 76 69 -- "uvi" [=UTF-8 encoded=] string 58 20 -- Value 1: CBOR byte string with 0x20 bytes 43 B8 E3 BE 27 95 8C 28 -- the UVI value itself D5 74 BF 46 8A 85 CF 46 9A 14 F0 E5 16 69 31 DA 4B CF FF C1 BB 11 32 82

10.7. Location Extension (loc)

This extension provides the authenticator's current location to the WebAuthn WebAuthn Relying Party.

Extension identifier loc Operation applicability Registration and Authentication Client extension input The Boolean value true to indicate that this extension is requested by the Relying Party. partial dictionary AuthenticationExtensionsClientInputs { boolean loc ; }; Client extension processing None, except creating the authenticator extension input from the client extension input. Client extension output Returns a JavaScript object that encodes the location information in the authenticator extension output as a Coordinates value, as defined by [Geolocation-API]. partial dictionary AuthenticationExtensionsClientOutputs { Coordinates loc ; }; Authenticator extension input The Boolean value true , encoded in CBOR (major type 7, value 21). Authenticator extension processing Determine the Geolocation value. Authenticator extension output A [Geolocation-API] Coordinates record encoded as a CBOR map. Values represented by the "double" type in JavaScript are represented as 64-bit CBOR floating point numbers. Per the Geolocation specification, the "latitude", "longitude", and "accuracy" values are REQUIRED and other values such as "altitude" are OPTIONAL.

10.8. User Verification Method Extension (uvm)

This extension enables use of a user verification method.

Extension identifier uvm Operation applicability Registration and Authentication Client extension input The Boolean value true to indicate that this extension is requested by the Relying Party. partial dictionary AuthenticationExtensionsClientInputs { boolean uvm ; }; Client extension processing None, except creating the authenticator extension input from the client extension input. Client extension output Returns a JSON array of 3-element arrays of numbers that encodes the factors in the authenticator extension output. typedef sequence < unsigned long > UvmEntry ; typedef sequence < UvmEntry > UvmEntries ; partial dictionary AuthenticationExtensionsClientOutputs { UvmEntries uvm ; }; Authenticator extension input The Boolean value true , encoded in CBOR (major type 7, value 21). Authenticator extension processing The authenticator sets the authenticator extension output to be one or more user verification methods indicating the method(s) used by the user to authorize the operation, as defined below. This extension can be added to attestation objects and assertions. Authenticator extension output Authenticators can report up to 3 different user verification methods (factors) used in a single authentication instance, using the CBOR syntax defined below: uvmFormat = [ 1*3 uvmEntry ] uvmEntry = [ userVerificationMethod: uint .size 4, keyProtectionType: uint .size 2, matcherProtectionType: uint .size 2 ] The semantics of the fields in each uvmEntry are as follows: userVerificationMethod The authentication method/factor used by the authenticator to verify the user. Available values are defined in Section 3.1 User Verification Methods of [FIDO-Registry]. keyProtectionType The method used by the authenticator to protect the FIDO registration private key material. Available values are defined in Section 3.2 Key Protection Types of [FIDO-Registry]. matcherProtectionType The method used by the authenticator to protect the matcher that performs user verification. Available values are defined in Section 3.3 Matcher Protection Types of [FIDO-Registry]. If >3 factors can be used in an authentication instance the authenticator vendor MUST select the 3 factors it believes will be most relevant to the Server to include in the UVM. Example for authenticator data containing one UVM extension for a multi-factor authentication instance where 2 factors were used: ... -- RP ID hash (32 bytes) 81 -- UP and ED set 00 00 00 01 -- (initial) signature counter ... -- all public key alg etc. A1 -- extension: CBOR map of one element 63 -- Key 1: CBOR text string of 3 bytes 75 76 6d -- "uvm" [=UTF-8 encoded=] string 82 -- Value 1: CBOR array of length 2 indicating two factor usage 83 -- Item 1: CBOR array of length 3 02 -- Subitem 1: CBOR integer for User Verification Method Fingerprint 04 -- Subitem 2: CBOR short for Key Protection Type TEE 02 -- Subitem 3: CBOR short for Matcher Protection Type TEE 83 -- Item 2: CBOR array of length 3 04 -- Subitem 1: CBOR integer for User Verification Method Passcode 01 -- Subitem 2: CBOR short for Key Protection Type Software 01 -- Subitem 3: CBOR short for Matcher Protection Type Software

10.9. Biometric Authenticator Performance Bounds Extension (biometricPerfBounds)

This extension allows WebAuthn Relying Parties to specify the desired performance bounds for selecting biometric authenticators as candidates to be employed in a registration ceremony.

Extension identifier biometricPerfBounds Operation applicability Registration Client extension input Biometric performance bounds: dictionary authenticatorBiometricPerfBounds { float FAR ; float FRR ; }; The FAR is the maximum false acceptance rate for a biometric authenticator allowed by the Relying Party. The FRR is the maximum false rejection rate for a biometric authenticator allowed by the Relying Party. Client extension processing If the client supports this extension, it MUST NOT use a biometric authenticator whose FAR or FRR does not match the bounds as provided. The client can obtain information about the biometric authenticator’s performance from authoritative sources such as the FIDO Metadata Service [FIDOMetadataService] (see Sec. 3.2 of [FIDOUAFAuthenticatorMetadataStatements]). Client extension output Returns the JSON value true to indicate to the Relying Party that the extension was acted upon Authenticator extension input None. Authenticator extension processing None. Authenticator extension output None.

11. IANA Considerations

11.1. WebAuthn Attestation Statement Format Identifier Registrations

This section registers the attestation statement formats defined in Section §8 Defined Attestation Statement Formats in the IANA "WebAuthn Attestation Statement Format Identifier" registry established by [WebAuthn-Registries].

WebAuthn Attestation Statement Format Identifier: packed

Description: The "packed" attestation statement format is a WebAuthn-optimized format for attestation. It uses a very compact but still extensible encoding method. This format is implementable by authenticators with limited resources (e.g., secure elements).

Specification Document: Section §8.2 Packed Attestation Statement Format of this specification





WebAuthn Attestation Statement Format Identifier: tpm

Description: The TPM attestation statement format returns an attestation statement in the same format as the packed attestation statement format, although the rawData and signature fields are computed differently.

Specification Document: Section §8.3 TPM Attestation Statement Format of this specification





WebAuthn Attestation Statement Format Identifier: android-key

Description: Platform-provided authenticators based on versions "N", and later, may provide this proprietary "hardware attestation" statement.

Specification Document: Section §8.4 Android Key Attestation Statement Format of this specification





WebAuthn Attestation Statement Format Identifier: android-safetynet

Description: Android-based, platform-provided authenticators MAY produce an attestation statement based on the Android SafetyNet API.

Specification Document: Section §8.5 Android SafetyNet Attestation Statement Format of this specification





WebAuthn Attestation Statement Format Identifier: fido-u2f

Description: Used with FIDO U2F authenticators

Specification Document: Section §8.6 FIDO U2F Attestation Statement Format of this specification

11.2. WebAuthn Extension Identifier Registrations

This section registers the extension identifier values defined in Section §9 WebAuthn Extensions in the IANA "WebAuthn Extension Identifier" registry established by [WebAuthn-Registries].

11.3. COSE Algorithm Registrations

This section registers identifiers for the following ECDAA algorithms in the IANA COSE Algorithms registry [IANA-COSE-ALGS-REG]. Note that [WebAuthn-COSE-Algs] also registers RSASSA-PKCS1-v1_5 [RFC8017] algorithms using SHA-2 and SHA-1 hash functions in the IANA COSE Algorithms registry [IANA-COSE-ALGS-REG], such as registering -257 for "RS256".

Name: ED256

Value: TBD (requested assignment -260)

Description: TPM_ECC_BN_P256 curve w/ SHA-256

Reference: Section 4.2 of [FIDOEcdaaAlgorithm]

Recommended: Yes





Name: ED512

Value: TBD (requested assignment -261)

Description: ECC_BN_ISOP512 curve w/ SHA-512

Reference: Section 4.2 of [FIDOEcdaaAlgorithm]

Recommended: Yes

12. Sample Scenarios

This section is not normative.

In this sectio