Attestation
Attestation is a step within the registration flow that allows a relying party to establish whether an authenticator is authentic and can be trusted.
This is achieved through the attestation statement that the authenticator sends back to the relying party. The attestation statement contains a signature that binds the credential public key (carried in the authenticator data) to the challenge the relying party provided (carried in the client data), and optionally a certificate that contains the attestation public key. There are several types of attestation, which indicate how the signature was generated:
- Basic Attestation
  - The attestation key pair is specific to the authenticator model, so authenticators of the same model may share the same key pair.
- Self Attestation
  - The authenticator may not have an attestation key pair, so the credential private key is used to produce the signature.
- Attestation CA
  - The authenticator can generate multiple attestation key pairs from an Attestation CA, a trusted third party.
- Elliptic Curve based Direct Anonymous Attestation (ECDAA)
  - The authenticator receives direct anonymous attestation (DAA) credentials from a single DAA-Issuer. The DAA credentials are used with blinding to sign the attested credential data.
- No attestation statement (None)
  - No attestation information is made available.
During registration the relying party can indicate a preference regarding how the attestation statement is generated. The attestation statement formats below define the syntax of the statement:
- Packed Attestation Statement Format
  - Attestation types supported: Basic, Self, AttCA
  - This is a WebAuthn-optimized attestation format. The packed attestation statement format uses a very compact but still extensible encoding.
- TPM Attestation Statement Format
  - Attestation types supported: AttCA
  - The TPM statement format is for authenticators that use a Trusted Platform Module as their cryptographic engine.
- Android Key Attestation Statement Format
  - Attestation types supported: Basic
  - This attestation statement format is for when the authenticator is provided by the Android platform, version N and later. In this case the attestation statement is produced by a component in a secure operating environment, but the authenticator data for the attestation is produced outside this environment.
- Android SafetyNet Attestation Statement Format
  - Attestation types supported: Basic
  - This attestation statement format is for when the authenticator is provided by certain Android platforms and is based on the SafetyNet API. With this statement format the authenticator data is completely controlled by the Android application that invokes the SafetyNet API.
- FIDO U2F Attestation Statement Format
  - Attestation types supported: Basic, AttCA
  - This attestation statement format is used with FIDO U2F authenticators, using the formats defined in the FIDO U2F specification.
- None Attestation Statement Format
  - Attestation types supported: None
  - Used to replace any authenticator-provided attestation statement when a relying party indicates it does not require attestation information.