1. Introduction
This section is not normative.
This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. A public key credential is created and stored by a WebAuthn Authenticator at the behest of a WebAuthn Relying Party, subject to user consent. Subsequently, the public key credential can only be accessed by origins belonging to that Relying Party. This scoping is enforced jointly by conforming User Agents and authenticators. Additionally, privacy across Relying Parties is maintained; Relying Parties are not able to detect any properties, or even the existence, of credentials scoped to other Relying Parties.
Relying Parties employ the Web Authentication API during two distinct, but related, ceremonies involving a user. The first
is Registration, where a public key credential is created on an authenticator, and scoped to a Relying Party with the present user’s account (the account might already exist or might be created at this time). The second is Authentication, where the Relying Party is presented with an Authentication Assertion proving the presence
and consent of the user who registered the public key credential. Functionally, the Web Authentication
API comprises a PublicKeyCredential
which extends the Credential Management API [CREDENTIAL-MANAGEMENT-1], and
infrastructure which allows those credentials to be used with navigator.credentials.create()
and navigator.credentials.get()
. The former is used during Registration, and the
latter during Authentication.
Broadly, compliant authenticators protect public key credentials, and interact with user agents to implement the Web Authentication API. Implementing compliant authenticators is possible in software executing (a) on a general-purpose computing device, (b) on an on-device Secure Execution Environment, Trusted Platform Module (TPM), or a Secure Element (SE), or (c) off device. Authenticators being implemented on device are called platform authenticators. Authenticators being implemented off device (roaming authenticators) can be accessed over a transport such as Universal Serial Bus (USB), Bluetooth Low Energy (BLE), or Near Field Communications (NFC).
1.1. Specification Roadmap
While many W3C specifications are directed primarily to user agent developers and also to web application developers (i.e., "Web authors"), the nature of Web Authentication requires that this specification be correctly used by multiple audiences, as described below.
All audiences ought to begin with § 1.2 Use Cases, § 1.3 Sample API Usage Scenarios, and § 4 Terminology, and should also refer to [WebAuthnAPIGuide] for an overall tutorial. Beyond that, the intended audiences for this document are the following main groups:
-
Relying Party web application developers, especially those responsible for Relying Party web application login flows, account recovery flows, user account database content, etc.
-
Web framework developers
-
The above two audiences should in particular refer to § 7 WebAuthn Relying Party Operations. The introduction to § 5 Web Authentication API may be helpful, though readers should realize that the § 5 Web Authentication API section is targeted specifically at user agent developers, not web application developers. Additionally, if they intend to verify authenticator attestations, then § 6.5 Attestation and § 8 Defined Attestation Statement Formats will also be relevant. § 9 WebAuthn Extensions, and § 10 Defined Extensions will be of interest if they wish to make use of extensions. Finally, they should read § 13.4 Security considerations for Relying Parties and § 14.6 Privacy considerations for Relying Parties and consider which challenges apply to their application and users.
-
-
User agent developers
-
OS platform developers, responsible for OS platform API design and implementation in regards to platform-specific authenticator APIs, platform WebAuthn Client instantiation, etc.
-
The above two audiences should read § 5 Web Authentication API very carefully, along with § 9 WebAuthn Extensions if they intend to support extensions. They should also carefully read § 14.5 Privacy considerations for clients.
-
-
Authenticator developers. These readers will want to pay particular attention to § 6 WebAuthn Authenticator Model, § 8 Defined Attestation Statement Formats, § 9 WebAuthn Extensions, and § 10 Defined Extensions. They should also carefully read § 13.3 Security considerations for authenticators and § 14.4 Privacy considerations for authenticators.
It is important for Web Authentication deployments' end-to-end security that the role of each component—the Relying Party server, the client, and the authenticator— as well as § 13 Security Considerations and § 14 Privacy Considerations, are understood by all audiences.
1.2. Use Cases
The below use case scenarios illustrate use of two very different types of authenticators, as well as outline further scenarios. Additional scenarios, including sample code, are given later in § 1.3 Sample API Usage Scenarios.
1.2.1. Registration
-
On a phone:
-
User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using (possibly a legacy method such as a password), or creates a new account.
-
The phone prompts, "Do you want to register this device with example.com?"
-
User agrees.
-
The phone prompts the user for a previously configured authorization gesture (PIN, biometric, etc.); the user provides this.
-
Website shows message, "Registration complete."
-
1.2.2. Authentication
-
On a laptop or desktop:
-
User pairs their phone with the laptop or desktop via Bluetooth.
-
User navigates to example.com in a browser and initiates signing in.
-
User gets a message from the browser, "Please complete this action on your phone."
-
-
Next, on their phone:
-
User sees a discrete prompt or notification, "Sign in to example.com."
-
User selects this prompt / notification.
-
User is shown a list of their example.com identities, e.g., "Sign in as Mohamed / Sign in as 张三".
-
User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.
-
-
Now, back on the laptop:
-
Web page shows that the selected user is signed in, and navigates to the signed-in page.
-
1.2.3. New Device Registration
This use case scenario illustrates how a Relying Party can leverage a combination of a roaming authenticator (e.g., a USB security key fob) and a platform authenticator (e.g., a built-in fingerprint sensor) such that the user has:
-
a "primary" roaming authenticator that they use to authenticate on new-to-them client devices (e.g., laptops, desktops) or on such client devices that lack a platform authenticator, and
-
a low-friction means to strongly re-authenticate on client devices having platform authenticators.
Note: This approach of registering multiple authenticators for an account is also useful in account recovery use cases.
-
First, on a desktop computer (lacking a platform authenticator):
-
User navigates to
example.com
in a browser and signs in to an existing account using whatever method they have been using (possibly a legacy method such as a password), or creates a new account. -
User navigates to account security settings and selects "Register security key".
-
Website prompts the user to plug in a USB security key fob; the user does.
-
The USB security key blinks to indicate the user should press the button on it; the user does.
-
Website shows message, "Registration complete."
Note: Since this computer lacks a platform authenticator, the website may require the user to present their USB security key from time to time or each time the user interacts with the website. This is at the website’s discretion.
-
-
Later, on their laptop (which features a platform authenticator):
-
User navigates to example.com in a browser and initiates signing in.
-
Website prompts the user to plug in their USB security key.
-
User plugs in the previously registered USB security key and presses the button.
-
Website shows that the user is signed in, and navigates to the signed-in page.
-
Website prompts, "Do you want to register this computer with example.com?"
-
User agrees.
-
Laptop prompts the user for a previously configured authorization gesture (PIN, biometric, etc.); the user provides this.
-
Website shows message, "Registration complete."
-
User signs out.
-
-
Later, again on their laptop:
-
User navigates to example.com in a browser and initiates signing in.
-
Website shows message, "Please follow your computer’s prompts to complete sign in."
-
Laptop prompts the user for an authorization gesture (PIN, biometric, etc.); the user provides this.
-
Website shows that the user is signed in, and navigates to the signed-in page.
-
1.2.4. Other Use Cases and Configurations
A variety of additional use cases and configurations are also possible, including (but not limited to):
-
A user navigates to example.com on their laptop, is guided through a flow to create and register a credential on their phone.
-
A user obtains a discrete, roaming authenticator, such as a "fob" with USB or USB+NFC/BLE connectivity options, loads example.com in their browser on a laptop or phone, and is guided through a flow to create and register a credential on the fob.
-
A Relying Party prompts the user for their authorization gesture in order to authorize a single transaction, such as a payment or other financial transaction.
1.3. Sample API Usage Scenarios
This section is not normative.
In this section, we walk through some events in the lifecycle of a public key credential, along with the corresponding sample code for using this API. Note that this is an example flow and does not limit the scope of how the API can be used.
As was the case in earlier sections, this flow focuses on a use case involving a passkey roaming authenticator with its own display. One example of such an authenticator would be a smart phone. Other authenticator types are also supported by this API, subject to implementation by the client platform. For instance, this flow also works without modification for the case of an authenticator that is embedded in the client device. The flow also works for the case of an authenticator without its own display (similar to a smart card) subject to specific implementation considerations. Specifically, the client platform needs to display any prompts that would otherwise be shown by the authenticator, and the authenticator needs to allow the client platform to enumerate all the authenticator’s credentials so that the client can have information to show appropriate prompts.
1.3.1. Registration
This is the first-time flow, in which a new credential is created and registered with the server. In this flow, the WebAuthn Relying Party does not have a preference for platform authenticator or roaming authenticators.
-
The user visits example.com, which serves up a script. At this point, the user may already be logged in using a legacy username and password, or additional authenticator, or other means acceptable to the Relying Party. Or the user may be in the process of creating a new account.
-
The Relying Party script runs the code snippet below.
-
The client platform searches for and locates the authenticator.
-
The client connects to the authenticator, performing any pairing actions if necessary.
-
The authenticator shows appropriate UI for the user to provide a biometric or other authorization gesture.
-
The authenticator returns a response to the client, which in turn returns a response to the Relying Party script. If the user declined to select an authenticator or provide authorization, an appropriate error is returned.
-
If a new credential was created,
-
The Relying Party script sends the newly generated credential public key to the server, along with additional information such as attestation regarding the provenance and characteristics of the authenticator.
-
The server stores the credential public key in its database and associates it with the user as well as with the characteristics of authentication indicated by attestation, also storing a friendly name for later use.
-
The script may store data such as the credential ID in local storage, to improve future UX by narrowing the choice of credential for the user.
-
The sample code for generating and registering a new key follows:
if ( ! window. PublicKeyCredential) { /* Client not capable. Handle error. */ } var publicKey= { // The challenge is produced by the server; see the Security Considerations challenge: new Uint8Array([ 21 , 31 , 105 /* 29 more random bytes generated by the server */ ]), // Relying Party: rp: { name: "ACME Corporation" }, // User: user: { id: Uint8Array. from ( window. atob( "MIIBkzCCATigAwIBAjCCAZMwggE4oAMCAQIwggGTMII=" ), c=> c. charCodeAt( 0 )), name: "alex.mueller@example.com" , displayName: "Alex Müller" , }, // This Relying Party will accept either an ES256 or RS256 credential, but // prefers an ES256 credential. pubKeyCredParams: [ { type: "public-key" , alg: - 7 // "ES256" as registered in the IANA COSE Algorithms registry }, { type: "public-key" , alg: - 257 // Value registered by this specification for "RS256" } ], authenticatorSelection: { // Try to use UV if possible. This is also the default. userVerification: "preferred" }, timeout: 300000 , // 5 minutes excludeCredentials: [ // Don’t re-register any authenticator that has one of these credentials { "id" : Uint8Array. from ( window. atob( "ufJWp8YGlibm1Kd9XQBWN1WAw2jy5In2Xhon9HAqcXE=" ), c=> c. charCodeAt( 0 )), "type" : "public-key" }, { "id" : Uint8Array. from ( window. atob( "E/e1dhZc++mIsz4f9hb6NifAzJpF1V4mEtRlIPBiWdY=" ), c=> c. charCodeAt( 0 )), "type" : "public-key" } ], // Make excludeCredentials check backwards compatible with credentials registered with U2F extensions: { "appidExclude" : "https://acme.example.com" } }; // Note: The following call will cause the authenticator to display UI. navigator. credentials. create({ publicKey}) . then( function ( newCredentialInfo) { // Send new credential info to server for verification and registration. }). catch ( function ( err) { // No acceptable authenticator or user refused consent. Handle appropriately. });
1.3.2. Registration Specifically with User-Verifying Platform Authenticator
This is an example flow for when the WebAuthn Relying Party is specifically interested in creating a public key credential with a user-verifying platform authenticator.
-
The user visits example.com and clicks on the login button, which redirects the user to login.example.com.
-
The user enters a username and password to log in. After successful login, the user is redirected back to example.com.
-
The Relying Party script runs the code snippet below.
-
The user agent checks if a user-verifying platform authenticator is available. If not, terminate this flow.
-
The Relying Party asks the user if they want to create a credential with it. If not, terminate this flow.
-
The user agent and/or operating system shows appropriate UI and guides the user in creating a credential using one of the available platform authenticators.
-
Upon successful credential creation, the Relying Party script conveys the new credential to the server.
-
if ( ! window. PublicKeyCredential) { /* Client not capable of the API. Handle error. */ } PublicKeyCredential. isUserVerifyingPlatformAuthenticatorAvailable() . then( function ( uvpaAvailable) { // If there is a user-verifying platform authenticator if ( uvpaAvailable) { // Render some RP-specific UI and get a Promise for a Boolean value return askIfUserWantsToCreateCredential(); } }). then( function ( userSaidYes) { // If there is a user-verifying platform authenticator // AND the user wants to create a credential if ( userSaidYes) { var publicKeyOptions= { /* Public key credential creation options. */ }; return navigator. credentials. create({ "publicKey" : publicKeyOptions}); } }). then( function ( newCredentialInfo) { if ( newCredentialInfo) { // Send new credential info to server for verification and registration. } }). catch ( function ( err) { // Something went wrong. Handle appropriately. });
1.3.3. Authentication
This is the flow when a user with an already registered credential visits a website and wants to authenticate using the credential.
-
The user visits example.com, which serves up a script.
-
The script asks the client for an Authentication Assertion, providing as much information as possible to narrow the choice of acceptable credentials for the user. This can be obtained from the data that was stored locally after registration, or by other means such as prompting the user for a username.
-
The Relying Party script runs one of the code snippets below.
-
The client platform searches for and locates the authenticator.
-
The client connects to the authenticator, performing any pairing actions if necessary.
-
The authenticator presents the user with a notification that their attention is needed. On opening the notification, the user is shown a friendly selection menu of acceptable credentials using the account information provided when creating the credentials, along with some information on the origin that is requesting these keys.
-
The authenticator obtains a biometric or other authorization gesture from the user.
-
The authenticator returns a response to the client, which in turn returns a response to the Relying Party script. If the user declined to select a credential or provide an authorization, an appropriate error is returned.
-
If an assertion was successfully generated and returned,
-
The script sends the assertion to the server.
-
The server examines the assertion, extracts the credential ID, looks up the registered credential public key in its database, and verifies the assertion signature. If valid, it looks up the identity associated with the assertion’s credential ID; that identity is now authenticated. If the credential ID is not recognized by the server (e.g., it has been deregistered due to inactivity) then the authentication has failed; each Relying Party will handle this in its own way.
-
The server now does whatever it would otherwise do upon successful authentication -- return a success page, set authentication cookies, etc.
-
If the Relying Party script does not have any hints available (e.g., from locally stored data) to help it narrow the list of credentials, then the sample code for performing such an authentication might look like this:
if ( ! window. PublicKeyCredential) { /* Client not capable. Handle error. */ } // credentialId is generated by the authenticator and is an opaque random byte array var credentialId= new Uint8Array([ 183 , 148 , 245 /* more random bytes previously generated by the authenticator */ ]); var options= { // The challenge is produced by the server; see the Security Considerations challenge: new Uint8Array([ 4 , 101 , 15 /* 29 more random bytes generated by the server */ ]), timeout: 300000 , // 5 minutes allowCredentials: [{ type: "public-key" , id: credentialId}] }; navigator. credentials. get({ "publicKey" : options}) . then( function ( assertion) { // Send assertion to server for verification }). catch ( function ( err) { // No acceptable credential or user refused consent. Handle appropriately. });
On the other hand, if the Relying Party script has some hints to help it narrow the list of credentials, then the sample code for performing such an authentication might look like the following. Note that this sample also demonstrates how to use the Credential Properties Extension.
if ( ! window. PublicKeyCredential) { /* Client not capable. Handle error. */ } var encoder= new TextEncoder(); var acceptableCredential1= { type: "public-key" , id: encoder. encode( "BA44712732CE" ) }; var acceptableCredential2= { type: "public-key" , id: encoder. encode( "BG35122345NF" ) }; var options= { // The challenge is produced by the server; see the Security Considerations challenge: new Uint8Array([ 8 , 18 , 33 /* 29 more random bytes generated by the server */ ]), timeout: 300000 , // 5 minutes allowCredentials: [ acceptableCredential1, acceptableCredential2], extensions: { 'credProps' : true } }; navigator. credentials. get({ "publicKey" : options}) . then( function ( assertion) { // Send assertion to server for verification }). catch ( function ( err) { // No acceptable credential or user refused consent. Handle appropriately. });
1.3.4. Aborting Authentication Operations
The below example shows how a developer may use the AbortSignal parameter to abort a credential registration operation. A similar procedure applies to an authentication operation.
const authAbortController= new AbortController(); const authAbortSignal= authAbortController. signal; authAbortSignal. onabort= function () { // Once the page knows the abort started, inform user it is attempting to abort. } var options= { // A list of options. } navigator. credentials. create({ publicKey: options, signal: authAbortSignal}) . then( function ( attestation) { // Register the user. }). catch ( function ( error) { if ( error== "AbortError" ) { // Inform user the credential hasn’t been created. // Let the server know a key hasn’t been created. } }); // Assume widget shows up whenever authentication occurs. if ( widget== "disappear" ) { authAbortController. abort(); }
1.3.5. Decommissioning
The following are possible situations in which decommissioning a credential might be desired. Note that all of these are handled on the server side and do not need support from the API specified here.
-
Possibility #1 -- user reports the credential as lost.
-
User goes to server.example.net, authenticates and follows a link to report a lost/stolen authenticator.
-
Server returns a page showing the list of registered credentials with friendly names as configured during registration.
-
User selects a credential and the server deletes it from its database.
-
In the future, the Relying Party script does not specify this credential in any list of acceptable credentials, and assertions signed by this credential are rejected.
-
-
Possibility #2 -- server deregisters the credential due to inactivity.
-
Server deletes credential from its database during maintenance activity.
-
In the future, the Relying Party script does not specify this credential in any list of acceptable credentials, and assertions signed by this credential are rejected.
-
-
Possibility #3 -- user deletes the credential from the authenticator.
-
User employs a authenticator-specific method (e.g., device settings UI) to delete a credential from their authenticator.
-
From this point on, this credential will not appear in any selection prompts, and no assertions can be generated with it.
-
Sometime later, the server deregisters this credential due to inactivity.
-
1.4. Platform-Specific Implementation Guidance
This specification defines how to use Web Authentication in the general case. When using Web Authentication in connection with specific platform support (e.g. apps), it is recommended to see platform-specific documentation and guides for additional guidance and limitations.
2. Conformance
This specification defines three conformance classes. Each of these classes is specified so that conforming members of the class are secure against non-conforming or hostile members of the other classes.
2.1. User Agents
A User Agent MUST behave as described by § 5 Web Authentication API in order to be considered conformant. Conforming User Agents MAY implement algorithms given in this specification in any way desired, so long as the end result is indistinguishable from the result that would be obtained by the specification’s algorithms.
A conforming User Agent MUST also be a conforming implementation of the IDL fragments of this specification, as described in the “Web IDL” specification. [WebIDL]
2.1.1. Enumerations as DOMString types
Enumeration types are not referenced by other parts of the Web IDL because that
would preclude other values from being used without updating this specification
and its implementations. It is important for backwards compatibility that client platforms and Relying Parties handle unknown values. Enumerations for this
specification exist here for documentation and as a registry. Where the
enumerations are represented elsewhere, they are typed as DOMString
s, for
example in transports
.
2.2. Authenticators
A WebAuthn Authenticator MUST provide the operations defined by § 6 WebAuthn Authenticator Model, and those operations MUST behave as described there. This is a set of functional and security requirements for an authenticator to be usable by a Conforming User Agent.
As described in § 1.2 Use Cases, an authenticator may be implemented in the operating system underlying the User Agent, or in external hardware, or a combination of both.
2.2.1. Backwards Compatibility with FIDO U2F
Authenticators that only support the § 8.6 FIDO U2F Attestation Statement Format have no mechanism to store a user handle, so the returned userHandle
will always be null.
2.3. WebAuthn Relying Parties
A WebAuthn Relying Party MUST behave as described in § 7 WebAuthn Relying Party Operations to obtain all the security benefits offered by this specification. See § 13.4.1 Security Benefits for WebAuthn Relying Parties for further discussion of this.
2.4. All Conformance Classes
All CBOR encoding performed by the members of the above conformance classes MUST be done using the CTAP2 canonical CBOR encoding form. All decoders of the above conformance classes SHOULD reject CBOR that is not validly encoded in the CTAP2 canonical CBOR encoding form and SHOULD reject messages with duplicate map keys.
3. Dependencies
This specification relies on several other underlying specifications, listed below and in Terms defined by reference.
- Base64url encoding
-
The term Base64url Encoding refers to the base64 encoding using the URL- and filename-safe character set defined in Section 5 of [RFC4648], with all trailing '=' characters omitted (as permitted by Section 3.2) and without the inclusion of any line breaks, whitespace, or other additional characters.
- CBOR
-
A number of structures in this specification, including attestation statements and extensions, are encoded using the CTAP2 canonical CBOR encoding form of the Compact Binary Object Representation (CBOR) [RFC8949], as defined in [FIDO-CTAP].
- CDDL
-
This specification describes the syntax of all CBOR-encoded data using the CBOR Data Definition Language (CDDL) [RFC8610].
- COSE
-
CBOR Object Signing and Encryption (COSE) [RFC9052] [RFC9053]. The IANA COSE Algorithms registry [IANA-COSE-ALGS-REG] originally established by [RFC8152] and updated by these specifications is also used.
- Credential Management
-
The API described in this document is an extension of the
Credential
concept defined in [CREDENTIAL-MANAGEMENT-1]. - DOM
-
DOMException
and the DOMException values used in this specification are defined in [DOM4]. - ECMAScript
-
%ArrayBuffer% is defined in [ECMAScript].
- URL
-
The concepts of domain, host, port, scheme, valid domain and valid domain string are defined in [URL].
- Web IDL
-
Many of the interface definitions and all of the IDL in this specification depend on [WebIDL]. This updated version of the Web IDL standard adds support for
Promise
s, which are now the preferred mechanism for asynchronous interaction in all new web APIs. - FIDO AppID
-
The algorithms for determining the FacetID of a calling application and determining if a caller’s FacetID is authorized for an AppID (used only in the AppID extension) are defined by [FIDO-APPID].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
4. Terminology
- Attestation
-
Generally, attestation is a statement that serves to bear witness, confirm, or authenticate. In the WebAuthn context, attestation is employed to provide verifiable evidence as to the origin of an authenticator and the data it emits. This includes such things as credential IDs, credential key pairs, signature counters, etc.
An attestation statement is provided within an attestation object during a registration ceremony. See also § 6.5 Attestation and Figure 6. Whether or how the client conveys the attestation statement and aaguid portions of the attestation object to the Relying Party is described by attestation conveyance.
- Attestation Certificate
-
An X.509 Certificate for the attestation key pair used by an authenticator to attest to its manufacture and capabilities. At registration time, the authenticator uses the attestation private key to sign the Relying Party-specific credential public key (and additional data) that it generates and returns via the authenticatorMakeCredential operation. Relying Parties use the attestation public key conveyed in the attestation certificate to verify the attestation signature. Note that in the case of self attestation, the authenticator has no distinct attestation key pair nor attestation certificate, see self attestation for details.
- Authentication
- Authentication Ceremony
-
The ceremony where a user, and the user’s client platform (containing or connected to at least one authenticator) work in concert to cryptographically prove to a Relying Party that the user controls the credential private key of a previously-registered public key credential (see Registration). Note that this includes a test of user presence or user verification.
The WebAuthn authentication ceremony is defined in § 7.2 Verifying an Authentication Assertion, and is initiated by the Relying Party invoking a
operation with anavigator.credentials.get()
publicKey
argument. See § 5 Web Authentication API for an introductory overview and § 1.3.3 Authentication for implementation examples. - Authentication Assertion
- Assertion
-
The cryptographically signed
AuthenticatorAssertionResponse
object returned by an authenticator as the result of an authenticatorGetAssertion operation.This corresponds to the [CREDENTIAL-MANAGEMENT-1] specification’s single-use credentials.
- Authenticator
- WebAuthn Authenticator
-
A cryptographic entity, existing in hardware or software, that can register a user with a given Relying Party and later assert possession of the registered public key credential, and optionally verify the user to the Relying Party. Authenticators can report information regarding their type and security characteristics via attestation during registration and assertion.
A WebAuthn Authenticator could be a roaming authenticator, a dedicated hardware subsystem integrated into the client device, or a software component of the client or client device. A WebAuthn Authenticator is not necessarily confined to operating in a local context, and can generate or store a credential key pair in a server outside of client-side hardware.
In general, an authenticator is assumed to have only one user. If multiple natural persons share access to an authenticator, they are considered to represent the same user in the context of that authenticator. If an authenticator implementation supports multiple users in separated compartments, then each compartment is considered a separate authenticator with a single user with no access to other users' credentials.
- Authorization Gesture
-
An authorization gesture is a physical interaction performed by a user with an authenticator as part of a ceremony, such as registration or authentication. By making such an authorization gesture, a user provides consent for (i.e., authorizes) a ceremony to proceed. This MAY involve user verification if the employed authenticator is capable, or it MAY involve a simple test of user presence.
- Backed Up
-
Public Key Credential Sources may be backed up in some fashion such that they may become present on an authenticator other than their generating authenticator. Backup can occur via mechanisms including but not limited to peer-to-peer sync, cloud sync, local network sync, and manual import/export. See also § 6.1.3 Credential Backup State.
- Backup Eligibility
- Backup Eligible
-
A Public Key Credential Source's generating authenticator determines at creation time whether the public key credential source is allowed to be backed up. Backup eligibility is signaled in authenticator data's flags along with the current backup state. Backup eligibility is a credential property and is permanent for a given public key credential source. A backup eligible public key credential source is referred to as a multi-device credential whereas one that is not backup eligible is referred to as a single-device credential. See also § 6.1.3 Credential Backup State.
- Backup State
-
The current backup state of a multi-device credential as determined by the current managing authenticator. Backup state is signaled in authenticator data's flags and can change over time. See also backup eligibility and § 6.1.3 Credential Backup State.
- Biometric Authenticator
-
Any authenticator that implements biometric recognition.
- Biometric Recognition
-
The automated recognition of individuals based on their biological and behavioral characteristics [ISOBiometricVocabulary].
- Bound credential
- "Authenticator contains a credential"
- "Credential created on an authenticator"
- "Authenticator contains a credential"
-
A public key credential source or public key credential is said to be bound to its managing authenticator. This means that only the managing authenticator can generate assertions for the public key credential sources bound to it.
This may also be expressed as "the managing authenticator contains the bound credential", or "the bound credential was created on its managing authenticator". Note, however, that a server-side credential might not be physically stored in persistent memory inside the authenticator, hence "bound to" is the primary term. See § 6.2.2 Credential Storage Modality.
- Ceremony
-
The concept of a ceremony [Ceremony] is an extension of the concept of a network protocol, with human nodes alongside computer nodes and with communication links that include user interface(s), human-to-human communication, and transfers of physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony. In this specification, Registration and Authentication are ceremonies, and an authorization gesture is often a component of those ceremonies.
- Client
- WebAuthn Client
-
Also referred to herein as simply a client. See also Conforming User Agent. A WebAuthn Client is an intermediary entity typically implemented in the user agent (in whole, or in part). Conceptually, it underlies the Web Authentication API and embodies the implementation of the
[[Create]](origin, options, sameOriginWithAncestors)
and[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
internal methods. It is responsible for both marshalling the inputs for the underlying authenticator operations, and for returning the results of the latter operations to the Web Authentication API's callers.The WebAuthn Client runs on, and is distinct from, a WebAuthn Client Device.
- Client Device
- WebAuthn Client Device
-
The hardware device on which the WebAuthn Client runs, for example a smartphone, a laptop computer or a desktop computer, and the operating system running on that hardware.
The distinctions between a WebAuthn Client device and a client are:
-
a single client device MAY support running multiple clients, i.e., browser implementations, which all have access to the same authenticators available on that client device, and
-
platform authenticators are bound to a client device rather than a WebAuthn Client.
A client device and a client together constitute a client platform.
-
- Client Platform
-
A client device and a client together make up a client platform. A single hardware device MAY be part of multiple distinct client platforms at different times by running different operating systems and/or clients.
- Client-Side
-
This refers in general to the combination of the user’s client platform, authenticators, and everything gluing it all together.
- Client-side discoverable Public Key Credential Source
- Client-side discoverable Credential
- Discoverable Credential
- Passkey
- [DEPRECATED] Resident Credential
- [DEPRECATED] Resident Key
- Client-side discoverable Credential
-
Note: Historically, client-side discoverable credentials have been known as resident credentials or resident keys. Due to the phrases
ResidentKey
andresidentKey
being widely used in both the WebAuthn API and also in the Authenticator Model (e.g., in dictionary member names, algorithm variable names, and operation parameters) the usage ofresident
within their names has not been changed for backwards compatibility purposes. Also, the term resident key is defined here as equivalent to a client-side discoverable credential.A Client-side discoverable Public Key Credential Source, or Discoverable Credential for short, is a public key credential source that is discoverable and usable in authentication ceremonies where the Relying Party does not provide any credential IDs, i.e., the Relying Party invokes
navigator.credentials.get()
with an emptyallowCredentials
argument. This means that the Relying Party does not necessarily need to first identify the user.As a consequence, a discoverable credential capable authenticator can generate an assertion signature for a discoverable credential given only an RP ID, which in turn necessitates that the public key credential source is stored in the authenticator or client platform. This is in contrast to a Server-side Public Key Credential Source, which requires that the authenticator is given both the RP ID and the credential ID but does not require client-side storage of the public key credential source.
See also: client-side credential storage modality and non-discoverable credential.
Note: Client-side discoverable credentials are also usable in authentication ceremonies where credential IDs are given, i.e., when calling
navigator.credentials.get()
with a non-emptyallowCredentials
argument. - Conforming User Agent
-
A user agent implementing, in cooperation with the underlying client device, the Web Authentication API and algorithms given in this specification, and handling communication between authenticators and Relying Parties.
- Credential ID
-
A probabilistically-unique byte sequence identifying a public key credential source and its authentication assertions. At most 1023 bytes long.
Credential IDs are generated by authenticators in two forms:
-
At least 16 bytes that include at least 100 bits of entropy, or
-
The public key credential source, without its Credential ID or mutable items, encrypted so only its managing authenticator can decrypt it. This form allows the authenticator to be nearly stateless, by having the Relying Party store any necessary state.
Note: [FIDO-UAF-AUTHNR-CMDS] includes guidance on encryption techniques under "Security Guidelines".
Relying Parties do not need to distinguish these two Credential ID forms.
-
- Credential Key Pair
- Credential Private Key
- Credential Public Key
- User Public Key
- User Credential
- Credential Private Key
-
A credential key pair is a pair of asymmetric cryptographic keys generated by an authenticator and scoped to a specific WebAuthn Relying Party. It is the central part of a public key credential.
A credential public key is the public key portion of a credential key pair. The credential public key is returned to the Relying Party during a registration ceremony.
A credential private key is the private key portion of a credential key pair. The credential private key is bound to a particular authenticator - its managing authenticator - and is expected to never be exposed to any other party, not even to the owner of the authenticator.
Note that in the case of self attestation, the credential key pair is also used as the attestation key pair, see self attestation for details.
Note: The credential public key is referred to as the user public key in FIDO UAF [UAFProtocol], and in FIDO U2F [FIDO-U2F-Message-Formats] and some parts of this specification that relate to it.
- Credential Properties
-
A credential property is some characteristic property of a public key credential source, such as whether it is a client-side discoverable credential or a server-side credential.
- Credential Record
-
In order to implement the algorithms defined in § 7 WebAuthn Relying Party Operations, the Relying Party MUST store some properties of registered public key credential sources. The credential record struct is an abstraction of these properties stored in a user account. A credential record is created during a registration ceremony and used in subsequent authentication ceremonies. Relying Parties MAY delete credential records as necessary or when requested by users.
The following items are RECOMMENDED in order to implement all steps of § 7.1 Registering a New Credential and § 7.2 Verifying an Authentication Assertion as defined:
- type
-
The type of the public key credential source.
- id
-
The Credential ID of the public key credential source.
- publicKey
-
The credential public key of the public key credential source.
- signCount
-
The latest value of the signature counter in the authenticator data from any ceremony using the public key credential source.
- transports
-
The value returned from
getTransports()
when the public key credential source was registered.Note: Modifying or removing items from the value returned from
getTransports()
could negatively impact user experience, or even prevent use of the corresponding credential. - uvInitialized
-
A Boolean value indicating whether any credential from this public key credential source has had the UV flag set.
When this is
true
, the Relying Party MAY consider the UV flag as an authentication factor in authentication ceremonies. For example, a Relying Party might skip a password prompt if uvInitialized istrue
and the UV flag is set, even when user verification was not required.When this is
false
, including an authentication ceremony where it would be updated totrue
, the UV flag MUST NOT be relied upon as an authentication factor. This is because the first time a public key credential source sets the UV flag to 1, there is not yet any trust relationship established between the Relying Party and the authenticator's user verification. Therefore, updating uvInitialized fromfalse
totrue
SHOULD require authorization by an additional authentication factor equivalent to WebAuthn user verification. - backupEligible
-
The value of the BE flag when the public key credential source was created.
- backupState
-
The latest value of the BS flag in the authenticator data from any ceremony using the public key credential source.
The following items are OPTIONAL:
- attestationObject
-
The value of the
attestationObject
attribute when the public key credential source was registered. Storing this enables the Relying Party to reference the credential’s attestation statement at a later time. - attestationClientDataJSON
-
The value of the
clientDataJSON
attribute when the public key credential source was registered. Storing this in combination with the above attestationObject item enables the Relying Party to re-verify the attestation signature at a later time. - authenticatorDisplayName
-
A human-palatable description of the public key credential source.
If used, the Relying Party SHOULD use this to describe the credential record in the user’s account settings. The Relying Party SHOULD allow the user to choose this value, and MAY allow the user to modify it at will.
The Credential Properties Extension defines the credential property
authenticatorDisplayName
which, when available, MAY be offered as a default for this value. The Relying Party MAY also derive a default value from the authenticator’s attestation statement, if any.
WebAuthn extensions MAY define additional items needed to process the extension. Relying Parties MAY also include any additional items as needed, and MAY omit any items not needed for their implementation.
The credential descriptor for a credential record is a
PublicKeyCredentialDescriptor
value with the contents:type
-
The type of the credential record.
id
-
The id of the credential record.
transports
-
The transports of the credential record.
- Generating Authenticator
-
The Generating Authenticator is the authenticator involved in the authenticatorMakeCredential operation resulting in the creation of a given public key credential source. The generating authenticator is the same as the managing authenticator for single-device credentials. For multi-device credentials, the generating authenticator may or may not be the same as the current managing authenticator participating in a given authentication operation.
- Human Palatability
-
An identifier that is human-palatable is intended to be rememberable and reproducible by typical human users, in contrast to identifiers that are, for example, randomly generated sequences of bits [EduPersonObjectClassSpec].
- Non-Discoverable Credential
-
This is a credential whose credential ID must be provided in
allowCredentials
when callingnavigator.credentials.get()
because it is not client-side discoverable. See also server-side credentials. - Registrable Origin Label
-
The first domain label of the registrable domain of a domain, or null if the registrable domain is null. For example, the registrable origin label of both
example.co.uk
andwww.example.de
isexample
if bothco.uk
andde
are public suffixes. - Public Key Credential
-
Generically, a credential is data one entity presents to another in order to authenticate the former to the latter [RFC4949]. The term public key credential refers to one of: a public key credential source, the possibly-attested credential public key corresponding to a public key credential source, or an authentication assertion. Which one is generally determined by context.
Note: This is a willful violation of [RFC4949]. In English, a "credential" is both a) the thing presented to prove a statement and b) intended to be used multiple times. It’s impossible to achieve both criteria securely with a single piece of data in a public key system. [RFC4949] chooses to define a credential as the thing that can be used multiple times (the public key), while this specification gives "credential" the English term’s flexibility. This specification uses more specific terms to identify the data related to an [RFC4949] credential:- "Authentication information" (possibly including a private key)
- "Signed value"
- [RFC4949] "credential"
At registration time, the authenticator creates an asymmetric key pair, and stores its private key portion and information from the Relying Party into a public key credential source. The public key portion is returned to the Relying Party, which then stores it in the active user account. Subsequently, only that Relying Party, as identified by its RP ID, is able to employ the public key credential in authentication ceremonies, via the
get()
method. The Relying Party uses its stored copy of the credential public key to verify the resultant authentication assertion. - Public Key Credential Source
-
A credential source ([CREDENTIAL-MANAGEMENT-1]) used by an authenticator to generate authentication assertions. A public key credential source consists of a struct with the following items:
- type
-
whose value is of
PublicKeyCredentialType
, defaulting topublic-key
. - id
- privateKey
- rpId
-
The Relying Party Identifier, for the Relying Party this public key credential source is scoped to. This is determined by the
parameter of therp
.id
create()
operation. - userHandle
-
The user handle associated when this public key credential source was created. This item is nullable, however user handle MUST always be populated for discoverable credentials.
- otherUI
-
OPTIONAL other information used by the authenticator to inform its UI. For example, this might include the user’s
displayName
. otherUI is a mutable item and SHOULD NOT be bound to the public key credential source in a way that prevents otherUI from being updated.
The authenticatorMakeCredential operation creates a public key credential source bound to a managing authenticator and returns the credential public key associated with its credential private key. The Relying Party can use this credential public key to verify the authentication assertions created by this public key credential source.
- Rate Limiting
-
The process (also known as throttling) by which an authenticator implements controls against brute force attacks by limiting the number of consecutive failed authentication attempts within a given period of time. If the limit is reached, the authenticator should impose a delay that increases exponentially with each successive attempt, or disable the current authentication modality and offer a different authentication factor if available. Rate limiting is often implemented as an aspect of user verification.
- Registration
- Registration Ceremony
-
The ceremony where a user, a Relying Party, and the user’s client platform (containing or connected to at least one authenticator) work in concert to create a public key credential and associate it with a user account. Note that this includes employing a test of user presence or user verification. After a successful registration ceremony, the user can be authenticated by an authentication ceremony.
The WebAuthn registration ceremony is defined in § 7.1 Registering a New Credential, and is initiated by the Relying Party invoking a
operation with anavigator.credentials.create()
publicKey
argument. See § 5 Web Authentication API for an introductory overview and § 1.3.1 Registration for implementation examples. - Relying Party
- WebAuthn Relying Party
-
The entity whose web application utilizes the Web Authentication API to register and authenticate users.
A Relying Party implementation typically consists of both some client-side script that invokes the Web Authentication API in the client, and a server-side component that executes the Relying Party operations and other application logic. Communication between the two components MUST use HTTPS or equivalent transport security, but is otherwise beyond the scope of this specification.
Note: While the term Relying Party is also often used in other contexts (e.g., X.509 and OAuth), an entity acting as a Relying Party in one context is not necessarily a Relying Party in other contexts. In this specification, the term WebAuthn Relying Party is often shortened to be just Relying Party, and explicitly refers to a Relying Party in the WebAuthn context. Note that in any concrete instantiation a WebAuthn context may be embedded in a broader overall context, e.g., one based on OAuth.
- Relying Party Identifier
- RP ID
-
In the context of the WebAuthn API, a relying party identifier is a valid domain string identifying the WebAuthn Relying Party on whose behalf a given registration or authentication ceremony is being performed. A public key credential can only be used for authentication with the same entity (as identified by RP ID) it was registered with.
By default, the RP ID for a WebAuthn operation is set to the caller’s origin's effective domain. This default MAY be overridden by the caller, as long as the caller-specified RP ID value is a registrable domain suffix of or is equal to the caller’s origin's effective domain. See also § 5.1.3 Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method and § 5.1.4 Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method.
Note: An RP ID is based on a host's domain name. It does not itself include a scheme or port, as an origin does. The RP ID of a public key credential determines its scope. I.e., it determines the set of origins on which the public key credential may be exercised, as follows:-
The RP ID must be equal to the origin's effective domain, or a registrable domain suffix of the origin's effective domain.
-
One of the following must be true:
For example, given a Relying Party whose origin is
https://login.example.com:1337
, then the following RP IDs are valid:login.example.com
(default) andexample.com
, but notm.login.example.com
and notcom
. Another example of a valid origin ishttp://localhost:8000
, due to the origin beinglocalhost
.This is done in order to match the behavior of pervasively deployed ambient credentials (e.g., cookies, [RFC6265]). Please note that this is a greater relaxation of "same-origin" restrictions than what document.domain's setter provides.
These restrictions on origin values apply to WebAuthn Clients.
Other specifications mimicking the WebAuthn API to enable WebAuthn public key credentials on non-Web platforms (e.g. native mobile applications), MAY define different rules for binding a caller to a Relying Party Identifier. Though, the RP ID syntaxes MUST conform to either valid domain strings or URIs [RFC3986] [URL].
-
- Server-side Public Key Credential Source
- Server-side Credential
- [DEPRECATED] Non-Resident Credential
- Server-side Credential
-
Note: Historically, server-side credentials have been known as non-resident credentials. For backwards compatibility purposes, the various WebAuthn API and Authenticator Model components with various forms of
resident
within their names have not been changed.A Server-side Public Key Credential Source, or Server-side Credential for short, is a public key credential source that is only usable in an authentication ceremony when the Relying Party supplies its credential ID in
navigator.credentials.get()
'sallowCredentials
argument. This means that the Relying Party must manage the credential’s storage and discovery, as well as be able to first identify the user in order to discover the credential IDs to supply in thenavigator.credentials.get()
call.Client-side storage of the public key credential source is not required for a server-side credential. This is in contrast to a client-side discoverable credential, which instead does not require the user to first be identified in order to provide the user’s credential IDs to a
navigator.credentials.get()
call.See also: server-side credential storage modality and non-discoverable credential.
- Test of User Presence
-
A test of user presence is a simple form of authorization gesture and technical process where a user interacts with an authenticator by (typically) simply touching it (other modalities may also exist), yielding a Boolean result. Note that this does not constitute user verification because a user presence test, by definition, is not capable of biometric recognition, nor does it involve the presentation of a shared secret such as a password or PIN.
- User Account
-
In the context of this specification, a user account denotes the mapping of a set of credentials [CREDENTIAL-MANAGEMENT-1] to a (sub)set of a Relying Party's resources, as maintained and authorized by the Relying Party. The Relying Party maps a given public key credential to a user account by assigning a user account-specific value to the credential’s user handle and storing a credential record for the credential in the user account. This mapping, the set of credentials, and their authorizations, may evolve over time. A given user account might be accessed by one or more natural persons (also known as "users"), and one natural person might have access to one or more user accounts, depending on actions of the user(s) and the Relying Party.
- User Consent
-
User consent means the user agrees with what they are being asked, i.e., it encompasses reading and understanding prompts. An authorization gesture is a ceremony component often employed to indicate user consent.
- User Handle
-
A user handle is an identifier for a user account, specified by the Relying Party as
during registration. Discoverable credentials store this identifier and MUST return it asuser
.id
in authentication ceremonies started with an emptyresponse
.userHandle
argument.allowCredentials
The main use of the user handle is to identify the user account in such authentication ceremonies, but the credential ID could be used instead. The main differences are that the credential ID is chosen by the authenticator and is unique for each credential, while the user handle is chosen by the Relying Party and ought to be the same for all credentials registered to the same user account.
Authenticators map pairs of RP ID and user handle to public key credential sources. As a consequence, an authenticator will store at most one discoverable credential per user handle per Relying Party. Therefore a secondary use of the user handle is to allow authenticators to know when to replace an existing discoverable credential with a new one during the registration ceremony.
A user handle is an opaque byte sequence with a maximum size of 64 bytes, and is not meant to be displayed to the user. It MUST NOT contain personally identifying information, see § 14.6.1 User Handle Contents.
- User Present
-
Upon successful completion of a user presence test, the user is said to be "present".
- User Verification
-
The technical process by which an authenticator locally authorizes the invocation of the authenticatorMakeCredential and authenticatorGetAssertion operations. User verification MAY be instigated through various authorization gesture modalities; for example, through a touch plus pin code, password entry, or biometric recognition (e.g., presenting a fingerprint) [ISOBiometricVocabulary]. The intent is to distinguish individual users. See also § 6.2.3 Authentication Factor Capability.
Note that user verification does not give the Relying Party a concrete identification of the user, but when 2 or more ceremonies with user verification have been done with that credential it expresses that it was the same user that performed all of them. The same user might not always be the same natural person, however, if multiple natural persons share access to the same authenticator.
Note: Distinguishing natural persons depends in significant part upon the client platform's and authenticator's capabilities. For example, some devices are intended to be used by a single individual, yet they may allow multiple natural persons to enroll fingerprints or know the same PIN and thus access the same user account(s) using that device.
Note: Invocation of the authenticatorMakeCredential and authenticatorGetAssertion operations implies use of key material managed by the authenticator.Also, for security, user verification and use of credential private keys must all occur within the logical security boundary defining the authenticator.
User verification procedures MAY implement rate limiting as a protection against brute force attacks.
- User Verified
-
Upon successful completion of a user verification process, the user is said to be "verified".
5. Web Authentication API
This section normatively specifies the API for creating and using public key credentials. The basic idea is that the credentials belong to the user and are managed by a WebAuthn Authenticator, with which the WebAuthn Relying Party interacts through the client platform. Relying Party scripts can (with the user’s consent) request the browser to create a new credential for future use by the Relying Party. See Figure , below.
Scripts can also request the user’s permission to perform authentication operations with an existing credential. See Figure , below.
All such operations are performed in the authenticator and are mediated by the client platform on the user’s behalf. At no point does the script get access to the credentials themselves; it only gets information about the credentials in the form of objects.
In addition to the above script interface, the authenticator MAY implement (or come with client software that implements) a user interface for management. Such an interface MAY be used, for example, to reset the authenticator to a clean state or to inspect the current state of the authenticator. In other words, such an interface is similar to the user interfaces provided by browsers for managing user state such as history, saved passwords, and cookies. Authenticator management actions such as credential deletion are considered to be the responsibility of such a user interface and are deliberately omitted from the API exposed to scripts.
The security properties of this API are provided by the client and the authenticator working together. The authenticator, which holds and manages credentials, ensures that all operations are scoped to a particular origin, and cannot be replayed against a different origin, by incorporating the origin in its responses. Specifically, as defined in § 6.3 Authenticator Operations, the full origin of the requester is included, and signed over, in the attestation object produced when a new credential is created as well as in all assertions produced by WebAuthn credentials.
Additionally, to maintain user privacy and prevent malicious Relying Parties from probing for the presence of public key credentials belonging to other Relying Parties, each credential is also scoped to a Relying Party Identifier, or RP ID. This RP ID is provided by the client to the authenticator for all operations, and the authenticator ensures that credentials created by a Relying Party can only be used in operations requested by the same RP ID. Separating the origin from the RP ID in this way allows the API to be used in cases where a single Relying Party maintains multiple origins.
The client facilitates these security measures by providing the Relying Party's origin and RP ID to the authenticator for each operation. Since this is an integral part of the WebAuthn security model, user agents only expose this API to callers in secure contexts. For web contexts in particular, this only includes those accessed via a secure transport (e.g., TLS) established without errors.
The Web Authentication API is defined by the union of the Web IDL fragments presented in the following sections. A combined IDL listing is given in the IDL Index.
5.1. PublicKeyCredential
Interface
The PublicKeyCredential
interface inherits from Credential
[CREDENTIAL-MANAGEMENT-1], and contains the attributes
that are returned to the caller when a new credential is created, or a new assertion is requested.
[SecureContext ,Exposed =Window ]interface PublicKeyCredential :Credential { [SameObject ]readonly attribute ArrayBuffer ; [
rawId SameObject ]readonly attribute AuthenticatorResponse response ;readonly attribute DOMString ?authenticatorAttachment ;AuthenticationExtensionsClientOutputs ();
getClientExtensionResults static Promise <boolean >();
isConditionalMediationAvailable PublicKeyCredentialJSON (); };
toJSON
id
-
This attribute is inherited from
Credential
, thoughPublicKeyCredential
overridesCredential
's getter, instead returning the base64url encoding of the data contained in the object’s[[identifier]]
internal slot. rawId
-
This attribute returns the
ArrayBuffer
contained in the[[identifier]]
internal slot. response
, of type AuthenticatorResponse, readonly-
This attribute contains the authenticator's response to the client’s request to either create a public key credential, or generate an authentication assertion. If the
PublicKeyCredential
is created in response tocreate()
, this attribute’s value will be anAuthenticatorAttestationResponse
, otherwise, thePublicKeyCredential
was created in response toget()
, and this attribute’s value will be anAuthenticatorAssertionResponse
. authenticatorAttachment
, of type DOMString, readonly, nullable-
This attribute reports the authenticator attachment modality in effect at the time the
navigator.credentials.create()
ornavigator.credentials.get()
methods successfully complete. The attribute’s value SHOULD be a member ofAuthenticatorAttachment
. Relying Parties SHOULD treat unknown values as if the value were null.Note: If, as the result of a registration or authentication ceremony,authenticatorAttachment
's value is "cross-platform" and concurrentlyisUserVerifyingPlatformAuthenticatorAvailable
returnstrue
, then the user employed a roaming authenticator for this ceremony while there is an available platform authenticator. Thus the Relying Party has the opportunity to prompt the user to register the available platform authenticator, which may enable more streamlined user experience flows.An authenticator’s attachment modality could change over time. For example, a mobile phone might at one time only support platform attachment but later receive updates to support cross-platform attachment as well.
getClientExtensionResults()
-
This operation returns the value of
[[clientExtensionsResults]]
, which is a map containing extension identifier → client extension output entries produced by the extension’s client extension processing. isConditionalMediationAvailable()
-
PublicKeyCredential
overrides this method to indicate availability forconditional
mediation duringnavigator.credentials.get()
. WebAuthn Relying Parties SHOULD verify availability before attempting to setoptions.
tomediation
conditional
.Upon invocation, a promise is returned that resolves with a value of
true
ifconditional
user mediation is available, orfalse
otherwise.This method has no arguments and returns a promise to a Boolean value.
The
conditionalGet
capability is equivalent to this promise resolving totrue
.Note: If this method is not present,
conditional
user mediation is not available fornavigator.credentials.get()
.Note: This method does _not_ indicate whether or not
conditional
user mediation is available innavigator.credentials.create()
. For that, see theconditionalCreate
capability ingetClientCapabilities()
. toJSON()
-
This operation returns
RegistrationResponseJSON
orAuthenticationResponseJSON
, which are JSON type representations mirroringPublicKeyCredential
, suitable for submission to a Relying Party server as anapplication/json
payload. The client is in charge of serializing values to JSON types as usual, but MUST take additional steps to first encode anyArrayBuffer
values toDOMString
values using base64url encoding.The
RegistrationResponseJSON.clientExtensionResults
orAuthenticationResponseJSON.clientExtensionResults
member MUST be set to the output ofgetClientExtensionResults()
, with anyArrayBuffer
values encoded toDOMString
values using base64url encoding. This MAY includeArrayBuffer
values from extensions registered in the IANA "WebAuthn Extension Identifiers" registry [IANA-WebAuthn-Registries] but not defined in § 9 WebAuthn Extensions.The
AuthenticatorAttestationResponseJSON.transports
member MUST be set to the output ofgetTransports()
.The
AuthenticatorAttestationResponseJSON.publicKey
member MUST be set to the output ofgetPublicKey()
.The
AuthenticatorAttestationResponseJSON.publicKeyAlgorithm
member MUST be set to the output ofgetPublicKeyAlgorithm()
.
typedef DOMString ; // The structure of this object will be either // RegistrationResponseJSON or AuthenticationResponseJSON
Base64URLString typedef object ;
PublicKeyCredentialJSON dictionary {
RegistrationResponseJSON required DOMString ;
id required Base64URLString ;
rawId required AuthenticatorAttestationResponseJSON ;
response DOMString ;
authenticatorAttachment required AuthenticationExtensionsClientOutputsJSON ;
clientExtensionResults required DOMString ; };
type dictionary {
AuthenticatorAttestationResponseJSON required Base64URLString ;
clientDataJSON required Base64URLString ;
authenticatorData required sequence <DOMString >; // The publicKey field will be missing if pubKeyCredParams was used to // negotiate a public-key algorithm that the user agent doesn't // understand. (See section “Easily accessing credential data” for a // list of which algorithms user agents must support.) If using such an // algorithm then the public key must be parsed directly from // attestationObject or authenticatorData.
transports Base64URLString ;
publicKey required COSEAlgorithmIdentifier ; // This value contains copies of some of the fields above. See // section “Easily accessing credential data”.
publicKeyAlgorithm required Base64URLString ; };
attestationObject dictionary {
AuthenticationResponseJSON required DOMString ;
id required Base64URLString ;
rawId required AuthenticatorAssertionResponseJSON ;
response DOMString ;
authenticatorAttachment required AuthenticationExtensionsClientOutputsJSON ;
clientExtensionResults required DOMString ; };
type dictionary {
AuthenticatorAssertionResponseJSON required Base64URLString ;
clientDataJSON required Base64URLString ;
authenticatorData required Base64URLString ;
signature Base64URLString ; };
userHandle dictionary { };
AuthenticationExtensionsClientOutputsJSON
[[type]]
-
The
PublicKeyCredential
interface object's[[type]]
internal slot's value is the string "public-key
".Note: This is reflected via the
type
attribute getter inherited fromCredential
. [[discovery]]
-
The
PublicKeyCredential
interface object's[[discovery]]
internal slot's value is "remote
". [[identifier]]
-
This internal slot contains the credential ID, chosen by the authenticator. The credential ID is used to look up credentials for use, and is therefore expected to be globally unique with high probability across all credentials of the same type, across all authenticators.
Note: This API does not constrain the format or length of this identifier, except that it MUST be sufficient for the authenticator to uniquely select a key. For example, an authenticator without on-board storage may create identifiers containing a credential private key wrapped with a symmetric key that is burned into the authenticator.
[[clientExtensionsResults]]
-
This internal slot contains the results of processing client extensions requested by the Relying Party upon the Relying Party's invocation of either
navigator.credentials.create()
ornavigator.credentials.get()
.
PublicKeyCredential
's interface object inherits Credential
's implementation of [[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors)
, and defines its own
implementation of each of [[Create]](origin, options, sameOriginWithAncestors)
, [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
, and [[Store]](credential, sameOriginWithAncestors)
.
Calling CredentialsContainer
's preventSilentAccess()
method
will have no effect on PublicKeyCredential
credentials, since they always require user interaction.
5.1.1. CredentialCreationOptions
Dictionary Extension
To support registration via navigator.credentials.create()
, this document extends
the CredentialCreationOptions
dictionary as follows:
partial dictionary CredentialCreationOptions {PublicKeyCredentialCreationOptions ; };
publicKey
5.1.2. CredentialRequestOptions
Dictionary Extension
To support obtaining assertions via navigator.credentials.get()
, this document extends the CredentialRequestOptions
dictionary as follows:
partial dictionary CredentialRequestOptions {PublicKeyCredentialRequestOptions ; };
publicKey
5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors)
Method
PublicKeyCredential
's interface object's implementation of the [[Create]](origin,
options, sameOriginWithAncestors)
internal method [CREDENTIAL-MANAGEMENT-1] allows WebAuthn Relying Party scripts to call navigator.credentials.create()
to request the creation of a new public key credential source, bound to an authenticator.
By setting options.
to mediation
conditional
, Relying Parties can indicate that they would like to register a credential without prominent modal UI if the user has already consented to create a credential.
The Relying Party SHOULD first use getClientCapabilities()
to check that the client supports the conditionalCreate
capability
in order to prevent a user-visible error in case this feature is not available.
The client MUST set BOTH requireUserPresence and requireUserVerification to FALSE when options.
is set to mediation
conditional
unless they may explicitly performed during the ceremony.
Any navigator.credentials.create()
operation can be aborted by leveraging the AbortController
;
see DOM § 3.3 Using AbortController and AbortSignal objects in APIs for detailed instructions.
This internal method accepts three arguments:
origin
-
This argument is the relevant settings object's origin, as determined by the calling
create()
implementation. options
-
This argument is a
CredentialCreationOptions
object whoseoptions.
member contains apublicKey
PublicKeyCredentialCreationOptions
object specifying the desired attributes of the to-be-created public key credential. sameOriginWithAncestors
-
This argument is a Boolean value which is
true
if and only if the caller’s environment settings object is same-origin with its ancestors. It isfalse
if caller is cross-origin.Note: Invocation of this internal method indicates that it was allowed by permissions policy, which is evaluated at the [CREDENTIAL-MANAGEMENT-1] level. See § 5.9 Permissions Policy integration.
Note: This algorithm is synchronous: the Promise
resolution/rejection is handled by navigator.credentials.create()
.
Note: All BufferSource
objects used in this algorithm must be snapshotted when the algorithm begins, to
avoid potential synchronization issues. The algorithm implementations should get a copy of the bytes held
by the buffer source and use that copy for relevant portions of the algorithm.
When this method is invoked, the user agent MUST execute the following algorithm:
-
Assert:
options.
is present.publicKey
-
If sameOriginWithAncestors is
false
:-
If
options.
is present with the valuemediation
conditional
:-
Throw a "
NotAllowedError
"DOMException
-
-
If the relevant global object, as determined by the calling
create()
implementation, does not have transient activation:-
Throw a "
NotAllowedError
"DOMException
.
-
NOTE: The client SHOULD make it clear to the user in the case where the origin that is creating a credential is different from the top-level origin of the relevant global object (i.e., is a different origin than the user can see in the address bar).
-
-
Let pkOptions be the value of
options.
.publicKey
-
If
pkOptions.
is present, check if its value lies within a reasonable range as defined by the client and if not, correct it to the closest value lying within that range. Set a timer lifetimeTimer to this adjusted value. Iftimeout
pkOptions.
is not present, then set lifetimeTimer to a client-specific default.timeout
See the recommended range and default for a WebAuthn ceremony timeout for guidance on deciding a reasonable range and default for
pkOptions.
.timeout
Note: The user agent should take cognitive guidelines into considerations regarding timeout for users with special needs.
-
If the length of
pkOptions.
is not between 1 and 64 bytes (inclusive) then throw auser
.id
TypeError
. -
Let callerOrigin be
origin
. If callerOrigin is an opaque origin, throw a "NotAllowedError
"DOMException
. -
Let effectiveDomain be the callerOrigin’s effective domain. If effective domain is not a valid domain, then throw a "
SecurityError
"DOMException
.Note: An effective domain may resolve to a host, which can be represented in various manners, such as domain, ipv4 address, ipv6 address, opaque host, or empty host. Only the domain format of host is allowed here. This is for simplification and also is in recognition of various issues with using direct IP address identification in concert with PKI-based security.
-
- is present
-
If
pkOptions.
is not a registrable domain suffix of and is not equal to effectiveDomain, and if the clientrp
.id
- supports related origin requests
-
-
Run the related origins validation procedure with arguments callerOrigin and rpIdRequested. If the result is
false
, throw a "SecurityError
"DOMException
.
- does not support related origin requests
-
throw a "
SecurityError
"DOMException
.
- is not present
Note:
pkOptions.
represents the caller’s RP ID. The RP ID defaults to being the caller’s origin's effective domain unless the caller has explicitly setrp
.id
pkOptions.
when callingrp
.id
create()
. -
Let credTypesAndPubKeyAlgs be a new list whose items are pairs of
PublicKeyCredentialType
and aCOSEAlgorithmIdentifier
. -
If
pkOptions.
’s sizepubKeyCredParams
- is zero
-
Append the following pairs of
PublicKeyCredentialType
andCOSEAlgorithmIdentifier
values to credTypesAndPubKeyAlgs:-
public-key
and-7
("ES256"). -
public-key
and-257
("RS256").
-
- is non-zero
-
For each current of
pkOptions.
:pubKeyCredParams
-
If
current.
does not contain atype
PublicKeyCredentialType
supported by this implementation, then continue. -
Let alg be
current.
.alg
-
Append the pair of
current.
and alg to credTypesAndPubKeyAlgs.type
If credTypesAndPubKeyAlgs is empty, throw a "
NotSupportedError
"DOMException
. -
-
Let clientExtensions be a new map and let authenticatorExtensions be a new map.
-
If
pkOptions.
is present, then for each extensionId → clientExtensionInput ofextensions
pkOptions.
:extensions
-
If extensionId is not supported by this client platform or is not a registration extension, then continue.
-
Set clientExtensions[extensionId] to clientExtensionInput.
-
If extensionId is not an authenticator extension, then continue.
-
Let authenticatorExtensionInput be the (CBOR) result of running extensionId’s client extension processing algorithm on clientExtensionInput. If the algorithm returned an error, continue.
-
Set authenticatorExtensions[extensionId] to the base64url encoding of authenticatorExtensionInput.
-
-
Let collectedClientData be a new
CollectedClientData
instance whose fields are:type
-
The string "webauthn.create".
challenge
-
The base64url encoding of pkOptions.
challenge
. origin
-
The serialization of callerOrigin.
crossOrigin
-
The inverse of the value of the
sameOriginWithAncestors
argument passed to this internal method. topOrigin
-
The serialization of callerOrigin’s top-level origin if the
sameOriginWithAncestors
argument passed to this internal method isfalse
, elseundefined
.
-
Let clientDataJSON be the JSON-compatible serialization of client data constructed from collectedClientData.
-
Let clientDataHash be the hash of the serialized client data represented by clientDataJSON.
-
If
options.
is present and aborted, throw thesignal
options.
’s abort reason.signal
-
Let issuedRequests be a new ordered set.
-
Let authenticators represent a value which at any given instant is a set of client platform-specific handles, where each item identifies an authenticator presently available on this client platform at that instant.
Note: What qualifies an authenticator as "available" is intentionally unspecified; this is meant to represent how authenticators can be hot-plugged into (e.g., via USB) or discovered (e.g., via NFC or Bluetooth) by the client by various mechanisms, or permanently built into the client.
-
If
options.
is present with the valuemediation
conditional
:-
If the user agent has not recently mediated an authentication, the origin of said authentication is not callerOrigin, or the user does not consent to this type of credential creation, throw a "
NotAllowedError
"DOMException
.It is up to the user agent to decide when it believes an authentication ceremony has been completed. That authentication ceremony MAY be performed via other means than the Web Authentication API.
-
-
Consider the value of
hints
and craft the user interface accordingly, as the user-agent sees fit. -
Start lifetimeTimer.
-
While lifetimeTimer has not expired, perform the following actions depending upon lifetimeTimer,
and the state and response for each authenticator in authenticators:
- If lifetimeTimer expires,
-
For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests.
- If the user exercises a user agent user-interface option to cancel the process,
-
For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests. Throw a "
NotAllowedError
"DOMException
. - If
options.
is present and aborted,signal
-
For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests. Then throw the
options.
’s abort reason.signal
- If an authenticator becomes available on this client device,
-
Note: This includes the case where an authenticator was available upon lifetimeTimer initiation.
-
This authenticator is now the candidate authenticator.
-
If
pkOptions.
is present:authenticatorSelection
-
If
pkOptions.
is present and its value is not equal to authenticator’s authenticator attachment modality, continue.authenticatorSelection
.authenticatorAttachment
-
If
pkOptions.
authenticatorSelection
.residentKey
- is present and set to
required
-
If the authenticator is not capable of storing a client-side discoverable public key credential source, continue.
- is present and set to
preferred
ordiscouraged
-
No effect.
- is not present
-
if
pkOptions.
is set toauthenticatorSelection
.requireResidentKey
true
and the authenticator is not capable of storing a client-side discoverable public key credential source, continue.
- is present and set to
-
If
pkOptions.
is set toauthenticatorSelection
.userVerification
required
and the authenticator is not capable of performing user verification, continue.
-
-
Let requireResidentKey be the effective resident key requirement for credential creation, a Boolean value, as follows:
If
pkOptions.
authenticatorSelection
.residentKey
- is present and set to
required
-
Let requireResidentKey be
true
. - is present and set to
preferred
-
If the authenticator
- is capable of client-side credential storage modality
-
Let requireResidentKey be
true
. - is not capable of client-side credential storage modality, or if the client cannot determine authenticator capability,
-
Let requireResidentKey be
false
.
- is present and set to
discouraged
-
Let requireResidentKey be
false
. - is not present
-
Let requireResidentKey be the value of
pkOptions.
.authenticatorSelection
.requireResidentKey
- is present and set to
-
Let userVerification be the effective user verification requirement for credential creation, a Boolean value, as follows. If
pkOptions.
authenticatorSelection
.userVerification
- is set to
required
-
-
If
options.
is set tomediation
conditional
and user verification cannot be collected during the ceremony, throw aConstraintError
DOMException
. -
Let userVerification be
true
.
-
- is set to
preferred
-
If the authenticator
- is capable of user verification
-
Let userVerification be
true
. - is not capable of user verification
-
Let userVerification be
false
.
- is set to
discouraged
-
Let userVerification be
false
.
- is set to
-
Let enterpriseAttestationPossible be a Boolean value, as follows. If
pkOptions.
attestation
- is set to
enterprise
-
Let enterpriseAttestationPossible be
true
if the user agent wishes to support enterprise attestation forpkOptions.
(see step 8, above). Otherwiserp
.id
false
. - otherwise
-
Let enterpriseAttestationPossible be
false
.
- is set to
-
Let attestationFormats be a list of strings, initialized to the value of
pkOptions.
.attestationFormats
-
If
pkOptions.
attestation
- is set to
none
-
Set attestationFormats be the single-element list containing the string “none”
- is set to
-
Let excludeCredentialDescriptorList be a new list.
-
For each credential descriptor C in
pkOptions.
:excludeCredentials
-
If
C.
is not empty, and authenticator is connected over a transport not mentioned intransports
C.
, the client MAY continue.transports
Note: If the client chooses to continue, this could result in inadvertently registering multiple credentials bound to the same authenticator if the transport hints in
C.
are not accurate. For example, stored transport hints could become inaccurate as a result of software upgrades adding new connectivity options.transports
-
Otherwise, Append C to excludeCredentialDescriptorList.
-
- Invoke the authenticatorMakeCredential operation on authenticator with clientDataHash,
pkOptions.
,rp
pkOptions.
, requireResidentKey, userVerification, credTypesAndPubKeyAlgs, excludeCredentialDescriptorList, enterpriseAttestationPossible, attestationFormats, and authenticatorExtensions as parameters.user
-
Append authenticator to issuedRequests.
-
- If an authenticator ceases to be available on this client device,
-
Remove authenticator from issuedRequests.
- If any authenticator returns a status indicating that the user cancelled the operation,
-
-
Remove authenticator from issuedRequests.
-
For each remaining authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove it from issuedRequests.
Note: Authenticators may return an indication of "the user cancelled the entire operation". How a user agent manifests this state to users is unspecified.
-
- If any authenticator returns an error status equivalent to "
InvalidStateError
", -
-
Remove authenticator from issuedRequests.
-
For each remaining authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove it from issuedRequests.
-
Throw an "
InvalidStateError
"DOMException
.
Note: This error status is handled separately because the authenticator returns it only if excludeCredentialDescriptorList identifies a credential bound to the authenticator and the user has consented to the operation. Given this explicit consent, it is acceptable for this case to be distinguishable to the Relying Party.
-
- If any authenticator returns an error status not equivalent to "
InvalidStateError
", -
Remove authenticator from issuedRequests.
Note: This case does not imply user consent for the operation, so details about the error are hidden from the Relying Party in order to prevent leak of potentially identifying information. See § 14.5.1 Registration Ceremony Privacy for details.
- If any authenticator indicates success,
-
-
Remove authenticator from issuedRequests. This authenticator is now the selected authenticator.
-
Let credentialCreationData be a struct whose items are:
attestationObjectResult
-
whose value is the bytes returned from the successful authenticatorMakeCredential operation.
Note: this value is
attObj
, as defined in § 6.5.4 Generating an Attestation Object. clientDataJSONResult
-
whose value is the bytes of clientDataJSON.
attestationConveyancePreferenceOption
-
whose value is the value of pkOptions.
attestation
. clientExtensionResults
-
whose value is an
AuthenticationExtensionsClientOutputs
object containing extension identifier → client extension output entries. The entries are created by running each extension’s client extension processing algorithm to create the client extension outputs, for each client extension inpkOptions.
.extensions
-
Let constructCredentialAlg be an algorithm that takes a global object global, and whose steps are:
-
If
credentialCreationData.attestationConveyancePreferenceOption
’s value isnone
-
Replace potentially uniquely identifying information with non-identifying versions of the same:
-
If the aaguid in the attested credential data is 16 zero bytes,
credentialCreationData.attestationObjectResult.fmt
is "packed", and "x5c" is absent fromcredentialCreationData.attestationObjectResult
, then self attestation is being used and no further action is needed. -
Otherwise:
-
Set the value of
credentialCreationData.attestationObjectResult.fmt
to "none", and set the value ofcredentialCreationData.attestationObjectResult.attStmt
to be an empty CBOR map. (See § 8.7 None Attestation Statement Format and § 6.5.4 Generating an Attestation Object). -
If authenticator is not a platform authenticator then replace the aaguid in the attested credential data with 16 zero bytes.
-
-
indirect
-
The client MAY replace the aaguid and attestation statement with a more privacy-friendly and/or more easily verifiable version of the same data (for example, by employing an Anonymization CA).
direct
orenterprise
-
Convey the authenticator's AAGUID and attestation statement, unaltered, to the Relying Party.
-
Let attestationObject be a new
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes ofcredentialCreationData.attestationObjectResult
’s value. -
Let id be
attestationObject.authData.attestedCredentialData.credentialId
. -
Let pubKeyCred be a new
PublicKeyCredential
object associated with global whose fields are:[[identifier]]
-
id
authenticatorAttachment
-
The
AuthenticatorAttachment
value matching the current authenticator attachment modality of authenticator. response
-
A new
AuthenticatorAttestationResponse
object associated with global whose fields are:clientDataJSON
-
A new
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes ofcredentialCreationData.clientDataJSONResult
. attestationObject
-
attestationObject
[[transports]]
-
A sequence of zero or more unique
DOMString
s, in lexicographical order, that the authenticator is believed to support. The values SHOULD be members ofAuthenticatorTransport
, but client platforms MUST ignore unknown values.If a user agent does not wish to divulge this information it MAY substitute an arbitrary sequence designed to preserve privacy. This sequence MUST still be valid, i.e. lexicographically sorted and free of duplicates. For example, it may use the empty sequence. Either way, in this case the user agent takes the risk that Relying Party behavior may be suboptimal.
If the user agent does not have any transport information, it SHOULD set this field to the empty sequence.
Note: How user agents discover transports supported by a given authenticator is outside the scope of this specification, but may include information from an attestation certificate (for example [FIDO-Transports-Ext]), metadata communicated in an authenticator protocol such as CTAP2, or special-case knowledge about a platform authenticator.
[[clientExtensionsResults]]
-
A new
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes ofcredentialCreationData.clientExtensionResults
.
-
Return pubKeyCred.
-
-
For each remaining authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove it from issuedRequests.
-
Return constructCredentialAlg and terminate this algorithm.
-
-
Throw a "
NotAllowedError
"DOMException
.
During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator. When options.
is set to mediation
conditional
, prominent modal UI should not be shown unless credential creation was previously consented to via means determined by the user agent.
5.1.3.1. Create Request Exceptions
This section is not normative.
WebAuthn Relying Parties can encounter a number of exceptions from a call to navigator.credentials.create()
.
Some exceptions can have multiple reasons for why they happened,
requiring the WebAuthn Relying Parties to infer the actual reason based on their use of WebAuthn.
Note: Exceptions that can be raised during processing of any WebAuthn Extensions, including ones defined outside of this specification, are not listed here.
The following DOMException
exceptions can be raised:
AbortError
-
The ceremony was cancelled by an
AbortController
. See § 5.6 Abort Operations with AbortSignal and § 1.3.4 Aborting Authentication Operations. ConstraintError
-
Either
residentKey
was set torequired
and no available authenticator supported resident keys, oruserVerification
was set torequired
and no available authenticator could perform user verification. InvalidStateError
-
The authenticator used in the ceremony recognized an entry in
excludeCredentials
after the user consented to registering a credential. NotSupportedError
-
No entry in
pubKeyCredParams
had atype
property ofpublic-key
, or the authenticator did not support any of the signature algorithms specified inpubKeyCredParams
. SecurityError
-
The effective domain was not a valid domain, or
was not equal to or a registrable domain suffix of the effective domain. In the latter case, the client does not support related origin requests or the related origins validation procedure failed.rp
.id
NotAllowedError
-
A catch-all error covering a wide range of possible reasons, including common ones like the user canceling out of the ceremony. Some of these causes are documented throughout this spec, while others are client-specific.
The following simple exceptions can be raised:
TypeError
-
The
options
argument was not a validCredentialCreationOptions
value, or the value of
was empty or was longer than 64 bytes.user
.id
5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options)
Method
WebAuthn Relying Parties call navigator.credentials.get({publicKey:..., ...})
to
discover and use an existing public key credential, with the user’s consent. Relying Party script optionally specifies some criteria
to indicate what public key credential sources are acceptable to it. The client platform locates public key credential sources matching the specified criteria, and guides the user to pick one that the script will be allowed to use. The user may choose to
decline the entire interaction even if a public key credential source is present, for example to maintain privacy. If the user picks a public key credential source, the user agent then uses § 6.3.3 The authenticatorGetAssertion Operation to sign a Relying Party-provided challenge and other collected data into an authentication assertion, which is used as a credential.
The navigator.credentials.get()
implementation [CREDENTIAL-MANAGEMENT-1] calls PublicKeyCredential.
to collect any credentials that
should be available without user mediation (roughly, this specification’s authorization gesture), and if it does not find
exactly one of those, it then calls [[CollectFromCredentialStore]]()
PublicKeyCredential.
to have
the user select a public key credential source.[[DiscoverFromExternalSource]]()
Since this specification requires an authorization gesture to create any assertions, the PublicKeyCredential.
internal method inherits the default behavior of [[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors)
Credential.[[CollectFromCredentialStore]]()
, of returning an empty set.
In general, the user agent SHOULD show some UI to the user to guide them in selecting and authorizing an authenticator with which
to complete the operation. By setting options.
to mediation
conditional
, Relying Parties can indicate that a prominent modal UI should not be shown unless credentials are discovered.
The Relying Party SHOULD first use isConditionalMediationAvailable()
or getClientCapabilities()
to check that the client supports the conditionalGet
capability
in order to prevent a user-visible error in case this feature is not available.
Any navigator.credentials.get()
operation can be aborted by leveraging the AbortController
;
see DOM § 3.3 Using AbortController and AbortSignal objects in APIs for detailed instructions.
5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
Method
[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
This internal method accepts three arguments:
origin
-
This argument is the relevant settings object's origin, as determined by the calling
get()
implementation, i.e.,CredentialsContainer
's Request aCredential
abstract operation. options
-
This argument is a
CredentialRequestOptions
object whoseoptions.
member contains apublicKey
PublicKeyCredentialRequestOptions
object specifying the desired attributes of the public key credential to discover. sameOriginWithAncestors
-
This argument is a Boolean value which is
true
if and only if the caller’s environment settings object is same-origin with its ancestors. It isfalse
if caller is cross-origin.Note: Invocation of this internal method indicates that it was allowed by permissions policy, which is evaluated at the [CREDENTIAL-MANAGEMENT-1] level. See § 5.9 Permissions Policy integration.
Note: This algorithm is synchronous: the Promise
resolution/rejection is handled by navigator.credentials.get()
.
Note: All BufferSource
objects used in this algorithm must be snapshotted when the algorithm begins, to
avoid potential synchronization issues. The algorithm implementations should get a copy of the bytes held
by the buffer source and use that copy for relevant portions of the algorithm.
When this method is invoked, the user agent MUST execute the following algorithm:
-
Assert:
options.
is present.publicKey
-
Let pkOptions be the value of
options.
.publicKey
-
If
options.
is present with the valuemediation
conditional
:-
Let credentialIdFilter be the value of
pkOptions.
.allowCredentials
-
Set
pkOptions.
to empty.allowCredentials
Note: This prevents non-discoverable credentials from being used during
conditional
requests. -
Set a timer lifetimeTimer to a value of infinity.
Note: lifetimeTimer is set to a value of infinity so that the user has the entire lifetime of the Document to interact with any
input
form control tagged with a"webauthn"
autofill detail token. For example, upon the user clicking in such an input field, the user agent can render a list of discovered credentials for the user to select from, and perhaps also give the user the option to "try another way".
-
-
Else:
-
If
pkOptions.
is present, check if its value lies within a reasonable range as defined by the client and if not, correct it to the closest value lying within that range. Set a timer lifetimeTimer to this adjusted value. Iftimeout
pkOptions.
is not present, then set lifetimeTimer to a client-specific default.timeout
See the recommended range and default for a WebAuthn ceremony timeout for guidance on deciding a reasonable range and default for
pkOptions.
.timeout
Note: The user agent should take cognitive guidelines into considerations regarding timeout for users with special needs.
-
Let callerOrigin be
origin
. If callerOrigin is an opaque origin, throw a "NotAllowedError
"DOMException
. -
Let effectiveDomain be the callerOrigin’s effective domain. If effective domain is not a valid domain, then throw a "
SecurityError
"DOMException
.Note: An effective domain may resolve to a host, which can be represented in various manners, such as domain, ipv4 address, ipv6 address, opaque host, or empty host. Only the domain format of host is allowed here. This is for simplification and also is in recognition of various issues with using direct IP address identification in concert with PKI-based security.
-
If
pkOptions.
rpId
- is present
-
If
pkOptions.
is not a registrable domain suffix of and is not equal to effectiveDomain, and if the clientrpId
- supports related origin requests
-
-
Let rpIdRequested be the value of
pkOptions.
rpId
-
Run the related origins validation procedure with arguments callerOrigin and rpIdRequested. If the result is
false
, throw a "SecurityError
"DOMException
.
-
- does not support related origin requests
-
throw a "
SecurityError
"DOMException
.
- is not present
-
Set
pkOptions.
to effectiveDomain.rpId
Note: rpId represents the caller’s RP ID. The RP ID defaults to being the caller’s origin's effective domain unless the caller has explicitly set
pkOptions.
when callingrpId
get()
. -
Let clientExtensions be a new map and let authenticatorExtensions be a new map.
-
If
pkOptions.
is present, then for each extensionId → clientExtensionInput ofextensions
pkOptions.
:extensions
-
If extensionId is not supported by this client platform or is not an authentication extension, then continue.
-
Set clientExtensions[extensionId] to clientExtensionInput.
-
If extensionId is not an authenticator extension, then continue.
-
Let authenticatorExtensionInput be the (CBOR) result of running extensionId’s client extension processing algorithm on clientExtensionInput. If the algorithm returned an error, continue.
-
Set authenticatorExtensions[extensionId] to the base64url encoding of authenticatorExtensionInput.
-
-
Let collectedClientData be a new
CollectedClientData
instance whose fields are:type
-
The string "webauthn.get".
challenge
-
The base64url encoding of pkOptions.
challenge
origin
-
The serialization of callerOrigin.
crossOrigin
-
The inverse of the value of the
sameOriginWithAncestors
argument passed to this internal method. topOrigin
-
The serialization of callerOrigin’s top-level origin if the
sameOriginWithAncestors
argument passed to this internal method isfalse
, elseundefined
.
-
Let clientDataJSON be the JSON-compatible serialization of client data constructed from collectedClientData.
-
Let clientDataHash be the hash of the serialized client data represented by clientDataJSON.
-
If
options.
is present and aborted, throw thesignal
options.
’s abort reason.signal
-
Let issuedRequests be a new ordered set.
-
Let savedCredentialIds be a new map.
-
Let authenticators represent a value which at any given instant is a set of client platform-specific handles, where each item identifies an authenticator presently available on this client platform at that instant.
Note: What qualifies an authenticator as "available" is intentionally unspecified; this is meant to represent how authenticators can be hot-plugged into (e.g., via USB) or discovered (e.g., via NFC or Bluetooth) by the client by various mechanisms, or permanently built into the client.
-
Let silentlyDiscoveredCredentials be a new map whose entries are of the form: DiscoverableCredentialMetadata → authenticator.
-
Consider the value of
hints
and craft the user interface accordingly, as the user-agent sees fit. -
Start lifetimeTimer.
-
While lifetimeTimer has not expired, perform the following actions depending upon lifetimeTimer, and the state and response for each authenticator in authenticators:
- If lifetimeTimer expires,
-
For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests.
- If the user exercises a user agent user-interface option to cancel the process,
-
For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests. Throw a "
NotAllowedError
"DOMException
. - If
options.
is present and aborted,signal
-
For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests. Then throw the
options.
’s abort reason.signal
- If
options.
ismediation
conditional
and the user interacts with aninput
ortextarea
form control with anautocomplete
attribute whose non-autofill credential type is"webauthn"
, -
Note: The
"webauthn"
autofill detail token must appear immediately after the last autofill detail token of type "Normal" or "Contact". For example:-
"username webauthn"
-
"current-password webauthn"
-
If silentlyDiscoveredCredentials is not empty:
-
Prompt the user to optionally select a DiscoverableCredentialMetadata (credentialMetadata) from silentlyDiscoveredCredentials.
Note: The prompt shown SHOULD include values from credentialMetadata’s otherUI such as
name
anddisplayName
. -
If the user selects a credentialMetadata,
-
Let publicKeyOptions be a temporary copy of pkOptions.
-
Let authenticator be the value of silentlyDiscoveredCredentials[credentialMetadata].
-
Set
publicKeyOptions.
to be a list containing a singleallowCredentials
PublicKeyCredentialDescriptor
item whoseid
's value is set to credentialMetadata’s id's value and whoseid
value is set to credentialMetadata’s type. -
Execute the issuing a credential request to an authenticator algorithm with authenticator, savedCredentialIds, publicKeyOptions, rpId, clientDataHash, and authenticatorExtensions.
If this returns
false
, continue. -
Append authenticator to issuedRequests.
-
-
-
- If
options.
is notmediation
conditional
, issuedRequests is empty,pkOptions.
is not empty, and no authenticator will become available for any public key credentials therein,allowCredentials
-
Indicate to the user that no eligible credential could be found. When the user acknowledges the dialog, throw a "
NotAllowedError
"DOMException
.Note: One way a client platform can determine that no authenticator will become available is by examining the
members of the presenttransports
items ofPublicKeyCredentialDescriptor
pkOptions.
, if any. For example, if allallowCredentials
items list onlyPublicKeyCredentialDescriptor
, but all platform authenticators have been tried, then there is no possibility of satisfying the request. Alternatively, allinternal
items may listPublicKeyCredentialDescriptor
that the client platform does not support.transports
- If an authenticator becomes available on this client device,
-
Note: This includes the case where an authenticator was available upon lifetimeTimer initiation.
-
If
options.
ismediation
conditional
and the authenticator supports the silentCredentialDiscovery operation:-
Let collectedDiscoveredCredentialMetadata be the result of invoking the silentCredentialDiscovery operation on authenticator with rpId as parameter.
-
For each credentialMetadata of collectedDiscoveredCredentialMetadata:
-
If credentialIdFilter is empty or credentialIdFilter contains an item whose
id
's value is set to credentialMetadata’s id, set silentlyDiscoveredCredentials[credentialMetadata] to authenticator.Note: A request will be issued to this authenticator upon user selection of a credential via interaction with a particular UI context (see here for details).
-
-
-
Else:
-
Execute the issuing a credential request to an authenticator algorithm with authenticator, savedCredentialIds, pkOptions, rpId, clientDataHash, and authenticatorExtensions.
If this returns
false
, continue.Note: This branch is taken if
options.
ismediation
conditional
and the authenticator does not support the silentCredentialDiscovery operation to allow use of such authenticators during aconditional
user mediation request. -
Append authenticator to issuedRequests.
-
-
- If an authenticator ceases to be available on this client device,
-
Remove authenticator from issuedRequests.
- If any authenticator returns a status indicating that the user cancelled the operation,
-
-
Remove authenticator from issuedRequests.
-
For each remaining authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove it from issuedRequests.
Note: Authenticators may return an indication of "the user cancelled the entire operation". How a user agent manifests this state to users is unspecified.
-
- If any authenticator returns an error status,
-
Remove authenticator from issuedRequests.
- If any authenticator indicates success,
-
-
Remove authenticator from issuedRequests.
-
Let assertionCreationData be a struct whose items are:
credentialIdResult
-
If
savedCredentialIds[authenticator]
exists, set the value of credentialIdResult to be the bytes ofsavedCredentialIds[authenticator]
. Otherwise, set the value of credentialIdResult to be the bytes of the credential ID returned from the successful authenticatorGetAssertion operation, as defined in § 6.3.3 The authenticatorGetAssertion Operation. clientDataJSONResult
-
whose value is the bytes of clientDataJSON.
authenticatorDataResult
-
whose value is the bytes of the authenticator data returned by the authenticator.
signatureResult
-
whose value is the bytes of the signature value returned by the authenticator.
userHandleResult
-
If the authenticator returned a user handle, set the value of userHandleResult to be the bytes of the returned user handle. Otherwise, set the value of userHandleResult to null.
clientExtensionResults
-
whose value is an
AuthenticationExtensionsClientOutputs
object containing extension identifier → client extension output entries. The entries are created by running each extension’s client extension processing algorithm to create the client extension outputs, for each client extension inpkOptions.
.extensions
-
If credentialIdFilter is not empty and credentialIdFilter does not contain an item whose
id
's value is set to the value of credentialIdResult, continue. -
If credentialIdFilter is empty and userHandleResult is null, continue.
-
Let constructAssertionAlg be an algorithm that takes a global object global, and whose steps are:
-
Let pubKeyCred be a new
PublicKeyCredential
object associated with global whose fields are:[[identifier]]
-
A new
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes ofassertionCreationData.credentialIdResult
. authenticatorAttachment
-
The
AuthenticatorAttachment
value matching the current authenticator attachment modality of authenticator. response
-
A new
AuthenticatorAssertionResponse
object associated with global whose fields are:clientDataJSON
-
A new
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes ofassertionCreationData.clientDataJSONResult
. authenticatorData
-
A new
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes ofassertionCreationData.authenticatorDataResult
. signature
-
A new
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes ofassertionCreationData.signatureResult
. userHandle
-
If
assertionCreationData.userHandleResult
is null, set this field to null. Otherwise, set this field to a newArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes ofassertionCreationData.userHandleResult
.
[[clientExtensionsResults]]
-
A new
ArrayBuffer
, created using global’s %ArrayBuffer%, containing the bytes ofassertionCreationData.clientExtensionResults
.
-
Return pubKeyCred.
-
-
For each remaining authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove it from issuedRequests.
-
Return constructAssertionAlg and terminate this algorithm.
-
-
Throw a "
NotAllowedError
"DOMException
.
5.1.4.2. Issuing a Credential Request to an Authenticator
This sub-algorithm of [[DiscoverFromExternalSource]]()
encompasses the specific UI context-independent
steps necessary for requesting a credential from a given authenticator, using given PublicKeyCredentialRequestOptions
.
It is called by [[DiscoverFromExternalSource]]()
from various points depending on which user mediation the present authentication ceremony is subject to (e.g.: conditional
mediation).
This algorithm accepts the following arguments:
authenticator
-
A client platform-specific handle identifying an authenticator presently available on this client platform.
savedCredentialIds
-
A map containing authenticator → credential ID. This argument will be modified in this algorithm.
pkOptions
-
This argument is a
PublicKeyCredentialRequestOptions
object specifying the desired attributes of the public key credential to discover. rpId
-
The request RP ID.
clientDataHash
-
The hash of the serialized client data represented by clientDataJSON.
authenticatorExtensions
-
A map containing extension identifiers to the base64url encoding of the client extension processing output for authenticator extensions.
This algorithm returns false
if the client determines that the authenticator is not capable of handling the request, or true
if
the request was issued successfully.
The steps for issuing a credential request to an authenticator are as follows:
-
If
pkOptions.
is set touserVerification
required
and the authenticator is not capable of performing user verification, returnfalse
. -
Let userVerification be the effective user verification requirement for assertion, a Boolean value, as follows. If
pkOptions.
userVerification
- is set to
required
-
Let userVerification be
true
. - is set to
preferred
-
If the authenticator
- is capable of user verification
-
Let userVerification be
true
. - is not capable of user verification
-
Let userVerification be
false
.
- is set to
discouraged
-
Let userVerification be
false
.
- is set to
-
If
pkOptions.
allowCredentials
- is not empty
-
-
Let allowCredentialDescriptorList be a new list.
-
Execute a client platform-specific procedure to determine which, if any, public key credentials described by
pkOptions.
are bound to this authenticator, by matching with rpId,allowCredentials
pkOptions.
, andallowCredentials
.id
pkOptions.
. Set allowCredentialDescriptorList to this filtered list.allowCredentials
.type
-
If allowCredentialDescriptorList is empty, return
false
. -
Let distinctTransports be a new ordered set.
-
If allowCredentialDescriptorList has exactly one value, set
savedCredentialIds[authenticator]
toallowCredentialDescriptorList[0].id
’s value (see here in § 6.3.3 The authenticatorGetAssertion Operation for more information). -
For each credential descriptor C in allowCredentialDescriptorList, append each value, if any, of
C.
to distinctTransports.transports
Note: This will aggregate only distinct values of
transports
(for this authenticator) in distinctTransports due to the properties of ordered sets. -
If distinctTransports
- is not empty
-
The client selects one transport value from distinctTransports, possibly incorporating local configuration knowledge of the appropriate transport to use with authenticator in making its selection.
Then, using transport, invoke the authenticatorGetAssertion operation on authenticator, with rpId, clientDataHash, allowCredentialDescriptorList, userVerification, and authenticatorExtensions as parameters.
- is empty
-
Using local configuration knowledge of the appropriate transport to use with authenticator, invoke the authenticatorGetAssertion operation on authenticator with rpId, clientDataHash, allowCredentialDescriptorList, userVerification, and authenticatorExtensions as parameters.
-
- is empty
-
Using local configuration knowledge of the appropriate transport to use with authenticator, invoke the authenticatorGetAssertion operation on authenticator with rpId, clientDataHash, userVerification, and authenticatorExtensions as parameters.
Note: In this case, the Relying Party did not supply a list of acceptable credential descriptors. Thus, the authenticator is being asked to exercise any credential it may possess that is scoped to the Relying Party, as identified by rpId.
-
Return
true
.
5.1.4.3. Get Request Exceptions
This section is not normative.
WebAuthn Relying Parties can encounter a number of exceptions from a call to navigator.credentials.get()
.
Some exceptions can have multiple reasons for why they happened,
requiring the WebAuthn Relying Parties to infer the actual reason based on their use of WebAuthn.
Note: Exceptions that can be raised during processing of any WebAuthn Extensions, including ones defined outside of this specification, are not listed here.
The following DOMException
exceptions can be raised:
AbortError
-
The ceremony was cancelled by an
AbortController
. See § 5.6 Abort Operations with AbortSignal and § 1.3.4 Aborting Authentication Operations. SecurityError
-
The effective domain was not a valid domain, or
was not equal to or a registrable domain suffix of the effective domain. In the latter case, the client does not support related origin requests or the related origins validation procedure failed.rp
.id
NotAllowedError
-
A catch-all error covering a wide range of possible reasons, including common ones like the user canceling out of the ceremony. Some of these causes are documented throughout this spec, while others are client-specific.
The following simple exceptions can be raised:
TypeError
-
The
options
argument was not a validCredentialRequestOptions
value.
5.1.5. Store an Existing Credential - PublicKeyCredential’s [[Store]](credential, sameOriginWithAncestors)
Method
The [[Store]](credential, sameOriginWithAncestors)
method is not supported
for Web Authentication’s PublicKeyCredential
type,
so its implementation of the [[Store]](credential, sameOriginWithAncestors)
internal method always throws an error.
Note: This algorithm is synchronous; the Promise
resolution/rejection is handled by navigator.credentials.store()
.
This internal method accepts two arguments:
credential
-
This argument is a
PublicKeyCredential
object. sameOriginWithAncestors
-
This argument is a Boolean value which is
true
if and only if the caller’s environment settings object is same-origin with its ancestors.
When this method is invoked, the user agent MUST execute the following algorithm:
-
Throw a "
NotSupportedError
"DOMException
.
5.1.6. Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable()
Method
WebAuthn Relying Parties use this method to determine whether they can create a new credential using a user-verifying platform authenticator.
Upon invocation, the client employs a client platform-specific procedure to discover available user-verifying platform authenticators.
If any are discovered, the promise is resolved with the value of true
.
Otherwise, the promise is resolved with the value of false
.
Based on the result, the Relying Party can take further actions to guide the user to create a credential.
This method has no arguments and returns a Boolean value.
partial interface PublicKeyCredential {static Promise <boolean >(); };
isUserVerifyingPlatformAuthenticatorAvailable
Note: Invoking this method from a browsing context where the Web Authentication API is "disabled" according to the allowed to use algorithm—i.e., by a permissions policy—will result in the promise being rejected with a DOMException
whose name is "NotAllowedError
". See also § 5.9 Permissions Policy integration.
5.1.7. Availability of client capabilities - PublicKeyCredential’s getClientCapabilities()
Method
WebAuthn Relying Parties use this method to determine the availability of a limited set of client capabilities to offer certain workflows and experiences to users. For example, an RP may offer a sign in button on clients where only hybrid
transport is available or where conditional
mediation is unavailable (instead of showing a username field).
Upon invocation, the client employs a client platform-specific procedure to discover availablity of these capabilities.
This method has no arguments and returns a record of capability keys to Boolean values.
partial interface PublicKeyCredential {static Promise <PublicKeyCredentialClientCapabilities >(); };
getClientCapabilities typedef record <DOMString ,boolean >;
PublicKeyCredentialClientCapabilities
Keys in PublicKeyCredentialClientCapabilities
MUST be sorted in ascending lexicographical order.
The set of keys SHOULD contain the set of enumeration values of ClientCapability
,
but the client MAY omit keys as it deems necessary; see § 14.5.4 Disclosing Client Capabilities.
When the value for a given capability is true
, the feature is known to be currently supported by the client.
When the value for a given capability is false
, the feature is known to be not currently supported by the client.
When a capability does not exist as a key, the availability of the client feature is not known.
The set of keys SHOULD also contain a key for each extension implemented by the client, where the key is formed by prefixing the string extension:
to the extension identifier. The associated value for each implemented extension SHOULD be true
. If getClientCapabilities()
is supported by a client, but an extension is not mapped to the value true
, then a Relying Party MAY assume that client processing steps for that extension will not be carried out by this client and that the extension MAY not be forwarded to the authenticator.
Note: Even if an extension is mapped to true
, the authenticator used for any given operation may not support that extension, so Relying Parties MUST NOT assume that the authenticator processing steps for that extension will be performed on that basis.
Note: Invoking this method from a browsing context where the Web Authentication API is "disabled" according to the allowed to use algorithm—i.e., by a permissions policy—will result in the promise being rejected with a DOMException
whose name is "NotAllowedError
". See also § 5.9 Permissions Policy integration.
5.1.8. Deserialize Registration ceremony options - PublicKeyCredential’s parseCreationOptionsFromJSON()
Method
WebAuthn Relying Parties use this method to convert JSON type representations of options for navigator.credentials.create()
into PublicKeyCredentialCreationOptions
.
Upon invocation, the client MUST convert the options
argument into a new,
identically-structured PublicKeyCredentialCreationOptions
object, using base64url encoding to decode any DOMString
attributes in PublicKeyCredentialCreationOptionsJSON
that correspond
to buffer source type attributes in PublicKeyCredentialCreationOptions
. This conversion MUST
also apply to any client extension inputs processed by the client.
AuthenticationExtensionsClientInputsJSON
MAY include extensions registered in the IANA
"WebAuthn Extension Identifiers" registry [IANA-WebAuthn-Registries] but not defined in § 9 WebAuthn Extensions.
If the client encounters any issues parsing any of the JSON type representations then it
MUST throw an "EncodingError
" DOMException
with a description of the incompatible
value and terminate the operation.
partial interface PublicKeyCredential {static PublicKeyCredentialCreationOptions (
parseCreationOptionsFromJSON PublicKeyCredentialCreationOptionsJSON ); };
options dictionary {
PublicKeyCredentialCreationOptionsJSON required PublicKeyCredentialRpEntity ;
rp required PublicKeyCredentialUserEntityJSON ;
user required Base64URLString ;
challenge required sequence <PublicKeyCredentialParameters >;
pubKeyCredParams unsigned long ;
timeout sequence <PublicKeyCredentialDescriptorJSON >= [];
excludeCredentials AuthenticatorSelectionCriteria ;
authenticatorSelection sequence <DOMString >= [];
hints DOMString = "none";
attestation sequence <DOMString >= [];
attestationFormats AuthenticationExtensionsClientInputsJSON ; };
extensions dictionary {
PublicKeyCredentialUserEntityJSON required Base64URLString ;
id required DOMString ;
name required DOMString ; };
displayName dictionary {
PublicKeyCredentialDescriptorJSON required DOMString ;
type required Base64URLString ;
id sequence <DOMString >; };
transports dictionary { };
AuthenticationExtensionsClientInputsJSON
5.1.9. Deserialize Authentication ceremony options - PublicKeyCredential’s parseRequestOptionsFromJSON()
Methods
WebAuthn Relying Parties use this method to convert JSON type representations of options for navigator.credentials.get()
into PublicKeyCredentialRequestOptions
.
Upon invocation, the client MUST convert the options
argument into a new,
identically-structured PublicKeyCredentialRequestOptions
object, using base64url encoding to decode any DOMString
attributes in PublicKeyCredentialRequestOptionsJSON
that correspond
to buffer source type attributes in PublicKeyCredentialRequestOptions
. This conversion MUST
also apply to any client extension inputs processed by the client.
AuthenticationExtensionsClientInputsJSON
MAY include extensions registered in the IANA
"WebAuthn Extension Identifiers" registry [IANA-WebAuthn-Registries] but not defined in § 9 WebAuthn Extensions.
If the client encounters any issues parsing any of the JSON type representations then it
MUST throw an "EncodingError
" DOMException
with a description of the incompatible
value and terminate the operation.
partial interface PublicKeyCredential {static PublicKeyCredentialRequestOptions (
parseRequestOptionsFromJSON PublicKeyCredentialRequestOptionsJSON ); };
options dictionary {
PublicKeyCredentialRequestOptionsJSON required Base64URLString ;
challenge unsigned long ;
timeout DOMString ;
rpId sequence <PublicKeyCredentialDescriptorJSON >= [];
allowCredentials DOMString = "preferred";
userVerification sequence <DOMString >= [];
hints AuthenticationExtensionsClientInputsJSON ; };
extensions
5.1.10. Signal Credential Changes to the Authenticator - PublicKeyCredential’s signal methods
partial interface PublicKeyCredential {static Promise <undefined >(
signalUnknownCredential UnknownCredentialOptions );
options static Promise <undefined >(
signalAllAcceptedCredentials AllAcceptedCredentialsOptions );
options static Promise <undefined >(
signalCurrentUserDetails CurrentUserDetailsOptions ); };
options dictionary {
UnknownCredentialOptions required DOMString ;
rpId required Base64URLString ; };
credentialId dictionary {
AllAcceptedCredentialsOptions required DOMString ;
rpId required Base64URLString ;
userId required sequence <Base64URLString >; };
allAcceptedCredentialIds dictionary {
CurrentUserDetailsOptions required DOMString ;
rpId required Base64URLString ;
userId required DOMString ;
name required DOMString ; };
displayName
WebAuthn Relying Parties may use these signal methods to inform authenticators of the state of public key credentials, so that incorrect or revoked
credentials may be updated, removed, or hidden. Clients provide this
functionality opportunistically, since an authenticator may not support updating
its credentials map or may not be attached at the time the request is
made. Furthermore, in order to avoid revealing information about a user’s
credentials without user consent, signal methods do not indicate whether
the operation succeeded. A successfully resolved promise only means that the options
object was well formed.
Each signal method includes authenticator actions. Authenticators MAY choose to deviate in their authenticator actions from the present specification, e.g. to ignore a change they have a reasonable belief would be contrary to the user’s wish, or to ask the user before making some change. Authenticator actions are thus provided as the recommended way to handle signal methods.
In cases where an authenticator does not have the capability to process an authenticator action, clients MAY choose to use existing
infrastructure such as [FIDO-CTAP]'s authenticatorCredentialManagement
command to achieve an equivalent effect.
Note: Signal methods intentionally avoid waiting for authenticators to complete executing the authenticator actions. This measure protects users from WebAuthn Relying Parties gaining information about availability of their credentials without user consent based on the timing of the request.
5.1.10.1. Asynchronous RP ID validation algorithm
The Asynchronous RP ID validation algorithm lets signal methods validate RP IDs in parallel. The algorithm takes a DOMString
rpId as input
and returns a promise that rejects if the validation fails. The steps are:
-
Let effectiveDomain be the relevant settings object's origin's effective domain. If effective domain is not a valid domain, then return a promise rejected with "
SecurityError
"DOMException
. -
If rpId is a registrable domain suffix of or is equal to effectiveDomain, return a promise resolved with undefined.
-
If the client does not support related origin requests, return a promise rejected with a "
SecurityError
"DOMException
. -
Let p be a new promise.
-
Execute the following steps in parallel:
-
If the result of running the related origins validation procedure with arguments callerOrigin and rpId is
true
, then resolve p. -
Otherwise, reject p with a "
SecurityError
"DOMException
.
-
-
Return p.
5.1.10.2. signalUnknownCredential(options)
The signalUnknownCredential
method signals that a credential id was not recognized by the WebAuthn Relying Party,
e.g. because it was deleted by the user. Unlike signalAllAcceptedCredentials(options)
, this
method does not require passing the entire list of accepted credential IDs and the userHandle, avoiding a privacy leak to an unauthenticated caller
(see § 14.6.3 Privacy leak via credential IDs).
Upon invocation of signalUnknownCredential(options)
,
the client executes these steps:
-
If the result of base64url decoding
options.
is an error, then return a promise rejected with acredentialId
TypeError
. -
Let p be the result of executing the Asynchronous RP ID validation algorithm with
options.
.rpId
-
Upon fulfillment of p, run the following steps in parallel:
-
For every authenticator presently available on this client platform, invoke the unknownCredentialId authenticator action with options as input.
-
-
Return p.
The unknownCredentialId authenticator action takes an UnknownCredentialOptions
options and is as follows:
-
For each public key credential source credential in the authenticator's credential map:
-
If the credential’s rpId equals
options.
and the credential’s id equals the result of base64url decodingrpId
options.
, remove credential from the credentials map or employ an authenticator-specific procedure to hide it from future authentication ceremonies.credentialId
-
A user deletes a credential on a WebAuthn Relying Party provided UI. Later, when trying
to authenticate to the WebAuthn Relying Party with an empty allowCredentials
, the authenticator UI
offers them the credential they previously deleted. The user selects that credential. After rejecting the sign-in attempt, the WebAuthn Relying Party runs:
PublicKeyCredential. signalUnknownCredential({ rpId: "example.com" , credentialId: "aabbcc" // credential id the user just tried, base64url });
The authenticator then deletes or hides the credential from future authentication ceremonies.
5.1.10.3. signalAllAcceptedCredentials(options)
Signals the complete list of credential ids for a given user. WebAuthn Relying Parties SHOULD prefer this method over signalUnknownCredential()
when the user is authenticated and therefore there is no privacy leak risk (see § 14.6.3 Privacy leak via credential IDs), since the list offers a full snapshot of
a user’s public key credentials and might reflect changes that haven’t yet
been reported to currently attached authenticators.
Upon invocation of signalAllAcceptedCredentials(options)
, the client executes these steps:
-
If the result of base64url decoding
options.
is an error, then return a promise rejected with auserId
TypeError
. -
For each credentialId in
options.
:allAcceptedCredentialIds
-
If the result of base64url decoding credentialId is an error, then return a promise rejected with a
TypeError
.
-
-
Let p be the result of executing the Asynchronous RP ID validation algorithm with
options.
.rpId
-
Upon fulfillment of p, run the following steps in parallel:
-
For every authenticator presently available on this client platform, invoke the allAcceptedCredentialIds authenticator action with options as input.
-
-
Return p.
The allAcceptedCredentialIds authenticator
actions take an AllAcceptedCredentialsOptions
options and are as
follows:
-
Let userId be result of base64url decoding
options.
.userId
-
Assertion: userId is not an error.
-
Let credential be
credentials map[options.
.rpId
, userId] -
If credential does not exist, abort these steps.
-
If
options.
does NOT contain the result of base64url encoding the credential’s id, then remove credential from the credentials map or employ an authenticator-specific procedure to hide it from future authentication ceremonies.allAcceptedCredentialIds
-
Else, if credential has been hidden by an authenticator-specific procecure, reverse the action so that credential is present in future authentication ceremonies.
A user has two credentials with credential ids that base64url encode to aa
and bb
. The user deletes the credential aa
on a WebAuthn Relying Party provided UI.
The WebAuthn Relying Party runs:
PublicKeyCredential. signalAllAcceptedCredentials({ rpId: "example.com" , userId: "aabbcc" , // user handle, base64url. allAcceptedCredentialIds: [ "bb" , ] });
If the authenticator is attached at the time of execution, it deletes or
hides the credential corresponding to aa
from future authentication
ceremonies.
Note: Authenticators may not be attached at the time signalAllAcceptedCredentials(options)
is executed.
Therefore, WebAuthn Relying Parties may choose to run signalAllAcceptedCredentials(options)
periodically,
e.g. on every sign in.
Note: Credentials not present in allAcceptedCredentialIds
will be removed or
hidden, potentially irreversibly. Relying parties must exercise care that
valid credential IDs are never omitted from the list. If a valid credential
ID were accidentally omitted, the relying party should immediately include
it in signalAllAcceptedCredentials(options)
as soon as
possible to "unhide" it, if supported by the authenticator.
Note: Authenticators should prefer hiding public key credentials for a period of time instead
of permanently removing them whenever possible to aid recovery if a WebAuthn Relying Party accidentally omits valid credential IDs from allAcceptedCredentialIds
.
5.1.10.4. signalCurrentUserDetails(options)
The signalCurrentUserDetails
method signals the user’s
current name
and displayName
.
Upon invocation of signalCurrentUserDetails(options)
, the client executes these steps:
-
If the result of base64url decoding
options.
is an error, then return a promise rejected with auserId
TypeError
. -
Let p be the result of executing the Asynchronous RP ID validation algorithm with
options.
.rpId
-
Upon fulfillment of p, run the following steps in parallel:
-
For every authenticator presently available on this client platform, invoke the currentUserDetails authenticator action with options as input.
-
-
Return p.
The currentUserDetails authenticator action takes a CurrentUserDetailsOptions
options and is as follows:
-
Let userId be result of base64url decoding
options.
.userId
-
Assertion: userId is not an error.
-
Let credential be
credentials map[options.
.rpId
, userId] -
If credential does not exist, abort these steps.
-
Update the credential’s otherUI to match
options.
andname
options.
.displayName
A user updates their name on a WebAuthn Relying Party provided UI. The WebAuthn Relying Party runs:
PublicKeyCredential. signalCurrentUserDetails({ rpId: "example.com" , userId: "aabbcc" , // user handle, base64url. name: "New user name" , displayName: "New display name" });
The authenticator then updates the otherUI of the matching credential.
Note: Authenticators may not be attached at the time signalCurrentUserDetails(options)
is executed.
Therefore, WebAuthn Relying Parties may choose to run signalCurrentUserDetails(options)
periodically, e.g. on
every sign in.
5.2. Authenticator Responses (interface AuthenticatorResponse
)
Authenticators respond to Relying Party requests by returning an object derived from the AuthenticatorResponse
interface:
[SecureContext ,Exposed =Window ]interface AuthenticatorResponse { [SameObject ]readonly attribute ArrayBuffer clientDataJSON ; };
clientDataJSON
, of type ArrayBuffer, readonly-
This attribute contains a JSON-compatible serialization of the client data, the hash of which is passed to the authenticator by the client in its call to either
create()
orget()
(i.e., the client data itself is not sent to the authenticator).
5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse
)
The AuthenticatorAttestationResponse
interface represents the authenticator's response to a client’s request
for the creation of a new public key credential. It contains information about the new credential that can be used to
identify it for later use, and metadata that can be used by the WebAuthn Relying Party to assess the characteristics of the credential
during registration.
[SecureContext ,Exposed =Window ]interface AuthenticatorAttestationResponse :AuthenticatorResponse { [SameObject ]readonly attribute ArrayBuffer attestationObject ;sequence <DOMString >();
getTransports ArrayBuffer ();
getAuthenticatorData ArrayBuffer ?();
getPublicKey COSEAlgorithmIdentifier (); };
getPublicKeyAlgorithm
clientDataJSON
-
This attribute, inherited from
AuthenticatorResponse
, contains the JSON-compatible serialization of client data (see § 6.5 Attestation) passed to the authenticator by the client in order to generate this credential. The exact JSON serialization MUST be preserved, as the hash of the serialized client data has been computed over it. attestationObject
, of type ArrayBuffer, readonly-
This attribute contains an attestation object, which is opaque to, and cryptographically protected against tampering by, the client. The attestation object contains both authenticator data and an attestation statement. The former contains the AAGUID, a unique credential ID, and the credential public key. The contents of the attestation statement are determined by the attestation statement format used by the authenticator. It also contains any additional information that the Relying Party's server requires to validate the attestation statement, as well as to decode and validate the authenticator data along with the JSON-compatible serialization of client data. For more details, see § 6.5 Attestation, § 6.5.4 Generating an Attestation Object, and Figure 6.
getTransports()
-
This operation returns the value of
[[transports]]
. getAuthenticatorData()
-
This operation returns the authenticator data contained within
attestationObject
. See § 5.2.1.1 Easily accessing credential data. getPublicKey()
-
This operation returns the DER SubjectPublicKeyInfo of the new credential, or null if this is not available. See § 5.2.1.1 Easily accessing credential data.
getPublicKeyAlgorithm()
-
This operation returns the
COSEAlgorithmIdentifier
of the new credential. See § 5.2.1.1 Easily accessing credential data. [[transports]]
-
This internal slot contains a sequence of zero or more unique
DOMString
s in lexicographical order. These values are the transports that the authenticator is believed to support, or an empty sequence if the information is unavailable. The values SHOULD be members ofAuthenticatorTransport
but Relying Parties SHOULD accept and store unknown values.
5.2.1.1. Easily accessing credential data
Every user of the [[Create]](origin, options, sameOriginWithAncestors)
method will need to parse and store the returned credential public key in order to verify future authentication assertions. However, the credential public key is in COSE format [RFC9052], inside the credentialPublicKey member of the attestedCredentialData, inside the authenticator data, inside the attestation object conveyed by AuthenticatorAttestationResponse
.attestationObject
. Relying Parties wishing to use attestation are obliged to do the work of parsing the attestationObject
and obtaining the credential public key because that public key copy is the one the authenticator signed. However, many valid WebAuthn use cases do not require attestation. For those uses, user agents can do the work of parsing, expose the authenticator data directly, and translate the credential public key into a more convenient format.
The getPublicKey()
operation thus returns the credential public key as a SubjectPublicKeyInfo. This ArrayBuffer
can, for example, be passed to Java’s java.security.spec.X509EncodedKeySpec
, .NET’s System.Security.Cryptography.ECDsa.ImportSubjectPublicKeyInfo
, or Go’s crypto/x509.ParsePKIXPublicKey
.
Use of getPublicKey()
does impose some limitations: by using pubKeyCredParams
, a Relying Party can negotiate with the authenticator to use public key algorithms that the user agent may not understand. However, if the Relying Party does so, the user agent will not be able to translate the resulting credential public key into SubjectPublicKeyInfo format and the return value of getPublicKey()
will be null.
User agents MUST be able to return a non-null value for getPublicKey()
when the credential public key has a COSEAlgorithmIdentifier
value of:
-
-7 (ES256), where kty is 2 (with uncompressed points) and crv is 1 (P-256).
-
-257 (RS256).
-
-8 (EdDSA), where crv is 6 (Ed25519).
A SubjectPublicKeyInfo does not include information about the signing algorithm (for example, which hash function to use) that is included in the COSE public key. To provide this, getPublicKeyAlgorithm()
returns the COSEAlgorithmIdentifier
for the credential public key.
To remove the need to parse CBOR at all in many cases, getAuthenticatorData()
returns the authenticator data from attestationObject
. The authenticator data contains other fields that are encoded in a binary format. However, helper functions are not provided to access them because Relying Parties already need to extract those fields when getting an assertion. In contrast to credential creation, where signature verification is optional, Relying Parties should always be verifying signatures from an assertion and thus must extract fields from the signed authenticator data. The same functions used there will also serve during credential creation.
Note: getPublicKey()
and getAuthenticatorData()
were only added in level two of this spec. Relying Parties SHOULD use feature detection before using these functions by testing the value of 'getPublicKey' in AuthenticatorAttestationResponse.prototype
. Relying Parties that require this function to exist may not interoperate with older user-agents.
5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse
)
The AuthenticatorAssertionResponse
interface represents an authenticator's response to a client’s request for
generation of a new authentication assertion given the WebAuthn Relying Party's challenge and OPTIONAL list of credentials it is
aware of. This response contains a cryptographic signature proving possession of the credential private key, and
optionally evidence of user consent to a specific transaction.
[SecureContext ,Exposed =Window ]interface AuthenticatorAssertionResponse :AuthenticatorResponse { [SameObject ]readonly attribute ArrayBuffer authenticatorData ; [SameObject ]readonly attribute ArrayBuffer signature ; [SameObject ]readonly attribute ArrayBuffer ?userHandle ; };
clientDataJSON
-
This attribute, inherited from
AuthenticatorResponse
, contains the JSON-compatible serialization of client data (see § 5.8.1 Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)) passed to the authenticator by the client in order to generate this assertion. The exact JSON serialization MUST be preserved, as the hash of the serialized client data has been computed over it. authenticatorData
, of type ArrayBuffer, readonly-
This attribute contains the authenticator data returned by the authenticator. See § 6.1 Authenticator Data.
signature
, of type ArrayBuffer, readonly-
This attribute contains the raw signature returned from the authenticator. See § 6.3.3 The authenticatorGetAssertion Operation.
userHandle
, of type ArrayBuffer, readonly, nullable-
This attribute contains the user handle returned from the authenticator, or null if the authenticator did not return a user handle. See § 6.3.3 The authenticatorGetAssertion Operation. The authenticator MUST always return a user handle if the
allowCredentials
option used in the authentication ceremony is empty, and MAY return one otherwise.
5.3. Parameters for Credential Generation (dictionary PublicKeyCredentialParameters
)
dictionary PublicKeyCredentialParameters {required DOMString type ;required COSEAlgorithmIdentifier alg ; };
type
, of type DOMString-
This member specifies the type of credential to be created. The value SHOULD be a member of
PublicKeyCredentialType
but client platforms MUST ignore unknown values, ignoring anyPublicKeyCredentialParameters
with an unknowntype
. alg
, of type COSEAlgorithmIdentifier-
This member specifies the cryptographic signature algorithm with which the newly generated credential will be used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.
Note: we use "alg" as the latter member name, rather than spelling-out "algorithm", because it will be serialized into a message to the authenticator, which may be sent over a low-bandwidth link.
5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions
)
dictionary PublicKeyCredentialCreationOptions {required PublicKeyCredentialRpEntity rp ;required PublicKeyCredentialUserEntity user ;required BufferSource challenge ;required sequence <PublicKeyCredentialParameters >pubKeyCredParams ;unsigned long timeout ;sequence <PublicKeyCredentialDescriptor >excludeCredentials = [];AuthenticatorSelectionCriteria authenticatorSelection ;sequence <DOMString >hints = [];DOMString attestation = "none";sequence <DOMString >attestationFormats = [];AuthenticationExtensionsClientInputs extensions ; };
rp
, of type PublicKeyCredentialRpEntity-
This member contains a name and an identifier for the Relying Party responsible for the request.
Its value’s
name
member is REQUIRED. See § 5.4.1 Public Key Entity Description (dictionary PublicKeyCredentialEntity) for further details.Its value’s
id
member specifies the RP ID the credential should be scoped to. If omitted, its value will be theCredentialsContainer
object’s relevant settings object's origin's effective domain. See § 5.4.2 Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity) for further details. user
, of type PublicKeyCredentialUserEntity-
This member contains names and an identifier for the user account performing the registration.
Its value’s
name
,displayName
andid
members are REQUIRED.id
can be returned as theuserHandle
in some future authentication ceremonies, and is used to overwrite existing discoverable credentials that have the same
andrp
.id
on the same authenticator.user
.id
name
anddisplayName
MAY be used by the authenticator and client in future authentication ceremonies to help the user select a credential, but are not returned to the Relying Party as a result of future authentication ceremoniesFor further details, see § 5.4.1 Public Key Entity Description (dictionary PublicKeyCredentialEntity) and § 5.4.3 User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity).
challenge
, of type BufferSource-
This member specifies a challenge that the authenticator signs, along with other data, when producing an attestation object for the newly created credential. See the § 13.4.3 Cryptographic Challenges security consideration.
pubKeyCredParams
, of type sequence<PublicKeyCredentialParameters>-
This member lists the key types and signature algorithms the Relying Party supports, ordered from most preferred to least preferred. The client and authenticator make a best-effort to create a credential of the most preferred type possible. If none of the listed types can be created, the
create()
operation fails.Relying Parties that wish to support a wide range of authenticators SHOULD include at least the following
COSEAlgorithmIdentifier
values:-
-8 (Ed25519)
-
-7 (ES256)
-
-257 (RS256)
Additional signature algorithms can be included as needed.
-
timeout
, of type unsigned long-
This OPTIONAL member specifies a time, in milliseconds, that the Relying Party is willing to wait for the call to complete. This is treated as a hint, and MAY be overridden by the client.
excludeCredentials
, of type sequence<PublicKeyCredentialDescriptor>, defaulting to[]
-
The Relying Party SHOULD use this OPTIONAL member to list any existing credentials mapped to this user account (as identified by
user
.id
). This ensures that the new credential is not created on an authenticator that already contains a credential mapped to this user account. If it would be, the client is requested to instead guide the user to use a different authenticator, or return an error if that fails. authenticatorSelection
, of type AuthenticatorSelectionCriteria-
The Relying Party MAY use this OPTIONAL member to specify capabilities and settings that the authenticator MUST or SHOULD satisfy to participate in the
create()
operation. See § 5.4.4 Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria). hints
, of type sequence<DOMString>, defaulting to[]
-
This OPTIONAL member contains zero or more elements from
PublicKeyCredentialHint
to guide the user agent in interacting with the user. Note that the elements have typeDOMString
despite being taken from that enumeration. See § 2.1.1 Enumerations as DOMString types. attestation
, of type DOMString, defaulting to"none"
-
The Relying Party MAY use this OPTIONAL member to specify a preference regarding attestation conveyance. Its value SHOULD be a member of
AttestationConveyancePreference
. Client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist.The default value is
none
. attestationFormats
, of type sequence<DOMString>, defaulting to[]
-
The Relying Party MAY use this OPTIONAL member to specify a preference regarding the attestation statement format used by the authenticator. Values SHOULD be taken from the IANA "WebAuthn Attestation Statement Format Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809]. Values are ordered from most preferable to least preferable. This parameter is advisory and the authenticator MAY use an attestation statement not enumerated in this parameter.
The default value is the empty list, which indicates no preference.
extensions
, of type AuthenticationExtensionsClientInputs-
The Relying Party MAY use this OPTIONAL member to provide client extension inputs requesting additional processing by the client and authenticator. For example, the Relying Party may request that the client returns additional information about the credential that was created.
The extensions framework is defined in § 9 WebAuthn Extensions. Some extensions are defined in § 10 Defined Extensions; consult the IANA "WebAuthn Extension Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809] for an up-to-date list of registered WebAuthn Extensions.
5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity
)
The PublicKeyCredentialEntity
dictionary describes a user account, or a WebAuthn Relying Party, which a public key credential is
associated with or scoped to, respectively.
dictionary PublicKeyCredentialEntity {required DOMString name ; };
name
, of type DOMString-
A human-palatable name for the entity. Its function depends on what the
PublicKeyCredentialEntity
represents:-
[DEPRECATED] When inherited by
PublicKeyCredentialRpEntity
it is a human-palatable identifier for the Relying Party, intended only for display. For example, "ACME Corporation", "Wonderful Widgets, Inc." or "ОАО Примертех".This member is deprecated because many clients do not display it, but it remains a required dictionary member for backwards compatibility. Relying Parties MAY, as a safe default, set this equal to the RP ID.
-
Relying Parties SHOULD perform enforcement, as prescribed in Section 2.3 of [RFC8266] for the Nickname Profile of the PRECIS FreeformClass [RFC8264], when setting
name
's value, or displaying the value to the user. -
This string MAY contain language and direction metadata. Relying Parties SHOULD consider providing this information if setting the member to a value other than the RP ID. See § 6.4.2 Language and Direction Encoding about how this metadata is encoded.
-
Clients SHOULD perform enforcement, as prescribed in Section 2.3 of [RFC8266] for the Nickname Profile of the PRECIS FreeformClass [RFC8264], on
name
's value prior to displaying the value to the user or including the value as a parameter of the authenticatorMakeCredential operation.
-
-
When inherited by
PublicKeyCredentialUserEntity
, it is a human-palatable identifier for a user account. This identifier is the primary value displayed to users by Clients to help users understand with which user account a credential is associated.Examples of suitable values for this identifier include, "alexm", "+14255551234", "alex.mueller@example.com", "alex.mueller@example.com (prod-env)", or "alex.mueller@example.com (ОАО Примертех)".
-
The Relying Party MAY let the user choose this value. The Relying Party SHOULD perform enforcement, as prescribed in Section 3.4.3 of [RFC8265] for the UsernameCasePreserved Profile of the PRECIS IdentifierClass [RFC8264], when setting
name
's value, or displaying the value to the user. -
This string MAY contain language and direction metadata. Relying Parties SHOULD consider providing this information. See § 6.4.2 Language and Direction Encoding about how this metadata is encoded.
-
Clients SHOULD perform enforcement, as prescribed in Section 3.4.3 of [RFC8265] for the UsernameCasePreserved Profile of the PRECIS IdentifierClass [RFC8264], on
name
's value prior to displaying the value to the user or including the value as a parameter of the authenticatorMakeCredential operation.
-
When clients, client platforms, or authenticators display a
name
's value, they should always use UI elements to provide a clear boundary around the displayed value, and not allow overflow into other elements [css-overflow-3].When storing a
name
member’s value, the value MAY be truncated as described in § 6.4.1 String Truncation using a size limit greater than or equal to 64 bytes. -
5.4.2. Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity
)
The PublicKeyCredentialRpEntity
dictionary is used to supply additional Relying Party attributes when creating a new credential.
dictionary PublicKeyCredentialRpEntity :PublicKeyCredentialEntity {DOMString id ; };
id
, of type DOMString-
A unique identifier for the Relying Party entity, which sets the RP ID.
5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity
)
The PublicKeyCredentialUserEntity
dictionary is used to supply additional user account attributes when creating a new
credential.
dictionary PublicKeyCredentialUserEntity :PublicKeyCredentialEntity {required BufferSource id ;required DOMString displayName ; };
id
, of type BufferSource-
The user handle of the user account. A user handle is an opaque byte sequence with a maximum size of 64 bytes, and is not meant to be displayed to the user.
To ensure secure operation, authentication and authorization decisions MUST be made on the basis of this
id
member, not thedisplayName
norname
members. See Section 6.1 of [RFC8266].The user handle MUST NOT contain personally identifying information about the user, such as a username or e-mail address; see § 14.6.1 User Handle Contents for details. The user handle MUST NOT be empty.
Note: the user handle ought not be a constant value across different user accounts, even for non-discoverable credentials, because some authenticators always create discoverable credentials. Thus a constant user handle would prevent a user from using such an authenticator with more than one user account at the Relying Party.
displayName
, of type DOMString-
A human-palatable name for the user account, intended only for display. The Relying Party SHOULD let the user choose this, and SHOULD NOT restrict the choice more than necessary. If no suitable or human-palatable name is available, the Relying Party SHOULD set this value to an empty string.
Examples of suitable values for this identifier include, "Alex Müller", "Alex Müller (ACME Co.)" or "田中倫".
-
Relying Parties SHOULD perform enforcement, as prescribed in Section 2.3 of [RFC8266] for the Nickname Profile of the PRECIS FreeformClass [RFC8264], when setting
displayName
's value to a non-empty string, or displaying a non-empty value to the user. -
This string MAY contain language and direction metadata. Relying Parties SHOULD consider providing this information. See § 6.4.2 Language and Direction Encoding about how this metadata is encoded.
-
Clients SHOULD perform enforcement, as prescribed in Section 2.3 of [RFC8266] for the Nickname Profile of the PRECIS FreeformClass [RFC8264], on
displayName
's value prior to displaying a non-empty value to the user or including a non-empty value as a parameter of the authenticatorMakeCredential operation.
When clients, client platforms, or authenticators display a
displayName
's value, they should always use UI elements to provide a clear boundary around the displayed value, and not allow overflow into other elements [css-overflow-3].When storing a
displayName
member’s value, the value MAY be truncated as described in § 6.4.1 String Truncation using a size limit greater than or equal to 64 bytes. -
5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria
)
WebAuthn Relying Parties may use the AuthenticatorSelectionCriteria
dictionary to specify their requirements regarding authenticator
attributes.
dictionary AuthenticatorSelectionCriteria {DOMString authenticatorAttachment ;DOMString residentKey ;boolean requireResidentKey =false ;DOMString userVerification = "preferred"; };
authenticatorAttachment
, of type DOMString-
If this member is present, eligible authenticators are filtered to be only those authenticators attached with the specified authenticator attachment modality (see also § 6.2.1 Authenticator Attachment Modality). If this member is absent, then any attachment modality is acceptable. The value SHOULD be a member of
AuthenticatorAttachment
but client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist.See also the
authenticatorAttachment
member ofPublicKeyCredential
, which can tell what authenticator attachment modality was used in a successfulcreate()
orget()
operation. residentKey
, of type DOMString-
Specifies the extent to which the Relying Party desires to create a client-side discoverable credential. For historical reasons the naming retains the deprecated “resident” terminology. The value SHOULD be a member of
ResidentKeyRequirement
but client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist. If no value is given then the effective value isrequired
ifrequireResidentKey
istrue
ordiscouraged
if it isfalse
or absent.See
ResidentKeyRequirement
for the description ofresidentKey
's values and semantics. requireResidentKey
, of type boolean, defaulting tofalse
-
This member is retained for backwards compatibility with WebAuthn Level 1 and, for historical reasons, its naming retains the deprecated “resident” terminology for discoverable credentials. Relying Parties SHOULD set it to
true
if, and only if,residentKey
is set torequired
. userVerification
, of type DOMString, defaulting to"preferred"
-
This member specifies the Relying Party's requirements regarding user verification for the
create()
operation. The value SHOULD be a member ofUserVerificationRequirement
but client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist.See
UserVerificationRequirement
for the description ofuserVerification
's values and semantics.
5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment
)
This enumeration’s values describe authenticators' attachment modalities. Relying Parties use this to express a preferred authenticator attachment modality when calling navigator.credentials.create()
to create a credential, and clients use this to report the authenticator attachment modality used to complete a registration or authentication ceremony.
enum AuthenticatorAttachment {"platform" ,"cross-platform" };
Note: The AuthenticatorAttachment
enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types.
platform
-
This value indicates platform attachment.
cross-platform
-
This value indicates cross-platform attachment.
Note: An authenticator attachment modality selection option is available only in the [[Create]](origin, options,
sameOriginWithAncestors)
operation. The Relying Party may use it to, for example, ensure the user has a roaming credential for
authenticating on another client device; or to specifically register a platform credential for easier reauthentication using a
particular client device. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
operation has no authenticator attachment modality selection option, so the Relying Party SHOULD accept any of the user’s registered credentials. The client and user will then use whichever is available and convenient at the time.
5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement
)
enum ResidentKeyRequirement {"discouraged" ,"preferred" ,"required" };
Note: The ResidentKeyRequirement
enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types.
This enumeration’s values describe the Relying Party's requirements for client-side discoverable credentials (formerly known as resident credentials or resident keys):
discouraged
-
The Relying Party prefers creating a server-side credential, but will accept a client-side discoverable credential. The client and authenticator SHOULD create a server-side credential if possible.
Note: A Relying Party cannot require that a created credential is a server-side credential and the Credential Properties Extension may not return a value for the
rk
property. Because of this, it may be the case that it does not know if a credential is a server-side credential or not and thus does not know whether creating a second credential with the same user handle will evict the first. preferred
-
The Relying Party strongly prefers creating a client-side discoverable credential, but will accept a server-side credential. The client and authenticator SHOULD create a discoverable credential if possible. For example, the client SHOULD guide the user through setting up user verification if needed to create a discoverable credential. This takes precedence over the setting of
userVerification
. required
-
The Relying Party requires a client-side discoverable credential. The client MUST return an error if a client-side discoverable credential cannot be created.
Note: The Relying Party can seek information on whether or not the authenticator created a client-side discoverable credential using the resident key credential property of the Credential Properties Extension.
This is useful when values of discouraged
or preferred
are used for options.
, because in those cases it is possible for an authenticator to create either a client-side discoverable credential or a server-side credential.authenticatorSelection
.residentKey
5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference
)
WebAuthn Relying Parties may use AttestationConveyancePreference
to specify their preference regarding attestation conveyance during credential generation.
enum AttestationConveyancePreference {"none" ,"indirect" ,"direct" ,"enterprise" };
Note: The AttestationConveyancePreference
enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types.
none
-
The Relying Party is not interested in authenticator attestation. For example, in order to potentially avoid having to obtain user consent to relay identifying information to the Relying Party, or to save a roundtrip to an Attestation CA or Anonymization CA. If the authenticator generates an attestation statement that is not a self attestation, the client will replace it with a None attestation statement.
This is the default, and unknown values fall back to the behavior of this value.
indirect
-
The Relying Party wants to receive a verifiable attestation statement, but allows the client to decide how to obtain such an attestation statement. The client MAY replace an authenticator-generated attestation statement with one generated by an Anonymization CA, in order to protect the user’s privacy, or to assist Relying Parties with attestation verification in a heterogeneous ecosystem.
Note: There is no guarantee that the Relying Party will obtain a verifiable attestation statement in this case. For example, in the case that the authenticator employs self attestation and the client passes the attestation statement through unmodified.
direct
-
The Relying Party wants to receive the attestation statement as generated by the authenticator.
enterprise
-
The Relying Party wants to receive an enterprise attestation, which is an attestation statement that may include information which uniquely identifies the authenticator. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators. User agents MUST NOT provide such an attestation unless the user agent or authenticator configuration permits it for the requested RP ID.
If permitted, the user agent SHOULD signal to the authenticator (at invocation time) that enterprise attestation is requested, and convey the resulting AAGUID and attestation statement, unaltered, to the Relying Party.
5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions
)
The PublicKeyCredentialRequestOptions
dictionary supplies get()
with the data it needs to generate
an assertion. Its challenge
member MUST be present, while its other members are OPTIONAL.
dictionary PublicKeyCredentialRequestOptions {required BufferSource challenge ;unsigned long timeout ;DOMString rpId ;sequence <PublicKeyCredentialDescriptor >allowCredentials = [];DOMString userVerification = "preferred";sequence <DOMString >hints = [];AuthenticationExtensionsClientInputs extensions ; };
challenge
, of type BufferSource-
This member specifies a challenge that the authenticator signs, along with other data, when producing an authentication assertion. See the § 13.4.3 Cryptographic Challenges security consideration.
timeout
, of type unsigned long-
This OPTIONAL member specifies a time, in milliseconds, that the Relying Party is willing to wait for the call to complete. The value is treated as a hint, and MAY be overridden by the client.
rpId
, of type DOMString-
This OPTIONAL member specifies the RP ID claimed by the Relying Party. The client MUST verify that the Relying Party's origin matches the scope of this RP ID. The authenticator MUST verify that this RP ID exactly equals the rpId of the credential to be used for the authentication ceremony.
If not specified, its value will be the
CredentialsContainer
object’s relevant settings object's origin's effective domain. allowCredentials
, of type sequence<PublicKeyCredentialDescriptor>, defaulting to[]
-
This OPTIONAL member is used by the client to find authenticators eligible for this authentication ceremony. It can be used in two ways:
-
If the user account to authenticate is already identified (e.g., if the user has entered a username), then the Relying Party SHOULD use this member to list credential descriptors for credential records in the user account. This SHOULD usually include all credential records in the user account.
The items SHOULD specify
transports
whenever possible. This helps the client optimize the user experience for any given situation. Also note that the Relying Party does not need to filter the list when requesting user verification — the client will automatically ignore non-eligible credentials ifuserVerification
is set torequired
.See also the § 14.6.3 Privacy leak via credential IDs privacy consideration.
-
If the user account to authenticate is not already identified, then the Relying Party MAY leave this member empty or unspecified. In this case, only discoverable credentials will be utilized in this authentication ceremony, and the user account MAY be identified by the
userHandle
of the resultingAuthenticatorAssertionResponse
. If the available authenticators contain more than one discoverable credential scoped to the Relying Party, the credentials are displayed by the client platform or authenticator for the user to select from (see step 7 of § 6.3.3 The authenticatorGetAssertion Operation).
If not empty, the client MUST return an error if none of the listed credentials can be used.
The list is ordered in descending order of preference: the first item in the list is the most preferred credential, and the last is the least preferred.
-
userVerification
, of type DOMString, defaulting to"preferred"
-
This OPTIONAL member specifies the Relying Party's requirements regarding user verification for the
get()
operation. The value SHOULD be a member ofUserVerificationRequirement
but client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist. Eligible authenticators are filtered to only those capable of satisfying this requirement.See
UserVerificationRequirement
for the description ofuserVerification
's values and semantics. hints
, of type sequence<DOMString>, defaulting to[]
-
This OPTIONAL member contains zero or more elements from
PublicKeyCredentialHint
to guide the user agent in interacting with the user. Note that the elements have typeDOMString
despite being taken from that enumeration. See § 2.1.1 Enumerations as DOMString types. extensions
, of type AuthenticationExtensionsClientInputs-
The Relying Party MAY use this OPTIONAL member to provide client extension inputs requesting additional processing by the client and authenticator.
The extensions framework is defined in § 9 WebAuthn Extensions. Some extensions are defined in § 10 Defined Extensions; consult the IANA "WebAuthn Extension Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809] for an up-to-date list of registered WebAuthn Extensions.
5.6. Abort Operations with AbortSignal
Developers are encouraged to leverage the AbortController
to manage the [[Create]](origin, options, sameOriginWithAncestors)
and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
operations.
See DOM § 3.3 Using AbortController and AbortSignal objects in APIs section for detailed instructions.
Note: DOM § 3.3 Using AbortController and AbortSignal objects in APIs section specifies that web platform APIs integrating with the AbortController
must reject the promise immediately once the AbortSignal
is aborted.
Given the complex inheritance and parallelization structure of the [[Create]](origin, options, sameOriginWithAncestors)
and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
methods, the algorithms for the two APIs fulfills this
requirement by checking the aborted property in three places. In the case of [[Create]](origin, options, sameOriginWithAncestors)
, the aborted property is checked first in Credential Management 1 § 2.5.4 Create a Credential immediately before calling [[Create]](origin, options, sameOriginWithAncestors)
,
then in § 5.1.3 Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method right before authenticator sessions start, and finally
during authenticator sessions. The same goes for [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
.
The visibility and focus state of the Window
object determines whether the [[Create]](origin, options, sameOriginWithAncestors)
and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
operations
should continue. When the Window
object associated with the Document loses focus, [[Create]](origin, options, sameOriginWithAncestors)
and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
operations
SHOULD be aborted.
The WHATWG HTML WG is discussing whether to provide a hook when a browsing context gains or loses focuses. If a hook is provided, the above paragraph will be updated to include the hook. See WHATWG HTML WG Issue #2711 for more details.
5.7. WebAuthn Extensions Inputs and Outputs
The subsections below define the data types used for conveying WebAuthn extension inputs and outputs.
Note: Authenticator extension outputs are conveyed as a part of authenticator data (see Table 1).
Note: The types defined below — AuthenticationExtensionsClientInputs
and AuthenticationExtensionsClientOutputs
— are applicable to both registration extensions and authentication extensions. The "Authentication..." portion of their names should be regarded as meaning "WebAuthentication..."
5.7.1. Authentication Extensions Client Inputs (dictionary AuthenticationExtensionsClientInputs
)
dictionary { };
AuthenticationExtensionsClientInputs
This is a dictionary containing the client extension input values for zero or more WebAuthn Extensions.
5.7.2. Authentication Extensions Client Outputs (dictionary AuthenticationExtensionsClientOutputs
)
dictionary { };
AuthenticationExtensionsClientOutputs
This is a dictionary containing the client extension output values for zero or more WebAuthn Extensions.
5.7.3. Authentication Extensions Authenticator Inputs (CDDL type AuthenticationExtensionsAuthenticatorInputs
)
AuthenticationExtensionsAuthenticatorInputs = { * $$extensionInput .within ( tstr => any ) }
The CDDL type AuthenticationExtensionsAuthenticatorInputs
defines a CBOR map
containing the authenticator extension input values for zero or more WebAuthn Extensions.
Extensions can add members as described in § 9.3 Extending Request Parameters.
This type is not exposed to the Relying Party, but is used by the client and authenticator.
5.7.4. Authentication Extensions Authenticator Outputs (CDDL type AuthenticationExtensionsAuthenticatorOutputs
)
AuthenticationExtensionsAuthenticatorOutputs = { * $$extensionOutput .within ( tstr => any ) }
The CDDL type AuthenticationExtensionsAuthenticatorOutputs
defines a CBOR map
containing the authenticator extension output values for zero or more WebAuthn Extensions.
Extensions can add members as described in § 9.3 Extending Request Parameters.
5.8. Supporting Data Structures
The public key credential type uses certain data structures that are specified in supporting specifications. These are as follows.
5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData
)
The client data represents the contextual bindings of both the WebAuthn Relying Party and the client. It is a key-value mapping whose keys are strings. Values can be any type that has a valid encoding in JSON. Its structure is defined by the following Web IDL.
Note: The CollectedClientData
may be extended in the future. Therefore it’s critical when parsing to be tolerant of unknown keys and of any reordering of the keys. See also § 5.8.1.2 Limited Verification Algorithm.
dictionary CollectedClientData {required DOMString type ;required DOMString challenge ;required DOMString origin ;boolean crossOrigin ;DOMString topOrigin ; };dictionary {
TokenBinding required DOMString status ;DOMString id ; };enum {
TokenBindingStatus "present" ,"supported" };
type
, of type DOMString-
This member contains the string "webauthn.create" when creating new credentials, and "webauthn.get" when getting an assertion from an existing credential. The purpose of this member is to prevent certain types of signature confusion attacks (where an attacker substitutes one legitimate signature for another).
challenge
, of type DOMString-
This member contains the base64url encoding of the challenge provided by the Relying Party. See the § 13.4.3 Cryptographic Challenges security consideration.
origin
, of type DOMString-
This member contains the fully qualified origin of the requester, as provided to the authenticator by the client, in the syntax defined by [RFC6454].
crossOrigin
, of type boolean-
This OPTIONAL member contains the inverse of the
sameOriginWithAncestors
argument value that was passed into the internal method. topOrigin
, of type DOMString-
This OPTIONAL member contains the fully qualified top-level origin of the requester, in the syntax defined by [RFC6454]. It is set only if the call was made from context that is not same-origin with its ancestors, i.e. if
crossOrigin
istrue
. - [RESERVED] tokenBinding
-
This OPTIONAL member contains information about the state of the Token Binding protocol [TokenBinding] used when communicating with the Relying Party. Its absence indicates that the client doesn’t support token binding
Note: While Token Binding was present in Level 1 and Level 2 of WebAuthn, its use is not expected in Level 3. The tokenBinding field is reserved so that it will not be reused for a different purpose.
status
, of type DOMString-
This member SHOULD be a member of
TokenBindingStatus
but client platforms MUST ignore unknown values, treating an unknown value as if the tokenBinding member does not exist. When known, this member is one of the following:supported
-
Indicates the client supports token binding, but it was not negotiated when communicating with the Relying Party.
present
-
Indicates token binding was used when communicating with the Relying Party. In this case, the
id
member MUST be present.
Note: The
TokenBindingStatus
enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types. id
, of type DOMString-
This member MUST be present if
status
ispresent
, and MUST be a base64url encoding of the Token Binding ID that was used when communicating with the Relying Party.
Note: Obtaining a Token Binding ID is a client platform-specific operation.
The CollectedClientData
structure is used by the client to compute the following quantities:
- JSON-compatible serialization of client data
-
This is the result of performing the JSON-compatible serialization algorithm on the
CollectedClientData
dictionary. - Hash of the serialized client data
-
This is the hash (computed using SHA-256) of the JSON-compatible serialization of client data, as constructed by the client.
5.8.1.1. Serialization
The serialization of the CollectedClientData
is a subset of the algorithm for JSON-serializing to bytes. I.e. it produces a valid JSON encoding of the CollectedClientData
but also provides additional structure that may be exploited by verifiers to avoid integrating a full JSON parser. While verifiers are recommended to perform standard JSON parsing, they may use the more limited algorithm below in contexts where a full JSON parser is too large. This verification algorithm requires only base64url encoding, appending of bytestrings (which could be implemented by writing into a fixed template), and simple conditional checks (assuming that inputs are known not to need escaping).
The serialization algorithm works by appending successive byte strings to an, initially empty, partial result until the complete result is obtained.
-
Let result be an empty byte string.
-
Append 0x7b2274797065223a (
{"type":
) to result. -
Append CCDToString(
type
) to result. -
Append 0x2c226368616c6c656e6765223a (
,"challenge":
) to result. -
Append CCDToString(
challenge
) to result. -
Append 0x2c226f726967696e223a (
,"origin":
) to result. -
Append CCDToString(
origin
) to result. -
Append 0x2c2263726f73734f726967696e223a (
,"crossOrigin":
) to result. -
If
crossOrigin
is not present, or isfalse
:-
Append 0x66616c7365 (
false
) to result.
-
-
Otherwise:
-
Append 0x74727565 (
true
) to result.
-
-
If
topOrigin
is present:-
Append 0x2c22746f704f726967696e223a (
,"topOrigin":
) to result. -
Append CCDToString(
topOrigin
) to result.
-
-
Create a temporary copy of the
CollectedClientData
and remove the fieldstype
,challenge
,origin
,crossOrigin
(if present), andtopOrigin
(if present). -
If no fields remain in the temporary copy then:
-
Append 0x7d (
}
) to result.
-
-
Otherwise:
-
Invoke serialize JSON to bytes on the temporary copy to produce a byte string remainder.
-
Append 0x2c (
,
) to result. -
Remove the leading byte from remainder.
-
Append remainder to result.
-
-
The result of the serialization is the value of result.
The function CCDToString is used in the above algorithm and is defined as:
-
Let encoded be an empty byte string.
-
Append 0x22 (
"
) to encoded. -
Invoke ToString on the given object to convert to a string.
-
For each code point in the resulting string, if the code point:
- is in the set {U+0020, U+0021, U+0023–U+005B, U+005D–U+10FFFF}
-
Append the UTF-8 encoding of that code point to encoded.
- is U+0022
-
Append 0x5c22 (
\"
) to encoded. - is U+005C
-
Append 0x5c5c (\\) to encoded.
- otherwise
-
Append 0x5c75 (
\u
) to encoded, followed by four, lower-case hex digits that, when interpreted as a base-16 number, represent that code point.
-
Append 0x22 (
"
) to encoded. -
The result of this function is the value of encoded.
5.8.1.2. Limited Verification Algorithm
Verifiers may use the following algorithm to verify an encoded CollectedClientData
if they cannot support a full JSON parser:
-
The inputs to the algorithm are:
-
A bytestring, clientDataJSON, that contains
clientDataJSON
— the serializedCollectedClientData
that is to be verified. -
A string, type, that contains the expected
type
. -
A byte string, challenge, that contains the challenge byte string that was given in the
PublicKeyCredentialRequestOptions
orPublicKeyCredentialCreationOptions
. -
A string, origin, that contains the expected
origin
that issued the request to the user agent. -
An optional string, topOrigin, that contains the expected
topOrigin
that issued the request to the user agent, if available. -
A boolean, requireTopOrigin, that is true if, and only if, the verification should fail if topOrigin is defined and the
topOrigin
attribute is not present in clientDataJSON.This means that the verification algorithm is backwards compatible with the JSON-compatible serialization algorithm in Web Authentication Level 2 [webauthn-2-20210408] if, and only if, requireTopOrigin is
false
.
-
-
Let expected be an empty byte string.
-
Append 0x7b2274797065223a (
{"type":
) to expected. -
Append CCDToString(type) to expected.
-
Append 0x2c226368616c6c656e6765223a (
,"challenge":
) to expected. -
Perform base64url encoding on challenge to produce a string, challengeBase64.
-
Append CCDToString(challengeBase64) to expected.
-
Append 0x2c226f726967696e223a (
,"origin":
) to expected. -
Append CCDToString(origin) to expected.
-
Append 0x2c2263726f73734f726967696e223a (
,"crossOrigin":
) to expected. -
If topOrigin is defined:
-
Append 0x74727565 (
true
) to expected. -
If requireTopOrigin is true or if 0x2c22746f704f726967696e223a (
,"topOrigin":
) is a prefix of the substring of clientDataJSON beginning at the offset equal to the length of expected:-
Append 0x2c22746f704f726967696e223a (
,"topOrigin":
) to expected. -
Append CCDToString(topOrigin) to expected.
-
-
-
Otherwise, i.e. topOrigin is not defined:
-
Append 0x66616c7365 (
false
) to expected.
-
-
If expected is not a prefix of clientDataJSON then the verification has failed.
-
If clientDataJSON is not at least one byte longer than expected then the verification has failed.
-
If the byte of clientDataJSON at the offset equal to the length of expected:
- is 0x7d
-
The verification is successful.
- is 0x2c
-
The verification is successful.
- otherwise
-
The verification has failed.
5.8.1.3. Future development
In order to remain compatible with the limited verification algorithm, future versions of this specification must not remove any of the fields type
, challenge
, origin
, crossOrigin
, or topOrigin
from CollectedClientData
. They also must not change the serialization algorithm to change the order in which those fields are serialized, or insert new fields between them.
If additional fields are added to CollectedClientData
then verifiers that employ the limited verification algorithm will not be able to consider them until the two algorithms above are updated to include them. Once such an update occurs then the added fields inherit the same limitations as described in the previous paragraph. Such an algorithm update would have to accomodate serializations produced by previous versions. I.e. the verification algorithm would have to handle the fact that a sixth key–value pair may not appear sixth (or at all) if generated by a user agent working from a previous version.
5.8.2. Credential Type Enumeration (enum PublicKeyCredentialType
)
enum PublicKeyCredentialType {"public-key" };
Note: The PublicKeyCredentialType
enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types.
Currently one credential type is defined, namely "public-key
".
5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor
)
dictionary PublicKeyCredentialDescriptor {required DOMString type ;required BufferSource id ;sequence <DOMString >transports ; };
This dictionary identifies a specific public key credential.
It is used in create()
to prevent creating duplicate credentials on the same authenticator,
and in get()
to determine if and how the credential can currently be reached by the client.
The credential descriptor for a credential record is a subset of the properties of that credential record,
and mirrors some fields of the PublicKeyCredential
object returned by create()
and get()
.
type
, of type DOMString-
This member contains the type of the public key credential the caller is referring to. The value SHOULD be a member of
PublicKeyCredentialType
but client platforms MUST ignore anyPublicKeyCredentialDescriptor
with an unknowntype
.This SHOULD be set to the value of the type item of the credential record representing the identified public key credential source. This mirrors the
type
field ofPublicKeyCredential
.Note: If all
PublicKeyCredentialDescriptor
elements inallowCredentials
are ignored then that MUST result in an error since an emptyallowCredentials
is semantically distinct. id
, of type BufferSource-
This member contains the credential ID of the public key credential the caller is referring to.
This SHOULD be set to the value of the id item of the credential record representing the identified public key credential source. This mirrors the
rawId
field ofPublicKeyCredential
. transports
, of type sequence<DOMString>-
This OPTIONAL member contains a hint as to how the client might communicate with the managing authenticator of the public key credential the caller is referring to. The values SHOULD be members of
AuthenticatorTransport
but client platforms MUST ignore unknown values.This SHOULD be set to the value of the transports item of the credential record representing the identified public key credential source. This mirrors the
method of theresponse
.getTransports()
PublicKeyCredential
structure created by acreate()
operation.
5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport
)
enum AuthenticatorTransport {"usb" ,"nfc" ,"ble" ,"smart-card" ,"hybrid" ,"internal" };
Note: The AuthenticatorTransport
enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types.
getTransports()
.
usb
-
Indicates the respective authenticator can be contacted over removable USB.
nfc
-
Indicates the respective authenticator can be contacted over Near Field Communication (NFC).
ble
-
Indicates the respective authenticator can be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE).
smart-card
-
Indicates the respective authenticator can be contacted over ISO/IEC 7816 smart card with contacts.
hybrid
-
Indicates the respective authenticator can be contacted using a combination of (often separate) data-transport and proximity mechanisms. This supports, for example, authentication on a desktop computer using a smartphone.
internal
-
Indicates the respective authenticator is contacted using a client device-specific transport, i.e., it is a platform authenticator. These authenticators are not removable from the client device.
5.8.5. Cryptographic Algorithm Identifier (typedef COSEAlgorithmIdentifier
)
typedef long ;
COSEAlgorithmIdentifier
COSEAlgorithmIdentifier
's value is a number identifying a cryptographic algorithm.
The algorithm identifiers SHOULD be values registered in the IANA COSE Algorithms registry [IANA-COSE-ALGS-REG],
for instance, -7
for "ES256" and -257
for "RS256".
The COSE algorithms registry leaves degrees of freedom to be specified by other parameters in a COSE key. In order to promote interoperability, this specification makes the following additional guarantees of credential public keys:
-
Keys with algorithm ES256 (-7) MUST specify P-256 (1) as the crv parameter and MUST NOT use the compressed point form.
-
Keys with algorithm ES384 (-35) MUST specify P-384 (2) as the crv parameter and MUST NOT use the compressed point form.
-
Keys with algorithm ES512 (-36) MUST specify P-521 (3) as the crv parameter and MUST NOT use the compressed point form.
-
Keys with algorithm EdDSA (-8) MUST specify Ed25519 (6) as the crv parameter. (These always use a compressed form in COSE.)
These restrictions align with the recommendation in Section 2.1 of [RFC9053].
Note: There are many checks neccessary to correctly implement signature verification using these algorithms. One of these is that, when processing uncompressed elliptic-curve points, implementations should check that the point is actually on the curve. This check is highlighted because it’s judged to be at particular risk of falling through the gap between a cryptographic library and other code.
5.8.6. User Verification Requirement Enumeration (enum UserVerificationRequirement
)
enum UserVerificationRequirement {"required" ,"preferred" ,"discouraged" };
A WebAuthn Relying Party may require user verification for some of its operations but not for others, and may use this type to express its needs.
Note: The UserVerificationRequirement
enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types.
required
-
The Relying Party requires user verification for the operation and will fail the overall ceremony if the response does not have the UV flag set. The client MUST return an error if user verification cannot be performed.
preferred
-
The Relying Party prefers user verification for the operation if possible, but will not fail the operation if the response does not have the UV flag set.
discouraged
-
The Relying Party does not want user verification employed during the operation (e.g., in the interest of minimizing disruption to the user interaction flow).
5.8.7. Client Capability Enumeration (enum ClientCapability
)
enum ClientCapability {"conditionalCreate" ,"conditionalGet" ,"hybridTransport" ,"passkeyPlatformAuthenticator" ,"userVerifyingPlatformAuthenticator" ,"relatedOrigins" ,"signalAllAcceptedCredentials" ,"signalCurrentUserDetails" ,"signalUnknownCredential" };
This enumeration defines a limited set of client capabilities which a WebAuthn Relying Party may evaluate to offer certain workflows and experiences to users.
Relying Parties may use the getClientCapabilities()
method of PublicKeyCredential
to obtain a description of available capabilities.
Note: The ClientCapability
enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types.
conditionalCreate
-
The WebAuthn Client is capable of
conditional
mediation for registration ceremonies..See § 5.1.3 Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method for more details.
conditionalGet
-
The WebAuthn Client is capable of
conditional
mediation for authentication ceremonies.This capability is equivalent to
isConditionalMediationAvailable()
resolving totrue
.See § 5.1.4 Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method for more details.
hybridTransport
-
The WebAuthn Client supports usage of the
hybrid
transport. passkeyPlatformAuthenticator
-
The WebAuthn Client supports usage of a passkey platform authenticator, locally and/or via
hybrid
transport. userVerifyingPlatformAuthenticator
-
The WebAuthn Client supports usage of a user-verifying platform authenticator.
relatedOrigins
-
The WebAuthn Client supports Related Origin Requests.
signalAllAcceptedCredentials
-
The WebAuthn Client supports
signalAllAcceptedCredentials()
. signalCurrentUserDetails
,-
The WebAuthn Client supports
signalCurrentUserDetails()
. signalUnknownCredential
-
The WebAuthn Client supports
signalUnknownCredential()
.
5.8.8. User-agent Hints Enumeration (enum PublicKeyCredentialHint
)
enum PublicKeyCredentialHint {"security-key" ,"client-device" ,"hybrid" , };
Note: The PublicKeyCredentialHint
enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types.
Hints MAY contradict information contained in credential transports
and authenticatorAttachment
. When this occurs, the hints take precedence. (Note that transports
values are not provided when using discoverable credentials, leaving hints as the only avenue for expressing some aspects of such a request.)
security-key
-
Indicates that the Relying Party believes that users will satisfy this request with a physical security key. For example, an enterprise Relying Party may set this hint if they have issued security keys to their employees and will only accept those authenticators for registration and authentication.
For compatibility with older user agents, when this hint is used in
PublicKeyCredentialCreationOptions
, theauthenticatorAttachment
SHOULD be set tocross-platform
. client-device
-
Indicates that the Relying Party believes that users will satisfy this request with a platform authenticator attached to the client device.
For compatibility with older user agents, when this hint is used in
PublicKeyCredentialCreationOptions
, theauthenticatorAttachment
SHOULD be set toplatform
. hybrid
-
Indicates that the Relying Party believes that users will satisfy this request with general-purpose authenticators such as smartphones. For example, a consumer Relying Party may believe that only a small fraction of their customers possesses dedicated security keys. This option also implies that the local platform authenticator should not be promoted in the UI.
For compatibility with older user agents, when this hint is used in
PublicKeyCredentialCreationOptions
, theauthenticatorAttachment
SHOULD be set tocross-platform
.
5.9. Permissions Policy integration
This specification defines two policy-controlled features identified by
the feature-identifier tokens "publickey-credentials-create
"
and "publickey-credentials-get
".
Their default allowlists are both 'self
'. [Permissions-Policy]
A Document
's permissions policy determines whether any content in that document is allowed to successfully invoke the Web Authentication API, i.e., via navigator.credentials.create({publicKey:..., ...})
or navigator.credentials.get({publicKey:..., ...})
If disabled in any document, no content in the document will be allowed to use the foregoing methods: attempting to do so will return an error.
Note: Algorithms specified in [CREDENTIAL-MANAGEMENT-1] perform the actual permissions policy evaluation. This is because such policy evaluation needs to occur when there is access to the current settings object. The [[Create]](origin, options, sameOriginWithAncestors)
and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
internal methods does not have such access since they are invoked in parallel by CredentialsContainer
's Create a Credential
and Request a Credential
abstract operations [CREDENTIAL-MANAGEMENT-1].
5.10. Using Web Authentication within iframe
elements
The Web Authentication API is disabled by default in cross-origin iframe
s.
To override this default policy and indicate that a cross-origin iframe
is allowed to invoke the Web Authentication API's [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
method, specify the allow
attribute on the iframe
element and include the publickey-credentials-get
feature-identifier token in the allow
attribute’s value.
Relying Parties utilizing the WebAuthn API in an embedded context should review § 13.4.2 Visibility Considerations for Embedded Usage regarding UI redressing and its possible mitigations.
5.11. Using Web Authentication across related origins
By default, Web Authentication requires that the RP ID be equal to the origin's effective domain, or a registrable domain suffix of the origin's effective domain.
This can make deployment challenging for large environments where multiple country-specific domains are in use (e.g. example.com vs example.co.uk vs example.sg), where alternative or brand domains are required (e.g. myexampletravel.com vs examplecruises.com), and/or where platform as a service providers are used to support mobile apps.
WebAuthn Relying Parties can opt in to allowing WebAuthn Clients to enable a credential to be created and used across a limited set of related origins. Such Relying Parties MUST choose a common RP ID to use across all ceremonies from related origins.
A JSON document MUST be hosted at the webauthn
well-known URL [RFC8615] for the RP ID. The JSON document MUST be returned as follows:
-
The content type MUST be
application/json
. -
The top-level JSON object MUST contain a key named
origins
whose value MUST be an array of one or more strings containing web origins.
For example, for the RP ID example.com
:
{ "origins" : [ "https://example.co.uk" , "https://example.de" , "https://example.sg" , "https://example.net" , "https://exampledelivery.com" , "https://exampledelivery.co.uk" , "https://exampledelivery.de" , "https://exampledelivery.sg" , "https://myexamplerewards.com" , "https://examplecars.com" ] }
WebAuthn Clients supporting this feature MUST support at least five registrable origin labels. Client policy SHOULD define an upper limit to prevent abuse.
WebAuthn Clients supporting this feature SHOULD include relatedOrigins
in their response to getClientCapabilities().
5.11.1. Validating Related Origins
The related origins validation procedure, given arguments callerOrigin and rpIdRequested, is as follows:
-
Let maxLabels be the maximum number of registrable origin labels allowed by client policy.
-
Fetch the
webauthn
well-known URL [RFC8615] for the RP ID rpIdRequested (i.e.,https://rpIdRequested/.well-known/webauthn
).-
If the fetch fails, the response does not have a content type of
application/json
, or does not have a status code (after following redirects) of 200, then throw a "SecurityError
"DOMException
. -
If the body of the resource is not a valid JSON object, then throw a "
SecurityError
"DOMException
. -
If the value of the origins property of the JSON object is missing, or is not an array of strings, then throw a "
SecurityError
"DOMException
.
-
-
Let labelsSeen be a new empty set.
-
For each originItem of origins:
-
Let url be the result of running the URL parser with originItem as the input. If that fails, continue.
-
Let domain be the effective domain of url. If that is null, continue.
-
Let label be registrable origin label of domain.
-
If label is empty or null, continue.
-
If the size of labelsSeen is greater than or equal to maxLabels and labelsSeen does not contain label, continue.
-
If callerOrigin and url are same origin, return
true
. -
If the size of labelsSeen is less than maxLabels, append label to labelsSeen.
-
-
Return
false
.
6. WebAuthn Authenticator Model
The Web Authentication API implies a specific abstract functional model for a WebAuthn Authenticator. This section describes that authenticator model.
Client platforms MAY implement and expose this abstract model in any way desired. However, the behavior of the client’s Web Authentication API implementation, when operating on the authenticators supported by that client platform, MUST be indistinguishable from the behavior specified in § 5 Web Authentication API.
Note: [FIDO-CTAP] is an example of a concrete instantiation of this model, but it is one in which there are differences in the data it returns and those expected by the WebAuthn API's algorithms. The CTAP2 response messages are CBOR maps constructed using integer keys rather than the string keys defined in this specification for the same objects. The client is expected to perform any needed transformations on such data. The [FIDO-CTAP] specification details the mapping between CTAP2 integer keys and WebAuthn string keys in Section §6. Authenticator API.
For authenticators, this model defines the logical operations that they MUST support, and the data formats that they expose to the client and the WebAuthn Relying Party. However, it does not define the details of how authenticators communicate with the client device, unless they are necessary for interoperability with Relying Parties. For instance, this abstract model does not define protocols for connecting authenticators to clients over transports such as USB or NFC. Similarly, this abstract model does not define specific error codes or methods of returning them; however, it does define error behavior in terms of the needs of the client. Therefore, specific error codes are mentioned as a means of showing which error conditions MUST be distinguishable (or not) from each other in order to enable a compliant and secure client implementation.
Relying Parties may influence authenticator selection, if they deem necessary, by stipulating various authenticator characteristics when creating credentials and/or when generating assertions, through use of credential creation options or assertion generation options, respectively. The algorithms underlying the WebAuthn API marshal these options and pass them to the applicable authenticator operations defined below.
In this abstract model, the authenticator provides key management and cryptographic signatures. It can be embedded in the WebAuthn client or housed in a separate device entirely. The authenticator itself can contain a cryptographic module which operates at a higher security level than the rest of the authenticator. This is particularly important for authenticators that are embedded in the WebAuthn client, as in those cases this cryptographic module (which may, for example, be a TPM) could be considered more trustworthy than the rest of the authenticator.
Each authenticator stores a credentials map, a map from (rpId, userHandle) to public key credential source.
Additionally, each authenticator has an Authenticator Attestation Globally Unique Identifier or AAGUID, which is a 128-bit identifier indicating the type (e.g. make and model) of the authenticator. The AAGUID MUST be chosen by its maker to be identical across all substantially identical authenticators made by that maker, and different (with high probability) from the AAGUIDs of all other types of authenticators. The AAGUID for a given type of authenticator SHOULD be randomly generated to ensure this. The Relying Party MAY use the AAGUID to infer certain properties of the authenticator, such as certification level and strength of key protection, using information from other sources. The Relying Party MAY use the AAGUID to attempt to identify the maker of the authenticator without requesting and verifying attestation, but the AAGUID is not provably authentic without attestation.
The primary function of the authenticator is to provide WebAuthn signatures, which are bound to various contextual data. These data are observed and added at different levels of the stack as a signature request passes from the server to the authenticator. In verifying a signature, the server checks these bindings against expected values. These contextual bindings are divided in two: Those added by the Relying Party or the client, referred to as client data; and those added by the authenticator, referred to as the authenticator data. The authenticator signs over the client data, but is otherwise not interested in its contents. To save bandwidth and processing requirements on the authenticator, the client hashes the client data and sends only the result to the authenticator. The authenticator signs over the combination of the hash of the serialized client data, and its own authenticator data.
The goals of this design can be summarized as follows.
-
The scheme for generating signatures should accommodate cases where the link between the client device and authenticator is very limited, in bandwidth and/or latency. Examples include Bluetooth Low Energy and Near-Field Communication.
-
The data processed by the authenticator should be small and easy to interpret in low-level code. In particular, authenticators should not have to parse high-level encodings such as JSON.
-
Both the client and the authenticator should have the flexibility to add contextual bindings as needed.
-
The design aims to reuse as much as possible of existing encoding formats in order to aid adoption and implementation.
Authenticators produce cryptographic signatures for two distinct purposes:
-
An attestation signature is produced when a new public key credential is created via an authenticatorMakeCredential operation. An attestation signature provides cryptographic proof of certain properties of the authenticator and the credential. For instance, an attestation signature asserts the authenticator type (as denoted by its AAGUID) and the credential public key. The attestation signature is signed by an attestation private key, which is chosen depending on the type of attestation desired. For more details on attestation, see § 6.5 Attestation.
-
An assertion signature is produced when the authenticatorGetAssertion method is invoked. It represents an assertion by the authenticator that the user has consented to a specific transaction, such as logging in, or completing a purchase. Thus, an assertion signature asserts that the authenticator possessing a particular credential private key has established, to the best of its ability, that the user requesting this transaction is the same user who consented to creating that particular public key credential. It also asserts additional information, termed client data, that may be useful to the caller, such as the means by which user consent was provided, and the prompt shown to the user by the authenticator. The assertion signature format is illustrated in Figure 4, below.
The term WebAuthn signature refers to both attestation signatures and assertion signatures. The formats of these signatures, as well as the procedures for generating them, are specified below.
6.1. Authenticator Data
The authenticator data structure encodes contextual bindings made by the authenticator. These bindings are controlled by the authenticator itself, and derive their trust from the WebAuthn Relying Party's assessment of the security properties of the authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy than the client data. At the other extreme, the authenticator may be a discrete entity with high-security hardware and software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same format, and uses its knowledge of the authenticator to make trust decisions.
The authenticator data has a compact but extensible encoding. This is desired since authenticators can be devices with limited capabilities and low power requirements, with much simpler software stacks than the client platform.
The authenticator data structure is a byte array of 37 bytes or more, laid out as shown in Table .
Name | Length (in bytes) | Description |
---|---|---|
rpIdHash | 32 | SHA-256 hash of the RP ID the credential is scoped to. |
flags | 1 |
Flags (bit 0 is the least significant bit):
|
signCount | 4 | Signature counter, 32-bit unsigned big-endian integer. |
attestedCredentialData | variable (if present) | attested credential data (if present). See § 6.5.1 Attested Credential Data for details. Its length depends on the length of the credential ID and credential public key being attested. |
extensions | variable (if present) | Extension-defined authenticator data. This is a CBOR [RFC8949] map with extension identifiers as keys, and authenticator extension outputs as values. See § 9 WebAuthn Extensions for details. |
The RP ID is originally received from the client when the credential is created, and again when an assertion is generated. However, it differs from other client data in some important ways. First, unlike the client data, the RP ID of a credential does not change between operations but instead remains the same for the lifetime of that credential. Secondly, it is validated by the authenticator during the authenticatorGetAssertion operation, by verifying that the RP ID that the requested credential is scoped to exactly matches the RP ID supplied by the client.
Authenticators perform the following steps to generate an authenticator data structure:
-
The UP flag SHALL be set if and only if the authenticator performed a test of user presence. The UV flag SHALL be set if and only if the authenticator performed user verification. The
RFU
bits SHALL be set to zero.Note: If the authenticator performed both a test of user presence and user verification, possibly combined in a single authorization gesture, then the authenticator will set both the UP flag and the UV flag.
-
The BE flag SHALL be set if and only if the credential is a multi-device credential. This value MUST NOT change after a registration ceremony as defined in § 6.1.3 Credential Backup State.
-
The BS flag SHALL be set if and only if the credential is a multi-device credential and is currently backed up.
If the backup status of a credential is uncertain or the authenticator suspects a problem with the backed up credential, the BS flag SHOULD NOT be set.
-
For attestation signatures, the authenticator MUST set the AT flag and include the
attestedCredentialData
. For assertion signatures, the AT flag MUST NOT be set and theattestedCredentialData
MUST NOT be included. -
If the authenticator does not include any extension data, it MUST set the ED flag to zero, and to one if extension data is included.
Figure shows a visual representation of the authenticator data structure.
Determining attested credential data's length, which is variable, involves determining credentialPublicKey
’s beginning location given the preceding credentialId
’s length, and then determining the credentialPublicKey
’s length (see also Section 7 of [RFC9052]).
6.1.1. Signature Counter Considerations
Authenticators SHOULD implement a signature counter feature. These counters are conceptually stored for each credential
by the authenticator, or globally for the authenticator as a whole. The initial value of a credential’s signature counter is specified in the signCount
value of the authenticator data returned by authenticatorMakeCredential. The signature counter is incremented for each successful authenticatorGetAssertion operation by some positive value, and subsequent values are returned to the WebAuthn Relying Party within the authenticator data again. The signature counter's purpose is to aid Relying Parties in detecting cloned authenticators. Clone
detection is more important for authenticators with limited protection measures.
Authenticators that do not implement a signature counter leave the signCount
in the authenticator data constant at zero.
A Relying Party stores the signature counter of the most recent authenticatorGetAssertion operation. (Or the counter from the authenticatorMakeCredential operation if no authenticatorGetAssertion has ever been performed on a credential.) In subsequent authenticatorGetAssertion operations, the Relying Party compares the stored signature counter value with the new signCount
value returned in the assertion’s authenticator data. If either is non-zero, and the new signCount
value is less than or equal to the stored value, a cloned authenticator may exist, or the authenticator may be malfunctioning.
Detecting a signature counter mismatch does not indicate whether the current operation was performed by a cloned authenticator or the original authenticator. Relying Parties should address this situation appropriately relative to their individual situations, i.e., their risk tolerance.
Authenticators:
-
SHOULD implement per credential signature counters. This prevents the signature counter value from being shared between Relying Parties and being possibly employed as a correlation handle for the user. Authenticators MAY implement a global signature counter, i.e., on a per-authenticator basis, but this is less privacy-friendly for users.
-
SHOULD ensure that the signature counter value does not accidentally decrease (e.g., due to hardware failures).
6.1.2. FIDO U2F Signature Format Compatibility
The format for assertion signatures, which sign over the concatenation of an authenticator data structure and the hash of the serialized client data, are compatible with the FIDO U2F authentication signature format (see Section 5.4 of [FIDO-U2F-Message-Formats]).
This is because the first 37 bytes of the signed data in a FIDO U2F authentication response message constitute a valid authenticator data structure, and the remaining 32 bytes are the hash of the serialized client data. In this authenticator data structure, the rpIdHash
is the FIDO U2F application parameter, all flags
except UP
are always zero, and the attestedCredentialData
and extensions
are never present. FIDO U2F authentication signatures can therefore be verified by
the same procedure as other assertion signatures generated by the authenticatorGetAssertion operation.
6.1.3. Credential Backup State
Credential backup eligibility and current backup state is conveyed by the BE and BS flags in the authenticator data, as defined in Table .
The value of the BE flag is set during authenticatorMakeCredential operation and MUST NOT change.
The value of the BS flag may change over time based on the current state of the public key credential source. Table below defines valid combinations and their meaning.
BE | BS | Description |
---|---|---|
0
| 0
| The credential is a single-device credential. |
0
| 1
| This combination is not allowed. |
1
| 0
| The credential is a multi-device credential and is not currently backed up. |
1
| 1
| The credential is a multi-device credential and is currently backed up. |
It is RECOMMENDED that Relying Parties store the most recent value of these flags with the user account for future evaluation.
The following is a non-exhaustive list of how Relying Parties might use these flags:
-
Requiring additional authenticators:
When the BE flag is set to
0
, the credential is a single-device credential and the generating authenticator will never allow the credential to be backed up.A single-device credential is not resilient to single device loss. Relying Parties SHOULD ensure that each user account has additional authenticators registered and/or an account recovery process in place. For example, the user could be prompted to set up an additional authenticator, such as a roaming authenticator or an authenticator that is capable of multi-device credentials.
-
Upgrading a user to a password-free account:
When the BS flag changes from
0
to1
, the authenticator is signaling that the credential is backed up and is protected from single device loss.The Relying Party MAY choose to prompt the user to upgrade their account security and remove their password.
-
Adding an additional factor after a state change:
When the BS flag changes from
1
to0
, the authenticator is signaling that the credential is no longer backed up, and no longer protected from single device loss. This could be the result of the user actions, such as disabling the backup service, or errors, such as issues with the backup service.When this transition occurs, the Relying Party SHOULD guide the user through a process to validate their other authentication factors. If the user does not have another credential for their account, they SHOULD be guided through adding an additional credential to ensure they do not lose access to their account. For example, the user could be prompted to set up an additional authenticator, such as a roaming authenticator or an authenticator that is capable of multi-device credentials.
6.2. Authenticator Taxonomy
Many use cases are dependent on the capabilities of the authenticator used. This section defines some terminology for those capabilities, their most important combinations, and which use cases those combinations enable.
For example:
-
When authenticating for the first time on a particular client device, a roaming authenticator is typically needed since the user doesn’t yet have a platform credential on that client device.
-
For subsequent re-authentication on the same client device, a platform authenticator is likely the most convenient since it’s built directly into the client device rather than being a separate device that the user may have to locate.
-
For second-factor authentication in addition to a traditional username and password, any authenticator can be used.
-
Passwordless multi-factor authentication requires an authenticator capable of user verification, and in some cases also discoverable credential capable.
-
A laptop computer might support connecting to roaming authenticators via USB and Bluetooth, while a mobile phone might only support NFC.
The above examples illustrate the primary authenticator type characteristics:
-
Whether the authenticator is a roaming or platform authenticator, or in some cases both — the authenticator attachment modality. A roaming authenticator can support one or more transports for communicating with the client.
-
Whether the authenticator is capable of user verification — the authentication factor capability.
-
Whether the authenticator is discoverable credential capable — the credential storage modality.
These characteristics are independent and may in theory be combined in any way, but Table lists and names some authenticator types of particular interest.
Authenticator Type | Authenticator Attachment Modality | Credential Storage Modality | Authentication Factor Capability |
---|---|---|---|
Second-factor platform authenticator | platform | Either | Single-factor capable |
User-verifying platform authenticator | platform | Either | Multi-factor capable |
Second-factor roaming authenticator | cross-platform | Server-side storage | Single-factor capable |
Passkey roaming authenticator | cross-platform | Client-side storage | Multi-factor capable |
Passkey platform authenticator | platform (transport = internal ) or cross-platform (transport = hybrid )
| Client-side storage | Multi-factor capable |
A second-factor platform authenticator is convenient to use for re-authentication on the same client device, and can be used to add an extra layer of security both when initiating a new session and when resuming an existing session. A second-factor roaming authenticator is more likely to be used to authenticate on a particular client device for the first time, or on a client device shared between multiple users.
Passkey platform authenticators and passkey roaming authenticators enable passwordless multi-factor authentication. In addition to the proof of possession of the credential private key, these authenticators support user verification as a second authentication factor, typically a PIN or biometric recognition. The authenticator can thus act as two kinds of authentication factor, which enables multi-factor authentication while eliminating the need to share a password with the Relying Party. These authenticators also support discoverable credentials, also called passkeys, meaning they also enable authentication flows where username input is not necessary.
The user-verifying platform authenticator class is largely obsoleted by the passkey platform authenticator class,
but the definition is still used by the isUserVerifyingPlatformAuthenticatorAvailable
method.
The combinations not named in Table have less distinguished use cases:
-
A roaming authenticator that is discoverable credential capable but not multi-factor capable can be used for single-factor authentication without a username, where the user is automatically identified by the user handle and possession of the credential private key is used as the only authentication factor. This can be useful in some situations, but makes the user particularly vulnerable to theft of the authenticator.
-
A roaming authenticator that is multi-factor capable but not discoverable credential capable can be used for multi-factor authentication, but requires the user to be identified first which risks leaking personally identifying information; see § 14.6.3 Privacy leak via credential IDs.
The following subsections define the aspects authenticator attachment modality, credential storage modality and authentication factor capability in more depth.
6.2.1. Authenticator Attachment Modality
Clients can communicate with authenticators using a variety of mechanisms. For example, a client MAY use a client device-specific API to communicate with an authenticator which is physically bound to a client device. On the other hand, a client can use a variety of standardized cross-platform transport protocols such as Bluetooth (see § 5.8.4 Authenticator Transport Enumeration (enum AuthenticatorTransport)) to discover and communicate with cross-platform attached authenticators. We refer to authenticators that are part of the client device as platform authenticators, while those that are reachable via cross-platform transport protocols are referred to as roaming authenticators.
-
A platform authenticator is attached using a client device-specific transport, called platform attachment, and is usually not removable from the client device. A public key credential bound to a platform authenticator is called a platform credential.
-
A roaming authenticator is attached using cross-platform transports, called cross-platform attachment. Authenticators of this class are removable from, and can "roam" between, client devices. A public key credential bound to a roaming authenticator is called a roaming credential.
Some platform authenticators could possibly also act as roaming authenticators depending on context. For example, a platform authenticator integrated into a mobile device could make itself available as a roaming authenticator via Bluetooth. In this case clients running on the mobile device would recognise the authenticator as a platform authenticator, while clients running on a different client device and communicating with the same authenticator via Bluetooth would recognize it as a roaming authenticator.
The primary use case for platform authenticators is to register a particular client device as a "trusted device", so the client device itself acts as a something you have authentication factor for future authentication. This gives the user the convenience benefit of not needing a roaming authenticator for future authentication ceremonies, e.g., the user will not have to dig around in their pocket for their key fob or phone.
Use cases for roaming authenticators include: authenticating on a new client device for the first time, on rarely used client devices, client devices shared between multiple users, or client devices that do not include a platform authenticator; and when policy or preference dictates that the authenticator be kept separate from the client devices it is used with. A roaming authenticator can also be used to hold backup credentials in case another authenticator is lost.
6.2.2. Credential Storage Modality
An authenticator can store a public key credential source in one of two ways:
-
In persistent storage embedded in the authenticator, client or client device, e.g., in a secure element. This is a technical requirement for a client-side discoverable public key credential source.
-
By encrypting (i.e., wrapping) the public key credential source such that only this authenticator can decrypt (i.e., unwrap) it and letting the resulting ciphertext be the credential ID of the public key credential source. The credential ID is stored by the Relying Party and returned to the authenticator via the
allowCredentials
option ofget()
, which allows the authenticator to decrypt and use the public key credential source.This enables the authenticator to have unlimited credential storage capacity, since the encrypted public key credential sources are stored by the Relying Party instead of by the authenticator - but it means that a credential stored in this way must be retrieved from the Relying Party before the authenticator can use it.
Which of these storage strategies an authenticator supports defines the authenticator's credential storage modality as follows:
-
An authenticator has the client-side credential storage modality if it supports client-side discoverable public key credential sources. An authenticator with client-side credential storage modality is also called discoverable credential capable.
-
An authenticator has the server-side credential storage modality if it does not have the client-side credential storage modality, i.e., it only supports storing public key credential sources as a ciphertext in the credential ID.
Note that a discoverable credential capable authenticator MAY support both storage strategies. In this case, the authenticator MAY
at its discretion use different storage strategies for different credentials, though subject to the residentKey
and requireResidentKey
options of create()
.
6.2.3. Authentication Factor Capability
There are three broad classes of authentication factors that can be used to prove an identity during an authentication ceremony: something you have, something you know and something you are. Examples include a physical key, a password, and a fingerprint, respectively.
All WebAuthn Authenticators belong to the something you have class, but an authenticator that supports user verification can also act as one or two additional kinds of authentication factor. For example, if the authenticator can verify a PIN, the PIN is something you know, and a biometric authenticator can verify something you are. Therefore, an authenticator that supports user verification is multi-factor capable. Conversely, an authenticator that is not multi-factor capable is single-factor capable. Note that a single multi-factor capable authenticator could support several modes of user verification, meaning it could act as all three kinds of authentication factor.
Although user verification is performed locally on the authenticator and not by the Relying Party, the authenticator indicates if user verification was performed by setting the UV flag in the signed response returned to the Relying Party. The Relying Party can therefore use the UV flag to verify that additional authentication factors were used in a registration or authentication ceremony. The authenticity of the UV flag can in turn be assessed by inspecting the authenticator's attestation statement.
6.3. Authenticator Operations
A WebAuthn Client MUST connect to an authenticator in order to invoke any of the operations of that authenticator. This connection defines an authenticator session. An authenticator must maintain isolation between sessions. It may do this by only allowing one session to exist at any particular time, or by providing more complicated session management.
The following operations can be invoked by the client in an authenticator session.
6.3.1. Lookup Credential Source by Credential ID Algorithm
The result of looking up a credential id credentialId in an authenticator authenticator is the result of the following algorithm:
-
If authenticator can decrypt credentialId into a public key credential source credSource:
-
Set credSource.id to credentialId.
-
Return credSource.
-
-
For each public key credential source credSource of authenticator’s credentials map:
-
If credSource.id is credentialId, return credSource.
-
-
Return
null
.
6.3.2. The authenticatorMakeCredential Operation
It takes the following input parameters:
- hash
-
The hash of the serialized client data, provided by the client.
- rpEntity
- userEntity
-
The user account’s
PublicKeyCredentialUserEntity
, containing the user handle given by the Relying Party. - requireResidentKey
-
The effective resident key requirement for credential creation, a Boolean value determined by the client.
- requireUserPresence
-
The constant Boolean value
true
, or FALSE whenoptions.
is set tomediation
conditional
and the user agent previously collected consent from the user. - requireUserVerification
-
The effective user verification requirement for credential creation, a Boolean value determined by the client.
- credTypesAndPubKeyAlgs
-
A sequence of pairs of
PublicKeyCredentialType
and public key algorithms (COSEAlgorithmIdentifier
) requested by the Relying Party. This sequence is ordered from most preferred to least preferred. The authenticator makes a best-effort to create the most preferred credential that it can. - excludeCredentialDescriptorList
-
An OPTIONAL list of
PublicKeyCredentialDescriptor
objects provided by the Relying Party with the intention that, if any of these are known to the authenticator, it SHOULD NOT create a new credential. excludeCredentialDescriptorList contains a list of known credentials. - enterpriseAttestationPossible
-
A Boolean value that indicates that individually-identifying attestation MAY be returned by the authenticator.
- attestationFormats
-
A sequence of strings that expresses the Relying Party's preference for attestation statement formats, from most to least preferable. If the authenticator returns attestation, then it makes a best-effort attempt to use the most preferable format that it supports.
- extensions
-
A CBOR map from extension identifiers to their authenticator extension inputs, created by the client based on the extensions requested by the Relying Party, if any.
Note: Before performing this operation, all other operations in progress in the authenticator session MUST be aborted by running the authenticatorCancel operation.
When this operation is invoked, the authenticator MUST perform the following procedure:
-
Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code equivalent to "
UnknownError
" and terminate the operation. -
Check if at least one of the specified combinations of
PublicKeyCredentialType
and cryptographic parameters in credTypesAndPubKeyAlgs is supported. If not, return an error code equivalent to "NotSupportedError
" and terminate the operation. -
For each descriptor of excludeCredentialDescriptorList:
-
If looking up
descriptor.
in this authenticator returns non-null, and the returned item's RP ID and type matchid
rpEntity.
andid
excludeCredentialDescriptorList.
respectively, then collect an authorization gesture confirming user consent for creating a new credential. The authorization gesture MUST include a test of user presence. If the usertype
- confirms consent to create a new credential
-
return an error code equivalent to "
InvalidStateError
" and terminate the operation. - does not consent to create a new credential
-
return an error code equivalent to "
NotAllowedError
" and terminate the operation.
Note: The purpose of this authorization gesture is not to proceed with creating a credential, but for privacy reasons to authorize disclosure of the fact that
descriptor.
is bound to this authenticator. If the user consents, the client and Relying Party can detect this and guide the user to use a different authenticator. If the user does not consent, the authenticator does not reveal thatid
descriptor.
is bound to it, and responds as if the user simply declined consent to create a credential.id
-
-
If requireResidentKey is
true
and the authenticator cannot store a client-side discoverable public key credential source, return an error code equivalent to "ConstraintError
" and terminate the operation. -
If requireUserVerification is
true
and the authenticator cannot perform user verification, return an error code equivalent to "ConstraintError
" and terminate the operation. -
Collect an authorization gesture confirming user consent for creating a new credential.
The prompt for the authorization gesture is shown by the
authenticator if it has its own output capability, or by the user agent otherwise. The prompt SHOULD display
rpEntity.
,id
rpEntity.
,name
userEntity.
andname
userEntity.
, if possible.displayName
If requireUserVerification is
true
, the authorization gesture MUST include user verification.If requireUserPresence is
true
, the authorization gesture MUST include a test of user presence.If the user does not consent or if user verification fails, return an error code equivalent to "
NotAllowedError
" and terminate the operation. -
Once the authorization gesture has been completed and user consent has been obtained, generate a new credential object:
-
Let (publicKey, privateKey) be a new pair of cryptographic keys using the combination of
PublicKeyCredentialType
and cryptographic parameters represented by the first item in credTypesAndPubKeyAlgs that is supported by this authenticator. -
Let userHandle be
userEntity.
.id
-
Let credentialSource be a new public key credential source with the fields:
- type
- privateKey
-
privateKey
- rpId
-
rpEntity.
id
- userHandle
-
userHandle
- otherUI
-
Any other information the authenticator chooses to include.
-
If requireResidentKey is
true
or the authenticator chooses to create a client-side discoverable public key credential source:-
Let credentialId be a new credential id.
-
Set credentialSource.id to credentialId.
-
Let credentials be this authenticator’s credentials map.
-
Set credentials[(
rpEntity.
, userHandle)] to credentialSource.id
-
-
Otherwise:
-
Let credentialId be the result of serializing and encrypting credentialSource so that only this authenticator can decrypt it.
-
-
-
If any error occurred while creating the new credential object, return an error code equivalent to "
UnknownError
" and terminate the operation. -
Let processedExtensions be the result of authenticator extension processing for each supported extension identifier → authenticator extension input in extensions.
-
If the authenticator:
- is a U2F device
-
let the signature counter value for the new credential be zero. (U2F devices may support signature counters but do not return a counter when making a credential. See [FIDO-U2F-Message-Formats].)
- supports a global signature counter
-
Use the global signature counter's actual value when generating authenticator data.
- supports a per credential signature counter
-
allocate the counter, associate it with the new credential, and initialize the counter value as zero.
- does not support a signature counter
-
let the signature counter value for the new credential be constant at zero.
-
Let attestedCredentialData be the attested credential data byte array including the credentialId and publicKey.
-
Let attestationFormat be the first supported attestation statement format identifier from attestationFormats, taking into account enterpriseAttestationPossible. If attestationFormats contains no supported value, then let attestationFormat be the attestation statement format identifier most preferred by this authenticator.
-
Let authenticatorData be the byte array specified in § 6.1 Authenticator Data, including attestedCredentialData as the
attestedCredentialData
and processedExtensions, if any, as theextensions
. -
Create an attestation object for the new credential using the procedure specified in § 6.5.4 Generating an Attestation Object, the attestation statement format attestationFormat, and the values authenticatorData and hash, as well as
taking into account
the value of enterpriseAttestationPossible. For more details on attestation, see § 6.5 Attestation.
On successful completion of this operation, the authenticator returns the attestation object to the client.
6.3.3. The authenticatorGetAssertion Operation
It takes the following input parameters:
- rpId
-
The caller’s RP ID, as determined by the user agent and the client.
- hash
-
The hash of the serialized client data, provided by the client.
- allowCredentialDescriptorList
-
An OPTIONAL list of
PublicKeyCredentialDescriptor
s describing credentials acceptable to the Relying Party (possibly filtered by the client), if any. - requireUserPresence
-
The constant Boolean value
true
. It is included here as a pseudo-parameter to simplify applying this abstract authenticator model to implementations that may wish to make a test of user presence optional although WebAuthn does not. - requireUserVerification
-
The effective user verification requirement for assertion, a Boolean value provided by the client.
- extensions
-
A CBOR map from extension identifiers to their authenticator extension inputs, created by the client based on the extensions requested by the Relying Party, if any.
Note: Before performing this operation, all other operations in progress in the authenticator session MUST be aborted by running the authenticatorCancel operation.
When this method is invoked, the authenticator MUST perform the following procedure:
-
Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code equivalent to "
UnknownError
" and terminate the operation. -
Let credentialOptions be a new empty set of public key credential sources.
-
If allowCredentialDescriptorList was supplied, then for each descriptor of allowCredentialDescriptorList:
-
Let credSource be the result of looking up
descriptor.
in this authenticator.id
-
If credSource is not
null
, append it to credentialOptions.
-
-
Otherwise (allowCredentialDescriptorList was not supplied), for each key → credSource of this authenticator’s credentials map, append credSource to credentialOptions.
-
Remove any items from credentialOptions whose rpId is not equal to rpId.
-
If credentialOptions is now empty, return an error code equivalent to "
NotAllowedError
" and terminate the operation. -
Prompt the user to select a public key credential source selectedCredential from credentialOptions.
Collect an authorization gesture confirming user consent for using selectedCredential.
The prompt for the authorization gesture may be shown
by the authenticator if it has its own output capability, or by the user agent otherwise.
If requireUserVerification is
true
, the authorization gesture MUST include user verification.If requireUserPresence is
true
, the authorization gesture MUST include a test of user presence.If the user does not consent, return an error code equivalent to "
NotAllowedError
" and terminate the operation. -
Let processedExtensions be the result of authenticator extension processing for each supported extension identifier → authenticator extension input in extensions.
-
Increment the credential associated signature counter or the global signature counter value, depending on which approach is implemented by the authenticator, by some positive value. If the authenticator does not implement a signature counter, let the signature counter value remain constant at zero.
-
Let authenticatorData be the byte array specified in § 6.1 Authenticator Data including processedExtensions, if any, as the
extensions
and excludingattestedCredentialData
. -
Let signature be the assertion signature of the concatenation
authenticatorData || hash
using the privateKey of selectedCredential as shown in Figure , below. A simple, undelimited concatenation is safe to use here because the authenticator data describes its own length. The hash of the serialized client data (which potentially has a variable length) is always the last element. -
If any error occurred while generating the assertion signature, return an error code equivalent to "
UnknownError
" and terminate the operation. -
Return to the user agent:
-
selectedCredential.id, if either a list of credentials (i.e., allowCredentialDescriptorList) of length 2 or greater was supplied by the client, or no such list was supplied.
Note: If, within allowCredentialDescriptorList, the client supplied exactly one credential and it was successfully employed, then its credential ID is not returned since the client already knows it. This saves transmitting these bytes over what may be a constrained connection in what is likely a common case.
-
authenticatorData
-
signature
-
selectedCredential.userHandle
Note: In cases where allowCredentialDescriptorList was supplied the returned userHandle value may be
null
, see: userHandleResult.
-
If the authenticator cannot find any credential corresponding to the specified Relying Party that matches the specified criteria, it terminates the operation and returns an error.
6.3.4. The authenticatorCancel Operation
This operation takes no input parameters and returns no result.
When this operation is invoked by the client in an authenticator session, it has the effect of terminating any authenticatorMakeCredential or authenticatorGetAssertion operation currently in progress in that authenticator session. The authenticator stops prompting for, or accepting, any user input related to authorizing the canceled operation. The client ignores any further responses from the authenticator for the canceled operation.
This operation is ignored if it is invoked in an authenticator session which does not have an authenticatorMakeCredential or authenticatorGetAssertion operation currently in progress.
6.3.5. The silentCredentialDiscovery operation
This is an OPTIONAL operation authenticators MAY support to enable conditional
user mediation.
It takes the following input parameter:
- rpId
-
The caller’s RP ID, as determined by the client.
When this operation is invoked, the authenticator MUST perform the following procedure:
-
Let collectedDiscoverableCredentialMetadata be a new list whose items are DiscoverableCredentialMetadata structs with the following items:
- type
- id
- rpId
- userHandle
-
A user handle.
- otherUI
-
Other information used by the authenticator to inform its UI.
-
For each public key credential source credSource of authenticator’s credentials map:
-
If credSource is not a client-side discoverable credential, continue.
-
Let discoveredCredentialMetadata be a new DiscoverableCredentialMetadata struct whose items are copies of credSource’s type, id, rpId, userHandle and otherUI.
-
Append discoveredCredentialMetadata to collectedDiscoverableCredentialMetadata.
-
-
Return collectedDiscoverableCredentialMetadata.
6.4. String Handling
Authenticators may be required to store arbitrary strings chosen by a Relying Party, for example the name
and displayName
in a PublicKeyCredentialUserEntity
. This section discusses some practical consequences of handling arbitrary strings that may be presented to humans.
6.4.1. String Truncation
Each arbitrary string in the API will have some accommodation for the potentially limited resources available to an authenticator. When the chosen accommodation is string truncation, care needs to be taken to not corrupt the string value.
For example, truncation based on Unicode code points alone may cause a grapheme cluster to be truncated. This could make the grapheme cluster render as a different glyph, potentially changing the meaning of the string, instead of removing the glyph entirely. For example, figure shows the end of a UTF-8 encoded string whose encoding is 65 bytes long. If truncating to 64 bytes then the final 0x88 byte is removed first to satisfy the size limit. Since that leaves a partial UTF-8 code point, the remainder of that code point must also be removed. Since that leaves a partial grapheme cluster, the remainder of that cluster should also be removed.
The responsibility for handling these concerns falls primarily on the client, to avoid burdening authenticators with understanding character encodings and Unicode character properties. The following subsections define requirements for how clients and authenticators, respectively, may perform string truncation.
6.4.1.1. String Truncation by Clients
When a WebAuthn Client truncates a string, the truncation behaviour observable by the Relying Party MUST satisfy the following requirements:
Choose a size limit equal to or greater than the specified minimum supported length. The string MAY be truncated so that its length in bytes in the UTF-8 character encoding satisfies that limit. This truncation MUST respect UTF-8 code point boundaries, and SHOULD respect grapheme cluster boundaries [UAX29]. The resulting truncated value MAY be shorter than the chosen size limit but MUST NOT be shorter than the longest prefix substring that satisfies the size limit and ends on a grapheme cluster boundary.
The client MAY let the authenticator perform the truncation if it satisfies these requirements; otherwise the client MUST perform the truncation before relaying the string value to the authenticator.
In addition to the above, truncating on byte boundaries alone causes a known issue that user agents should be aware of: if the authenticator is using [FIDO-CTAP] then future messages from the authenticator may contain invalid CBOR since the value is typed as a CBOR string and thus is required to be valid UTF-8. Thus, when dealing with authenticators, user agents SHOULD:
-
Ensure that any strings sent to authenticators are validly encoded.
-
Handle the case where strings have been truncated resulting in an invalid encoding. For example, any partial code point at the end may be dropped or replaced with U+FFFD.
6.4.1.2. String Truncation by Authenticators
Because a WebAuthn Authenticator may be implemented in a constrained environment, the requirements on authenticators are relaxed compared to those for clients.
When a WebAuthn Authenticator truncates a string, the truncation behaviour MUST satisfy the following requirements:
Choose a size limit equal to or greater than the specified minimum supported length. The string MAY be truncated so that its length in bytes in the UTF-8 character encoding satisfies that limit. This truncation SHOULD respect UTF-8 code point boundaries, and MAY respect grapheme cluster boundaries [UAX29]. The resulting truncated value MAY be shorter than the chosen size limit but MUST NOT be shorter than the longest prefix substring that satisfies the size limit and ends on a grapheme cluster boundary.
6.4.2. Language and Direction Encoding
In order to be correctly displayed in context, the language and base direction of a string may be required. Strings in this API may have to be written to fixed-function authenticators and then later read back and displayed on a different platform. Thus language and direction metadata is encoded in the string itself to ensure that it is transported atomically.
To encode language and direction metadata in a string that is documented as permitting it, suffix its code points with two sequences of code points:
The first encodes a language tag with the code point U+E0001 followed by the ASCII values of the language tag each shifted up by U+E0000. For example, the language tag “en-US” becomes the code points U+E0001, U+E0065, U+E006E, U+E002D, U+E0055, U+E0053.
The second consists of a single code point which is either U+200E (“LEFT-TO-RIGHT MARK”), U+200F (“RIGHT-TO-LEFT MARK”), or U+E007F (“CANCEL TAG”). The first two can be used to indicate directionality but SHOULD only be used when neccessary to produce the correct result. (E.g. an RTL string that starts with LTR-strong characters.) The value U+E007F is a direction-agnostic indication of the end of the language tag.
So the string “حبیب الرحمان” could have two different DOMString values, depending on whether the language was encoded or not. (Since the direction is unambiguous a directionality marker is not needed in this example.)
-
Unadorned string: U+FEA2, U+FE92, U+FBFF, U+FE91, U+20, U+FE8E, U+FEDF, U+FEAE, U+FEA4, U+FEE3, U+FE8E, U+FEE7
-
With language “ar-SA” encoded: U+FEA2, U+FE92, U+FBFF, U+FE91, U+20, U+FE8E, U+FEDF, U+FEAE, U+FEA4, U+FEE3, U+FE8E, U+FEE7, U+E0001, U+E0061, U+E0072, U+E002D, U+E0053, U+E0041, U+E007F
Consumers of strings that may have language and direction encoded should be aware that truncation could truncate a language tag into a different, but still valid, language. The final directionality marker or CANCEL TAG code point provide an unambigous indication of truncation.
6.5. Attestation
Authenticators SHOULD also provide some form of attestation, if possible. If an authenticator does, the basic requirement is that the authenticator can produce, for each credential public key, an attestation statement verifiable by the WebAuthn Relying Party. Typically, this attestation statement contains a signature by an attestation private key over the attested credential public key and a challenge, as well as a certificate or similar data providing provenance information for the attestation public key, enabling the Relying Party to make a trust decision. However, if an attestation key pair is not available, then the authenticator MAY either perform self attestation of the credential public key with the corresponding credential private key, or otherwise perform no attestation. All this information is returned by authenticators any time a new public key credential is generated, in the overall form of an attestation object. The relationship of the attestation object with authenticator data (containing attested credential data) and the attestation statement is illustrated in figure , below.
If an authenticator employs self attestation or no attestation, then no provenance information is provided for the Relying Party to base a trust decision on. In these cases, the authenticator provides no guarantees about its operation to the Relying Party.
packed
attestation statement format. Several additional attestation statement
formats are defined in § 8 Defined Attestation Statement Formats. An important component of the attestation object is the attestation statement. This is a specific type of signed data object, containing statements about a public key credential itself and the authenticator that created it. It contains an attestation signature created using the key of the attesting authority (except for the case of self attestation, when it is created using the credential private key). In order to correctly interpret an attestation statement, a Relying Party needs to understand these two aspects of attestation:
-
The attestation statement format is the manner in which the signature is represented and the various contextual bindings are incorporated into the attestation statement by the authenticator. In other words, this defines the syntax of the statement. Various existing components and OS platforms (such as TPMs and the Android OS) have previously defined attestation statement formats. This specification supports a variety of such formats in an extensible way, as defined in § 6.5.2 Attestation Statement Formats. The formats themselves are identified by strings, as described in § 8.1 Attestation Statement Format Identifiers.
-
The attestation type defines the semantics of attestation statements and their underlying trust models. Specifically, it defines how a Relying Party establishes trust in a particular attestation statement, after verifying that it is cryptographically valid. This specification supports a number of attestation types, as described in § 6.5.3 Attestation Types.
In general, there is no simple mapping between attestation statement formats and attestation types. For example, the "packed" attestation statement format defined in § 8.2 Packed Attestation Statement Format can be used in conjunction with all attestation types, while other formats and types have more limited applicability.
The privacy, security and operational characteristics of attestation depend on:
-
The attestation type, which determines the trust model,
-
The attestation statement format, which MAY constrain the strength of the attestation by limiting what can be expressed in an attestation statement, and
-
The characteristics of the individual authenticator, such as its construction, whether part or all of it runs in a secure operating environment, and so on.
The attestation type and attestation statement format is chosen by the authenticator; Relying Parties can only signal their preferences by setting the attestation
and attestationFormats
parameters.
It is expected that most authenticators will support a small number of attestation types and attestation statement formats, while Relying Parties will decide what attestation types are acceptable to them by policy. Relying Parties will also need to understand the characteristics of the authenticators that they trust, based on information they have about these authenticators. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to access such information.
6.5.1. Attested Credential Data
Attested credential data is a variable-length byte array added to the authenticator data when generating an attestation object for a credential. Its format is shown in Table .
Name | Length (in bytes) | Description |
---|---|---|
aaguid | 16 | The AAGUID of the authenticator. |
credentialIdLength | 2 | Byte length L of credentialId, 16-bit unsigned big-endian integer. Value MUST be ≤ 1023. |
credentialId | L | Credential ID |
credentialPublicKey | variable | The credential public key encoded in COSE_Key format,
as defined in Section 7 of [RFC9052], using the CTAP2 canonical CBOR encoding form.
The COSE_Key-encoded credential public key MUST contain the "alg" parameter and MUST NOT
contain any other OPTIONAL parameters. The "alg" parameter MUST contain a COSEAlgorithmIdentifier value.
The encoded credential public key MUST also contain any additional REQUIRED parameters stipulated by the
relevant key type specification, i.e., REQUIRED for the key type "kty" and algorithm "alg"
(see Section 2 of [RFC9053]).
|
6.5.1.1. Examples of credentialPublicKey
Values Encoded in COSE_Key Format
This section provides examples of COSE_Key-encoded Elliptic Curve and RSA public keys for the ES256, PS256, and RS256 signature algorithms. These examples adhere to the rules defined above for the credentialPublicKey value, and are presented in CDDL [RFC8610] for clarity.
Section 7 of [RFC9052] defines the general framework for all COSE_Key-encoded keys. Specific key types for specific algorithms are defined in [RFC9053] as well as in other specifications, as noted below.
Below is an example of a COSE_Key-encoded Elliptic Curve public key in EC2 format (see Section 7.1 of [RFC9053]), on the P-256 curve, to be used with the ES256 signature algorithm (ECDSA w/ SHA-256, see Section 2.1 of [RFC9053]):
{ 1 : 2 , ; kt y: EC2 keyt ype3 : -7 , ; alg: ES256 signature algorit hm-1 : 1 , ; crv: P-256 curve-2 : x, ; x- coordinate as byte str in g32 bytes in len gt h ; e.g., in hex: 65e da5 a12577 c2 bae829437 fe 338701 a10 aaa375e1 bb5 b5 de108 de439 c08551 d-3 : y ; y- coordinate as byte str in g32 bytes in len gt h ; e.g., in hex: 1e52e d75701163 f 7 f 9e40 ddf 9 f 341 b3 dc9 ba860 af 7e0 ca7 ca7e9ee cd0084 d19 c}
Below is the above Elliptic Curve public key encoded in the CTAP2 canonical CBOR encoding form, whitespace and line breaks are included here for clarity and to match the CDDL [RFC8610] presentation above:
A5 01 02 03 26 20 01 21 58 20 65e da5 a12577 c2 bae829437 fe 338701 a10 aaa375e1 bb5 b5 de108 de439 c08551 d22 58 20 1e52e d75701163 f 7 f 9e40 ddf 9 f 341 b3 dc9 ba860 af 7e0 ca7 ca7e9ee cd0084 d19 c
Below is an example of a COSE_Key-encoded 2048-bit RSA public key (see [RFC8230] Section 4, to be used with the PS256 signature algorithm (RSASSA-PSS with SHA-256, see Section 2 of [RFC8230]:
{ 1 : 3 , ; kt y: RSA keyt ype3 : -37 , ; alg: PS256 -1 : n , ;n : RSA modulusn byte str in g256 bytes in len gt h ; e.g., in hex (middle bytes elidedf or brevit y): DB5 F651550...6 DC6548 ACC3 -2 : e ; e: RSA public exponent e byte str in g3 bytes in len gt h ; e.g., in hex: 010001 }
Below is an example of the same COSE_Key-encoded RSA public key as above, to be used with the RS256 signature algorithm (RSASSA-PKCS1-v1_5 with SHA-256):
{ 1 : 3 , ; kt y: RSA keyt ype3 : -257 , ; alg: RS256 -1 : n , ;n : RSA modulusn byte str in g256 bytes in len gt h ; e.g., in hex (middle bytes elidedf or brevit y): DB5 F651550...6 DC6548 ACC3 -2 : e ; e: RSA public exponent e byte str in g3 bytes in len gt h ; e.g., in hex: 010001 }
6.5.2. Attestation Statement Formats
As described above, an attestation statement format is a data format which represents a cryptographic signature by an authenticator over a set of contextual bindings. Each attestation statement format MUST be defined using the following template:
-
Supported attestation types:
-
Syntax: The syntax of an attestation statement produced in this format, defined using CDDL [RFC8610] for the extension point
$attStmtFormat
defined in § 6.5.4 Generating an Attestation Object. -
Signing procedure: The signing procedure for computing an attestation statement in this format given the public key credential to be attested, the authenticator data structure containing the authenticator data for the attestation, and the hash of the serialized client data.
-
Verification procedure: The procedure for verifying an attestation statement, which takes the following verification procedure inputs:
-
attStmt: The attestation statement structure
-
authenticatorData: The authenticator data claimed to have been used for the attestation
-
clientDataHash: The hash of the serialized client data
The procedure returns either:
-
An error indicating that the attestation is invalid, or
-
An implementation-specific value representing the attestation type, and the trust path. This attestation trust path is either empty (in case of self attestation), or a set of X.509 certificates.
-
The initial list of specified attestation statement formats is in § 8 Defined Attestation Statement Formats.
6.5.3. Attestation Types
WebAuthn supports several attestation types, defining the semantics of attestation statements and their underlying trust models:
Note: This specification does not define any data structures explicitly expressing the attestation types employed by authenticators. Relying Parties engaging in attestation statement verification — i.e., when
calling navigator.credentials.create()
they select an attestation conveyance other than none
and verify the received attestation statement — will determine the employed attestation type as a part of verification. See the "Verification procedure" subsections of § 8 Defined Attestation Statement Formats. See also § 14.4.1 Attestation Privacy. For all attestation types defined in this
section other than Self and None, Relying Party verification is followed by
matching the trust path to an acceptable root certificate per step 24 of § 7.1 Registering a New Credential.
Differentiating these attestation types becomes useful primarily as a means for determining if the attestation is acceptable
under Relying Party policy.
- Basic Attestation (Basic)
-
In the case of basic attestation [UAFProtocol], the authenticator’s attestation key pair is specific to an authenticator "model", i.e., a "batch" of authenticators. Thus, authenticators of the same, or similar, model often share the same attestation key pair. See § 14.4.1 Attestation Privacy for further information.
Basic attestation is also referred to as batch attestation.
- Self Attestation (Self)
-
In the case of self attestation, also known as surrogate basic attestation [UAFProtocol], the Authenticator does not have any specific attestation key pair. Instead it uses the credential private key to create the attestation signature. Authenticators without meaningful protection measures for an attestation private key typically use this attestation type.
- Attestation CA (AttCA)
-
In this case, an authenticator is based on a Trusted Platform Module (TPM) and holds an authenticator-specific "endorsement key" (EK). This key is used to securely communicate with a trusted third party, the Attestation CA [TCG-CMCProfile-AIKCertEnroll] (formerly known as a "Privacy CA"). The authenticator can generate multiple attestation identity key pairs (AIK) and requests an Attestation CA to issue an AIK certificate for each. Using this approach, such an authenticator can limit the exposure of the EK (which is a global correlation handle) to Attestation CA(s). AIKs can be requested for each authenticator-generated public key credential individually, and conveyed to Relying Parties as attestation certificates.
Note: This concept typically leads to multiple attestation certificates. The attestation certificate requested most recently is called "active".
- Anonymization CA (AnonCA)
-
In this case, the authenticator uses an Anonymization CA which dynamically generates per-credential attestation certificates such that the attestation statements presented to Relying Parties do not provide uniquely identifiable information, e.g., that might be used for tracking purposes.
Note: Attestation statements conveying attestations of type AttCA or AnonCA use the same data structure as those of type Basic, so the three attestation types are, in general, distinguishable only with externally provided knowledge regarding the contents of the attestation certificates conveyed in the attestation statement.
- No attestation statement (None)
-
In this case, no attestation information is available. See also § 8.7 None Attestation Statement Format.
6.5.4. Generating an Attestation Object
To generate an attestation object (see: Figure 6) given:
- attestationFormat
- authData
-
A byte array containing authenticator data.
- hash
the authenticator MUST:
-
Let attStmt be the result of running attestationFormat’s signing procedure given authData and hash.
-
Let fmt be attestationFormat’s attestation statement format identifier
-
Return the attestation object as a CBOR map with the following syntax, filled in with variables initialized by this algorithm:
attObj = { authData: bytes, $$attStmtType } attStmtTemplate = ( fmt: text, attStmt: { * tstr => any } ; Map is filled in by each concrete attStmtType ) ; Every attestation statement format must have the above fields attStmtTemplate .within $$attStmtType
6.5.5. Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures
-
For COSEAlgorithmIdentifier -7 (ES256), and other ECDSA-based algorithms, the
sig
value MUST be encoded as an ASN.1 DER Ecdsa-Sig-Value, as defined in [RFC3279] section 2.2.3.Example: 30 44 ; SEQUENCE (68 Bytes) 02 20 ; INTEGER (32 Bytes) | 3d 46 28 7b 8c 6e 8c 8c 26 1c 1b 88 f2 73 b0 9a | 32 a6 cf 28 09 fd 6e 30 d5 a7 9f 26 37 00 8f 54 02 20 ; INTEGER (32 Bytes) | 4e 72 23 6e a3 90 a9 a1 7b cf 5f 7a 09 d6 3a b2 | 17 6c 92 bb 8e 36 c0 41 98 a2 7b 90 9b 6e 8f 13
Note: As CTAP1/U2F authenticators are already producing signatures values in this format, CTAP2 authenticators will also produce signatures values in the same format, for consistency reasons.
It is RECOMMENDED that any new attestation formats defined not use ASN.1 encodings, but instead represent signatures as equivalent fixed-length byte arrays without internal structure, using the same representations as used by COSE signatures as defined in [RFC9053] and [RFC8230].
The below signature format definitions satisfy this requirement and serve as examples for deriving the same for other signature algorithms not explicitly mentioned here:
-
For COSEAlgorithmIdentifier -257 (RS256),
sig
MUST contain the signature generated using the RSASSA-PKCS1-v1_5 signature scheme defined in Section 8.2.1 of [RFC8017] with SHA-256 as the hash function. The signature is not ASN.1 wrapped. -
For COSEAlgorithmIdentifier -37 (PS256),
sig
MUST contain the signature generated using the RSASSA-PSS signature scheme defined in Section 8.1.1 of [RFC8017] with SHA-256 as the hash function. The signature is not ASN.1 wrapped.
7. WebAuthn Relying Party Operations
A registration or authentication ceremony begins with the WebAuthn Relying Party creating a PublicKeyCredentialCreationOptions
or PublicKeyCredentialRequestOptions
object, respectively, which encodes the parameters for the ceremony. The Relying Party SHOULD take care to not leak sensitive information during this stage; see § 14.6.2 Username Enumeration for details.
Upon successful execution of create()
or get()
, the Relying Party's script receives
a PublicKeyCredential
containing an AuthenticatorAttestationResponse
or AuthenticatorAssertionResponse
structure,
respectively, from the client. It must then deliver the contents of this structure to the Relying Party server, using methods outside
the scope of this specification. This section describes the operations that the Relying Party must perform upon receipt of these
structures.
7.1. Registering a New Credential
In order to perform a registration ceremony, the Relying Party MUST proceed as follows:
-
Let options be a new
CredentialCreationOptions
structure configured to the Relying Party's needs for the ceremony. Let pkOptions beoptions.
.publicKey
-
Call
navigator.credentials.create()
and pass options as the argument. Let credential be the result of the successfully resolved promise. If the promise is rejected, abort the ceremony with a user-visible error, or otherwise guide the user experience as might be determinable from the context available in the rejected promise. For example if the promise is rejected with an error code equivalent to "InvalidStateError
", the user might be instructed to use a different authenticator. For information on different error contexts and the circumstances leading to them, see § 6.3.2 The authenticatorMakeCredential Operation. -
Let response be
credential.
. If response is not an instance ofresponse
AuthenticatorAttestationResponse
, abort the ceremony with a user-visible error. -
Let clientExtensionResults be the result of calling
credential.
.getClientExtensionResults()
-
Let JSONtext be the result of running UTF-8 decode on the value of
response.
.clientDataJSON
Note: Using any implementation of UTF-8 decode is acceptable as long as it yields the same result as that yielded by the UTF-8 decode algorithm. In particular, any leading byte order mark (BOM) MUST be stripped.
-
Let C, the client data claimed as collected during the credential creation, be the result of running an implementation-specific JSON parser on JSONtext.
Note: C may be any implementation-specific data structure representation, as long as C’s components are referenceable, as required by this algorithm.
-
Verify that the value of
C.
istype
webauthn.create
. -
Verify that the value of
C.
equals the base64url encoding ofchallenge
pkOptions.
.challenge
- Verify that the value of
C.
is an origin expected by the Relying Party. See § 13.4.9 Validating the origin of a credential for guidance.origin
-
If
C.
is present:topOrigin
-
Verify that the Relying Party expects that this credential would have been created within an iframe that is not same-origin with its ancestors.
-
Verify that the value of
C.
matches the origin of a page that the Relying Party expects to be sub-framed within. See § 13.4.9 Validating the origin of a credential for guidance.topOrigin
-
-
Let hash be the result of computing a hash over
response.
using SHA-256.clientDataJSON
-
Perform CBOR decoding on the
attestationObject
field of theAuthenticatorAttestationResponse
structure to obtain the attestation statement format fmt, the authenticator data authData, and the attestation statement attStmt. -
Verify that the
rpIdHash
in authData is the SHA-256 hash of the RP ID expected by the Relying Party. -
If
options.
is not set tomediation
conditional
, verify that the UP bit of theflags
in authData is set. -
If the Relying Party requires user verification for this registration, verify that the UV bit of the
flags
in authData is set. -
If the BE bit of the
flags
in authData is not set, verify that the BS bit is not set. -
If the Relying Party uses the credential’s backup eligibility to inform its user experience flows and/or policies, evaluate the BE bit of the
flags
in authData. -
If the Relying Party uses the credential’s backup state to inform its user experience flows and/or policies, evaluate the BS bit of the
flags
in authData. -
Verify that the "alg" parameter in the credential public key in authData matches the
alg
attribute of one of the items inpkOptions.
.pubKeyCredParams
-
Verify that the values of the client extension outputs in clientExtensionResults and the authenticator extension
outputs in the
extensions
in authData are as expected, considering the client extension input values that were given inpkOptions.
and any specific policy of the Relying Party regarding unsolicited extensions, i.e., those that were not specified as part ofextensions
pkOptions.
. In the general case, the meaning of "are as expected" is specific to the Relying Party and which extensions are in use.extensions
Note: Client platforms MAY enact local policy that sets additional authenticator extensions or client extensions and thus cause values to appear in the authenticator extension outputs or client extension outputs that were not originally specified as part of
pkOptions.
. Relying Parties MUST be prepared to handle such situations, whether it be to ignore the unsolicited extensions or reject the attestation. The Relying Party can make this decision based on local policy and the extensions in use.extensions
Note: Since all extensions are OPTIONAL for both the client and the authenticator, the Relying Party MUST also be prepared to handle cases where none or not all of the requested extensions were acted upon.
-
Determine the attestation statement format by performing a USASCII case-sensitive match on fmt against the set of supported WebAuthn Attestation Statement Format Identifier values. An up-to-date list of registered WebAuthn Attestation Statement Format Identifier values is maintained in the IANA "WebAuthn Attestation Statement Format Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809].
-
Verify that attStmt is a correct attestation statement, conveying a valid attestation signature, by using the attestation statement format fmt’s verification procedure given attStmt, authData and hash.
Note: Each attestation statement format specifies its own verification procedure. See § 8 Defined Attestation Statement Formats for the initially-defined formats, and [IANA-WebAuthn-Registries] for the up-to-date list.
- If validation is successful, obtain a list of acceptable trust anchors (i.e. attestation root certificates)
for that attestation type and attestation statement format fmt, from a trusted source or from policy. For
example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information, using the
aaguid
in theattestedCredentialData
in authData. -
Assess the attestation trustworthiness using the outputs of the verification procedure in step 22, as follows:
-
If no attestation was provided, verify that None attestation is acceptable under Relying Party policy.
-
If self attestation was used, verify that self attestation is acceptable under Relying Party policy.
-
Otherwise, use the X.509 certificates returned as the attestation trust path from the verification procedure to verify that the attestation public key either correctly chains up to an acceptable root certificate, or is itself an acceptable certificate (i.e., it and the root certificate obtained in step 23 may be the same).
-
-
Verify that the
credentialId
is ≤ 1023 bytes. Credential IDs larger than this many bytes SHOULD cause the RP to fail this registration ceremony. -
Verify that the
credentialId
is not yet registered for any user. If thecredentialId
is already known then the Relying Party SHOULD fail this registration ceremony.NOTE: The rationale for Relying Parties rejecting duplicate credential IDs is as follows: credential IDs contain sufficient entropy that accidental duplication is very unlikely. However, attestation types other than self attestation do not include a self-signature to explicitly prove possession of the credential private key at registration time. Thus an attacker who has managed to obtain a user’s credential ID and credential public key for a site (this could be potentially accomplished in various ways), could attempt to register a victim’s credential as their own at that site. If the Relying Party accepts this new registration and replaces the victim’s existing credential registration, and the credentials are discoverable, then the victim could be forced to sign into the attacker’s account at their next attempt. Data saved to the site by the victim in that state would then be available to the attacker.
-
If the attestation statement attStmt verified successfully and is found to be trustworthy,
then create and store a new credential record in the user account that was denoted in
pkOptions.
, with the following contents:user
- type
-
credential.
.type
- id
-
credential.
orid
credential.
, whichever format is preferred by the Relying Party.rawId
- publicKey
-
The credential public key in authData.
- signCount
-
authData.signCount
. - uvInitialized
- transports
-
The value returned from
response.
.getTransports()
- backupEligible
- backupState
The new credential record MAY also include the following OPTIONAL contents:
- attestationObject
-
response.
.attestationObject
- attestationClientDataJSON
-
response.
.clientDataJSON
-
If the attestation statement attStmt successfully verified but is not trustworthy per step 24 above, the Relying Party SHOULD fail the registration ceremony.
NOTE: However, if permitted by policy, the Relying Party MAY register the credential ID and credential public key but treat the credential as one with self attestation (see § 6.5.3 Attestation Types). If doing so, the Relying Party is asserting there is no cryptographic proof that the public key credential has been generated by a particular authenticator model. See [FIDOSecRef] and [UAFProtocol] for a more detailed discussion.
Verification of attestation objects requires that the Relying Party has a trusted method of determining acceptable trust anchors in step 23 above. Also, if certificates are being used, the Relying Party MUST have access to certificate status informa