2020-06-11 2023-09-13 Specification Required Mike Jones, Giridhar Mandyam packed The "packed" attestation statement format is a WebAuthn-optimized format for attestation. It uses a very compact but still extensible encoding method. This format is implementable by authenticators with limited resources (e.g., secure elements). Web Authentication Section §8.2, Packed Attestation Statement Format tpm The TPM attestation statement format returns an attestation statement in the same format as the packed attestation statement format, although the rawData and signature fields are computed differently. Web Authentication Section §8.3, TPM Attestation Statement Format android-key Platform authenticators on versions "N", and later, may provide this proprietary "hardware attestation" statement. Web Authentication Section §8.4, Android Key Attestation Statement Format android-safetynet Android-based platform authenticators MAY produce an attestation statement based on the Android SafetyNet API. Web Authentication Section §8.5, Android SafetyNet Attestation Statement Format fido-u2f Used with FIDO U2F authenticators Web Authentication Section §8.6, FIDO U2F Attestation Statement Format apple Used with Apple devices' platform authenticators Web Authentication Section §8.8, Apple Anonymous Attestation Statement Format none Used to replace any authenticator-provided attestation statement when a WebAuthn Relying Party indicates it does not wish to receive attestation information. Web Authentication Section §8.7, None Attestation Statement Format Specification Required Mike Jones, Giridhar Mandyam appid This authentication extension allows WebAuthn Relying Parties that have previously registered a credential using the legacy FIDO JavaScript APIs to request an assertion. Web Authentication Section §10.1, FIDO AppID Extension (appid) txAuthSimple This registration extension and authentication extension allows for a simple form of transaction authorization. A WebAuthn Relying Party can specify a prompt string, intended for display on a trusted device on the authenticator Web Authentication Section §10.2, Simple Transaction Authorization Extension (txAuthSimple) txAuthGeneric This registration extension and authentication extension allows images to be used as transaction authorization prompts as well. This allows authenticators without a font rendering engine to be used and also supports a richer visual appearance than accomplished with the webauthn.txauth.simple extension. Web Authentication Section §10.3, Generic Transaction Authorization Extension (txAuthGeneric) authnSel This registration extension allows a WebAuthn Relying Party to guide the selection of the authenticator that will be leveraged when creating the credential. It is intended primarily for WebAuthn Relying Parties that wish to tightly control the experience around credential creation. Web Authentication Section §10.4, Authenticator Selection Extension (authnSel) exts This registration extension enables the WebAuthn Relying Party to determine which extensions the authenticator supports. The extension data is a list (CBOR array) of extension identifiers encoded as UTF-8 Strings. This extension is added automatically by the authenticator. This extension can be added to attestation statements. Web Authentication Section §10.5, Supported Extensions Extension (exts) uvi This registration extension and authentication extension enables use of a user verification index. The user verification index is a value uniquely identifying a user verification data record. The UVI data can be used by servers to understand whether an authentication was authorized by the exact same biometric data as the initial key generation. This allows the detection and prevention of "friendly fraud". Web Authentication Section §10.6, User Verification Index Extension (uvi) loc The location registration extension and authentication extension provides the client device's current location to the WebAuthn Relying Party, if supported by the client platform and subject to user consent. Web Authentication Section §10.7, Location Extension (loc) uvm This registration extension and authentication extension enables use of a user verification method. The user verification method extension returns to the WebAuthn Relying Party which user verification methods (factors) were used for the WebAuthn operation. Web Authentication Section §10.3, User Verification Method Extension (uvm) credProtect This registration extension allows relying parties to specify a credential protection policy when creating a credential. Additionally, authenticators may choose to establish a default credential protection policy greater than userVerificationOptional (the lowest level) and unilaterally enforce such policy. Client to Authenticator Protocol (CTAP) Section §12.1 Credential Protection (credProtect) credBlob This registration extension and authentication extension enables RPs to provide a small amount of extra credential configuration information (the credBlob value) to the authenticator when a credential is made. Client to Authenticator Protocol (CTAP) Section §12.2 Credential Blob (credBlob) largeBlobKey This client platform-only extension provides for storage and retrieval of a per-credential key that is used by the client platform when writing and reading elements in the large-blob array. Client to Authenticator Protocol (CTAP) Section §12.3 Large Blob Key (largeBlobKey) minPinLength This registration extension returns the current minimum PIN length value to the Relying Party. Client to Authenticator Protocol (CTAP) Section §12.4 Minimum PIN Length Extension (minPinLength) hmac-secret This registration extension and authentication extension enables the platform to retrieve a symmetric secret scoped to the credential from the authenticator. Client to Authenticator Protocol (CTAP) Section §12.5 HMAC Secret Extension (hmac-secret) appidExclude This registration extension allows WebAuthn Relying Parties to exclude authenticators that contain specified credentials that were created with the legacy FIDO U2F JavaScript API [FIDOU2FJavaScriptAPI]. Web Authentication Section §10.2, FIDO AppID Exclusion Extension (appidExclude) credProps This client registration extension enables reporting of a newly-created credential's properties, as determined by the client, to the calling WebAuthn Relying Party's web application. Web Authentication Section §10.4, Credential Properties Extension (credProps) largeBlob This client registration extension and authentication extension allows a Relying Party to store opaque data associated with a credential. Web Authentication Section §10.5, Large blob storage extension (largeBlob) payment This extension supports the following functionality defined by the Secure Payment Confirmation API: (1) it allows credential creation in a cross-origin iframe (2) it allows a party other than the Relying Party to use the credential to perform an authentication ceremony on behalf of the Relying Party, and (3) it allows the browser to identify and cache Secure Payment Confirmation credentials. For discussion of important ways in which SPC differs from Web Authentication, see in particular Secure Payment Confirmation §10 Security Considerations and Secure Payment Confirmation §11 Privacy Considerations. Secure Payment Confirmation Section §5, WebAuthn Extension - "payment" W3C Web Authentication Working Group mailto:public-webauthn&w3.org 2022-02-28 W3C Web Payments Working Group mailto:public-payments-wg&w3.org 2023-09-13