index.bs

<pre class='metadata'>
Title: Web Authentication: An API for accessing Scoped Credentials
Status: ED
Prepare for TR: true
TR: https://www.w3.org/TR/webauthn/
ED: https://w3c.github.io/webauthn/
Previous Version: https://www.w3.org/TR/2016/WD-webauthn-20160902/
Previous Version: https://www.w3.org/TR/2016/WD-webauthn-20160531/
Shortname: webauthn
Level: 
Editor: Vijay Bharadwaj, w3cid 55440, Microsoft, vijay.bharadwaj@microsoft.com
Editor: Hubert Le Van Gong, w3cid 84817, PayPal, hlevangong@paypal.com
Editor: Dirk Balfanz, w3cid 47648, Google, balfanz@google.com
Editor: Alexei Czeskis, w3cid 87258, Google, aczeskis@google.com
Editor: Arnar Birgisson, w3cid 87332, Google, arnarb@google.com
Editor: Jeff Hodges, w3cid 43843, PayPal, Jeff.Hodges@paypal.com
Editor: Michael B. Jones, w3cid 38745, Microsoft, mbj@microsoft.com
Editor: Rolf Lindemann, w3cid 84447, Nok Nok Labs, rolf@noknok.com
Editor: J.C. Jones, w3cid 87240, Mozilla, jc@mozilla.com
group: webauthn
Issue Tracking: Github https://github.com/w3c/webauthn/issues
Text Macro: RP Relying Party
Text Macro: RPS Relying Parties
Text Macro: INFORMATIVE <em>This section is not normative.</em>
Text Macro: WAC WebAuthn Client
Ignored Vars: op, alg, type, algorithm
Abstract: This specification defines an API enabling the creation and use of strong, attested, cryptographic scoped credentials 
 by web applications, for the purpose of strongly authenticating users. Conceptually, one or more credentials, each scoped to a
 given Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The
 user agent mediates access to scoped credentials in order to preserve user privacy. Authenticators are responsible for ensuring
 that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to relying
 parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators,
 including their signature and attestation functionality.
Boilerplate: omit conformance, omit feedback-header
Markup Shorthands: css off, markdown on
</pre>


# Introduction # {#intro}

[INFORMATIVE]

This specification defines an API enabling the creation and use of strong, attested, cryptographic <em><a>scoped
credentials</a></em> by web applications, for the purpose of strongly authenticating users. A <a>scoped credential</a> is
created and stored by an <em><a>authenticator</a></em> at the behest of a <em><a>[RP]</a></em>, subject to <em><a>user
consent</a></em>. Subsequently, the scoped credential can only be accessed by web origins belonging to that [RP].
This scoping is enforced jointly by <em><a>conforming User Agents</a></em> and <em><a>authenticators</a></em>. 
Additionally, privacy across <a>[RPS]</a> is maintained; [RPS] are not able to detect any properties, or even
the existence, of credentials scoped to other [RPS].

[RPS] employ the <a>Web Authentication API</a> during two distinct, but related, <a>ceremonies</a> involving a user. The first
is <a>Registration</a>, where a <a>scoped credential</a> is created on an <a>authenticator</a>, and associated by a <a>[RP]</a>
with the present user's account (the account may already exist or may be created at this time). The second is
<a>Authentication</a>, where the <a>[RP]</a> is presented with a <em><a>WebAuthn Assertion</a></em> proving the presence and
consent of the user who registered the <a>scoped credential</a>. Functionally, the <a>Web Authentication API</a> comprises two
methods (along with associated data structures): <a>makeCredential()</a> and <a>getAssertion()</a>. The former is used during
<a>Registration</a> and the latter during <a>Authentication</a>.

Broadly, compliant <a>authenticators</a> protect <a>scoped credentials</a>, and
interact with user agents to implement the <a>Web Authentication API</a>. Some
authenticators may run on the same computing device (e.g., smart phone, tablet,
desktop PC) as the user agent is running on. For instance, such an authenticator
might consist of a Trusted Execution Environment (TEE) applet, a Trusted
Platform Module (TPM), or a Secure Element (SE) integrated into the computing
device in conjunction with some means for <a>user verification</a>, along with
appropriate platform software to mediate access to these components'
functionality. Other authenticators may operate autonomously from the computing
device running the user agent, and be accessed over a transport such as
Universal Serial Bus (USB), Bluetooth Low Energy (BLE) or Near Field
Communications (NFC).


## Use Cases ## {#use-cases}

The below use case scenarios illustrate use of two very different types of <a>authenticators</a>, as well as outline further
scenarios. Additional scenarios, including sample code, are given later in [[#sample-scenarios]].

### Registration ### {#usecase-registration}

- On a phone:
    * User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using
        (possibly a legacy method such as a password), or creates a new account.
    * The phone prompts, "Do you want to register this device with example.com?"
    * User agrees.
    * The phone prompts the user for a previously configured <a>authorization gesture</a> (PIN, biometric, etc.); the user
        provides this.
    * Website shows message, "Registration complete."


### Authentication ### {#usecase-authentication}

- On a laptop:
    * User navigates to example.com in a browser, sees an option to "Sign in with your phone."
    * User chooses this option and gets a message from the browser, "Please complete this action on your phone."

- Next, on their phone:
    * User sees a discreet prompt or notification, "Sign in to example.com."
    * User selects this prompt / notification.
    * User is shown a list of their example.com identities, e.g., "Sign in as Alice / Sign in as Bob."
    * User picks an identity, is prompted for an <a>authorization gesture</a> (PIN, biometric, etc.) and provides this.

- Now, back on the laptop:
    * Web page shows that the selected user is signed-in, and navigates to the signed-in page.


### Other use cases and configurations ### {#other-configurations}

A variety of additional use cases and configurations are also possible, including (but not limited to):

- User navigates to example.com on their laptop, is guided through a flow to create and register a credential on their phone.

- A [RP] prompts the user for their <a>authorization gesture</a> in order to authorize a single transaction, such as a payment 
    or other financial transaction.

# Conformance # {#conformance}

This specification defines criteria for a <a>Conforming User Agent</a>: A User Agent MUST behave as described in this
specification in order to be considered conformant. <a>Conforming User Agents</a> MAY implement algorithms given in this
specification in any way desired, so long as the end result is indistinguishable from the result that would be obtained by the
specification's algorithms. A conforming User Agent MUST also be a conforming implementation of the IDL fragments of this
specification, as described in the “Web IDL” specification. [[!WebIDL-1]]

This specification also defines a model of a conformant <a>authenticator</a> (see [[#authenticator-model]]). This is a set of
functional and security requirements for an authenticator to be usable by a <a>Conforming User Agent</a>. As described in
[[#use-cases]], an authenticator may be implemented in the operating system underlying the User Agent, or in external hardware,
or a combination of both.


## Dependencies ## {#dependencies}

This specification relies on several other underlying specifications.

: HTML5
:: The concept of <dfn for='web'>origin</dfn> and the <dfn>Navigator</dfn> interface are defined in [[!HTML5]].

: Web IDL
:: Many of the interface definitions and all of the IDL in this specification depend on [[!WebIDL-1]]. This updated version of
    the Web IDL standard adds support for <dfn>Promises</dfn>, which are now the preferred mechanism for asynchronous
    interaction in all new web APIs.

: DOM
:: <dfn>DOMException</dfn> and the DOMException values used in this specification are defined in [[!DOM4]].

: Web Cryptography API
:: The <dfn dictionary>AlgorithmIdentifier</dfn> type and the method for normalizing an algorithm are defined in
    [[WebCryptoAPI#algorithm-dictionary]].
:: The <dfn dictionary>CryptoKey</dfn> type for representing cryptographic keys is defined in
    [[WebCryptoAPI#cryptokey-interface]].
:: The <dfn dictionary>JsonWebKey</dfn> dictionary for representing cryptographic keys is defined in
    [[WebCryptoAPI#JsonWebKey-dictionary]].

: Base64url encoding
:: The term <dfn>Base64url Encoding</dfn> refers to the base64 encoding using the URL- and filename-safe character set defined
    in Section 5 of [[!RFC4648]], with all trailing '=' characters omitted (as permitted by Section 3.2) and without the
    inclusion of any line breaks, whitespace, or other additional characters. This is the same encoding as used by JSON Web
    Signature (JWS) [[RFC7515]].

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[[!RFC2119]].


# Terminology # {#terminology}

: <dfn>ASCII case-insensitive match</dfn>
:: A method of testing two strings for equality by comparing them exactly, code point for code point, except that the codepoints
    in the range U+0041 .. U+005A (i.e. LATIN CAPITAL LETTER A to LATIN CAPITAL LETTER Z) and the corresponding codepoints in
    the range U+0061 .. U+007A (i.e. LATIN SMALL LETTER A to LATIN SMALL LETTER Z) are also considered to match.

: <dfn>Assertion</dfn>
:: See <a>WebAuthn Assertion</a>.

: <dfn>Attestation</dfn>
:: Generally, a statement that serves to bear witness, confirm, or authenticate. 
    In the WebAuthn context, attestation is employed to attest to the provenance of an authenticator and the data it emits; 
    including, for example: credential IDs, public keys, signature counters, etc. 
    See also <a>attestation format</a>, and <a>attestation type</a>. 

: <dfn>Attestation Certificate</dfn>
:: A X.509 Certificate for a key pair used by an <a>Authenticator</a> to attest to its manufacture and capabilities. The
    <a>Authenticator</a> uses the attestation private key to sign the <a>[RP]</a>-specific public key (and additional data) it
    generates and returns upon invocation via the <a>authenticatorMakeCredential</a> operation.

: <dfn>Authentication</dfn>
:: The <a>ceremony</a> where a user, and the user's computing device(s) (containing at least one <a>authenticator</a>) work in
	concert to cryptographically prove to an <a>[RP]</a> that the user controls the private key associated with a
	previously-registered <a>scoped credential</a> (see <a>Registration</a>). Note that this includes employing <a>user
	verification</a>.

: <dfn>Authenticator</dfn>
:: A cryptographic device used by a <a>[WAC]</a> to (i) generate a <a>scoped credential</a> and register it with a <a>[RP]</a>,
	and (ii) subsequently used to cryptographically sign and return, in the form of an <a>WebAuthn Assertion</a>, a challenge
	and other data presented by a <a>[RP]</a> (in concert with the <a>[WAC]</a>) in order to effect authentication.

: <dfn>Authorization Gesture</dfn>
:: Essentially the same as <a>user verification</a>.

: <dfn>Ceremony</dfn>
:: The concept of a ceremony [[Ceremony]] is an extension of the concept of a network protocol, with human nodes alongside
	computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects
	that carry data. What is out-of-band to a protocol is in-band to a ceremony. In this specification, <a>Registration</a>,
	<a>Authentication</a>, and <a>user verification</a> are ceremonies.
    
: <dfn>Client</dfn>
:: See <a>Conforming User Agent</a>.

: <dfn>Conforming User Agent</dfn>
:: A user agent implementing, in conjunction with the underlying platform, the <a>Web Authentication API</a> and algorithms
	given in this specification, and handling communication between <a>Authenticators</a> and <a>[RPS]</a>.

: <dfn>eTLD+1</dfn>
:: Also known as a <em>Registered Domain</em> [[PSL]], an eTLD+1 is an <em>effective Top-Level Domain Name</em> (eTLD), plus the
	next domain name label, proceeding from right to left. An eTLD is also known as a <em>public suffix</em> [[RFC7719]].

: <dfn>Registration</dfn>
:: The <a>ceremony</a> where a user, a <a>[RP]</a>, and the user's computing device(s) (containing at least one
	<a>authenticator</a>) work in concert to create a <a>scoped credential</a> and associate it with the user's <a>[RP]</a>
	account. Note that this includes employing <a>user verification</a>.

: <dfn>[RP]</dfn>
:: The entity whose web application utilizes the <a>Web Authentication API</a> to register and authenticate users. See
    <a>Registration</a> and <a>Authentication</a>, respectively.

    Note: While the term [RP] is used in other contexts (e.g., X.509 and OAuth), an entity acting as a [RP] in one context is
        not necessarily a [RP] in others.

: <dfn>Relying Party Identifier</dfn>
: <dfn>RP ID</dfn>
:: A Relying Party Identifier is derived from a <a>[RP]</a>'s web origin's hostname by computing the hostname's <a>eTLD+1</a>. 

: <dfn>Scoped Credential</dfn>
:: Generically, a credential is data one entity presents to another in order to authenticate the former's identity [[RFC4949]].
	A WebAuthn <em><a>scoped credential</a></em> is a <code>{ identifier, type }</code> pair identifying authentication
	information established by the authenticator and the [RP], together, at <a>registration</a> time. 
	The authentication information consists of an asymmetric key pair, where the public key portion is returned to the [RP]. who
	stores it in conjunction with the present user's account.
	The authenticator maps the private key to the [RP]'s <a>RP ID</a> and stores it. 
	Subsequently, only that [RP], as identified by its <a>RP ID</a>, is able to employ the <a>scoped credential</a> in 
	<a>authentication</a> ceremonies, via the <a>getAssertion()</a> method. 
	The [RP] uses its copy of the stored public key to verify the resultant <a>WebAuthn Assertion</a>.


: <dfn>User Consent</dfn>
:: User consent means the user agrees with what they are being asked, i.e., it encompasses reading and understanding prompts.
	<a>User verification</a> encompasses the means employed by the user to indicate consent.

: <dfn>User Verification</dfn>
:: The process by which an <a>authenticator</a> <em>locally authorizes</em> the invocation of the
	<a>authenticatorMakeCredential</a> and <a>authenticatorGetAssertion</a> operations, for example through a touch plus pin
	code, a password, a gesture (e.g., presenting a fingerprint), or other modality. Note that invocation of said operations
	implies use of key material managed by the authenticator.

: <dfn>WebAuthn Assertion</dfn>
:: The cryptographically signed {{WebAuthnAssertion}} object returned by an <a>authenticator</a> as the result of a
	<a>authenticatorGetAssertion</a> operation.

: <dfn>[WAC]</dfn>
:: See <a>Conforming User Agent</a>.




# <dfn>Web Authentication API</dfn> # {#api}

This section normatively specifies the API for creating and using scoped credentials. Support for deleting credentials is 
deliberately omitted; this is expected to be done through platform-specific user interfaces rather than from a script. The basic 
idea is that the credentials belong to the user and are managed by an authenticator, with which the [RP] interacts through the 
client (consisting of the browser and underlying OS platform). Scripts can (with the user's consent) request the browser to 
create a new credential for future use by the [RP]. Scripts can also request the user’s permission to perform authentication 
operations with an existing credential. All such operations are performed in the authenticator and are mediated by the browser 
and/or platform on the user's behalf. At no point does the script get access to the credentials themselves; it only gets 
information about the credentials in the form of objects. 

The security properties of this API are provided by the client and the authenticator working together. The authenticator, which
holds and manages credentials, ensures that all operations are scoped to a particular web origin, and cannot be replayed against
a different origin, by incorporating the origin in its responses. Specifically, as defined in [[#signature-format]], the full
origin of the requester is included, and signed over, in the attestation statement produced when a new credential is created as
well as in all assertions produced by WebAuthn credentials.

Additionally, to maintain user privacy and prevent malicious [RPS] from probing for the presence of credentials belonging to
other [RPS], each credential is also associated with a Relying Party Identifier, or RP ID. This RP ID is provided by the client
to the authenticator for all operations, and the authenticator ensures that credentials created by a [RP] can only be used in
operations requested by the same RP ID. Separating the origin from the RP ID in this way allows the API to be used in cases
where a single [RP] maintains multiple web origins.

The client facilitates these security measures by providing correct web origins and RP IDs to the authenticator for each
operation. Since this is an integral part of the WebAuthn security model, user agents MUST only expose this API to callers in
<dfn>secure contexts</dfn>, as defined in [[secure-contexts]].

The Web Authentication API is defined by the union of the Web IDL fragments presented in the following sections. A combined IDL listing is given in the [[#idl-index]]. The API is defined as a part of the Navigator interface:


<pre class="idl">
    partial interface Navigator {
        readonly attribute WebAuthentication authentication;
    };
</pre>


## <dfn interface>WebAuthentication</dfn> Interface ## {#iface-credential}

<pre class="idl">
    interface WebAuthentication {
        Promise < ScopedCredentialInfo > makeCredential (
            Account                                 accountInformation,
            sequence < ScopedCredentialParameters > cryptoParameters,
            BufferSource                            attestationChallenge,
            optional CredentialOptions              options
        );

        Promise < WebAuthnAssertion > getAssertion (
            BufferSource               assertionChallenge,
            optional AssertionOptions  options
        );
    };
</pre>

This interface has two methods, which are described in the following subsections.


### Create a new credential (<dfn method for="WebAuthentication">makeCredential()</dfn> method) ### {#makeCredential}

With this method, a script can request the User Agent to create a new credential of a given type and persist it to the
underlying platform, which may involve data storage managed by the browser or the OS. The user agent will prompt the user to
approve this operation. On success, the promise will be resolved with a {{ScopedCredentialInfo}} object describing the newly
created credential.

This method takes the following parameters:

- The <dfn>accountInformation</dfn> parameter specifies information about the user account for which the credential is being
    created. This is meant for later use by the authenticator when it needs to prompt the user to select a credential.

- The <dfn>cryptoParameters</dfn> parameter supplies information about the desired properties of the credential to be created.
    The sequence is ordered from most preferred to least preferred. The platform makes a best effort to create the most
    preferred credential that it can.

- The <dfn>attestationChallenge</dfn> parameter contains a challenge intended to be used for generating the attestation
    statement of the newly created credential.

- The optional <dfn dfn-for="makeCredential()">options</dfn> parameter specifies additional options, as described in
    [[#credential-options]].

When this method is invoked, the user agent MUST execute the following algorithm:

1. If {{CredentialOptions/timeoutSeconds}} was specified, check if its value lies within a reasonable range as defined by the
    platform and if not, correct it to the closest value lying within that range. Set |adjustedTimeout| to this adjusted value.
    If {{CredentialOptions/timeoutSeconds}} was not specified, then set |adjustedTimeout| to a platform-specific default.

2. Let |promise| be a new <a data-lt="Promises">Promise</a>. Return |promise| and start a timer for |adjustedTimeout| seconds.
    Then asynchronously continue executing the following steps.

3. Set |callerOrigin| to the <a link-for='web'>origin</a> of the caller. Derive the RP ID from |callerOrigin| by computing the
    "public suffix + 1" or "PS+1" (which is also referred to as the "Effective Top-Level Domain plus One" or "<a>eTLD+1</a>")
    part of |callerOrigin| [[PSL]]. Let |rpId| be the lowercase form of this RP ID. Set |rpIdHash| to the SHA-256 hash of the
    UTF-8 encoding of |rpId|.

4. Process each element of <a>cryptoParameters</a> using the following steps, to produce a new sequence `normalizedParameters`:
    - Let |current| be the currently selected element of <a>cryptoParameters</a>.
    - If `current.type` does not contain a {{CredentialType}} supported by this implementation, then stop processing |current|
        and move on to the next element in <a>cryptoParameters</a>.
    - Let `normalizedAlgorithm` be the result of normalizing an algorithm using the procedure defined in [[!WebCryptoAPI]],
        with |alg| set to `current.algorithm` and |op| set to 'generateKey'. If an error occurs during this procedure, then
        stop processing |current| and move on to the next element in <a>cryptoParameters</a>.
    - Add a new object of type {{ScopedCredentialParameters}} to `normalizedParameters`, with |type| set to `current.type` and
        |algorithm| set to `normalizedAlgorithm`.

5. If <a>excludeList</a> is undefined, set it to the empty list.

6. If {{CredentialOptions/extensions}} was specified, process any extensions supported by this client platform, to produce the
    extension data that needs to be sent to the authenticator. Call this data |clientExtensions|.

7. Use {{attestationChallenge}}, |callerOrigin| and |rpId|, along with the token binding key associated with |callerOrigin| (if
    any), to create a {{ClientData}} structure representing this request. Choose a hash algorithm for {{ClientData/hashAlg}} and
    compute the <a>clientDataJSON</a> and <a>clientDataHash</a>.
    
8. Initialize |issuedRequests| to an empty list.

9. For each authenticator currently available on this platform: asynchronously invoke the <a>authenticatorMakeCredential</a>
    operation on that authenticator with |rpIdHash|, <a>clientDataHash</a>, <a>accountInformation</a>, `normalizedParameters`,
    <a>excludeList</a> and |clientExtensions| as parameters. Add a corresponding entry to |issuedRequests|.

10. While |issuedRequests| is not empty, perform the following actions depending upon the |adjustedTimeout| timer and responses
    from the authenticators:
    - If the |adjustedTimeout| timer expires, then for each entry in |issuedRequests| invoke the <a>authenticatorCancel</a>
        operation on that authenticator and remove its entry from the list.
    - If any authenticator returns a status indicating that the user cancelled the operation, delete that authenticator's
        entry from |issuedRequests|. For each remaining entry in |issuedRequests| invoke the <a>authenticatorCancel</a>
        operation on that authenticator and remove its entry from the list.
    - If any authenticator returns an error status, delete the corresponding entry from |issuedRequests|.
    - If any authenticator indicates success:
        - Remove this authenticator's entry from |issuedRequests|.
        - Create a new {{ScopedCredentialInfo}} object named |value| and populate its fields with the values returned from the
            authenticator as well as the <a>clientDataJSON</a> computed earlier.
        - For each remaining entry in |issuedRequests| invoke the <a>authenticatorCancel</a> operation on that authenticator and
            remove its entry from the list.
        - Resolve |promise| with |value| and terminate this algorithm.

10. Resolve |promise| with a <a>DOMException</a> whose name is "NotFoundError", and terminate this algorithm.

During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator.


### Use an existing credential (<dfn method for="WebAuthentication">getAssertion()</dfn> method) ### {#getAssertion}

This method is used to discover and use an existing scoped credential, with the user's consent. The script optionally specifies
some criteria to indicate what credentials are acceptable to it. The user agent and/or platform locates credentials matching the
specified criteria, and guides the user to pick one that the script should be allowed to use. The user may choose not to provide
a credential even if one is present, for example to maintain privacy.

This method takes the following parameters:

- The <dfn>assertionChallenge</dfn> parameter contains a challenge that the selected authenticator is expected to sign to
    produce the assertion.

- The optional <dfn dfn-for="getAssertion()">options</dfn> parameter specifies additional options, as described in
    [[#assertion-options]].

When this method is invoked, the user agent MUST execute the following algorithm:

1. If {{AssertionOptions/timeoutSeconds}} was specified, check if its value lies within a reasonable range as defined by the
    platform and if not, correct it to the closest value lying within that range. Set |adjustedTimeout| to this adjusted value.
    If {{AssertionOptions/timeoutSeconds}} was not specified, then set |adjustedTimeout| to a platform-specific default.

2. Let |promise| be a new <a data-lt="Promises">Promise</a>. Return |promise| and start a timer for |adjustedTimeout| seconds.
    Then asynchronously continue executing the following steps.

3. Set |callerOrigin| to the <a link-for='web'>origin</a> of the caller. Derive the RP ID from |callerOrigin| by computing the
    "public suffix + 1" or "PS+1" (which is also referred to as the "Effective Top-Level Domain plus One" or "<a>eTLD+1</a>")
    part of |callerOrigin| [[PSL]]. Let |rpId| be the lowercase form of this RP ID. Set |rpIdHash| to the SHA-256 hash of the
    UTF-8 encoding of |rpId|.

4. If {{AssertionOptions/extensions}} was specified, process any extensions supported by this client platform, to produce the
    extension data that needs to be sent to the authenticator. Call this data |clientExtensions|.

5. Use {{assertionChallenge}}, |callerOrigin| and |rpId|, along with the token binding key associated with |callerOrigin| (if
    any), to create a {{ClientData}} structure representing this request. Choose a hash algorithm for {{ClientData/hashAlg}} and
    compute the <a>clientDataJSON</a> and <a>clientDataHash</a>.
    
6. Initialize |issuedRequests| to an empty list.

7. For each authenticator currently available on this platform, perform the following steps:
    - If <a>allowList</a> is undefined or empty, let |credentialList| be an empty list. Otherwise, execute a platform-specific
        procedure to determine which, if any, credentials listed in <a>allowList</a> might be present on this authenticator, and
        set |credentialList| to this filtered list. If no such filtering is possible, set |credentialList| to an empty list.
    - If the above filtering process concludes that none of the credentials on <a>allowList</a> can possibly be on this
        authenticator, do not perform any of the following steps for this authenticator, and proceed to the next authenticator
        (if any).
    - Asynchronously invoke the <a>authenticatorGetAssertion</a> operation on this authenticator with |rpIdHash|,
        <a>clientDataHash</a>, |credentialList|, and |clientExtensions| as parameters.
    - Add an entry to |issuedRequests|, corresponding to this request.

8. While |issuedRequests| is not empty, perform the following actions depending upon the |adjustedTimeout| timer and responses
    from the authenticators:
    - If the timer for |adjustedTimeout| expires, then for each entry in |issuedRequests| invoke the <a>authenticatorCancel</a>
        operation on that authenticator and remove its entry from the list.
    - If any authenticator returns a status indicating that the user cancelled the operation, delete that authenticator's entry
        from |issuedRequests|. For each remaining entry in |issuedRequests| invoke the <a>authenticatorCancel</a> operation on
        that authenticator, and remove its entry from the list.
    - If any authenticator returns an error status, delete the corresponding entry from |issuedRequests|.
    - If any authenticator returns success:
        - Remove this authenticator's entry from |issuedRequests|.
        - Create a new {{WebAuthnAssertion}} object named |value| and populate its fields with the values returned from the
            authenticator as well as the <a>clientDataJSON</a> computed earlier.
        - For each remaining entry in |issuedRequests| invoke the <a>authenticatorCancel</a> operation on that authenticator and
            remove its entry from the list.
        - Resolve |promise| with |value| and terminate this algorithm.

9. Resolve |promise| with a <a>DOMException</a> whose name is "NotFoundError", and terminate this algorithm.

During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator with which to complete the operation.


## <dfn interface>ScopedCredentialInfo</dfn> Interface ## {#iface-credentialInfo}

<pre class="idl">
    interface ScopedCredentialInfo {
        readonly attribute Credential           credential;
        readonly attribute CryptoKey            publicKey;
        readonly attribute WebAuthnAttestation  attestation;
    };
</pre>

<div dfn-for="ScopedCredentialInfo">
    This interface represents a newly-created scoped credential. It contains information about the credential that can be used
    to locate it later for use, and also contains metadata that can be used by the <a>[RP]</a> to assess the strength of the
    credential during registration.

    The <dfn>credential</dfn> attribute contains a unique identifier for the credential represented by this object.

    The <dfn>publicKey</dfn> attribute contains the public key associated with the credential, represented as a
    CryptoKey object as defined in [[WebCryptoAPI#cryptokey-interface]].

    The <dfn>attestation</dfn> attribute contains a key attestation statement returned by the authenticator. This provides
    information about the credential and the authenticator it is held in, such as the level of security assurance provided by
    the authenticator.
</div>


## User Account Information (dictionary <dfn dictionary>Account</dfn>) ## {#iface-account}

<pre class="idl">
    dictionary Account {
        required DOMString rpDisplayName;
        required DOMString displayName;
        DOMString          name;
        DOMString          id;
        DOMString          imageURL;
    };
</pre>



<div dfn-for="Account">
    This dictionary is used by the caller to specify information about the user account and <a>[RP]</a> with which a credential
    is to be associated. It is intended to help the authenticator in providing a friendly credential selection interface for the
    user.

    The <dfn>rpDisplayName</dfn> member contains the friendly name of the [RP], such as "Acme Corporation", "Widgets Inc" or
    "Awesome Site".

    The <dfn>displayName</dfn> member contains the friendly name associated with the user account by the [RP], such as "John P.
    Smith".

    The <dfn>name</dfn> member contains a detailed name for the account, such as "john.p.smith@example.com".

    The <dfn>id</dfn> member contains an identifier for the account, stored for the use of the [RP]. This is not meant to be
    displayed to the user.

    The <dfn>imageURL</dfn> member contains a URL that resolves to the user's account image. This may be a URL that can be used
    to retrieve an image containing the user's current avatar, or a data URI that contains the image data.
</div>


## Parameters for Credential Generation (dictionary <dfn dictionary>ScopedCredentialParameters</dfn>) ## {#credential-params}

<pre class="idl">
    dictionary ScopedCredentialParameters {
        required CredentialType        type;
        required AlgorithmIdentifier   algorithm;
    };
</pre>

<div dfn-for="ScopedCredentialParameters">
    This dictionary is used to supply additional parameters when creating a new credential.

    The <dfn>type</dfn> member specifies the type of credential to be created.

    The <dfn>algorithm</dfn> member specifies the cryptographic signature algorithm with which the newly generated credential
    will be used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.
</div>


## Additional options for Credential Generation (dictionary <dfn dictionary>CredentialOptions</dfn>) ## {#credential-options}

<pre class="idl">
    dictionary CredentialOptions {
        unsigned long                       timeoutSeconds;
        sequence < CredentialDescription >  excludeList;
        WebAuthnExtensions                  extensions;
    };
</pre>


<div dfn-for="CredentialOptions">
    This dictionary is used to supply additional options when creating a new credential. All these parameters are optional.

    - The <dfn>timeoutSeconds</dfn> parameter specifies a time, in seconds, that the caller is willing to wait for the call to
        complete. This is treated as a hint, and may be overridden by the platform.

    - The <dfn>excludeList</dfn> parameter is intended for use by <a>[RPS]</a> that wish to limit the creation of multiple
        credentials for the same account on a single authenticator. The platform is requested to return an error if the new
        credential would be created on an authenticator that also contains one of the credentials enumerated in this parameter.

    - The <dfn>extensions</dfn> parameter contains additional parameters requesting additional processing by the client and
        authenticator. For example, the caller may request that only authenticators with certain capabilities be used to create
        the credential, or that additional information be returned in the attestation statement. Alternatively, the caller may
        specify an additional message that they would like the authenticator to display to the user. Extensions are defined in
        [[#extensions]].
</div>


## WebAuthn Assertion (interface <dfn interface>WebAuthnAssertion</dfn>) ## {#iface-assertion}

<pre class="idl">
    interface WebAuthnAssertion {
        readonly attribute Credential  credential;
        readonly attribute ArrayBuffer clientData;
        readonly attribute ArrayBuffer level2Data;
        readonly attribute ArrayBuffer signature;
    };
</pre>

Scoped credentials produce a cryptographic signature that provides proof of possession of a private key as well as evidence of
user consent to a specific transaction. The structure of these signatures is defined as follows.

<div dfn-for="WebAuthnAssertion">
    The <dfn>credential</dfn> member represents the credential that was used to generate this assertion.

    The <dfn>clientData</dfn> member contains the parameters sent to the authenticator by the client, in serialized form. See
    [[#sec-client-data]] for the format of this parameter and how it is generated.

    The <b><em>level2Data</em></b> member contains the serialized data returned by the authenticator. See
    [[#sec-authenticator-data]].

    The <dfn>signature</dfn> member contains the raw signature returned from the authenticator. See
    [[#authenticator-signature]].
</div>


## Additional options for Assertion Generation (dictionary <dfn dictionary>AssertionOptions</dfn>) ## {#assertion-options}

<pre class="idl">
    dictionary AssertionOptions {
        unsigned long                      timeoutSeconds;
        sequence < CredentialDescription > allowList;
        WebAuthnExtensions                 extensions;
    };
</pre>

<div dfn-for="AssertionOptions">
    This dictionary is used to supply additional options when generating an assertion. All these parameters are optional.

    - The optional <dfn>timeoutSeconds</dfn> parameter specifies a time, in seconds, that the caller is willing to wait for the
        call to complete. This is treated as a hint, and may be overridden by the platform.

    - The optional <dfn>allowList</dfn> member contains a list of credentials acceptable to the caller, in order of the caller's
        preference.

    - The optional <dfn>extensions</dfn> parameter contains additional parameters requesting additional processing by the client
        and authenticator. For example, if transaction confirmation is sought from the user, then the prompt string would be
        included in an extension. Extensions are defined in a companion specification.
</div>


## WebAuthn Assertion Extensions (dictionary <dfn dictionary>WebAuthnExtensions</dfn>) ## {#iface-assertion-extensions}

<pre class="idl">
    dictionary WebAuthnExtensions {
    };
</pre>

This is a dictionary containing zero or more extensions as defined in [[#extensions]]. An extension is an additional parameter
that can be passed to the <a>getAssertion()</a> method and triggers some additional processing by the client platform and/or the
authenticator.

If the caller wants to pass extensions to the platform, it SHOULD do so by adding one entry per extension to this dictionary
with the extension identifier as the key, and the extension's value as the value (see [[#signature-format]] for details).


## Credential Attestation Statement (interface <dfn interface>WebAuthnAttestation</dfn>) ## {#iface-attestation}

<pre class="idl">
    interface WebAuthnAttestation {
        readonly    attribute USVString     format;
        readonly    attribute ArrayBuffer   clientData;
        readonly    attribute ArrayBuffer   level2Data; // was authenticatorData
        readonly    attribute any           level1Data;  // was statement
    };
</pre>

Authenticators also provide some form of attestation. The basic requirement is that the authenticator can produce, for each
credential public key, attestation information that can be verified by a <a>[RP]</a>. Typically, this information contains a
signature by an attesting key over the attested public key and a challenge, as well as a certificate or similar information
providing provenance information for the attesting key, enabling a trust decision to be made.

<div dfn-for="WebAuthnAttestation">
    The <dfn>format</dfn> member specifies the format of attestation level1Data contained in this structure. Attestation formats
    are defined in [[#attestation-formats]]. This specification supports a number of attestation formats, in
    [[#defined-attestation-formats]]. Other attestation formats may be defined in later versions of this specification.

    The <dfn>clientData</dfn> member contains the <a>clientDataJSON</a> (see [[#signature-format]]). The exact JSON encoding
    must be preserved as the hash (<a>clientDataHash</a>) has been computed over it.

    The <b><em>level2Data</em></b> member contains the serialized data returned by the authenticator. See
    [[#sec-authenticator-data]].

    The <dfn>level1Data</dfn> element contains the actual attestation statement. The structure of this object depends on the
    attestation format. For more details, see [[#cred-attestation-stmts]].
</div>

This attestation statement is delivered to the <a>[RP]</a> by the [RP]'s script running on the client, using methods outside
the scope of this specification. It contains all the information that the [RP]'s server requires to validate the level1Data, as
well as to decode and validate the bindings of both the client and authenticator data.


## Supporting Data Structures ## {#supporting-data-structures}

The scoped credential type uses certain data structures that are specified in supporting specifications. These are as follows.


### Client data used in WebAuthn signatures (dictionary <dfn dictionary>ClientData</dfn>) ### {#sec-client-data}

The client data represents the contextual bindings of both the [RP] and the client platform. It is a key-value mapping with
string-valued keys. Values may be any type that has a valid encoding in JSON. Its structure is defined by the following Web IDL.

<pre class="idl">
    dictionary ClientData {
        required DOMString           challenge;
        required DOMString           origin;
        required DOMString           rpId;
        required AlgorithmIdentifier hashAlg;
        DOMString                    tokenBinding;
        WebAuthnExtensions           extensions;
    };
</pre>

<div dfn-for="ClientData">
    The <dfn>challenge</dfn> member contains the base64url encoding of the challenge provided by the RP.

    The <dfn>origin</dfn> member contains the fully qualified web origin of the requester, as provided to the authenticator by
    the client, in the syntax defined by [[RFC6454]].

    The <dfn>rpId</dfn> member contains the RP ID of the requester, as computed by the client.

    The <dfn>hashAlg</dfn> member specifies the hash algorithm used to compute <a>clientDataHash</a> (see
    [[#authenticator-signature]]). Use "S256" for SHA-256, "S384" for SHA384, "S512" for SHA512, and "SM3" for SM3 (see
    [[#iana-considerations]]). This algorithm is chosen by the client at its sole discretion.

    The <dfn>tokenBinding</dfn> member contains the base64url encoding of the Token Binding ID that this client uses for the
    Token Binding protocol when communicating with the [RP]. This can be omitted if no Token Binding has been negotiated between
    the client and the [RP].

    The optional <dfn>extensions</dfn> member contains additional parameters generated by processing the extensions passed in
    by the [RP]. WebAuthn extensions are detailed in Section [[#extensions]].
</div>

This structure is used by the client to compute the following quantities:

: <dfn>clientDataJSON</dfn>
:: This is the UTF-8 encoded JSON serialization [[RFC7159]] of a {{ClientData}} dictionary.

: <dfn>clientDataHash</dfn>
:: This is the hash (computed using <a>hashAlg</a>) of <a>clientDataJSON</a>.


### Credential Type enumeration (enum <dfn enum>CredentialType</dfn>) ### {#credentialType}

<pre class="idl">
    enum CredentialType {
        "ScopedCred"
    };
</pre>

<div dfn-for="CredentialType">
    This enumeration defines the valid credential types. It is an extension point; values may be added to it in the future, as
    more credential types are defined. The values of this enumeration are used for versioning the WebAuthn assertion and
    attestation statement according to the type of the authenticator.

    Currently one credential type is defined, namely "<dfn>ScopedCred</dfn>".
</div>


### Unique Identifier for Credential (interface <dfn interface>Credential</dfn>) ### {#credential-identifier}

<pre class="idl">
    interface Credential {
        readonly attribute CredentialType type;
        readonly attribute ArrayBuffer    id;
    };
</pre>

This interface contains the attributes that are returned to the caller when a new credential is created, and can be used later
by the caller to select a credential for use.

<div dfn-for="Credential">
    The <dfn>type</dfn> attribute contains a value of type {{CredentialType}}, indicating the specification and version that
    this credential conforms to.

    The <dfn>id</dfn> attribute contains an identifier for the credential, chosen by the platform with help from the
    authenticator. This identifier is used to look up credentials for use, and is therefore expected to be globally unique with
    high probability across all credentials of the same type, across all authenticators. This API does not constrain the format
    or length of this identifier, except that it must be sufficient for the platform to uniquely select a key. For example, an
    authenticator without on-board storage may create identifiers that consist of the key material wrapped with a key that is
    burned into the authenticator.
</div>


### Credential Descriptor (dictionary <dfn dictionary>CredentialDescription</dfn>) ### {#credential-dictionary}

<pre class="idl">
    dictionary CredentialDescription {
        required CredentialType type;
        required BufferSource   id;
    };
</pre>

This dictionary contains the attributes that are specified by a caller when referring to a credential as an input parameter to
the {{makeCredential()}} or {{getAssertion()}} method. It mirrors the fields of the {{Credential}} object returned by these methods.

<div dfn-for="CredentialDescription">
    The <dfn>type</dfn> attribute contains the type of the credential the caller is referring to.

    The <dfn>id</dfn> attribute contains the identifier of the credential that the caller is referring to.
</div>


### Cryptographic Algorithm Identifier (type {{AlgorithmIdentifier}}) ### {#alg-identifier}

A string or dictionary identifying a cryptographic algorithm and optionally a set of parameters for that algorithm. This type is
defined in [[!WebCryptoAPI]].


# WebAuthn Authenticator model # {#authenticator-model}

The API defined in this specification implies a specific abstract functional model for an <a>authenticator</a>. This section
describes the authenticator model. Client platforms may implement and expose this abstract model in any way desired. However,
the behavior of the client's Web Authentication API implementation, when operating on the authenticators
supported by that platform, MUST be indistinguishable from the behavior specified in [[#api]].

In this abstract model, each authenticator stores some number of scoped credentials. Each scoped credential has an identifier
which is unique (or extremely unlikely to be duplicated) among all scoped credentials. Each credential is also associated with a
<a>[RP]</a>, whose identity is represented by a <a>Relying Party Identifier</a> (<a>RP ID</a>).

Each authenticator has an AAGUID, which is a 128-bit identifier that indicates the type (e.g. make and model) of the
authenticator. The AAGUID MUST be chosen by the manufacturer to be identical across all substantially identical authenticators
made by that manufacturer, and different (with probability 1-2<sup>-128</sup> or greater) from the AAGUIDs of all other types of
authenticators. The RP MAY use the AAGUID to infer certain properties of the authenticator, such as certification level and
strength of key protection, using information from other sources.


## Authenticator operations ## {#authenticator-ops}

A client must connect to an authenticator in order to invoke any of the operations of that authenticator. This connection
defines an authenticator session. An authenticator must maintain isolation between sessions. It may do this by only allowing one
session to exist at any particular time, or by providing more complicated session management.

The following operations can be invoked by the client in an authenticator session.


### The <dfn>authenticatorMakeCredential</dfn> operation ### {#op-make-cred}

This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following
input parameters:

- The SHA-256 hash of the caller's RP ID, as determined by the user agent and the client.
- The <a>clientDataHash</a>, which is the hash of the serialized {{ClientData}} and is provided by the client.
- The {{Account}} information provided by the [RP].
- The {{CredentialType}} and cryptographic parameters requested by the [RP], with the cryptographic algorithms normalized as per
    the procedure in [[WebCryptoAPI#algorithm-normalization-normalize-an-algorithm]].
- A list of {{Credential}} objects provided by the [RP] with the intention that, if any of these are known to the authenticator,
    it should not create a new credential.
- Extension data created by the client based on the extensions requested by the [RP].

When this operation is invoked, the authenticator obtains user consent for creating a new credential. The prompt for obtaining 
this consent is shown by the authenticator if it has its own output capability, or by the user agent otherwise. Once user 
consent is obtained, the authenticator generates the appropriate cryptographic keys and creates a new credential. It also 
generates an identifier for the credential, such that this identifier is globally unique with high probability across all 
credentials with the same type across all authenticators. It then associates the credential with the specified RP ID hash such
that it will be able to retrieve the RP ID hash later, given the credential ID. Finally, it generates an attestation statement
that describes its own attributes as well as some attributes of the credential. For more details on attestation, see
[[#cred-attestation-stmts]].

On successful completion of this operation, the authenticator returns the following to the client:

- The type and unique identifier of the new credential.
- The public key associated with the new credential.
- The attestation statement, including information about the attestation format used.

If the user refuses consent, the authenticator returns an appropriate error status to the client.


### The <dfn>authenticatorGetAssertion</dfn> operation ### {#op-get-assertion}

This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following
input parameters:

- The SHA-256 hash of the caller's RP ID, as determined by the user agent and the client.
- The <a>clientDataHash</a>, which is the hash of the serialized {{ClientData}} and is provided by the client.
- A list of credentials acceptable to the [RP] (possibly filtered by the client).
- Extension data created by the client based on the extensions requested by the [RP].

When this method is invoked, the authenticator allows the user to select a credential from among the credentials associated with
that [RP] (as determined by an exact match of the RP ID hash) and matching the specified criteria, then obtains user consent
for using that credential. The prompt for obtaining this consent may be shown by the authenticator if it has its own output
capability, or by the user agent otherwise. Once a credential is selected and user consent is obtained, the authenticator
computes a cryptographic signature using the credential's private key and constructs an assertion signature as specified in
[[#signature-format]].

On successful completion, the authenticator returns to the user agent:
- The identifier of the credential used to generate the signature.
- The <a>level2Data</a> used to generate the signature.
- The signature itself.

If the authenticator cannot find any credential corresponding to the specified [RP] that matches the specified criteria, it
terminates the operation and returns an error.

If the user refuses consent, the authenticator returns an appropriate error status to the client.


### The <dfn>authenticatorCancel</dfn> operation ### {#op-cancel}

This operation takes no input parameters and returns no result.

When this operation is invoked by the client in an authenticator session, it has the effect of terminating any
<a>authenticatorMakeCredential</a> or <a>authenticatorGetAssertion</a> operation currently in progress in that authenticator
session. The authenticator stops prompting for, or accepting, any user input related to authorizing the canceled operation. The
client ignores any further responses from the authenticator for the canceled operation.

This operation is ignored if it is invoked in an authenticator session which does not have an <a>authenticatorMakeCredential</a>
or <a>authenticatorGetAssertion</a> operation currently in progress.


## Signature Format ## {#signature-format}

WebAuthn signatures are bound to various contextual data. These data are observed, and added at different levels of the stack as
a signature request passes from the server to the authenticator. In verifying a signature, the server checks these bindings
against expected values.

The components of a system using WebAuthn can be divided into three layers:

1. The <a>[RP]</a> (RP), which uses the WebAuthn services. The RP consists of a server component and a web-application running
    in a browser.

2. The <a>WebAuthn Client</a> platform, which consists of the User Agent and the OS and device on which it executes.

3. The <a>Authenticator</a> itself, which provides key management and cryptographic signatures. This may be embedded in the
    WebAuthn client, or housed in a separate device entirely. In the latter case, the interface between the WebAuthn client and
    the authenticator is a separately-defined protocol.
    
This specification defines the common signature format shared by all the above layers. This includes how the different 
contextual bindings are encoded, signed over, and delivered to the RP. 

The goals of this design can be summarized as follows.

- The scheme for generating signatures should accommodate cases where the link between the client platform and authenticator
    is very limited, in bandwidth and/or latency. Examples include Bluetooth Low Energy and Near-Field Communication.

- The data processed by the authenticator should be small and easy to interpret in low-level code. In particular, authenticators
    should not have to parse high-level encodings such as JSON.

- Both the client platform and the authenticator should have the flexibility to add contextual bindings as needed.

- The design aims to reuse as much as possible of existing encoding formats in order to aid adoption and implementation.

The contextual bindings are divided in two: Those added by the RP or the client platform, referred to as client data; and those
added by the authenticator, referred to as the authenticator data. The client data must be signed over, but an authenticator is
otherwise not interested in its contents. To save bandwidth and processing requirements on the authenticator, the client
platform hashes the {{ClientData}} and sends only the result to the authenticator. The authenticator signs over the combination
of this <a>clientDataHash</a>, and its own authenticator data.


### Level2Data ### {#sec-authenticator-data}

The level2Data encodes contextual bindings made by the <a>authenticator</a> itself. These bindings are typically controlled
(generated or at least verified) by the authenticator itself, and derive their trust from the [RP]'s assessment of the security
of the authenticator. The level2Data has a compact but extensible encoding. This is desired since authenticators can be
devices with limited capabilities and low power requirements, with much simpler software stacks than the client platform
components.

Note: Some authenticators cannot fully control the level2Data.  This is indicated in the related metadata to such authenticator.

The encoding of authenticator data is a byte array of 37 bytes or more, as follows.

<table class="complex data longlastcol">
    <tr>
        <th>Length (in bytes)</th>
        <th>Description</th>
    </tr>
    <tr>
        <td>32</td>
        <td>
            SHA-256 hash of the RP ID associated with the credential.
        </td>
    </tr>
    <tr>
        <td>1</td>
        <td>
            Flags (bit 0 is the least significant bit):
            - Bit 0: Test of User Presence (`TUP`) result.
            - Bits 1-5: Reserved for future use (`RFU`).
            - Bit 6: Attestation data included (`AT`). Indicates whether the authenticator added attestation data.
            - Bit 7: Extension data included (`ED`). Indicates if the authenticator data has extensions.
        </td>
    </tr>
    <tr>
        <td>4</td>
        <td>Signature counter (`signCount`), 32-bit unsigned big-endian integer.</td>
    </tr>
    <tr>
        <td>variable (if present)</td>
        <td>
            Attestation data (if present). See below for details. Its length n depends on the length of the public key and
            credential ID of the credential being attested.
        </td>
    </tr>
    <tr>
        <td>variable (if present)</td>
        <td>
            Extension-defined authenticator data. This is a CBOR [[RFC7049]] map with extension identifiers as keys, and
            extension authenticator data values as values. See [[#extensions]] for details.
        </td>
    </tr>
</table>

Note that the RP ID hash is originally received from the client when the credential is created, and again when an assertion is
generated. However, it differs from other client data in some important ways. First, unlike the client data, the RP ID of a
credential does not change between operations but instead remains the same for the lifetime of that credential. Secondly, it is
validated by the authenticator during the <a>authenticatorGetAssertion</a> operation, by making sure that the RP ID hash
associated with the requested credential exactly matches the RP ID hash supplied by the client. These differences also explain
why the RP ID hash is always a SHA-256 hash instead of being crypto-agile like the <a>clientDataHash</a>; for a given RP ID, we
need the hash to be computed the same way by all clients for all operations so that authenticators can roam among clients
without losing interoperability.

The `TUP` flag SHALL be set if and only if the authenticator detected a user through an authenticator specific gesture. The
`RFU` bits in the flags byte SHALL be set to zero.

For attestation signatures, the authenticator MUST set the AT flag and include the attestation data. For authentication
signatures, the AT flag MUST NOT be set and the attestation data MUST NOT be included. The attestation data, if present, MUST be
in the following format:

<table class="complex data longlastcol">
    <tr>
        <th>Length (in bytes)</th>
        <th>Description</th>
    </tr>
    <tr>
        <td>16</td>
        <td>The AAGUID of the authenticator.</td>
    </tr>
    <tr>
        <td>2</td>
        <td>Byte length l of Credential ID</td>
    </tr>
    <tr>
        <td>(length)</td>
        <td>Credential ID (l bytes)</td>
    </tr>
    <tr>
        <td>2</td>
        <td>
            Public key algorithm and encoding (16-bit big-endian value). Allowed values are:

            1. 0x0100. This is raw ANSI X9.62 formatted Elliptic Curve public key [[!SEC1]], i.e.,
                `[0x04, X (n bytes), Y (n bytes)]`, where the byte `0x04` denotes the uncompressed point compression method and
                n denotes the key length in bytes.

            2. 0x0102.  Raw encoded RSA PKCS1 or RSASSA-PSS public key [[RFC3447]]. In the case of RSASSA-PSS, the default
                parameters according to [[RFC4055]] MUST be assumed, i.e.,
                - Mask Generation Algorithm MGF1 with SHA256
                - Salt Length of 32 bytes, i.e., the length of a SHA256 hash value.
                - Trailer Field value of 1, which represents the trailer field with hexadecimal value `0xBC`.

                That is, `[modulus (256 bytes), e (m-n bytes)]`, where `m` is the total length of the field. This total length
                should be taken from the object containing this key
        </td>
    </tr>
    <tr>
        <td>2</td>
        <td>Byte length m of following public key bytes (16 bit value with most significant byte first).</td>
    </tr>
    <tr>
        <td>(length)</td>
        <td>The public key (m bytes) according to the encoding denoted before.</td>
    </tr>
</table>

If the authenticator does not include any extension data, it MUST set the `ED` flag in the first byte to zero, and to one if
extension data is included.

The figure below shows a visual representation of the authenticator data structure.

<figure>
    <img src="images/fido-signature-formats-figure1.svg"/>
    <figcaption><dfn>level2Data</dfn> layout.</figcaption>
</figure>

Note: The `level2Data` describes its own length: If the AT and ED flags are not set, it is always 37 bytes long. If the
AT flag is present, the attestation data describes its own length. If the ED flag is set, then the total length is 37 bytes plus
the length of the attestation data, plus the length of the CBOR map that follows.


### Generating a signature ### {#authenticator-signature}

A raw cryptographic signature must assert the integrity of both the client data and the authenticator data. Thus, an
<a>authenticator</a> SHALL compute a signature over the concatenation of the |level2Data| and the <a>clientDataHash</a>.

<figure id="fig-signature">
    <img src="images/fido-signature-formats-figure2.svg"/>
    <figcaption>Generating a signature on the authenticator.</figcaption>
</figure>

Note: A simple, undelimited concatenation is safe to use here because the |level2Data| describes its own length. The
    <a>clientDataHash</a> (which potentially has a variable length) is always the last element.

The authenticator MUST return both the <a>level2Data</a> and the raw signature back to the client. The client, in turn,
MUST return <a>clientDataJSON</a>, <a>level2Data</a> and the signature to the RP. The first two are returned in the
`clientData` and `level2Data` members respectively of the {{WebAuthnAssertion}} and {{WebAuthnAttestation}} structures.


## Credential Attestation Statements ## {#cred-attestation-stmts}

An attestation statement is a specific type of signed data object, containing statements about a credential itself and the
authenticator that created it. It is created using the process described in [[#signature-format]], with the important difference
that the signature is generated not using the private key associated with the credential but using the key of the attesting
authority. In order to correctly interpret an attestation statement, a [RP] needs to understand two aspects of the attestation:

1. The <dfn>attestation format</dfn> is the manner in which the signature is represented and the various contextual bindings are
    serialized into the attestation statement by the <a>Authenticator</a>. In other words, this defines the syntax of the
    statement. Various existing devices and platforms (such as TPMs and the Android OS) have previously defined attestation
    formats. This specification supports a variety of such formats in an extensible way, as defined in [[#attestation-formats]].

2. The <dfn>attestation type</dfn> defines the semantics of the attestation level1Data and its underlying trust model. It defines
    how a [RP] establishes trust in a particular attestation statement, after verifying that it is cryptographically valid. The
    privacy, security and operational characteristics of attestation depend mainly on the attestation type, and are largely
    independent of the attestation format.

In general, there is no simple mapping between attestation formats and attestation types. For example the "packed" attestation
format defined in [[#packed-attestation]] can be used in conjunction with all attestation types, while other formats and types
have more limited applicability.

It is expected that most authenticators will support a small number of attestation types and formats, while [RPS] will decide
what attestation types are acceptable to them by policy.


### Attestation Formats ### {#attestation-formats}

As described above, an attestation format is a data format which represents a cryptographic signature by an authenticator over a
set of contextual bindings. Each attestation format is defined by the following attributes:

- The name of the format, used to identify it in a {{WebAuthnAttestation}} structure. This MUST be an ASCII string, and MUST
    NOT be an <a>ASCII case-insensitive match</a> for the name of any other attestation format.

- The set of attestation types supported by the format.

- The syntax of an attestation level1Data produced in this format.

- The procedure for computing an attestation statement in this format given the following:
    - The authenticator data for the attestation, created as per [[#sec-authenticator-data]]
    - The current value of the authenticator's signature counter
    - The <a>clientDataHash</a> of the client's contextual bindings

- The procedure for verifying an attestation statement, which takes the following:
    - The authenticator data claimed to have been used for the attestation
    - The <a>clientDataHash</a> of the client's contextual bindings
    - A trust anchor (a root certificate, a DAA root key or the public key of the credential itself)

    and returns a Boolean value indicating whether the attestation is cryptographically valid, and if so the attestation type.

The initial list of supported formats is in [[#defined-attestation-formats]].


<!-- Editors Note: differentiating section IDs from non-section IDs is useful because at times we need to seperately reference
     different things having the same nominal name, eg attestation-types-the-section, and attestation-types-the-definition -->
### Attestation Types ### {#sctn-attestation-types}

WebAuthn supports multiple attestation types:

: <dfn>Basic Attestation</dfn>
:: In the case of basic attestation [[UAFProtocol]], the Authenticator's attestation private key is specific to an
    Authenticator model.  That means that an Authenticator of the same model typically shares the same attestation private key.
    This model is also used for FIDO UAF 1.0 and FIDO U2F 1.0.

: <dfn>Self Attestation</dfn>
:: In the case of self attestation, also known as surrogate basic attestation [[UAFProtocol]], the Authenticator doesn't have
    any specific attestation key. Instead it uses the authentication key itself to sign the attestation statement.
    Authenticators without meaningful protection measures for an attestation private key typically use this attestation type.

: <dfn>Privacy CA</dfn>
:: In this case, the Authenticator owns an authenticator-specific (endorsement) key. This key is used to securely communicate
    with a trusted third party, the Privacy CA.  The Authenticator can generate multiple attestation key pairs and asks the
    Privacy CA to issue an attestation certificate for it. Using this approach, the Authenticator can limit the exposure of the
    endorsement key (which is a global correlation handle) to Privacy CA(s). Attestation keys can be requested for each scoped
    credential individually.

    Note: This concept typically leads to multiple attestation certificates. The attestation certificate requested most recently
        is called "active".

: <dfn>Direct Anonymous Attestation</dfn> (DAA)
:: In this case, the Authenticator receives DAA credentials from a single DAA-Issuer. These DAA credentials are used along with
    blinding to sign the attestation data. The concept of blinding avoids the DAA credentials being misused as global
    correlation handle. WebAuthn supports DAA using elliptic curve cryptography and bilinear pairings, called ECDAA (see
    [[FIDOEcdaaAlgorithm]]) in this specification.


### Verifying an Attestation Statement ### {#verifying-an-attestation-statement}

This section outlines the recommended algorithm for verifying an attestation statement, independent of attestation format.

Upon receiving an attestation statement in the form of a {{WebAuthnAttestation}} structure, the [RP] shall:

1. Perform JSON decoding to extract the {{ClientData}} used for the attestation from the {{WebAuthnAttestation/clientData}}.

2. Verify that the {{ClientData/challenge}} in the {{ClientData}} matches the challenge that was sent to the authenticator.

3. Verify that the {{ClientData/origin}} and {{ClientData/rpId}} in the {{ClientData}} match the origin and RP ID used by the
    RP.

4. Verify that the {{ClientData/tokenBinding}} in the {{ClientData}} matches the token binding public key for the TLS connection
    over which the attestation was obtained.

5. Verify that the {{ClientData/extensions}} in the {{ClientData}} is a proper subset of the extensions requested by the RP.

6. Verify that the RP ID hash in the {{WebAuthnAttestation/level2Data}} is indeed the SHA-256 hash of the
    {{ClientData/rpId}}.   

7. Perform an <a>ASCII case-insensitive match</a> on {{WebAuthnAttestation/format}} to determine the attestation format.

8. Look up the attestation root certificate or DAA root key from a trusted source. For example, the FIDO Metadata Service
    [[FIDOMetadataService]] provides one way to access such information. The AAGUID in the
    {{WebAuthnAssertion/level2Data}} can be used for this lookup.
    
9. Using the verification process for the above attestation format, validate that the attestation
    {{WebAuthnAttestation/level1Data}} is valid for the given {{WebAuthnAttestation/level2Data}},
    {{WebAuthnAttestation/clientData}} and the above trust anchor.
    Note: Depending on the metadata on the authenticator model, the level2Data might be controlled by the Client or by the Authenticator.

The [RP] MAY take any of the below actions when verification of an attestation statement fails, according to its policy:

- Reject the request, such as a registration request, associated with the attestation statement.

- Accept the request associated with the attestation statement but treat the attested Scoped Credential as one with self
    attestation (see [[#sctn-attestation-types]]). If doing so, the [RP] is asserting there is no cryptographic proof that the
    Scoped Credential has been generated by a particular Authenticator model. See [[FIDOSecRef]] and [[UAFProtocol]] for a more
    detailed discussion.

Verification of attestation statements requires that the [RP] has a trusted method of determining the trust anchor in Step 8
above. Also, if certificates are being used, the [RP] must have access to certificate status information for the intermediate
CA certificates. The relying party must also be able to build the attestation certificate chain if the client didn't provide
this chain in the attestation information.


### Security Considerations ### {#sec-attestation-security-considerations}


#### Privacy #### {#sec-attestation-privacy}

Attestation keys may be used to track users or link various online identities of the same user together. This may be mitigated
in several ways, including:

- A WebAuthn <a>Authenticator</a> manufacturer may choose to ship all of their devices with the same (or a fixed number of)
    attestation key(s) (called <a>Basic Attestation</a>). This will anonymize the user at the risk of not being able to revoke a
    particular attestation key should its WebAuthn Authenticator be compromised.

- A WebAuthn Authenticator may be capable of dynamically generating different attestation keys (and requesting related
    certificates) per origin (following the <a>Privacy CA</a> approach). For example, a WebAuthn Authenticator can ship with a
    master attestation key (and certificate), and combined with a cloud operated privacy CA, can dynamically generate per origin
    attestation keys and attestation certificates.

- A WebAuthn Authenticator can implement <a>direct anonymous attestation</a> (see [[FIDOEcdaaAlgorithm]]).  Using this scheme,
    the authenticator generates a blinded attestation signature.  This allows the [RP] to verify the signature using the DAA
    root key, but the attestation signature doesn't serve as a global correlation handle.


#### Attestation Certificate and Attestation Certificate CA Compromise #### {#ca-compromise}

When an intermediate CA or a root CA used for issuing attestation certificates is compromised, WebAuthn <a>Authenticator</a>
attestation keys are still safe although their certificates can no longer be trusted. A WebAuthn Authenticator manufacturer that
has recorded the public attestation keys for their devices can issue new attestation certificates for these keys from a new
intermediate CA or from a new root CA. If the root CA changes, the [RPS] must update their trusted root certificates
accordingly.

A WebAuthn Authenticator attestation certificate must be revoked by the issuing CA if its key has been compromised. A WebAuthn
Authenticator manufacturer may need to ship a firmware update and inject new attestation keys and certificates into already
manufactured WebAuthn Authenticators, if the exposure was due to a firmware flaw. (The process by which this happens is out of
scope for this specification.) If the WebAuthn Authenticator manufacturer does not have this capability, then it may not be
possible for [RPS] to trust any further valid attestation statements from the affected WebAuthn Authenticators.

If attestation certificate validation fails due to a revoked intermediate attestation CA certificate, and the [RP]'s policy
requires rejecting the registration/authentication request in these situations, then it is recommended that the [RP] also
un-registers (or marks with a trust level equivalent to "<a>self attestation</a>") scoped credentials that were registered after
the CA compromise date using an attestation certificate chaining up to the same intermediate CA. It is thus recommended that
[RPS] remember intermediate attestation CA certificates during Authenticator registration in order to un-register related Scoped
Credentials if the registration was performed after revocation of such certificates.

If a DAA attestation key has been compromised, it can be added to the RogueList (i.e., the list of revoked authenticators)
maintained by the related DAA-Issuer. The [RP] should verify whether an authenticator belongs to the RogueList when performing
DAA-Verify. For example, the FIDO Metadata Service [[FIDOMetadataService]] provides one way to access such information.


#### Attestation Certificate Hierarchy #### {#cert-hierarchy}

A 3-tier hierarchy for attestation certificates is recommended (i.e., Attestation Root, Attestation Issuing CA, Attestation
Certificate). It is also recommended that for each WebAuthn Authenticator device line (i.e., model), a separate issuing CA is
used to help facilitate isolating problems with a specific version of a device.

If the attestation root certificate is not dedicated to a single WebAuthn Authenticator device line (i.e., AAGUID), the AAGUID
must be specified either in the attestation certificate itself or it must be specified in `rawData`.



# Defined Attestation Formats # {#defined-attestation-formats}

WebAuthn supports pluggable attestation data formats. This section defines an initial set of such formats.

## Attestation Format Identifiers ## {#sctn-attstn-fmt-ids}

Attestation formats are identified by a string, called a <dfn>attestation format identifier</dfn>, chosen by the attestation
format author.

Attestation format identifiers SHOULD be registered per [[WebAuthn-Registries]] "Registries for Web Authentication (WebAuthn)".
All registered attestation format identifiers are unique amongst themselves as a matter of course.

Unregistered attestation format identifiers SHOULD use reverse domain-name naming, using a domain
name registered by the attestation type developer, in order to assure uniqueness of the identifier. 
All attestation format identifiers MUST be a maximum of 32 octets in length and MUST
consist only of printable USASCII characters, i.e., VCHAR as defined in [[!RFC5234]] (note: this means attestation format
identifiers based on domain names MUST incorporate only LDH Labels [[!RFC5890]]). 
Implementations MUST match WebAuthn attestation format identifiers in a case-insensitive fashion. 

Attestation formats that may exist in multiple versions SHOULD include a version in their identifier. In effect, different
versions are thus treated as different extensions, e.g., `packed2` as a new version of the `packed` attestation format.

The following sections present a set of currently-defined and registered attestation formats and their identifiers. See the
WebAuthn Attestation Format Identifier Registry defined in [[WebAuthn-Registries]] for an up-to-date list of registered WebAuthn
Attestation Formats.

## Packed Attestation Format ## {#packed-attestation}

Packed attestation is a WebAuthn optimized format of attestation data. It uses a very compact but still extensible encoding
method. Encoding this format can even be implemented by <a>authenticators</a> with very limited resources (e.g., secure
elements).

: Attestation format identifier
:: packed

: Attestation types supported
:: All

: Syntax
:: A Packed Attestation level1Data has the following format:

    <pre class="idl">
        interface PackedAttestation {
            readonly    attribute ArrayBuffer   x5c;
            readonly    attribute ArrayBuffer   daaKey;
            readonly    attribute DOMString     alg;
            readonly    attribute ArrayBuffer   signature;
        };
    </pre>

    <div dfn-for="PackedAttestation">
        The <dfn>x5c</dfn> attribute contains the attestation certificate and its certificate chain as described in [[!RFC7515]]
        section 4.1.6.

        The <dfn>alg</dfn> element contains the name of the algorithm used to generate the attestation signature according to
        [[!RFC7518]] section 3.1. The following algorithms are supported:

        1. "ES256" [[!RFC7518]]
        2. "RS256" [[!RFC7518]]
        3. "PS256" [[!RFC7518]]
        4. "ED256" [[!FIDOEcdaaAlgorithm]]
        5. "ED512" [[!FIDOEcdaaAlgorithm]]

        The <dfn>signature</dfn> element contains the attestation signature.
    </div>

: Signing procedure
:: The authenticator produces a signature as specified in [[#authenticator-signature]] using the attestation private key. 

: Verification procedure
:: If {{PackedAttestation/x5c}} is present, this indicates that the attestation type is not DAA. In this case:
    - Verify the {{PackedAttestation/signature}} using the public key in {{PackedAttestation/x5c}} with the algorithm specified
        in {{PackedAttestation/alg}}.
    - Verify that {{PackedAttestation/x5c}} correctly chains to the trust anchor provided.
    - Verify that {{PackedAttestation/x5c}} meets the requirements in [[#packed-attestation-cert-requirements]].
    
    If {{PackedAttestation/daaKey}} is present, then the attestation type is DAA. In this case:
    - Verify that {{PackedAttestation/alg}} is "ED256" or "ED512".
    - Perform DAA-Verify on {{PackedAttestation/signature}} (see [[!FIDOEcdaaAlgorithm]]).
    - If {{PackedAttestation/x5c}} contains an extension with OID `1 3 6 1 4 1 45724 1 1 4` (id-fido-gen-ce-aaguid) verify that
        the value of this extension matches the AAGUID in the {{WebAuthnAttestation/level1Data}}.
    
    If neither {{PackedAttestation/x5c}} nor {{PackedAttestation/daaKey}} is present, self attestation is in use.
    - Verify the signature using the public key of the credential.
    - Validate that {{PackedAttestation/alg}} matches the algorithm in {{WebAuthnAttestation/level1Data}}.

    Note: It depends on the auhenticator metadata whether level2Data is controlled by the Client or by the authenticator.
    
### Packed attestation level1Data certificate requirements ### {#packed-attestation-cert-requirements}

The attestation certificate MUST have the following fields/extensions:

- Version must be set to 3.
- Subject field MUST be set to:
    : Subject-C
    :: Country where the Authenticator vendor is incorporated
    : Subject-O
    :: Legal name of the Authenticator vendor
    : Subject-OU
    :: Authenticator Attestation
    : Subject-CN
    :: No stipulation.

- If the related attestation root certificate is used for multiple authenticator models, the Extension OID
    `1 3 6 1 4 1 45724 1 1 4` (id-fido-gen-ce-aaguid) MUST be present, containing the AAGUID as value.

- The Basic Constraints extension MUST have the CA component set to false

- An Authority Information Access (AIA) extension with entry `id-ad-ocsp` and a CRL Distribution Point extension [[RFC5280]]
    are both optional as the status of many attestation certificates is available through authenticator metadata services. 
    See, for example, the FIDO Metadata Service [[FIDOMetadataService]].


## TPM Attestation Format ## {#tpm-attestation}

This attestation format is generally used by authenticators that use a Trusted Platform Model as their cryptographic engine.

: Attestation format identifier
:: tpm

: Attestation types supported
:: Privacy CA, DAA

: Syntax
:: A TPM Attestation level1Data has the following format:

    <pre class="idl">
        interface TpmAttestation {
            readonly    attribute DOMString     tpmVersion;
            readonly    attribute ArrayBuffer   x5c;
            readonly    attribute ArrayBuffer   daaKey;
            readonly    attribute ArrayBuffer   certifyInfo;
            readonly    attribute DOMString     alg;
            readonly    attribute ArrayBuffer   signature;
        };
    </pre>

    <div dfn-for="TpmAttestation">
        The <dfn>tpmVersion</dfn> field contains the version of the TPM specification to which the signature conforms. Currently
        supported versions are "1.2" and "2.0".

        The <dfn>x5c</dfn> attribute contains the attestation certificate and its certificate chain as described in [[!RFC7515]]
        section 4.1.6. This will be an AIK certificate.

        The <dfn>alg</dfn> element contains the name of the algorithm used to generate the attestation signature according to
        [[!RFC7518]] section 3.1. The following algorithms are supported:

        1. "RSA1_5" [[!RFC7518]] (TPM v1.2 only)
        2. "ES256" [[!RFC7518]]  (TPM v2.0 only)
        3. "RS256" [[!RFC7518]]  (TPM v2.0 only)
        4. "PS256" [[!RFC7518]]  (TPM v2.0 only)
        5. "ED256" [[!FIDOEcdaaAlgorithm]]  (TPM v2.0 only)
        6. "ED512" [[!FIDOEcdaaAlgorithm]]  (TPM v2.0 only)

        The <dfn>signature</dfn> element contains the attestation signature.
    </div>

: Signing procedure
:: Concatenate the {{WebAuthnAttestation/level2Data}} and {{WebAuthnAttestation/clientData}} as specified in
    [[#authenticator-signature]]; let this be `attInput`.
    
    If using TPM version 1.2, generate a signature using the procedure specified in [[TPMv1-2-Part3]] Section 13.8 or
    Section 13.9, using the attestation private key and setting the `antiReplay` parameter to the SHA-1 hash of `attInput`.

    If using TPM version 2.0, generate a signature using the procedure specified in [[TPMv2-Part3]] Section 18.2, using the
    attestation private key and setting the `qualifyingData` parameter to `attInput`.
    
    In both the above cases, return the certifyInfo output parameter along with the signature.

: Verification procedure
:: If {{TpmAttestation/x5c}} is present, this indicates that the attestation type is not DAA. In this case:
    - Verify the {{TpmAttestation/signature}} is over the {{TpmAttestation/certifyInfo}} using the public key in
        {{TpmAttestation/x5c}} with the algorithm specified in {{TpmAttestation/alg}}.
    - If {{TpmAttestation/tpmVersion}} is "1.2", verify that the {{TpmAttestation/certifyInfo}} contains a TPM_CERTIFY_INFO
        or TPM_CERTIFY_INFO2 structure with the `data` field set to the SHA-1 hash of the concatenation of
        {{WebAuthnAttestation/level2Data}} and  {{WebAuthnAttestation/clientData}}. 
    - If {{TpmAttestation/tpmVersion}} is "2.0", verify that {{TpmAttestation/certifyInfo}} is a TPMS_ATTEST structure with the
        `extraData` field set to the concatenation of {{WebAuthnAttestation/level2Data}} and
        {{WebAuthnAttestation/clientData}}.
    - Verify that {{TpmAttestation/x5c}} correctly chains to the trust anchor provided.
    - Verify that {{TpmAttestation/x5c}} meets the requirements in [[#tpm-cert-requirements]].
    
    If {{TpmAttestation/daaKey}} is present, then the attestation type is DAA.
    - Verify that {{TpmAttestation/alg}} is "ED256" or "ED512".
    - Perform DAA-Verify on {{TpmAttestation/signature}} to verify that it is over the {{TpmAttestation/certifyInfo}}
        (see [[!FIDOEcdaaAlgorithm]]). 
    - Verify that {{TpmAttestation/certifyInfo}} is a TPMS_ATTEST structure with the `extraData` field set to the concatenation
        of {{WebAuthnAttestation/level2Data}} and {{WebAuthnAttestation/clientData}}.
    - If {{TpmAttestation/x5c}} contains an extension with OID `1 3 6 1 4 1 45724 1 1 4` (id-fido-gen-ce-aaguid) verify that the
        value of this extension matches the AAGUID in the {{WebAuthnAttestation/level2Data}}.
    
    Note: It depends on the attestation certificate whether level2Data is controlled by the Client or by the authenticator.


### TPM attestation level1Data certificate requirements ### {#tpm-cert-requirements}

TPM <a>attestation certificate</a> MUST have the following fields/extensions:

- Version must be set to 3.

- Subject field MUST be set to empty.

- The Subject Alternative Name extension must be set as defined in [[TPMv2-EK-Profile]] section 3.2.9 if "version" equals 2 and
    [[TPMv1-2-Credential-Profiles]] section 3.2.9 if "version" equals 1.

- The Extended Key Usage extension MUST contain the
    "joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)" OID.

- The Basic Constraints extension MUST have the CA component set to false

- An Authority Information Access (AIA) extension with entry `id-ad-ocsp` and a CRL Distribution Point extension [[RFC5280]] are
    both optional as the status of many attestation certificates is available through metadata services. 
    See, for example, the FIDO Metadata Service [[FIDOMetadataService]].


## Android Attestation Format ## {#android-attestation}

When the <a>Authenticator</a> in question is a platform-provided Authenticator on the Android "N" or later platform, the attestation level1Data is based on the Android key attestation <a href="https://developer.android.com/preview/api-overview.html#key_attestation">https://developer.android.com/preview/api-overview.html#key_attestation</a>.

: Attestation format identifier
:: android-key

: Attestation types supported
:: Basic

: Syntax
:: An Android Attestation level1Data is a DER encoded X.509 certificate, see <a href="https://developer.android.com/training/articles/security-key-attestation.html">https://developer.android.com/training/articles/security-key-attestation.html</a>.


: Signing procedure
:: Concatenate the {{WebAuthnAttestation/level2Data}} and {{WebAuthnAttestation/clientData}} as specified in
    [[#authenticator-signature]]; let this be `attInput`. Request a Android Key Attestation (i.e. calling "keyStore.getCertificateChain(myKeyUUID)") providing this as the challenge value (e.g. using "setAttestationChallenge").

: Verification procedure
:: If the attestation format is "android-key":
    - Verify that the level1Data is signed (issued) by a valid attestation certificate being chained to a trusted attestation root certificate.

    - Check that `level1Data.KeyDescription.attestationChallenge` equals the attestationChallenge that was passed into the
        {{makeCredential()}} call.  

    - Check that the {{ClientData/origin}} and {{ClientData/tokenBinding}} parameters in the `AndroidAttestationClientData` match
        the [RP] App.

    - Check that `level1Data.publicKey` is the same key as the one returned in the `ScopedCredentialInfo` by the
        `makeCredential` call.

    - Check that `level1Data.AuthorizationList.allApplications` is <em>not</em> present, since ScopedCredentials must be bound to the rpId.

    - Check that `level1Data.AuthorizationList.origin == KM_TAG_GENERATED`, that `level1Data.AuthorizationList.purpose == KM_PURPOSE_SIGN`, that `level1Data.AuthorizationList.keySize` and `level1Data.AuthorizationList.digest` are acceptable, that `level1Data.authType` only contains acceptable user verification methods, that `level1Data.AuthorizationList.authTimeout == 0` or is <em>not</em> present, and that `level1Data.AuthorizationList.noAuthRequired` is <em>not</em> present.

    Note: level2Data is controlled by the Client and <i>not</i> by the authenticator.


## Android SafetyNet Attestation Format ## {#android-safetynet-attestation}

When the <a>Authenticator</a> in question is a platform-provided Authenticator on the Android platform, the attestation
level1Data is based on the <a href="https://developer.android.com/training/safetynet/index.html#compat-check-response">SafetyNet
API</a>.

: Attestation format identifier
:: android-safetynet

: Attestation types supported
:: Basic

: Syntax
:: An Android Attestation level1Data has the following format:

    <pre class="idl">
        interface AndroidAttestation {
            readonly attribute unsigned long version;
            readonly attribute DOMString     safetyNetResponse;
        };
    </pre>

    <div dfn-for="AndroidAttestation">
        The <dfn>version</dfn> element is set to the version number of Google Play Services responsible for providing the SafetyNet
        API.

        The <dfn>safetyNetResponse</dfn> element contains the value returned by the above SafetyNet API. This value is a JWS
        [[RFC7515]] object (see <a href="https://developer.android.com/training/safetynet/index.html#compat-check-response">
        SafetyNet online documentation</a>) in Compact Serialization.
    </div>

: Signing procedure
:: Concatenate the {{WebAuthnAttestation/level2Data}} and {{WebAuthnAttestation/clientData}} as specified in
    [[#authenticator-signature]]; let this be `attInput`. Request a SafetyNet attestation, providing this as the nonce value.

: Verification procedure
:: If the attestation format is "android":
    - Verify that the attestation certificate is issued to the hostname "attest.android.com" (see
        <a href="https://developer.android.com/training/safetynet/index.html#compat-check-response"> SafetyNet online
        documentation</a>).

    - Check that `AndroidAttestationClientData.challenge` equals the attestationChallenge that was passed into the
        {{makeCredential()}} call.

    - Check that the {{ClientData/origin}} and {{ClientData/tokenBinding}} parameters in the `AndroidAttestationClientData` match
        the [RP] App.

    - Check that `AndroidAttestationClientData.publicKey` is the same key as the one returned in the `ScopedCredentialInfo` by the
        `makeCredential` call.

    - Check that the hash of the <a>clientDataJSON</a> matches the `nonce` attribute in the payload of the `safetynetResponse` JWS.

    - Check that the `ctsProfileMatch` attribute in the payload of the `safetynetResponse` is true.

    Note: level1Data and level2Data are controlled by the Client and <i>not</i> by the authenticator.

# WebAuthn Extensions # {#extensions}

The mechanism for generating scoped credentials, as well as requesting and generating WebAuthn assertions, as defined in
[[#api]], can be extended to suit particular use cases. Each case is addressed by defining a registration extension and/or
an authentication extension. Extensions can define additions to the following steps and data:

- {{makeCredential()}} request parameters for registration extension.

- {{getAssertion()}} request parameters for authentication extensions.

- Client processing, and the {{ClientData}} structure, for registration extensions and authentication extensions.

- Authenticator processing, and the <a>level2Data</a> structure, for registration extensions and authentication
    extensions.

When requesting an assertion for a scoped credential, a [RP] can list a set of extensions to be used, if they are supported by
the client and/or the authenticator. It sends the client arguments for each extension in the {{getAssertion()}} call (for
authentication extensions) or {{makeCredential()}} call (for registration extensions) to the client platform. The client
platform performs additional processing for each extension that it supports, and augments {{ClientData}} as required by the
extension. In addition, the client collects the authenticator arguments for the above extensions, and passes them to the
authenticator in the <a>authenticatorMakeCredential</a> call (for registration extensions) or <a>authenticatorGetAssertion</a>
call (for authentication extensions). These authenticator arguments are passed as name-value pairs, with the extension
identifier as the name, and the corresponding authenticator argument as the value. The authenticator, in turn, performs
additional processing for the extensions that it supports, and augments |level2Data| as specified by the extension.

All WebAuthn extensions are optional for both clients and authenticators. Thus, any extensions requested by a [RP] may be
ignored by the client browser or OS and not passed to the authenticator at all, or they may be ignored by the authenticator.
Ignoring an extension is never considered a failure in WebAuthn API processing, so when [RPS] include extensions with any API
calls, they must be prepared to handle cases where some or all of those extensions are ignored.

Clients wishing to support the widest possible range of extensions may choose to pass through any extensions that they do not
recognize to authenticators, generating the authenticator argument by simply encoding the client argument in CBOR. All
WebAuthn extensions MUST be defined in such a way that this implementation choice does not endanger the user's security or
privacy. For instance, if an extension requires client processing, it could be defined in a manner that ensures such a naïve
pass-through will produce a semantically invalid authenticator argument, resulting in the extension being ignored by the
authenticator. Since all extensions are optional, this will not cause a functional failure in the API operation.


## Extension Identifiers ## {#extension-id}

Extensions are identified by a string, called an <dfn>extension identifier</dfn>, chosen by the extension author. 

Extension identifiers SHOULD be registered per [[WebAuthn-Registries]] "Registries for Web Authentication (WebAuthn)".
All registered extension identifiers are unique amongst themselves as a matter of course.

Unregistered extension identifiers should aim to be globally unique, e.g., by including the defining entity such as `myCompany_extension`.

All extension identifiers MUST be a maximum of 32 octets in length and MUST
consist only of printable USASCII characters, i.e., VCHAR as defined in [[!RFC5234]].
Implementations MUST match WebAuthn extension identifiers in a case-insensitive fashion. 

Extensions that may exist in multiple versions should take care to include a version in their identifier. In effect, different
versions are thus treated as different extensions, e.g., `myCompany_extension_01`

Extensions defined in this specification use a fixed prefix of `webauthn` for the extension identifiers. This prefix should not
be used for extensions not defined by the W3C.

[[#extension-predef]] defines an initial set of currently-defined and registered extensions their identifiers. See the WebAuthn
Extension Identifiers Registry defined in [[WebAuthn-Registries]] for an up-to-date list of registered WebAuthn Extension
Identifiers.


## Defining extensions ## {#extension-specification}

A definition of an extension must specify, at minimum, an extension identifier and an extension client argument sent via the
{{getAssertion()}} or {{makeCredential()}} call. Additionally, extensions may specify additional values in {{ClientData}}, 
`level2Data` (in the case of authentication extensions), or both. Finally, if the extension requires any authenticator 
processing, it must also specify an authenticator argument to be sent via the <a>authenticatorGetAssertion</a> or 
<a>authenticatorMakeCredential</a> call.

Any extension that requires client processing MUST specify a method of augmenting {{ClientData}} that unambiguously lets the
[RP] know that the extension was honored by the client. Similarly, any extension that requires authenticator processing MUST
specify a method of augmenting `level2Data` to let the [RP] know that the extension was honored by the authenticator.


## Extending request parameters ## {#extension-request-parameters}

An extension defines up to two request arguments. The <dfn>client argument</dfn> is passed from the <a>[RP]</a> to the client
in the {{getAssertion()}} or {{makeCredential()}} call, while the <dfn>authenticator argument</dfn> is passed from the client
to the authenticator during the processing of these calls.

A [RP] simultaneously requests the use of an extension and sets its client argument by including an entry in the
{{CredentialOptions/extensions}} option to the {{makeCredential()}} or {{getAssertion()}} call. The entry key MUST be the
extension identifier, and the value MUST be the <a>client argument</a>.

<pre class="example highlight">
    var assertionPromise = credentials.getAssertion(..., /* extensions */ {
        "webauthnExample_foobar": 42
    });
</pre>

Extension definitions MUST specify the valid values for their client argument. Clients SHOULD ignore extensions with an invalid
client argument. If an extension does not require any parameters from the [RP], it SHOULD be defined as taking a Boolean client
argument, set to `true` to signify that the extension is requested by the [RP].

Extensions that only affect client processing need not specify an authenticator argument. Extensions that affect authenticator
processing MUST specify a method of computing the authenticator argument from the client argument. For extensions that do not
require additional parameters, and are defined as taking a Boolean client argument set to `true`, this method SHOULD consist of
passing an authenticator argument of `true` (CBOR major type 7, value 21).

Note: Extensions should aim to define authenticator arguments that are as small as possible. Some authenticators communicate
    over low-bandwidth links such as Bluetooth Low-Energy or NFC.


## Extending client processing ## {#extension-client-processing}

Extensions may define additional processing requirements on the client platform during the creation of credentials or the
generation of an assertion. In order for the <a>[RP]</a> to verify the processing took place, or if the processing has a result
value that the [RP] needs to be aware of, the extension should specify a client data value to be included in the {{ClientData}}
structure.

The client data value may be any value that can be encoded using JSON. If any extension processed by a client defines such a
value, the client SHOULD include a dictionary in {{ClientData}} with the key {{ClientData/extensions}}. For each such
extension, the client SHOULD add an entry to this dictionary with the extension identifier as the key, and the extension's
client data value.

Extensions that require authenticator processing MUST define the process by which the client argument can be used to determine
the authenticator argument.


## Extending authenticator processing ## {#extension-authenticator-processing}

Extensions that define additional authenticator processing may similarly define an authenticator data value. The value may be
any data that can be encoded in CBOR. An authenticator that processes an authentication extension that defines such a value must
include it in the `level2Data`.

As specified in [[#sec-authenticator-data]], the authenticator data value of each processed extension is included in the
extended data part of the `level2Data`. This part is a CBOR map, with extension identifiers as keys, and the
authenticator data value of each extension as the value.


## Example extension ## {#sample-extensions}

[INFORMATIVE]

To illustrate the requirements above, consider a hypothetical extension "Geo". This extension, if supported, lets both clients
and authenticators embed their geolocation in assertions.

The extension identifier is chosen as `webauthnExample_geo`. The client argument is the constant value `true`, since the
extension does not require the <a>[RP]</a> to pass any particular information to the client, other than that it requests the use
of the extension. The [RP] sets this value in its request for an assertion:

<pre class="highlight">
    var assertionPromise =
        credentials.getAssertion("SGFuIFNvbG8gc2hvdCBmaXJzdC4",
            {}, /* Empty filter */
            { 'webauthnExample_geo': true });
</pre>

The extension defines the additional client data to be the client's location, if known, as a GeoJSON [[GeoJSON]] point. The
client constructs the following client data:

<pre class="highlight">
    {
        ...,
        'extensions': {
            'webauthnExample_geo': {
                'type': 'Point',
                'coordinates': [65.059962, -13.993041]
            }
        }
    }
</pre>

The extension also requires the client to set the authenticator parameter to the fixed value `true`.

Finally, the extension requires the authenticator to specify its geolocation in the authenticator data, if known. The extension
e.g. specifies that the location shall be encoded as a two-element array of floating point numbers, encoded with CBOR. An
authenticator does this by including it in the `level2Data`. As an example, authenticator data may be as follows
(notation taken from [[RFC7049]]):

<pre class="highlight">
    81 (hex)                                    -- Flags, ED and TUP both set.
    20 05 58 1F                                 -- Signature counter
    A1                                          -- CBOR map of one element
        73                                      -- Key 1: CBOR text string of 19 bytes
            77 65 62 61 75 74 68 6E 45 78 61
            6D 70 6C 65 5F 67 65 6F             -- "webauthnExample_geo" UTF-8 string
        82                                      -- Value 1: CBOR array of two elements
            FA 42 82 1E B3                      -- Element 1: Latitude as CBOR encoded float
            FA C1 5F E3 7F                      -- Element 2: Longitude as CBOR encoded float
</pre>


# Pre-defined extensions # {#extension-predef}

This section defines an initial set of extensions. These are recommended for implementation by user agents targeting broad
interoperability.


## Transaction authorization ## {#extension-txauth}

This authentication extension allows for a simple form of transaction authorization. A [RP] can specify a prompt string,
intended for display on a trusted device on the authenticator.

: Extension identifier
:: `webauthn_txAuthSimple`

: Client argument
:: A single UTF-8 encoded string prompt.

: Client processing
:: None, except default forwarding of client argument to authenticator argument.

: Authenticator argument
:: The client argument encoded as a CBOR text string (major type 3).

: Authenticator processing
:: The authenticator MUST display the prompt to the user before performing the user verification / test of user presence. The
    authenticator may insert line breaks if needed.

: Authenticator data
:: A single UTF-8 string, representing the prompt as displayed (including any eventual line breaks).

The generic version of this extension allows images to be used as prompts as well.  This allows authenticators without a font
rendering engine to be used and also supports a richer visual appearance.

: Extension identifier
:: `webauthn_txAuthGeneric`

: Client argument
:: A CBOR map with one pair of data items (CBOR tagged as 0xa1). The pair of data items consists of
    1. one UTF-8 encoded string <dfn>contentType</dfn>, containing the MIME-Type of the content, e.g. "image/png"
    2. and the <dfn>content</dfn> itself, encoded as CBOR byte array.

: Client processing
:: None, except default forwarding of client argument to authenticator argument.

: Authenticator argument
:: The client argument encoded as a CBOR map.

: Authenticator processing
:: The authenticator MUST display the <a>content</a> to the user before performing the user verification / test of user
    presence. The authenticator may add other information below the <a>content</a>. No changes are allowed to the <a>content</a>
    itself, i.e., inside <a>content</a> boundary box.

: Authenticator data
:: The hash value of the <a>content</a> which was displayed. The authenticator MUST use the same hash algorithm as it uses for
    the signature itself.


## Authenticator Selection Extension ## {#extension-authenticator-selection}

This registration extension allows a [RP] to guide the selection of the authenticator that will be leveraged when creating the
credential. It is intended primarily for [RPS] that wish to tightly control the experience around credential creation.

: Extension identifier
:: `webauthn_authnSel`

: Client argument
:: A sequence of AAGUIDs:

    <pre class="idl highlight">
        typedef sequence < AAGUID > AuthenticatorSelectionList;
    </pre>

    Each AAGUID corresponds to an authenticator model that is acceptable to the [RP] for this credential creation. The
    list is ordered by decreasing preference.

    An AAGUID is defined as an array containing the globally unique identifier of the authenticator model being sought.

    <pre class="idl highlight">
        typedef BufferSource AAGUID;
    </pre>

: Client processing
:: This extension can only be used during {{makeCredential()}}. If the client supports the Authenticator Selection Extension, it
    MUST use the first available authenticator whose AAGUID is present in the <dfn>AuthenticatorSelectionList</dfn>. If none of
    the available authenticators match a provided AAGUID, the client MUST select an authenticator from among the available
    authenticators to generate the credential.

: Authenticator argument
:: There is no authenticator argument.

: Authenticator processing
:: None.


## SupportedExtensions Extension ## {#supported-extensions-extension}

: Extension identifier
:: `webauthn_exts`

: Client argument
:: The Boolean value `true` to indicate that this extension is requested by the [RP].

: Client processing
:: None, except default forwarding of client argument to authenticator argument.

: Authenticator argument
:: The Boolean value `true`, encoded in CBOR (major type 7, value 21).

: Authenticator processing
:: The <a>authenticator</a> augments the authenticator data with a list of extensions that the authenticator supports, as
    defined below. This extension can be added to attestation statements.

: Authenticator data
:: The SupportedExtensions extension is a list (CBOR array) of extension identifiers encoded as UTF-8 Strings.


## User Verification Index (UVI) Extension ## {#uvi-extension}

: Extension identifier
:: `webauthn_uvi`

: Client argument
:: The Boolean value `true` to indicate that this extension is requested by the [RP].

: Client processing
:: None, except default forwarding of client argument to authenticator argument.

: Authenticator argument
:: The Boolean value `true`, encoded in CBOR (major type 7, value 21).

: Authenticator processing
:: The <a>authenticator</a> augments the authenticator data with a user verification index indicating the method used by the
    user to authorize the operation, as defined below. This extension can be added to attestation statements and assertions.

: Authenticator data
:: The user verification index (UVI) is a value uniquely identifying a user verification data record. The UVI is encoded as CBOR
    byte string (type 0x58). Each UVI value MUST be specific to the related key (in order to provide unlinkability). It also
    must contain sufficient entropy that makes guessing impractical. UVI values MUST NOT be reused by the Authenticator (for
    other biometric data or users).

    The UVI data can be used by servers to understand whether an authentication was authorized by the exact same biometric data
    as the initial key generation. This allows the detection and prevention of "friendly fraud".

    As an example, the UVI could be computed as SHA256(KeyID | SHA256(rawUVI)), where the rawUVI reflects (a) the biometric
    reference data, (b) the related OS level user ID and (c) an identifier which changes whenever a factory reset is performed
    for the device, e.g. rawUVI = biometricReferenceData | OSLevelUserID | FactoryResetCounter.

    Servers supporting UVI extensions MUST support a length of up to 32 bytes for the UVI value.

    Example for rawData containing one UVI extension
    <pre class="highlight">
        F1 D0                                       -- This is a WebAuthn packed rawData object
        81                                          -- TUP and ED set
        00 00 00 01                                 -- (initial) signature counter
        ...                                         -- all public key alg etc.
        A1                                          -- extension: CBOR map of one element
            6C                                      -- Key 1: CBOR text string of 11 bytes
                77 65 62 61 75 74 68 6E 5F 75 76 69 -- "webauthn_uvi" UTF-8 string
            58 20                                   -- Value 1: CBOR byte string with 0x20 bytes
                00 43 B8 E3 BE 27 95 8C             -- the UVI value itself
                28 D5 74 BF 46 8A 85 CF
                46 9A 14 F0 E5 16 69 31
                DA 4B CF FF C1 BB 11 32
                82
    </pre>

## Location Extension ## {#uvi-location}

: Extension identifier
:: `webauthn_loc`

: Client argument
:: The Boolean value `true` to indicate that this extension is requested by the [RP].

: Client processing
:: None, except default forwarding of client argument to authenticator argument.

: Authenticator argument
:: The Boolean value `true`, encoded in CBOR (major type 7, value 21).

: Authenticator processing
:: If the <a>authenticator</a> does not support the extension, then the authenticator MUST ignore the extension request.  
    If the <a>authenticator</a> accepts the extension, then the authenticator SHOULD only add this extension data to a packed 
    attestation or assertion.

: Authenticator data
:: If the <a>authenticator</a> accepts the extension request, then authenticator data SHOULD provide location data in the form of a 
    CBOR-encoded map, with the first value being the extension identifier and the second being an array of returned values.  The array 
    elements SHOULD be derived from (key,value) pairings for each location attribute that the <a>authenticator</a> supports. The following is 
    an example of authenticator data where the returned array is comprised of a {longitude, latitude, altitude} triplet, following the
    coordinate representation defined in <a href=https://dev.w3.org/geo/api/spec-source.html#coordinates_interface>The W3C Geolocation API
    Specification</a>.

    <pre class="highlight">
        F1 D0                                       -- This is a WebAuthn packed rawData object
        81                                          -- TUP and ED set
        00 00 00 01                                 -- (initial) signature counter
        ...                                         -- all public key alg etc.
        A1                                          -- extension: CBOR map of one element
            6C                                      -- Value 1: CBOR text string of 11 bytes
                77 65 62 61 75 74 68 6E 5F 6C 6F 63 -- "webauthn_loc" UTF-8 string
            86                                      -- Value 2: array of 6 elements
                68				    -- Element 1:  CBOR text string of 8 bytes
                   6C 61 74 69 74 75 64 65          -- “latitude” UTF-8 string
                FB ...				    -- Element 2:  Latitude as CBOR encoded double-precision float
                69				    -- Element 3:  CBOR text string of 9 bytes
                   6C 6F 6E 67 69 74 75 64 65       -- “longitude” UTF-8 string
                FB ...				    -- Element 4:  Longitude as CBOR encoded double-precision float
                68				    -- Element 5:  CBOR text string of 8 bytes
                  61 6C 74 69 74 75 64 65           -- “altitude” UTF-8 string
                FB ...				    -- Element 6:  Altitude as CBOR encoded double-precision float
    </pre>
    

## User Verification Mode (UVM) Extension ## {#uvm-extension}

: Extension identifier
:: `webauthn_uvm`

: Client argument
:: The Boolean value true to indicate that this extension is requested by the WebAuthn Relying Party.

: Client processing
:: None, except default forwarding of client argument to authenticator argument.

: Authenticator argument
:: The Boolean value `true`, encoded in CBOR (major type 7, value 21).

: Authenticator processing
:: The <a>authenticator</a> augments the authenticator data with a user verification index indicating the method used by the
    user to authorize the operation, as defined below. This extension can be added to attestation statements and assertions.

: Authenticator data
:: Authenticators can report up to 3 different user verification methods (factors) used in a single authentication instance. 
    To accommodate this possibility the UVM is encoded as CBOR array (major type 4) with a maximum allowed length of 3 -
    * Type 0x81 – only 1 factor was used for authentication.
    * Type 0x82 – 2 factors were used.
    * Type 0x83 – 3 or more factors were used. 
    
    Each data item is in turn a CBOR array of length 3 (type 0x83) with the following data items:
    - Data Item 1 – User Verification Method. This is the authentication method/factor used by the authenticator to verify 
                    the user. Available values are defined in the FIDO Registry of Predefined Values, ‘User Verification 
                    Methods’ section. It is encoded as a CBOR unsigned integer (Major type 0).
    - Data Item 2 – Key Protection Type. This is the method used by the authenticator to protect the FIDO registration 
                    private key material. Available values are defined in the FIDO Registry of Predefined Values, ‘Key 
                    Protection Types’ section. It is encoded as a CBOR 2 byte unsigned short (Major type 0).
    - Data Item 3 – Matcher Protection Type. This is the method used by the authenticator to protect the matcher that 
		    performs user verification. Available values are defined in the FIDO Registry of Predefined Values, 
		    ‘Matcher Protection Types’ section. It is encoded as a CBOR 2 byte unsigned short (Major type 0).

    This is repeated for each factor used in the authentication instance.
    
    If >3 factors can be used in an authentication instance the authenticator vendor must select the 3 factors it believes 
    will be most relevant to the Server to include in the UVM.

    Servers supporting the UVM extension MUST support a length up to 36 bytes for a 3 factor maximum UVM value.  

    Example for rawData containing one UVM extension for a multi-factor authentication instance where 2 factors were used:
    <pre class="highlight">
        F1 D0                  -- This is a WebAuthn packed rawData object
        81                     -- TUP and ED set
        00 00 00 01            -- (initial) signature counter
        ...                    -- all public key alg etc.
        A1                     -- extension: CBOR map of one element
            6C                 -- Key 1: CBOR text string of 12 bytes
                77 65 62 61 75 74 68 6E 2E 75 76 6d -- "webauthn_uvm" UTF-8 string
            82                 -- Value 1: CBOR array of length 2 indicating two factor usage
                83              -- Item 1: CBOR array of length 3
                    02           -- Subitem 1: CBOR integer for User Verification Method Fingerprint 
                    04           -- Subitem 2: CBOR short for Key Protection Type TEE
                    02           -- Subitem 3: CBOR short for Matcher Protection Type TEE
                83              -- Item 2: CBOR array of length 3
                    04           -- Subitem 1: CBOR integer for User Verification Method Passcode 
                    01           -- Subitem 2: CBOR short for Key Protection Type Software
                    01           -- Subitem 3: CBOR short for Matcher Protection Type Software
    </pre>


# IANA Considerations # {#iana-considerations}

This specification registers the algorithm names "S256", "S384", "S512", and "SM3" with the IANA JSON Web Algorithms registry as
defined in section "Cryptographic Algorithms for Digital Signatures and MACs" in [[RFC7518]].

These names follow the naming strategy in <a href="https://tools.ietf.org/html/draft-ietf-oauth-spop-15">
draft-ietf-oauth-spop-15</a>.

<table class="def">
<tbody>
    <tr> <td>Algorithm Name</td>                   <td>"S256"</td> </tr>
    <tr> <td>Algorithm Description</td>            <td>The SHA256 hash algorithm.</td> </tr>
    <tr> <td>Algorithm Usage Location(s)</td>      <td>"alg", i.e., used with JWS.</td> </tr>
    <tr> <td>JOSE Implementation Requirements</td> <td>Optional+</td> </tr>
    <tr> <td>Change Controller</td>                <td><a href='https://fidoalliance.org/contact/'>FIDO Alliance</a></td> </tr>
    <tr> <td>Specification Documents</td>          <td>[[!FIPS-180-4]] </td> </tr>
    <tr> <td>Algorithm Analysis Document(s)</td>   <td>[[SP800-107r1]]</td> </tr>
</tbody>
</table>

<table class="def">
<tbody>
    <tr> <td>Algorithm Name</td>                   <td>"S384"</td> </tr>
    <tr> <td>Algorithm Description</td>            <td>The SHA384 hash algorithm.</td> </tr>
    <tr> <td>Algorithm Usage Location(s)</td>      <td>"alg", i.e., used with JWS.</td> </tr>
    <tr> <td>JOSE Implementation Requirements</td> <td>Optional</td> </tr>
    <tr> <td>Change Controller</td>                <td><a href='https://fidoalliance.org/contact/'>FIDO Alliance</a></td> </tr>
    <tr> <td>Specification Documents</td>          <td>[[!FIPS-180-4]] </td> </tr>
    <tr> <td>Algorithm Analysis Document(s)</td>   <td>[[SP800-107r1]]</td> </tr>
</tbody>
</table>

<table class="def">
<tbody>
    <tr> <td>Algorithm Name</td>                   <td>"S512"</td> </tr>
    <tr> <td>Algorithm Description</td>            <td>The SHA512 hash algorithm.</td> </tr>
    <tr> <td>Algorithm Usage Location(s)</td>      <td>"alg", i.e., used with JWS.</td> </tr>
    <tr> <td>JOSE Implementation Requirements</td> <td>Optional+</td> </tr>
    <tr> <td>Change Controller</td>                <td><a href='https://fidoalliance.org/contact/'>FIDO Alliance</a></td> </tr>
    <tr> <td>Specification Documents</td>          <td>[[!FIPS-180-4]] </td> </tr>
    <tr> <td>Algorithm Analysis Document(s)</td>   <td>[[SP800-107r1]]</td> </tr>
</tbody>
</table>

<table class="def">
<tbody>
    <tr> <td>Algorithm Name</td>                   <td>"SM3"</td> </tr>
    <tr> <td>Algorithm Description</td>            <td>The SM3 hash algorithm.</td> </tr>
    <tr> <td>Algorithm Usage Location(s)</td>      <td>"alg", i.e., used with JWS.</td> </tr>
    <tr> <td>JOSE Implementation Requirements</td> <td>Optional</td> </tr>
    <tr> <td>Change Controller</td>                <td><a href='https://fidoalliance.org/contact/'>FIDO Alliance</a></td> </tr>
    <tr> <td>Specification Documents</td>          <td>[[!OSCCA-SM3]] </td> </tr>
    <tr> <td>Algorithm Analysis Document(s)</td>   <td>N/A</td> </tr>
</tbody>
</table>


# Sample scenarios # {#sample-scenarios}

[INFORMATIVE]

In this section, we walk through some events in the lifecycle of a scoped credential, along with the corresponding sample code
for using this API. Note that this is an example flow, and does not limit the scope of how the API can be used.

As was the case in earlier sections, this flow focuses on a use case involving an external first-factor <a>authenticator</a>
with its own display. One example of such an authenticator would be a smart phone. Other authenticator types are also supported
by this API, subject to implementation by the platform. For instance, this flow also works without modification for the case of
an authenticator that is embedded in the client platform. The flow also works for the case of an authenticator without
its own display (similar to a smart card) subject to specific implementation considerations. Specifically, the client platform
needs to display any prompts that would otherwise be shown by the authenticator, and the authenticator needs to allow the client
platform to enumerate all the authenticator's credentials so that the client can have information to show appropriate prompts.


## Registration ## {#sample-registration}

This is the first-time flow, in which a new credential is created and registered with the server.

1. The user visits example.com, which serves up a script. At this point, the user must already be logged in using a legacy
    username and password, or additional authenticator, or other means acceptable to the [RP].

2. The [RP] script runs the code snippet below.

3. The client platform searches for and locates the authenticator.

4. The client platform connects to the authenticator, performing any pairing actions if necessary.

5. The authenticator shows appropriate UI for the user to select the authenticator on which the new credential will be
    created, and obtains a biometric or other authorization gesture from the user.

6. The authenticator returns a response to the client platform, which in turn returns a response to the [RP] script. If
    the user declined to select an authenticator or provide authorization, an appropriate error is returned.

7. If a new credential was created,
    - The [RP] script sends the newly generated public key to the server, along with additional information about public key
        such as attestation that it is held in trusted hardware.
    - The server stores the public key in its database and associates it with the user as well as with the strength of
        authentication indicated by attestation, also storing a friendly name for later use.
    - The script may store data such as the credential ID in local storage, to improve future UX by narrowing the choice of
        credential for the user.

The sample code for generating and registering a new key follows:

<pre class="example highlight">
    var webauthnAPI = navigator.authentication;

    if (!webauthnAPI) { /* Platform not capable. Handle error. */ }

    var userAccountInformation = {
        rpDisplayName: "Acme",
        displayName: "John P. Smith",
        name: "johnpsmith@example.com",
        id: "1098237235409872",
        imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
    };

    // This Relying Party will accept either an ES256 or RS256 credential, but
    // prefers an ES256 credential.
    var cryptoParams = [
        {
            type: "ScopedCred",
            algorithm: "ES256"
        },
        {
            type: "ScopedCred",
            algorithm: "RS256"
        }
    ];
    var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
    var options = { timeoutSeconds: 300,  // 5 minutes
                    excludeList: [],      // No excludeList
                    extensions: {"webauthn.location": true}  // Include location information
                                                   // in attestation
    };

    // Note: The following call will cause the authenticator to display UI.
    webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge, options)
        .then(function (newCredentialInfo) {
        // Send new credential info to server for verification and registration.
    }).catch(function (err) {
        // No acceptable authenticator or user refused consent. Handle appropriately.
    });
</pre>


## Authentication ## {#sample-authentication}

This is the flow when a user with an already registered credential visits a website and wants to authenticate using the
credential.

1. The user visits example.com, which serves up a script.

2. The script asks the client platform for a WebAuthn identity assertion, providing as much information as possible to narrow
    the choice of acceptable credentials for the user. This may be obtained from the data that was stored locally after
    registration, or by other means such as prompting the user for a username.

3. The <a>[RP]</a> script runs one of the code snippets below.

4. The client platform searches for and locates the authenticator.

5. The client platform connects to the authenticator, performing any pairing actions if necessary.

6. The authenticator presents the user with a notification that their attention is required. On opening the
    notification, the user is shown a friendly selection menu of acceptable credentials using the account information provided
    when creating the credentials, along with some information on the origin that is requesting these keys.

7. The authenticator obtains a biometric or other authorization gesture from the user.

8. The authenticator returns a response to the client platform, which in turn returns a response to the [RP] script.
    If the user declined to select a credential or provide an authorization, an appropriate error is returned.

9. If an assertion was successfully generated and returned,
    - The script sends the assertion to the server.
    - The server examines the assertion and validates that it was correctly generated. If so, it looks up the identity
        associated with the associated public key; that identity is now authenticated. If the public key is not recognized by
        the server (e.g., deregistered by server due to inactivity) then the authentication has failed; each [RP] will handle
        this in its own way.
    - The server now does whatever it would otherwise do upon successful authentication -- return a success page, set
        authentication cookies, etc.

If the [RP] script does not have any hints available (e.g., from locally stored data) to help it narrow the list of credentials,
then the sample code for performing such an authentication might look like this:

<pre class="example highlight">
    var webauthnAPI = navigator.authentication;

    if (!webauthnAPI) { /* Platform not capable. Handle error. */ }

    var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
    var options = {
                    timeoutSeconds = 300,  // 5 minutes
                    allowList: [{ type: "ScopedCred" }]
                  };

    webauthnAPI.getAssertion(challenge, options)
        .then(function (assertion) {
        // Send assertion to server for verification
    }).catch(function (err) {
        // No acceptable credential or user refused consent. Handle appropriately.
    });
</pre>

On the other hand, if the [RP] script has some hints to help it narrow the list of credentials, then the sample code for
performing such an authentication might look like the following. Note that this sample also demonstrates how to use the
extension for transaction authorization.

<pre class="example highlight">
    var webauthnAPI = navigator.authentication;

    if (!webauthnAPI) { /* Platform not capable. Handle error. */ }

    var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
    var acceptableCredential1 = {
        type: "ScopedCred",
        id: "ISEhISEhIWhpIHRoZXJlISEhISEhIQo="
    };
    var acceptableCredential2 = {
        type: "ScopedCred",
        id: "cm9zZXMgYXJlIHJlZCwgdmlvbGV0cyBhcmUgYmx1ZQo="
    };
    
    var options = {
                    timeoutSeconds: 300,  // 5 minutes
                    allowList: [acceptableCredential1, acceptableCredential2];
                    extensions: { 'webauthn.txauth.simple':
                       "Wave your hands in the air like you just don't care" };
                  };

    webauthnAPI.getAssertion(challenge, options)
        .then(function (assertion) {
        // Send assertion to server for verification
    }).catch(function (err) {
        // No acceptable credential or user refused consent. Handle appropriately.
    });
</pre>


## Decommissioning ## {#sample-decommissioning}

The following are possible situations in which decommissioning a credential might be desired. Note that all of these are
handled on the server side and do not need support from the API specified here.

- Possibility #1 -- user reports the credential as lost.
    * User goes to server.example.net, authenticates and follows a link to report a lost/stolen device.
    * Server returns a page showing the list of registered credentials with friendly names as configured during registration.
    * User selects a credential and the server deletes it from its database.
    * In future, the <a>[RP]</a> script does not specify this credential in any list of acceptable credentials, and assertions
        signed by this credential are rejected.

- Possibility #2 -- server deregisters the credential due to inactivity.
    * Server deletes credential from its database during maintenance activity.
    * In the future, the [RP] script does not specify this credential in any list of acceptable credentials, and assertions
        signed by this credential are rejected.

- Possibility #3 -- user deletes the credential from the device.
    * User employs a device-specific method (e.g., device settings UI) to delete a credential from their device.
    * From this point on, this credential will not appear in any selection prompts, and no assertions can be generated with it.
    * Sometime later, the server deregisters this credential due to inactivity.




# Acknowledgements # {#acknowledgements}
We thank the following for their contributions to, and thorough review of, this specification: Jing Jin and Giridhar Mandyam.

<pre class=biblio>
{  
  "Ceremony": {
    "title": "Ceremony Design and Analysis",
    "href": "https://eprint.iacr.org/2007/399.pdf",
    "authors": ["Carl Ellison"],
    "date": "2007"
  },

  "WebAuthn-Registries": {
    "authors": [
        "Jeff Hodges"
    ],
    "date": "June 2016",
    "href": "https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?modeAsFormat=html/ascii&url=https://raw.githubusercontent.com/w3c/webauthn/master/draft-hodges-webauthn-registries.xml#46923110554855074732",
    "publisher": "W3C WebAuthn Working Draft",
    "status": "Active Internet-Draft",
    "title": "Registries for Web Authentication (WebAuthn)",
    "id": "WebAuthn-Registries"
  },
	
  "GeoJSON": {
    "title": "The GeoJSON Format Specification",
    "href": "http://geojson.org/geojson-spec.html"
  },
  
  "SP800-107r1": {
    "title": "NIST Special Publication 800-107: Recommendation for Applications Using Approved Hash Algorithms",
    "href": "http://csrc.nist.gov/publications/nistpubs/800-107-rev1/sp800-107-rev1.pdf",
    "authors": ["Quynh Dang"],
    "date": "August 2012"
  },
  
  "OSCCA-SM3": {
    "title": "SM3 Cryptographic Hash Algorithm",
    "href": "http://www.oscca.gov.cn/UpFile/20101222141857786.pdf",
    "date": "December 2010"
  },
  
  "TPM": {
    "title": "TPM Main Specification",
    "publisher": "Trusted Computing Group",
    "date": "Accessed March 2014",
    "href": "http://www.trustedcomputinggroup.org/resources/tpm_main_specification"
  },
  
  "UAFProtocol": {
    "authors": ["R. Lindemann", "D. Baghdasaryan", "E. Tiffany", "D. Balfanz", "B. Hill", "J. Hodges"],
    "title": "FIDO UAF Protocol Specification v1.0",
    "status": "FIDO Alliance Proposed Standard",
    "href": "https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html"
  },
  
  "FIDOEcdaaAlgorithm": {
    "title": "FIDO ECDAA Algorithm",
    "authors": ["R. Lindemann", "A. Edgington", "R. Urian"],
    "status": "FIDO Alliance Proposed Standard (To Be Published)"
  },
  
  "SEC1": {
    "title": "SEC1: Elliptic Curve Cryptography, Version 2.0",
    "publisher": "Standards for Efficient Cryptography Group",
    "href": "http://www.secg.org/sec1-v2.pdf"
  },
  
  "FIDOMetadataService": {
    "authors": ["R. Lindemann", "B. Hill", "D. Baghdasaryan"],
    "title": "FIDO Metadata Service v1.0",
    "href": "https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-metadata-service-v1.0-ps-20141208.html",
    "status": "FIDO Alliance Proposed Standard"
  },
  
  "TPMv1-2-Part2": {
    "title": "TPM Main Part 2: TPM Structures",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf"
  },
  
  "TPMv1-2-Part3": {
    "title": "TPM Main Part 3: TPM Commands",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-3-TPM-Commands_v1.2_rev116_01032011.pdf"
  },
  
  "TPMv2-Part2": {
    "title": "Trusted Platform Module Library, Part 2: Structures",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.16-1.pdf"
  },
  
  "TPMv2-Part3": {
    "title": "Trusted Platform Module Library, Part 3: Commands",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.16-1.pdf"
  },
  
  "TPMv2-EK-Profile": {
    "title": "TCG EK Credential Profile for TPM Family 2.0",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf"
  },
  
  "TPMv1-2-Credential-Profiles": {
    "title": "TCG Credential Profiles for TPM Family 1.2",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profiles_V1.2_Level2_Revision8.pdf"
  },
  
  "FIDOSecRef": {
    "authors": ["R. Lindemann", "D. Baghdasaryan", "B. Hill"],
    "title": "FIDO Security Reference",
    "href": "https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-security-ref-v1.0-ps-20141208.html",
    "status": "FIDO Alliance Proposed Standard"
  }
}
</pre>