I tried to create a basic WebAuthn implementation, using the "Web Authentication API" to use the user's biometrics.
There's one thing I don't get and I didn't find the answer online: why do I get an attestation with a format set to 'packed' by default instead of 'fido-u2f'? What am I doing wrong?
Here's the "challenge" I return to the user when he asks for registration:
    {
      challenge: randomBase64URLBuffer(32),
      rp: {
        name: "Fido"
      },
      user: {
        id: id,
        name: username,
        displayName: displayName
      },
      attestation: 'direct',
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },
        { type: "public-key", alg: -257 }
      ]
    }
Then, after formatting the response client-side, I pass it to navigator.credentials.create({ publicKey }) as publicKey.
Once it has been sent back to the API for confirming registration, I decode it with cbor.decodeAllSync(myAttestationBuffer), but all I get is a credential response with fmt set as packed.
I'm a beginner in this matter, so feel free to correct me :) Is there a way to specify which attestation format I want? I'm probably missing something...
Thanks for your help!
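
Added example, not part of the original post: the `fmt` field is chosen by the authenticator, and the `attestation` option in the creation options only sets the conveyance preference, so the server has to dispatch on whatever format arrives. The sketch below decodes a constructed attestationObject with a small inline CBOR reader (standing in for the `cbor` package); `cborDecode`, `inspectAttestation` and the sample bytes are assumptions made for illustration.

```javascript
// Minimal CBOR reader (added example): ints, byte/text strings, arrays, maps only.
function cborDecode(bytes, pos = 0) {
  if (pos >= bytes.length) throw new Error("truncated CBOR");
  const major = bytes[pos] >> 5;
  const info = bytes[pos] & 0x1f;
  pos += 1;
  let len = info;
  if (info >= 24 && info <= 26) {          // 1-, 2- or 4-byte argument follows
    const n = 1 << (info - 24);
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + bytes[pos + i];
    pos += n;
  } else if (info > 26) {
    throw new Error("unsupported CBOR argument encoding");
  }
  if (major === 0) return [len, pos];
  if (major === 1) return [-1 - len, pos];
  if ((major === 2 || major === 3) && pos + len > bytes.length) throw new Error("truncated CBOR");
  if (major === 2) return [bytes.slice(pos, pos + len), pos + len];
  if (major === 3) return [new TextDecoder().decode(bytes.slice(pos, pos + len)), pos + len];
  if (major !== 4 && major !== 5) throw new Error("unsupported CBOR major type " + major);
  const out = major === 4 ? [] : {};
  for (let i = 0; i < len; i++) {
    let key, value;
    if (major === 5) [key, pos] = cborDecode(bytes, pos);
    [value, pos] = cborDecode(bytes, pos);
    if (major === 4) out.push(value); else out[key] = value;
  }
  return [out, pos];
}
// Formats registered for WebAuthn; the server dispatches on fmt, it cannot request one.
const KNOWN_FORMATS = new Set(["packed", "tpm", "android-key", "android-safetynet",
                               "fido-u2f", "apple", "none"]);

function inspectAttestation(attestationObject) {
  const [obj, end] = cborDecode(attestationObject);
  if (end !== attestationObject.length) throw new Error("trailing bytes");
  if (!KNOWN_FORMATS.has(obj.fmt)) throw new Error("unknown fmt: " + obj.fmt);
  if (!(obj.authData instanceof Uint8Array) || obj.authData.length < 37) throw new Error("bad authData");
  const flags = obj.authData[32];          // flags byte follows the 32-byte rpIdHash
  return { fmt: obj.fmt, alg: obj.attStmt.alg,
           userVerified: (flags & 0x04) !== 0, hasCredentialData: (flags & 0x40) !== 0 };
}
// Constructed sample: fmt "packed", alg -7, placeholder sig, authData cut to its 37-byte header.
const hex = "a3" + "63666d74" + "667061636b6564" +
  "6761747453746d74" + "a2" + "63616c67" + "26" + "63736967" + "44deadbeef" +
  "686175746844617461" + "5825" + "00".repeat(32) + "45" + "00000000";
const sample = Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));
console.log(inspectAttestation(sample));
```

Each accepted `fmt` value then needs its own attStmt verification routine; anything outside the set the server implements should fail registration rather than be treated as another format.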