Web Authentication (WebAuthn)

Created
2020-06-11
Last Updated
2020-08-10
Available Formats

XML

HTML

Plain text

Registries included below

WebAuthn Attestation Statement Format Identifiers

Registration Procedure(s)
Specification Required
Expert(s)
Jeff Hodges, Mike Jones, Giridhar Mandyam
Reference
[RFC8809]
Available Formats

CSV
WebAuthn Attestation Statement Format Identifier Description Reference Change Controller Notes
packed The "packed" attestation statement format is a WebAuthn-optimized format for attestation. It uses a very compact but still extensible encoding method. This format is implementable by authenticators with limited resources (e.g., secure elements). [Web Authentication] Section §8.2, Packed Attestation Statement Format [W3C_Web_Authentication_Working_Group]
tpm The TPM attestation statement format returns an attestation statement in the same format as the packed attestation statement format, although the rawData and signature fields are computed differently. [Web Authentication] Section §8.3, TPM Attestation Statement Format [W3C_Web_Authentication_Working_Group]
android-key Platform-provided authenticators based on versions "N", and later, may provide this proprietary "hardware attestation" statement. [Web Authentication] Section §8.4, Android Key Attestation Statement Format [W3C_Web_Authentication_Working_Group]
android-safetynet Android-based, platform-provided authenticators MAY produce an attestation statement based on the Android SafetyNet API. [Web Authentication] Section §8.5, Android SafetyNet Attestation Statement Format [W3C_Web_Authentication_Working_Group]
fido-u2f Used with FIDO U2F authenticators [Web Authentication] Section §8.6, FIDO U2F Attestation Statement Format [W3C_Web_Authentication_Working_Group]

WebAuthn Extension Identifiers

Registration Procedure(s)
Specification Required
Expert(s)
Jeff Hodges, Mike Jones, Giridhar Mandyam
Reference
[RFC8809]
Available Formats

CSV
WebAuthn Extension Identifier Description Reference Change Controller Notes
appid This authentication extension allows WebAuthn Relying Parties that have previously registered a credential using the legacy FIDO JavaScript APIs to request an assertion. [Web Authentication] Section §10.1, FIDO AppID Extension (appid) [W3C_Web_Authentication_Working_Group]
txAuthSimple This registration extension and authentication extension allows for a simple form of transaction authorization. A WebAuthn Relying Party can specify a prompt string, intended for display on a trusted device on the authenticator [Web Authentication] Section §10.2, Simple Transaction Authorization Extension (txAuthSimple) [W3C_Web_Authentication_Working_Group]
txAuthGeneric This registration extension and authentication extension allows images to be used as transaction authorization prompts as well. This allows authenticators without a font rendering engine to be used and also supports a richer visual appearance than accomplished with the webauthn.txauth.simple extension. [Web Authentication] Section §10.3, Generic Transaction Authorization Extension (txAuthGeneric) [W3C_Web_Authentication_Working_Group]
authnSel This registration extension allows a WebAuthn Relying Party to guide the selection of the authenticator that will be leveraged when creating the credential. It is intended primarily for WebAuthn Relying Parties that wish to tightly control the experience around credential creation. [Web Authentication] Section §10.4, Authenticator Selection Extension (authnSel) [W3C_Web_Authentication_Working_Group]
exts This registration extension enables the WebAuthn Relying Party to determine which extensions the authenticator supports. The extension data is a list (CBOR array) of extension identifiers encoded as UTF-8 Strings. This extension is added automatically by the authenticator. This extension can be added to attestation statements. [Web Authentication] Section §10.5, Supported Extensions Extension (exts) [W3C_Web_Authentication_Working_Group]
uvi This registration extension and authentication extension enables use of a user verification index. The user verification index is a value uniquely identifying a user verification data record. The UVI data can be used by servers to understand whether an authentication was authorized by the exact same biometric data as the initial key generation. This allows the detection and prevention of "friendly fraud". [Web Authentication] Section §10.6, User Verification Index Extension (uvi) [W3C_Web_Authentication_Working_Group]
loc The location registration extension and authentication extension provides the client device's current location to the WebAuthn Relying Party, if supported by the client platform and subject to user consent. [Web Authentication] Section §10.7, Location Extension (loc) [W3C_Web_Authentication_Working_Group]
uvm This registration extension and authentication extension enables use of a user verification method. The user verification method extension returns to the WebAuthn Relying Party which user verification methods (factors) were used for the WebAuthn operation. [Web Authentication] Section §10.8, User Verification Method Extension (uvm) [W3C_Web_Authentication_Working_Group]

Contact Information

ID Name Contact URI Last Updated
[W3C_Web_Authentication_Working_Group] W3C Web Authentication Working Group mailto:public-webauthn&w3.org 2020-06-11