I tried to create a basic WebAuthn implementation, using the "Web Authentication API" to use the user's biometrics.
There's one thing I don't get and I didn't find the answer online: why do I get an attestation with a format set to 'packed' by default instead of 'fido-u2f'? What am I doing wrong?
Here's the "challenge" I return to the user when he asks for registration:

    {
      challenge: randomBase64URLBuffer(32),
      rp: { name: "Fido" },
      user: { id: id, name: username, displayName: displayName },
      attestation: 'direct',
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },
        { type: "public-key", alg: -257 }
      ]
    }
Then, after formatting the response client-side, I pass it to navigator.credentials.create({ publicKey }) as publicKey.
Once it has been sent back to the API for confirming registration, I decode it with cbor.decodeAllSync(myAttestationBuffer), but all I got is a credential response with fmt set as packed.
I'm a beginner in this matter, so feel free to correct me 🙂. Is there a way to specify which attestation format I want? I'm probably missing something …
Thanks for your help!
Answer
The attestation format is determined by what your browser and authenticator support – you cannot request a specific format.
As of the time of writing, Firefox 101.0.1 returns fido-u2f attestation when used with my FIDO2-compatible YubiKey, since it uses the older U2F protocol to communicate. Firefox uses https://github.com/mozilla/authenticator-rs under the hood for this. The same key returns the newer packed attestation format with Chrome 102.0.5005.115.