WebAuthn Attestation Types

WebAuthn supports several attestation types, defining the semantics of attestation statements and their underlying trust models.

  • Basic Attestation (Basic)

    • This type of attestation contains a signature that is generated by the private key of the attestation key pair.

    • It also includes a certificate that can be used to verify the signature.

    • The certificate might be an end-entity certificate or a batch certificate.

  • Self Attestation (Self)

    • In this case, the private key of the attestation key pair is used for the signature, but unlike Basic Attestation, the certificate here is generated by the authenticator itself, rather than being issued by an external entity.

    • This type of attestation is typically used for authenticators that cannot or do not wish to obtain external attestation.

  • Attestation CA (AttCA)

    • This type of attestation involves a Privacy Certificate Authority (Privacy CA).

    • The authenticator first generates a self attestation and sends it to the Privacy CA.

    • The Privacy CA validates the self attestation and then generates a new certificate that doesn't contain any information that can trace back to a specific authenticator.

    • The purpose of this method is to enhance user privacy.

  • Anonymization CA (AnonCA)

    • This type of attestation is similar in concept to the Attestation CA Attestation, but with a stronger focus on user privacy.

    • In the AnonCA model, the authenticator generates a key pair and sends the public key to the Anonymization CA. The AnonCA then issues a certificate for the public key, but in a way that ensures the certificate cannot be linked back to the original request from the authenticator.

    • This means that even if an attacker has access to both the AnonCA's logs and the attestation statement, they cannot correlate the two and trace back to the individual authenticator or user.

    • The primary goal of the AnonCA is to provide a level of attestation while ensuring that the user's privacy is maintained. The AnonCA acts as a mediator to vouch for the authenticity of the device without revealing its exact identity.

  • No attestation statement (None)

    • This type of attestation does not contain any attestation information.

    • It's simply a structure without any attestation details.

References

PreviousWebAuthn AttestationNextAttestation Statements & Privacy Impacts

Last updated