Webauthn & Passkey demo

Detected capability

Attribute	Value
Secure
U2F
Webauthn
Webauthn.Conditional mediation supported
Webauthn.User-verifying platform authenticator (Platform authenticator supported)

Attribute

Value

Secure

U2F

Webauthn

Webauthn.Conditional mediation supported

Webauthn.User-verifying platform authenticator
(Platform authenticator supported)

Attribute	Value
External URL
Debug enabled

Attribute

Value

External URL

Debug enabled

navigator.credentials

Create



Show/Hide section	Relying Party User Other attributes Credential Exclusion Auth. Selector Attestations Extensions

Attribute	Value	Action	Validations & Guidance
Relying party		Set value	Validation Required PublicKeyCredentialRpEntity
Relying Party ID		Set value	Validations Optional DOMString Valid Domain string Default: origin's effective domain Allowed: Suffix of origin (e.g. origin a1.a2.acme.com, then a2.acme.com & acme.com are allowed) Does not contain scheme or port. Scheme should be https & port is unrestricted
Relying Party Name		Set value	Human palatable name e.g. ACME Corp Validations Required DOMString Formatting: RFC8266: trim space, compact multi-space,NFKC Normalize, non-empty Language & directional encoding: Tag Language(U+E0001), direction(L-R:U+200E,R-L:U+200F,Cancel:U+E007F) May be truncated to 64 bytes by authenticators
User		Set value	Validation Required PublicKeyCredentialUserEntity
User ID		Set value Format	Validations Required BufferSource User.ID + RP.ID combination must be unique in authenticator (or it may override previous discoverable credential) Max size:64 No PII data
User Name		Set value	This may be chosen by user to differentiate with similar display name. Validations Required DOMString Formatting: RFC 8265 (UsernameCasePreserved): NFC Normalize, Bidi Rule, non-empty Language & directional encoding: Tag Language(U+E0001), direction(L-R:U+200E,R-L:U+200F,Cancel:U+E007F) May be truncated to 64 bytes by authenticators
User Display Name		Set value	User must choose it Validations Required DOMString Formatting: RFC8266: trim space, compact multi-space,NFKC Normalize, non-empty Language & directional encoding: Tag Language(U+E0001), direction(L-R:U+200E,R-L:U+200F,Cancel:U+E007F) May be truncated to 64 bytes by authenticators
Other attributes
Challenge		Set value Format	Validations Required BufferSource Generated on Server; stored for validation of response Base64 encoded Randomized with enough entropy to make guessing infeasible Min size: 16 bytes
Public Key credential parameters	Ed25519 ES256 RS256 (?) TODO: Add all the allowed values from the IANA registry	Set value	Validations Required PublicKeyCredentialParameters {type (DOMString/Required):'public-key', alg (long/Required): COSEAlgorithmIdentifier} IANA COSE Algorithms Registry Additional guarantees for credential public key (e.g. not use compressed point form for ES*) in alignment with RFC9053 Guidance Support for RSA discouraged
Timeout (millis)		Set value	Validation Optional unsigned long Guidance Treated as hint & MAY be overridden by client (browser)
Exclude credentials	Click to generate	Set value	Validation Optional Array of PublicKeyCredentialDescriptor that are existing credential mapped to user { type (DOMString/Required): 'public-key', id (BufferSource/Required): Credential ID (rawID of PublicKeyCredential), transports ([]DOMString/Optional): Applicable AuthenticatorTransport (usb/nfc/ble/hybrid/internal) } Guidance New credential not created on authenticator for giver user.id + rp.id if given credential(s) already exists on the authenticator. Guide user to use a diff authenticator or error if that fails. Need to provide credential raw id (is that a security/privacy issue?)TODO: Need analysis
Authenticator Selection		Set value	Validation Optional AuthenticatorSelectionCriteria
Authenticator attachment		Set value	Validation Optional DOMString Allowed values: 'platform'/'cross-platform' Guidance 'platform'(not removable from device)/'cross-platform' (removable) Some platform authenticators can be roaming (e.g. TPM on mobile available through bluetooth) TODO: There is no specific guidance on passkeys in this context
Resident key (Discoverable?)		Set value	Validation Optional DOMString Allowed values: 'discouraged'/'preferred'/'required' Guidance server side credential Preferred supersedes userVerification setting Server side credential: there is no way for RP to know if credential is server side or not & so does not know if creating a second cred with same handle will evict the first (TODO: does this mean that excluded cred must be provided explicitly) Client side discoverable credential can be validated using CredentialPropertiesOutput.rk extension.
Require resident key	Resident key required?	Set value	Validation Optional boolean Default value: false Guidance requireResidentKey must be set to true if residentKey is set to required
User verification		Set value	Validation Optional DOMString Allowed values: required/"preferred"/"discouraged" Default value: preferred Guidance How to handle error condition for preferred?
Attestation		Set value	Validation Optional DOMString Allowed values: "none"/"indirect"/"direct"/"enterprise" Default value: none Guidance Attestation conveyance definition is cyclic in the specification Values none: RP not interested due to avoid user consent save round trip to attestation CA or Anon CA If authenticator generates self-attestation, it is passed through by client. All other attestations are replaced with none by client. indirect: client (e.g. browser) decided which attestation statement is provided. Client may replace authenticator attestation with anonymous attestation (for privacy). No guarantee of receiving verifiable attestation (may receive self-attestation). direct: receive exactly what was generated by authenticator. ??what if there is nothing generated?? enterprise: attestation may include uniquely identifying information. Typically, explicitly configured in client/user agent for specific RP (Relying Party) ID (domain). Client/user agent should not change the value. Types of Attestation: Basic/Batch - Authenticator of same model share same attestation key pair Self - uses credential private key to create attestation signature Attestation CA (AttCA) - Endorsement key stored in TPM used to communicate with Attestation/Privacy CA and get Attestation Identity Key (AIK) Certificate signed. AIK can be generated for each credential and shared as attestation cert with RP. Most recent cert is called "Active" Anonymization CA (AnonCA) - dynamically generated per-credential certificate All attestations are distinguishable only with externally provided knowledge (???) regarding content of att cert.
Preferred Attestation Formats	Packed TPM Android key Android Safetynet API FIDO U2F Apple None	Set value	Validation Optional []DOMString Allowed values IANA WebAuthn Registry Default value: [] Guidance Order value from most preferable to least preferable (Not supported) Parameter is advisory and authenticator may use format not specified.
Extensions		Validations All extension support is optional Allowed values (established by RFC8809 Extension identifier Globally unique Max length: 32 octet Printable USASCII char except \(%x22) and "(%x5c) Version, if required, must be added to name Guidance Types Client extension: processed by client/browser Authenticator extension: passes through client and processed by authenticator Registration : extensions are invoked during the navigator.credentials.create() operation Authentication : extensions are invoked during the navigator.credentials.get() operation Output may be signed (extension) or unsigned (unsignedExtensionOutputs)
FIDO AppID Exclusion Extension (appidExclude)		Set value	Validation USVString FIDO App ID Default value: preferred Guidance Returns 'true' if the extension was acted on otherwise false
Credential Properties (credProps)		Set value	Validation Boolean Guidance Returns 'resident key credential' property as true if created credential is discoverable otherwise it is server-side credential
Pseudo-random function (prf)		Set value	Guidance This is implemented on top of hmac-secret extension Returns enabled=true, if one or two PRF are available for use to create credential. results of evaluating prf Override UserVerificationRequirement setting if provided.
PRF first		Set value	Validation Required BufferSource
PRF second		Set value	Validation Optional BufferSource
Supported extensions (Webauthn 1)		Set value	Validation Boolean Guidance Output a list of extension identifier string
User Verification Index extensions (Webauthn 1)		Set value	Validation Boolean Guidance The user verification index (UVI) is a value uniquely identifying a user verification data record.
Location extensions (Webauthn 1)		Set value	Validation Boolean Guidance Returns Coordinate of location from authenticator record.
User Verification Method extensions (Webauthn 1 & 2)		Set value	Validation Boolean Guidance Returns JSON array of 3-element arrays.
Large Blob storage		Set value	Guidance Allow relying party to store data associated with credential during authentication. Roaming authenticator for cross-platform authenticator using FIDO-CTAP only support for discoverable credential authenticatorSelection.residentKey must be set to required or preferre
Large blob storage		Set value	Validation DOMString LargeBlobSupport (required/preferred)
attr	val	action	val&guide

Attribute	Value	Action	Validations & Guidance
Authenticator attachment type			Validation Optional DOMString Valid values: platform/cross-platform Guidance
Raw ID		Format	Validation Required ArrayBuffer
JSON Representation			Validation Generated RegistrationResponseJSON
ID		Format	Validation Required USVString
Response	Validation Required AuthenticatorResponse AuthenticatorAttestationResponse
clientDataJSON			Validation Required ArrayBuffer Collected Client Data format
	Type			Validations Required DOMString Values: 'webauthn.create'/'webauthn.get'
Challenge		Format	Validations Required DOMString Values: 'webauthn.create'/'webauthn.get'
Origin			Validation Required DOMString RFC6454
Top level Origin			Validation Optional DOMString RFC6454
Cross Origin?			Validation Optional Boolean
Transports			Validation Required Array of DOMString Authenticator transport
Authenticator Data		Format	Validation Required ArrayBuffer
Public Key //TODO: show all algos.		Format	Validation Optional ArrayBuffer DER Subject Public Key Info
Public Key algorithm			Validation Required COSEAlgorithmIdentifier
Attestation Object		Format	Validation Required ArrayBuffer CBOR Format Guidance Contains format, attestation statement (based on format) & Authenticator data Signed by Attestationkey pair
	Attestation Statement
Format			Validation String Required Allowed values (Defined by RFC8809): 'packed'/'tpm'/'android-key'/... Guidance Specifies the format of attestation statement packed (Basic, Self, AttCA) TPM (AttCA) Android Key (Basic) Android SafetyNet (Basic) Fido U2F (Basic, AttCA) None (None) Apple Anonymous (Anonymization CA)
Algorithm to generate signature (alg) TODO: show all algos.			Validation COSEAlgorithmIdentifier Applicable for Android key Packed TPM
Attestation signature (sig)		Format	Validation ArrayBuffer Applicable for Android key Packed TPM U2F
X509 encoded Certificate for attestation (x5c)		Format	Validation ArrayBuffer Applicable for Android key Packed TPM Apple U2F
Key ID (ecdaaKeyId)		Format	Validation ArrayBuffer Applicable for Packed TPM
Version (ver)			Validation String Applicable for Android safetynet TPM
Response (response)		Format	Validation ArrayBuffer Applicable for Android safetynet
TPMS_ATTEST structure (certinfo)		Format	Validation ArrayBuffer Applicable for TPM
TPMT_PUBLIC structure (pubArea)		Format	Validation ArrayBuffer Applicable for TPM
Authenticator Data
RP ID Hash		Format	Validation length 32 bytes SHA256 hash of RP ID TODO: Add validation against given value in option & client JSON
Flags			Validation Length: 1 byte
	Bit 0: User Present[0-absent]
Bit 1: Reserved for future use
Bit 2: User Verified (1-verified)
Bit 3: Backup Eligible (0-single/1-multi-device)
Bit 4: Backup state (1-backed up/0-not backed up)
Bit 5: Reserved for future use
Bit 6: Attested credential data included?
Bit 7: Extension included?
Sign count			Validation 32-bit unsigned big-endian integer Length: 4 bytes Guidance Incremented for each successful authentication Authenticator should implement for each credential (SHOULD) or globally for authenticator(MAY) For each credential (SHOULD) or globally for authenticator(MAY) Help RP detect cloned authenticators by storing it
Attested Credential Data
	AAGUID of authenticator		Format	Validation Length: 16 bytes
Credential ID		Format	Validation Required Credential ID format
Credential Public key		Format	Validation Required RFC9052 COSE Key format



Show/Hide section	Basic Response Collected Client Data Authenticator Data Attested Credential Data Attestation Statement

Attribute			Action	Validations & Guidance
Authenticator attachment type				Validation Optional DOMString Valid values: platform/cross-platform Guidance
Raw ID			Format	Validation Required ArrayBuffer
ID			Format	Validation Required USVString
Response				Validation Required AuthenticatorResponse AuthenticatorAssertionResponse
Signature			Format	Validation Required ArrayBuffer ReadOnly Guidance Signed by private key for selected credential SHA256 hash of authenticator data, clientDataHashRP ID TODO: Add validation against given value in option & client JSON
User handle			Format	Validation Required ArrayBuffer ReadOnly Nullable Guidance User handle returned SHA256 hash of authenticator data, clientDataHashRP ID TODO: Add validation against given value in option & client JSON
clientDataJSON				Validation Required ArrayBuffer Collected Client Data format
	Type			Validations Required DOMString Values: 'webauthn.create'/'webauthn.get'
	Challenge		Format	Validations Required DOMString Values: 'webauthn.create'/'webauthn.get'
	Origin			Validation Required DOMString RFC6454
	Top level Origin			Validation Optional DOMString RFC6454
	Cross Origin?			Validation Optional Boolean
Authenticator Data
RP ID Hash			Format	Validation length 32 bytes SHA256 hash of RP ID TODO: Add validation against given value in option & client JSON
Flags				Validation Length: 1 byte
		Bit 0: User Present[0-absent]
		Bit 1: Reserved for future use
		Bit 2: User Verified (1-verified)
		Bit 3: Backup Eligible (0-single/1-multi-device)
		Bit 4: Backup state (1-backed up/0-not backed up)
		Bit 5: Reserved for future use
		Bit 6: Attested credential data included?
		Bit 7: Extension included?
Sign count				Validation 32-bit unsigned big-endian integer Length: 4 bytes Guidance Incremented for each successful authentication Authenticator should implement for each credential (SHOULD) or globally for authenticator(MAY) For each credential (SHOULD) or globally for authenticator(MAY) Help RP detect cloned authenticators by storing it
Attested Credential Data
	AAGUID of authenticator		Format	Validation Length: 16 bytes
	Credential ID		Format	Validation Required Credential ID format
	Credential Public key		Format	Validation Required RFC9052 COSE Key format
Attestation Object			Format	Validation Required ArrayBuffer CBOR Format Guidance Contains format, attestation statement (based on format) & Authenticator data Signed by Attestationkey pair
	Attestation Statement
	Format			Validation String Required Allowed values (Defined by RFC8809): 'packed'/'tpm'/'android-key'/... Guidance Specifies the format of attestation statement packed (Basic, Self, AttCA) TPM (AttCA) Android Key (Basic) Android SafetyNet (Basic) Fido U2F (Basic, AttCA) None (None) Apple Anonymous (Anonymization CA)
	Signature Algorithm			Validation COSEAlgorithmIdentifier Applicable for Android key Packed TPM
	Attestation signature (sig)		Format	Validation ArrayBuffer Applicable for Android key Packed TPM U2F
	X509 encoded Certificate for attestation (x5c)		Format	Validation ArrayBuffer Applicable for Android key Packed TPM Apple U2F
	Key ID (ecdaaKeyId)		Format	Validation ArrayBuffer Applicable for Packed TPM
	Version (ver)			Validation String Applicable for Android safetynet TPM
	Response (response)		Format	Validation ArrayBuffer Applicable for Android safetynet
	TPMS_ATTEST structure (certinfo)		Format	Validation ArrayBuffer Applicable for TPM
	TPMT_PUBLIC structure (pubArea)		Format	Validation ArrayBuffer Applicable for TPM

New Session Description
Current Sessions

Username

Detected capability

Configuration

Operations

Session

navigator.credentials

Create

Validation

Validations

Validations

Validation

Validations

Validations

Validations

Validations

Validations

Guidance

Validation

Guidance

Validation

Guidance

Validation

Validation

Guidance

Validation

Guidance

Validation

Guidance

Validation

Guidance

Validation

Guidance

Validation

Guidance

Validations

Guidance

Validation

Guidance

Validation

Guidance

Guidance

Validation

Validation

Validation

Guidance

Validation

Guidance

Validation

Guidance

Validation

Guidance

Guidance

Validation

Validation

Guidance

Validation

Validation

Validation

Validation

Validation

Validations

Validations

Validation

Validation

Validation

Validation

Validation

Validation

Validation

Validation

Guidance

Validation

Guidance

Validation

Applicable for

Validation

Applicable for

Validation

Applicable for

Validation

Applicable for