index.bs

<!--   ***********  Web Authentication - Level 1 - Spec source file ***********
Notes:
* the h1 tag is spec title that is rendered within the document window. Wrapping
  may be controlled with break tags.  The spec 'Level' value is not appended.
* the Title metadata value is what is rendered in the browser's titlebar, any break
  tags will be rendered. It also has the spec 'Level' value (gratuitously) appended.
-->

<h1>Web Authentication:<br>An API for accessing Public Key Credentials<br>Level 1</h1>
<pre class='metadata'>
Title: Web Authentication: An API for accessing Public Key Credentials - Level
Status: ED
Prepare for TR: true
TR: https://www.w3.org/TR/webauthn/
ED: https://w3c.github.io/webauthn/
Previous Version: https://www.w3.org/TR/2018/WD-webauthn-20180306/
Previous Version: https://www.w3.org/TR/2017/WD-webauthn-20171205/
Previous Version: https://www.w3.org/TR/2017/WD-webauthn-20170811/
Previous Version: https://www.w3.org/TR/2017/WD-webauthn-20170505/
Previous Version: https://www.w3.org/TR/2017/WD-webauthn-20170216/
Previous Version: https://www.w3.org/TR/2016/WD-webauthn-20161207/
Previous Version: https://www.w3.org/TR/2016/WD-webauthn-20160928/
Previous Version: https://www.w3.org/TR/2016/WD-webauthn-20160902/
Previous Version: https://www.w3.org/TR/2016/WD-webauthn-20160531/
Shortname: webauthn
Level: 1
Editor: Dirk Balfanz, w3cid 47648, Google, balfanz@google.com
Editor: Alexei Czeskis, w3cid 87258, Google, aczeskis@google.com
Editor: Jeff Hodges, w3cid 43843, PayPal, Jeff.Hodges@paypal.com
Editor: J.C. Jones, w3cid 87240, Mozilla, jc@mozilla.com
Editor: Michael B. Jones, w3cid 38745, Microsoft, mbj@microsoft.com
Editor: Akshay Kumar, w3cid 99318, Microsoft, akshayku@microsoft.com
Editor: Angelo Liao, w3cid 94342, Microsoft, huliao@microsoft.com
Editor: Rolf Lindemann, w3cid 84447, Nok Nok Labs, rolf@noknok.com
Editor: Emil Lundberg, Yubico, emil@yubico.com
Former Editor: Vijay Bharadwaj, w3cid 55440, Microsoft, vijay.bharadwaj@microsoft.com
Former Editor: Arnar Birgisson, w3cid 87332, Google, arnarb@google.com
Former Editor: Hubert Le Van Gong, w3cid 84817, PayPal, hlevangong@paypal.com
!Contributors: <a href="mailto:cbrand@google.com">Christiaan Brand</a> (Google)
!Contributors: <a href="mailto:agl@google.com">Adam Langley</a> (Google)
!Contributors: <a href="mailto:mandyam@qti.qualcomm.com">Giridhar Mandyam</a> (Qualcomm)
!Contributors: <a href="mailto:mkwst@google.com">Mike West</a> (Google)
!Contributors: <a href="mailto:Johan.Verrept@vasco.com">Johan Verrept</a> (VASCO Data Security)
!Contributors: <a href="mailto:jyasskin@google.com">Jeffrey Yasskin</a> (Google)
group: webauthn
Issue Tracking: GitHub https://github.com/w3c/webauthn/issues
!Tests: <a href=https://github.com/w3c/web-platform-tests/tree/master/webauthn>web-platform-tests webauthn/</a> (<a href=https://github.com/w3c/web-platform-tests/labels/webauthn>ongoing work</a>)
Text Macro: RP Relying Party
Text Macro: RPS Relying Parties
Text Macro: INFORMATIVE <em>This section is not normative.</em>
Text Macro: WAC WebAuthn Client
Ignored Vars: op, alg, type, algorithm
Abstract: This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based
 credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more [=public key
 credentials=], each scoped to a given [=Relying Party=], are created and stored on an [=authenticator=] by the user agent in
 conjunction with the web application. The user agent mediates access to [=public key credentials=] in order to preserve user
 privacy. [=Authenticators=] are responsible for ensuring that no operation is performed without [=user consent=].
 [=Authenticators=] provide cryptographic proof of their properties to [=relying parties=] via [=attestation=]. This
 specification also describes the functional model for WebAuthn conformant [=authenticators=], including their signature and
 [=attestation=] functionality.
Boilerplate: omit conformance, omit feedback-header, omit abstract-header
Markup Shorthands: css off, markdown on
</pre>


<!-- TODO: Clean out these anchor lists once they appear in Shepherd -->
<pre class="anchors">

spec: ECMAScript; urlPrefix: https://tc39.github.io/ecma262/#
    type: method
        for: JSON; text: stringify; url: sec-json.stringify
    type: dfn
        text: %ArrayBuffer%; url: sec-arraybuffer-constructor
        url: sec-object-internal-methods-and-internal-slots
            text: internal method
            text: internal slot

spec: HTML52; urlPrefix: https://w3c.github.io/html/
    type: dfn
        urlPrefix: browsers.html
            text: origin; url: concept-cross-origin
            text: opaque origin; url: opaque-origin
            text: tuple origin
            text: document.domain; url:dom-document-domain

spec: TokenBinding; urlPrefix: https://tools.ietf.org/html/draft-ietf-tokbind-protocol#
    type: dfn
        text: Token Binding
        text: Token Binding ID; url: section-3.2

spec: credential-management-1; urlPrefix: https://w3c.github.io/webappsec-credential-management/
    type: dictionary
        text: CredentialCreationOptions; url: dictdef-credentialcreationoptions
    type: dictionary
        text: CredentialRequestOptions; url: dictdef-credentialrequestoptions
    for: Credential
        type: method
            text: [[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors)
            text: [[Create]](origin, options, sameOriginWithAncestors)
            text: [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
            text: [[Store]](credential, sameOriginWithAncestors)
    for: CredentialsContainer
        type: method
            text: create(); url: dom-credentialscontainer-create
    type: dfn
        text: signal
        text: same-origin with its ancestors; url: same-origin-with-its-ancestors

spec: Geolocation-API; urlPrefix: https://dev.w3.org/geo/api/spec-source.html
    type: interface
        text: Coordinates; url: coordinates_interface

spec: mixed-content; urlPrefix: www.w3.org/TR/mixed-content/
    type: dfn
        text: a priori authenticated

spec: page-visibility; urlPrefix: https://www.w3.org/TR/page-visibility/
    type: dfn
        text: visibility states

spec: WHATWG HTML; urlPrefix: https://html.spec.whatwg.org/
    type: dfn 
        text: focus
        text: username; url: attr-fe-autocomplete-username

spec: FIDO-CTAP; urlPrefix: https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html
    type: dfn
        text: CTAP2 canonical CBOR encoding form; url: ctap2-canonical-cbor-encoding-form

spec: FIDO-APPID; urlPrefix: https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-appid-and-facets-v1.2-ps-20170411.html
    type: dfn
        text: determining the FacetID of a calling application; url: determining-the-facetid-of-a-calling-application
        text: determining if a caller's FacetID is authorized for an AppID; url: determining-if-a-caller-s-facetid-is-authorized-for-an-appid

</pre> <!-- class=anchors -->

<!-- L128 spec:webappsec-credential-management-1; type:dictionary; for:/; text:CredentialRequestOptions -->

<pre class="link-defaults">
spec:credential-management; type:dfn; text:credentials
spec:html; type:dfn; for:environment settings object; text:global object
spec:infra; type:dfn; for:/; text:set
spec:infra; type:dfn; text:list
spec:infra; type:dfn; for:struct; text:item
spec:url; type:dfn; text:domain
spec:url; type:dfn; for:url; text:host
spec:url; type:dfn; text:valid domain;
spec:webidl; type:interface; text:Promise
</pre>

<pre class=biblio>
{
    "IANA-COSE-ALGS-REG": {
        "href": "https://www.iana.org/assignments/cose/cose.xhtml#algorithms",
        "title": "IANA CBOR Object Signing and Encryption (COSE) Algorithms Registry",
        "publisher": "IANA"
    },

    "Feature-Policy": {
        "href": "https://wicg.github.io/feature-policy/",
        "title": "Feature Policy",
        "publisher": "WICG: Web Incubator Community Group",
        "status": "Draft Community Group Report"
    }
}
</pre>


# Introduction # {#intro}

[INFORMATIVE]

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based
credentials by web applications, for the purpose of strongly authenticating users. A [=public key credential=] is
created and stored by an <em>[=authenticator=]</em> at the behest of a <em>[=[RP]=]</em>, subject to <em>[=user
consent=]</em>. Subsequently, the [=public key credential=] can only be accessed by [=origins=] belonging to that [=[RP]=].
This scoping is enforced jointly by <em>[=conforming User Agents=]</em> and <em>[=authenticators=]</em>.
Additionally, privacy across [=[RPS]=] is maintained; [=[RPS]=] are not able to detect any properties, or even
the existence, of credentials scoped to other [RPS].

[=[RPS]=] employ the [=Web Authentication API=] during two distinct, but related, [=ceremonies=] involving a user. The first
is [=Registration=], where a [=public key credential=] is created on an [=authenticator=], and associated by a [=[RP]=]
with the present user's account (the account MAY already exist or MAY be created at this time). The second is
[=Authentication=], where the [=[RP]=] is presented with an <em>[=Authentication Assertion=]</em> proving the presence
and [=user consent|consent=] of the user who registered the [=public key credential=]. Functionally, the [=Web Authentication
API=] comprises a {{PublicKeyCredential}} which extends the Credential Management API [[!CREDENTIAL-MANAGEMENT-1]], and
infrastructure which allows those credentials to be used with {{CredentialsContainer/create()|navigator.credentials.create()}} and
{{CredentialsContainer/get()|navigator.credentials.get()}}. The former is used during [=Registration=], and the
latter during [=Authentication=].

Broadly, compliant [=authenticators=] protect [=public key credentials=], and interact with user agents to implement the
[=Web Authentication API=]. Some authenticators MAY run on the same computing device (e.g., smart phone, tablet, desktop PC) as
the user agent is running on. For instance, such an authenticator might consist of a Trusted Execution Environment (TEE) applet,
a Trusted Platform Module (TPM), or a Secure Element (SE) integrated into the computing device in conjunction with some means
for [=user verification=], along with appropriate platform software to mediate access to these components' functionality. Other
authenticators MAY operate autonomously from the computing device running the user agent, and be accessed over a transport such
as Universal Serial Bus (USB), Bluetooth Low Energy (BLE) or Near Field Communications (NFC).


## Use Cases ## {#use-cases}

The below use case scenarios illustrate use of two very different types of [=authenticators=], as well as outline further
scenarios. Additional scenarios, including sample code, are given later in [[#sample-scenarios]].

### Registration ### {#usecase-registration}

- On a phone:
    * User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using
        (possibly a legacy method such as a password), or creates a new account.
    * The phone prompts, "Do you want to register this device with example.com?"
    * User agrees.
    * The phone prompts the user for a previously configured [=authorization gesture=] (PIN, biometric, etc.); the user
        provides this.
    * Website shows message, "Registration complete."


### Authentication ### {#usecase-authentication}

- On a laptop or desktop:
    * User navigates to example.com in a browser, sees an option to "Sign in with your phone."
    * User chooses this option and gets a message from the browser, "Please complete this action on your phone."

- Next, on their phone:
    * User sees a discrete prompt or notification, "Sign in to example.com."
    * User selects this prompt / notification.
    * User is shown a list of their example.com identities, e.g., "Sign in as Alice / Sign in as Bob."
    * User picks an identity, is prompted for an [=authorization gesture=] (PIN, biometric, etc.) and provides this.

- Now, back on the laptop:
    * Web page shows that the selected user is signed in, and navigates to the signed-in page.


### Other use cases and configurations ### {#other-configurations}

A variety of additional use cases and configurations are also possible, including (but not limited to):

- A user navigates to example.com on their laptop, is guided through a flow to create and register a credential on their phone.

- A user obtains a discrete, [=roaming authenticator=], such as a "fob" with USB or USB+NFC/BLE connectivity options, loads
    example.com in their browser on a laptop or phone, and is guided though a flow to create and register a credential on the
    fob.

- A [=[RP]=] prompts the user for their [=authorization gesture=] in order to authorize a single transaction, such as a payment
    or other financial transaction.

# Conformance # {#conformance}

This specification defines three conformance classes. Each of these classes is specified so that conforming members of the class
are secure against non-conforming or hostile members of the other classes.

## User Agents ## {#conforming-user-agents}

A User Agent MUST behave as described by [[#api]] in order to be considered conformant. [=Conforming User Agents=] MAY implement
algorithms given in this specification in any way desired, so long as the end result is indistinguishable from the result that
would be obtained by the specification's algorithms.

A conforming User Agent MUST also be a conforming implementation of the IDL fragments of this specification, as described in the
“Web IDL” specification. [[!WebIDL-1]]

## Authenticators ## {#conforming-authenticators}

An [=authenticator=] MUST provide the operations defined by [[#sctn-authenticator-model]], and those operations MUST behave as
described there. This is a set of functional and security requirements for an authenticator to be usable by a [=Conforming User
Agent=].

As described in [[#use-cases]], an authenticator may be implemented in the operating system underlying the User Agent, or in
external hardware, or a combination of both.

### Backwards Compatibility with FIDO U2F ### {#conforming-authenticators-u2f}

[=Authenticators=] that only support the [[#fido-u2f-attestation]] have no mechanism to store a
[=user handle=], so the returned {{AuthenticatorAssertionResponse/userHandle}} will always be null.

## [RPS] ## {#conforming-relying-parties}

A [=[RP]=] MUST behave as described in [[#rp-operations]] to obtain the security benefits offered by this specification.

## All Conformance Classes ## {#conforming-all-classes}

All [=CBOR=] encoding performed by the members of the above conformance classes MUST be done using the
[=CTAP2 canonical CBOR encoding form=].
All decoders of the above conformance classes SHOULD reject CBOR that is not validly encoded
in the [=CTAP2 canonical CBOR encoding form=] and SHOULD reject messages with duplicate map keys.


# Dependencies # {#dependencies}

This specification relies on several other underlying specifications, listed
below and in [[#index-defined-elsewhere]].

: Base64url encoding
:: The term <dfn>Base64url Encoding</dfn> refers to the base64 encoding using the URL- and filename-safe character set defined
    in Section 5 of [[!RFC4648]], with all trailing '=' characters omitted (as permitted by Section 3.2) and without the
    inclusion of any line breaks, whitespace, or other additional characters.

: CBOR
:: A number of structures in this specification, including attestation statements and extensions, are encoded using the
    [=CTAP2 canonical CBOR encoding form=] of the Compact Binary Object Representation (<dfn>CBOR</dfn>) [[!RFC7049]],
    as defined in [[!FIDO-CTAP]].

: CDDL
:: This specification describes the syntax of all [=CBOR=]-encoded data using the CBOR Data Definition Language (CDDL) [[!CDDL]].

: COSE
:: CBOR Object Signing and Encryption (COSE) [[!RFC8152]].  The IANA COSE Algorithms registry established by this specification is also used.

:  Credential Management
:: The API described in this document is an extension of the {{Credential}} concept defined in [[!CREDENTIAL-MANAGEMENT-1]].

: DOM
:: {{DOMException}} and the DOMException values used in this specification are defined in [[!DOM4]].

: ECMAScript
:: [=%ArrayBuffer%=] is defined in [[!ECMAScript]].

: HTML
:: The concepts of [=relevant settings object=], [=origin=],
    [=opaque origin=], and [=is a registrable domain suffix of or is equal to=] are defined in [[!HTML52]].

: Web IDL
:: Many of the interface definitions and all of the IDL in this specification depend on [[!WebIDL-1]]. This updated version of
    the Web IDL standard adds support for {{Promise}}s, which are now the preferred mechanism for asynchronous
    interaction in all new web APIs.

: FIDO AppID
:: The algorithms for [=determining the FacetID of a calling application=] and
    [=determining if a caller's FacetID is authorized for an AppID=] (used only in
    the `appid` extension) are defined by [[!FIDO-APPID]].

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
"OPTIONAL" in this document are to be interpreted as described in [[!RFC2119]].


# Terminology # {#terminology}

: <dfn>Assertion</dfn>
:: See [=Authentication Assertion=].

: <dfn>Attestation</dfn>
:: Generally, <em>attestation</em> is a statement serving to bear witness, confirm, or authenticate.
    In the WebAuthn context, [=attestation=] is employed to <em>attest</em> to the <em>provenance</em> of an [=authenticator=]
    and the data it emits; including, for example: [=credential IDs=], [=credential key pairs=], signature counters, etc. An
    [=attestation statement=] is conveyed in an [=attestation object=] during [=registration=]. See also [[#sctn-attestation]]
    and [Figure 3](#fig-attStructs). Whether or how the client platform conveys the [=attestation statement=] and [=AAGUID=] 
    portions of the [=attestation object=] to the [=[RP]=] is described by [=attestation conveyance=].

: <dfn>Attestation Certificate</dfn>
:: A X.509 Certificate for the <dfn>attestation key pair</dfn> used by an [=authenticator=] to attest to its manufacture
    and capabilities. At [=registration=] time, the [=authenticator=] uses the <dfn>attestation private key</dfn> to sign
    the [=[RP]=]-specific [=credential public key=] (and additional data) that it generates and returns via the
    [=authenticatorMakeCredential=] operation. [=[RPS]=] use the <dfn>attestation public key</dfn> conveyed in the [=attestation
    certificate=] to verify the [=attestation signature=]. Note that in the case of [=self attestation=], the
    [=authenticator=] has no distinct [=attestation key pair=] nor [=attestation certificate=], see [=self
    attestation=] for details.

: <dfn>Authentication</dfn>
:: The [=ceremony=] where a user, and the user's computing device(s) (containing at least one [=authenticator=]) work in
    concert to cryptographically prove to a [=[RP]=] that the user controls the [=credential private key=] associated with a
    previously-registered [=public key credential=] (see [=Registration=]). Note that this includes a [=test of user presence=] or
    [=user verification=].

: <dfn>Authentication Assertion</dfn>
:: The cryptographically signed {{AuthenticatorAssertionResponse}} object returned by an [=authenticator=] as the result of an
    [=authenticatorGetAssertion=] operation.

    This corresponds to the [[CREDENTIAL-MANAGEMENT-1]] specification's single-use <a
    spec="credential-management">credentials</a>.

: <dfn>Authenticator</dfn>
:: A cryptographic entity used by a [=[WAC]=] to (i) generate a [=public key credential=] and register it with a [=[RP]=],
    and (ii) [=authentication|authenticate=] by potentially [=user verification|verifying the user=], and then 
    cryptographically signing and returning, in the form of an [=Authentication Assertion=], 
    a challenge and other data presented by a [=[RP]=] (in concert with the [=[WAC]=]).

: <dfn>Authorization Gesture</dfn>
:: An [=authorization gesture=] is a physical interaction performed by a user with an authenticator as part of a [=ceremony=],
    such as [=registration=] or [=authentication=]. By making such an [=authorization gesture=], a user [=user consent|provides
    consent=] for (i.e., <em>authorizes</em>) a [=ceremony=] to proceed. This MAY involve [=user verification=] if the
    employed [=authenticator=] is capable, or it MAY involve a simple [=test of user presence=].

: <dfn>Biometric Recognition</dfn>
:: The automated recognition of individuals based on their biological and behavioral characteristics [[ISOBiometricVocabulary]].

: <dfn>Biometric Authenticator</dfn>
:: Any [=authenticator=] that implements [=biometric recognition=].

: <dfn>Ceremony</dfn>
:: The concept of a [=ceremony=] [[Ceremony]] is an extension of the concept of a network protocol, with human nodes alongside
    computer nodes and with communication links that include user interface(s), human-to-human communication, and transfers of
    physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony. In this specification,
    [=Registration=] and [=Authentication=] are ceremonies, and an [=authorization gesture=] is often a component of
    those [=ceremonies=].

: <dfn>Client</dfn>
:: See [=WebAuthn Client=], [=Conforming User Agent=].

: <dfn>Client-Side</dfn>
:: This refers in general to the combination of the user's platform device, user agent, authenticators, and everything gluing
    it all together.

: <dfn>Client-side-resident Credential Private Key</dfn>
:: A [=Client-side-resident Credential Private Key=] is stored either on the client platform, or in some cases on the
    authenticator itself, e.g., in the case of a discrete first-factor roaming authenticator. Such <dfn>client-side credential
    private key storage</dfn> has the property that the authenticator is able to select the [=credential private key=] given
    only an [=RP ID=], possibly with user assistance (e.g., by providing the user a pick list of credentials associated with the RP
    ID). By definition, the private key is always exclusively controlled by the Authenticator. In the case of a
    [=Client-side-resident Credential Private Key=], the Authenticator might offload storage of wrapped key material to the
    client platform, but the client platform is not expected to offload the key storage to remote entities (e.g. RP Server).

: <dfn>Conforming User Agent</dfn>
:: A user agent implementing, in conjunction with the underlying platform, the [=Web Authentication API=] and algorithms
    given in this specification, and handling communication between [=authenticators=] and [=[RPS]=].

: <dfn>Credential ID</dfn>
:: A probabilistically-unique [=byte sequence=] identifying a [=public key credential source=] and its [=authentication assertions=].

    Credential IDs are generated by [=authenticators=] in two forms:
    1. At least 16 bytes that include at least 100 bits of entropy, or
    1. The [=public key credential source=], without its [=Credential ID=], encrypted so only its [=managing authenticator=] can
        decrypt it. This form allows the [=authenticator=] to be nearly stateless, by having the [=[RP]=] store any necessary
        state.

        Note: [[FIDO-UAF-AUTHNR-CMDS]] includes guidance on encryption techniques under "Security Guidelines".

    [=[RPS]=] do not need to distinguish these two [=Credential ID=] forms.

: <dfn>Credential Public Key</dfn>
:: The public key portion of a [=[RP]=]-specific <dfn>credential key pair</dfn>, generated by an [=authenticator=] and
    returned to a [=[RP]=] at [=registration=] time (see also [=public key credential=]). The private key portion of the
    [=credential key pair=] is known as the <dfn>credential private key</dfn>. Note that in the case of [=self
    attestation=], the [=credential key pair=] is also used as the [=attestation key pair=], see [=self attestation=]
    for details.

: <dfn>Human Palatability</dfn>
:: An identifier that is [=human palatability|human-palatable=] is intended to be rememberable and reproducible by typical human
    users, in contrast to identifiers that are, for example, randomly generated sequences of bits [[EduPersonObjectClassSpec]].

: <dfn>Public Key Credential Source</dfn>
:: A [=credential source=] ([[CREDENTIAL-MANAGEMENT-1]]) used by an [=authenticator=] to generate [=authentication assertions=]. A [=public key credential source=] consists of a [=struct=] with the following [=struct/items=]:

    <dl dfn-for="public key credential source">
        :   <dfn>type</dfn>
        ::  whose value is of {{PublicKeyCredentialType}}, defaulting to {{public-key}}.

        :   <dfn>id</dfn>
        ::  A [=Credential ID=].

        :   <dfn>privateKey</dfn>
        ::  The [=credential private key=].

        :   <dfn>rpId</dfn>
        ::  The [=Relying Party Identifier=], for the [=[RP]=] this [=public key credential source=] is associated with.

        :   <dfn>userHandle</dfn>
        ::  The [=user handle=] associated when this [=public key credential source=] was created. This [=struct/item=] is
            nullable.

        :   <dfn>otherUI</dfn>
        ::  Optional other information used by the [=authenticator=] to inform its UI. For example, this might include the user's
            {{displayName}}.
    </dl>

    The [=authenticatorMakeCredential=] operation creates a [=public key credential source=] bound to a <dfn for="public key
    credential source">managing authenticator</dfn> and returns the [=credential public key=] associated with its [=credential
    private key=]. The [=[RP]=] can use this [=credential public key=] to verify the [=authentication assertions=] created by
    this [=public key credential source=].

: <dfn>Public Key Credential</dfn>
:: Generically, a *credential* is data one entity presents to another in order to *authenticate* the former to the latter
    [[RFC4949]]. The term [=public key credential=] refers to one of: a [=public key credential source=], the
    possibly-[=attestation|attested=] [=credential public key=] corresponding to a [=public key credential source=], or an
    [=authentication assertion=]. Which one is generally determined by context.

    <div class="note">
        Note: This is a [=willful violation=] of [[RFC4949]]. In English, a "credential" is both a) the thing presented to prove
        a statement and b) intended to be used multiple times. It's impossible to achieve both criteria securely with a single
        piece of data in a public key system. [[RFC4949]] chooses to define a credential as the thing that can be used multiple
        times (the public key), while this specification gives "credential" the English term's flexibility. This specification
        uses more specific terms to identify the data related to an [[RFC4949]] credential:

        : "Authentication information" (possibly including a private key)
        :: [=Public key credential source=]
        : "Signed value"
        :: [=Authentication assertion=]
        : [[RFC4949]] "credential"
        :: [=Credential public key=] or [=attestation object=]
    </div>

    At [=registration=] time, the [=authenticator=] creates an asymmetric key pair, and stores its [=credential private
    key|private key portion=] and information from the [=[RP]=] into a [=public key credential source=]. The [=credential public
    key|public key portion=] is returned to the [=[RP]=], who then stores it in conjunction with the present user's account.
    Subsequently, only that [=[RP]=], as identified by its [=RP ID=], is able to employ the [=public key credential=] in
    [=authentication|authentication ceremonies=], via the {{CredentialsContainer/get()}} method. The [=[RP]=] uses its stored
    copy of the [=credential public key=] to verify the resultant [=authentication assertion=].

: <dfn>Rate Limiting</dfn>
:: The process (also known as throttling) by which an authenticator implements controls against brute force attacks by limiting
    the number of consecutive failed authentication attempts within a given period of time. If the limit is reached, the
    authenticator should impose a delay that increases exponentially with each successive attempt, or disable the current
    authentication modality and offer a different authentication factor if available. Rate limiting is often implemented as an
    aspect of [=user verification=].

: <dfn>Registration</dfn>
:: The [=ceremony=] where a user, a [=[RP]=], and the user's computing device(s) (containing at least one
    [=authenticator=]) work in concert to create a [=public key credential=] and associate it with the user's [=[RP]=] account.
    Note that this includes employing a [=test of user presence=] or [=user verification=].

: <dfn>[RP]</dfn>
:: The entity whose web application utilizes the [=Web Authentication API=] to register and authenticate users. See
    [=Registration=] and [=Authentication=], respectively.

        Note: While the term [=[RP]=] is used in other contexts (e.g., X.509 and OAuth), an entity acting as a [=[RP]=] in one
        context is not necessarily a [=[RP]=] in other contexts.

: <dfn>Relying Party Identifier</dfn>
: <dfn>RP ID</dfn>
:: A [=valid domain string=] that identifies the [=[RP]=] on whose behalf a given [=registration=] or
    [=authentication|authentication ceremony=] is being performed. A [=public key credential=] can only be used for
    [=authentication=] with the same entity (as identified by [=RP ID=]) it was registered with. By default, the [=RP ID=] for a
    WebAuthn operation is set to the caller's [=environment settings object/origin=]'s [=effective domain=]. This default MAY be
    overridden by the caller, as long as the caller-specified [=RP ID=] value [=is a registrable domain suffix of or is equal
    to=] the caller's [=environment settings object/origin=]'s [=effective domain=]. See also [[#createCredential]] and
    [[#getAssertion]].

    <div class="note" id="note-pkcredscope">
        Note: A [=Public key credential=]'s scope is for a [=[RP]=]'s [=origin=], with the following <em>restrictions</em> and
            <em>relaxations</em>:
            - The scheme is always `https` (i.e., <em>a restriction</em>), and,
            - the host may be equal to the [=[RP]=]'s [=origin=]'s [=effective domain=], or it may be equal to a registrable
                domain suffix of the [=[RP]=]'s [=origin=]'s [=effective domain=] (i.e., <em>an available relaxation</em>), and,
            - all (TCP) ports on that host (i.e., <em>a relaxation</em>).

        This is done in order to match the behavior of pervasively deployed ambient credentials (e.g., cookies, [[RFC6265]]).
        Please note that this is a greater relaxation of "same-origin" restrictions than what
        [=document.domain=]'s setter provides.
    </div>

: <dfn>Test of User Presence</dfn>
:: A [=test of user presence=] is a simple form of [=authorization gesture=] and technical process where a user interacts with
    an [=authenticator=] by (typically) simply touching it (other modalities may also exist), yielding a boolean result. Note
    that this does not constitute [=user verification=] because a [=test of user presence|user presence test=], by definition,
    is not capable of [=biometric recognition=], nor does it involve the presentation of a shared secret such as a password or
    PIN.

: <dfn>User Consent</dfn>
:: User consent means the user agrees with what they are being asked, i.e., it encompasses reading and understanding prompts.
    An [=authorization gesture=] is a [=ceremony=] component often employed to indicate [=user consent=].

: <dfn>User Handle</dfn>
:: The user handle is specified by a [=[RP]=] and is a unique identifier for a user account with that [=[RP]=]. A user handle is
    an opaque [=byte sequence=] with a maximum size of 64 bytes.

    The user handle is not meant to be displayed to the user, but is used by the [=[RP]=] to control the number of credentials - an
    authenticator will never contain more than one credential for a given [=[RP]=] under the same user handle.

: <dfn>User Verification</dfn>
:: The technical process by which an [=authenticator=] <em>locally authorizes</em> the invocation of the
    [=authenticatorMakeCredential=] and [=authenticatorGetAssertion=] operations. [=User verification=] MAY be instigated
    through various [=authorization gesture=] modalities; for example, through a touch plus pin code, password entry, or
    [=biometric recognition=] (e.g., presenting a fingerprint) [[ISOBiometricVocabulary]]. The intent is to be able to
    distinguish individual users. Note that invocation of the [=authenticatorMakeCredential=] and [=authenticatorGetAssertion=]
    operations implies use of key material managed by the authenticator. Note that for security, [=user verification=] and use
    of [=credential private keys=] must occur within a single logical security boundary defining the [=authenticator=].

: <dfn id=concept-user-present>User Present</dfn>
: <dfn>UP</dfn>
:: Upon successful completion of a [=test of user presence|user presence test=], the user is said to be
    "[=user present|present=]".

: <dfn id=concept-user-verified>User Verified</dfn>
: <dfn>UV</dfn>
:: Upon successful completion of a [=user verification=] process, the user is said to be "[=user verified|verified=]".

: <dfn>[WAC]</dfn>
:: Also referred to herein as simply a [=client=]. See also [=Conforming User Agent=]. A [=[WAC]=] is an intermediary entity typically implemented in the user agent (in whole, or in part). Conceptually, it underlies the [=Web Authentication API=] and embodies the implementation of the {{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)}} and {{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)}} [=internal methods=]. It is responsible for both marshalling the inputs for the underlying [=authenticator operations=], and for returning the results of the latter operations to the [=Web Authentication API=]'s callers.


# <dfn>Web Authentication API</dfn> # {#api}

This section normatively specifies the API for creating and using [=public key credentials=]. The basic
idea is that the credentials belong to the user and are managed by an authenticator, with which the [=[RP]=] interacts through the
client (consisting of the browser and underlying OS platform). Scripts can (with the [=user consent|user's consent=]) request the
browser to create a new credential for future use by the [=[RP]=]. Scripts can also request the user’s permission to perform
authentication operations with an existing credential. All such operations are performed in the authenticator and are mediated by
the browser and/or platform on the user's behalf. At no point does the script get access to the credentials themselves; it only
gets information about the credentials in the form of objects.

In addition to the above script interface, the authenticator MAY implement (or come with client software that implements) a user
interface for management. Such an interface MAY be used, for example, to reset the authenticator to a clean state or to inspect
the current state of the authenticator. In other words, such an interface is similar to the user interfaces provided by browsers
for managing user state such as history, saved passwords, and cookies. Authenticator management actions such as credential
deletion are considered to be the responsibility of such a user interface and are deliberately omitted from the API exposed to
scripts.

The security properties of this API are provided by the client and the authenticator working together. The authenticator, which
holds and manages credentials, ensures that all operations are scoped to a particular [=origin=], and cannot be replayed against
a different [=origin=], by incorporating the [=origin=] in its responses. Specifically, as defined in [[#authenticator-ops]],
the full [=origin=] of the requester is included, and signed over, in the [=attestation object=] produced when a new credential
is created as well as in all assertions produced by WebAuthn credentials.

Additionally, to maintain user privacy and prevent malicious [=[RPS]=] from probing for the presence of [=public key
credentials=] belonging to other [=[RPS]=], each [=public key credential|credential=] is also associated with a [=Relying Party
Identifier=], or [=RP ID=]. This [=RP ID=] is provided by the client to the [=authenticator=] for all operations, and the
[=authenticator=] ensures that [=public key credential|credentials=] created by a [=[RP]=] can only be used in operations
requested by the same [=RP ID=]. Separating the [=origin=] from the [=RP ID=] in this way allows the API to be used in cases
where a single [=[RP]=] maintains multiple [=origins=].

The client facilitates these security measures by providing the [=[RP]=]'s [=origin=] and [=RP ID=] to the [=authenticator=] for
each operation. Since this is an integral part of the WebAuthn security model, user agents only expose this API to callers in
[=secure contexts=].

The Web Authentication API is defined by the union of the Web IDL fragments presented in the following sections. A combined IDL
listing is given in the [[#idl-index]].

## <dfn interface>PublicKeyCredential</dfn> Interface ## {#iface-pkcredential}

The {{PublicKeyCredential}} interface inherits from {{Credential}} [[!CREDENTIAL-MANAGEMENT-1]], and contains the attributes
that are returned to the caller when a new credential is created, or a new assertion is requested.

<xmp class="idl">
    [SecureContext, Exposed=Window]
    interface PublicKeyCredential : Credential {
        [SameObject] readonly attribute ArrayBuffer              rawId;
        [SameObject] readonly attribute AuthenticatorResponse    response;
        AuthenticationExtensionsClientOutputs getClientExtensionResults();
    };
</xmp>
<dl dfn-type="attribute" dfn-for="PublicKeyCredential">
    :   {{Credential/id}}
    ::  This attribute is inherited from {{Credential}}, though {{PublicKeyCredential}} overrides {{Credential}}'s getter,
        instead returning the [=base64url encoding=] of the data contained in the object's
        {{PublicKeyCredential/[[identifier]]}} [=internal slot=].

    :   {{PublicKeyCredential/rawId}}
    ::  This attribute returns the {{ArrayBuffer}} contained in the {{PublicKeyCredential/[[identifier]]}} internal slot.

    :   <dfn>response</dfn>
    ::  This attribute contains the [=authenticator=]'s response to the client's request to either create a [=public key
        credential=], or generate an [=authentication assertion=]. If the {{PublicKeyCredential}} is created in response to
        {{CredentialsContainer/create()}}, this attribute's value will be an {{AuthenticatorAttestationResponse}}, otherwise,
        the {{PublicKeyCredential}} was created in response to {{CredentialsContainer/get()}}, and this attribute's value
        will be an {{AuthenticatorAssertionResponse}}.

    :   {{PublicKeyCredential/getClientExtensionResults()}}
    ::  This operation returns the value of {{PublicKeyCredential/[[clientExtensionsResults]]}}, which is a [=map=] containing
        [=extension identifier=] → [=client extension output=] entries produced by the extension's
        [=client extension processing=].

    :   <dfn>\[[type]]</dfn>
    ::  The {{PublicKeyCredential}} [=interface object=]'s {{Credential/[[type]]}} [=internal slot=]'s value is the string
        "`public-key`".

        Note: This is reflected via the {{Credential/type}} attribute getter inherited from {{Credential}}.

    :   <dfn>\[[discovery]]</dfn>
    ::  The {{PublicKeyCredential}} [=interface object=]'s {{Credential/[[discovery]]}} [=internal slot=]'s value is
        "{{Credential/[[discovery]]/remote}}".

    :   <dfn>\[[identifier]]</dfn>
    ::  This [=internal slot=] contains the [=credential ID=], chosen by the platform with help from the authenticator.
        The [=credential ID=] is used to look up credentials for use, and is therefore expected to be globally unique
        with high probability across all credentials of the same type, across all authenticators.

        Note: This API does not constrain
        the format or length of this identifier, except that it MUST be sufficient for the platform to uniquely select a key.
        For example, an authenticator without on-board storage may create identifiers containing a [=credential private key=]
        wrapped with a symmetric key that is burned into the authenticator.

    :   <dfn>\[[clientExtensionsResults]]</dfn>
    ::  This [=internal slot=] contains the results of processing client extensions requested by the [=[RP]=] upon the
        [=[RP]=]'s invocation of either {{CredentialsContainer/create()|navigator.credentials.create()}} or
        {{CredentialsContainer/get()|navigator.credentials.get()}}.
</dl>

{{PublicKeyCredential}}'s [=interface object=] inherits {{Credential}}'s implementation of
{{Credential/[[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors)}}, and defines its own
implementation of {{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)}}, {{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)}}, and
{{Credential/[[Store]](credential, sameOriginWithAncestors)}}.


### `CredentialCreationOptions` Dictionary Extension ### {#credentialcreationoptions-extension}

To support registration via {{CredentialsContainer/create()|navigator.credentials.create()}}, this document extends
the {{CredentialCreationOptions}} dictionary as follows:

<pre class="idl">
    partial dictionary CredentialCreationOptions {
        PublicKeyCredentialCreationOptions      publicKey;
    };
</pre>

### `CredentialRequestOptions` Dictionary Extension ### {#credentialrequestoptions-extension}

To support obtaining assertions via {{CredentialsContainer/get()|navigator.credentials.get()}}, this document extends the
{{CredentialRequestOptions}} dictionary as follows:

<pre class="idl">
    partial dictionary CredentialRequestOptions {
        PublicKeyCredentialRequestOptions      publicKey;
    };
</pre>


### Create a new credential - PublicKeyCredential's `[[Create]](origin, options, sameOriginWithAncestors)` method ### {#createCredential}

<div link-for-hint="PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)">
{{PublicKeyCredential}}'s [=interface object=]'s implementation of the

<dfn for="PublicKeyCredential" method>\[[Create]](origin, options, sameOriginWithAncestors)</dfn> [=internal method=] [[CREDENTIAL-MANAGEMENT-1]] allows
[=[RP]=] scripts to call {{CredentialsContainer/create()|navigator.credentials.create()}} to request the creation of a new
[=public key credential source=], bound to an [=authenticator=]. This
{{CredentialsContainer/create()|navigator.credentials.create()}} operation can be aborted by leveraging the {{AbortController}};
see [[dom#abortcontroller-api-integration]] for detailed instructions.


This [=internal method=] accepts three arguments:

<dl dfn-type="argument" dfn-for="PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)">

    :   <dfn>origin</dfn>
    ::  This argument is the [=relevant settings object=]'s [=environment settings object/origin=], as determined by the
        calling {{CredentialsContainer/create()}} implementation.

    :   <dfn>options</dfn>
    ::  This argument is a {{CredentialCreationOptions}} object whose
        <code>|options|.{{CredentialCreationOptions/publicKey}}</code> member contains a {{PublicKeyCredentialCreationOptions}}
        object specifying the desired attributes of the to-be-created [=public key credential=].

    :   <dfn>sameOriginWithAncestors</dfn>
    ::  This argument is a boolean which is true if and only if the caller's [=environment settings object=] is
        [=same-origin with its ancestors=].

</dl>

Note: <strong>This algorithm is synchronous:</strong> the {{Promise}} resolution/rejection is handled by
{{CredentialsContainer/create()|navigator.credentials.create()}}.

When this method is invoked, the user agent MUST execute the following algorithm:

1. Assert: <code>|options|.{{CredentialCreationOptions/publicKey}}</code> is [=present=].

1. If <var ignore>sameOriginWithAncestors</var> is `false`, return a "{{NotAllowedError}}" {{DOMException}}.

    Note: This "sameOriginWithAncestors" restriction aims to address the concern raised in the
    [[CREDENTIAL-MANAGEMENT-1#security-origin-confusion|Origin Confusion]] section of [[CREDENTIAL-MANAGEMENT-1]],
    while allowing [=[RP]=] script access to Web Authentication functionality, e.g., when running in
    a [=secure context=] framed document that is [=same-origin with its ancestors=].
    However, in the future, this specification (in conjunction with 
    [[CREDENTIAL-MANAGEMENT-1]]) may provide [=[RPS]=] with more fine-grained control--e.g., ranging
    from allowing only top-level access to Web Authentication functionality,
    to allowing cross-origin embedded cases--by leveraging
    [[Feature-Policy]] once the latter specification becomes stably implemented in user agents.

1. Let |options| be the value of <code>|options|.{{CredentialCreationOptions/publicKey}}</code>.

1. If the {{PublicKeyCredentialCreationOptions/timeout}} member of |options| is [=present=], check if its value lies within a
    reasonable range as defined by the platform and if not, correct it to the closest value lying within that range. Set a timer
    |lifetimeTimer| to this adjusted value. If the {{PublicKeyCredentialCreationOptions/timeout}} member of |options| is [=present|not
    present=], then set |lifetimeTimer| to a platform-specific default.

1. Let |callerOrigin| be {{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)/origin}}. If |callerOrigin| is an [=opaque origin=], return a {{DOMException}} whose name is
    "{{NotAllowedError}}", and terminate this algorithm.

1. Let |effectiveDomain| be the |callerOrigin|'s [=effective domain=].
    If [=effective domain=] is not a [=valid domain=], then return a
    {{DOMException}} whose name is "{{SecurityError}}" and terminate this algorithm.

    Note: An [=effective domain=] may resolve to a [=host=], which can be represented in various manners,
        such as [=domain=], [=ipv4 address=], [=ipv6 address=], [=opaque host=], or [=empty host=].
        Only the [=domain=] format of [=host=] is allowed here.

<!-- Note: this next step is actually a top-level step, but bikeshed wanted it indented this much in order to compile w/o errors
-->
    <li id='CreateCred-DetermineRpId'>

        If <code>|options|.{{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}}</code>
            <dl class="switch">

                :   Is [=present=]
                ::  If <code>|options|.{{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}}</code> [=is not a
                    registrable domain suffix of and is not equal to=] |effectiveDomain|, return a {{DOMException}} whose name
                    is "{{SecurityError}}", and terminate this algorithm.

                :   Is [=present|not present=]
                ::  Set <code>|options|.{{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}}</code> to
                    |effectiveDomain|.
            </dl>

        Note: <code>|options|.{{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}}</code> represents the
            caller's [=RP ID=]. The [=RP ID=] defaults to being the caller's [=environment settings object/origin=]'s
            [=effective domain=] unless the caller has explicitly set
            <code>|options|.{{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}}</code> when calling
            {{CredentialsContainer/create()}}.
    </li>

1. Let |credTypesAndPubKeyAlgs| be a new [=list=] whose [=list/items=] are pairs of {{PublicKeyCredentialType}} and
    a {{COSEAlgorithmIdentifier}}.

1. [=list/For each=] |current| of <code>|options|.{{PublicKeyCredentialCreationOptions/pubKeyCredParams}}</code>:

    1. If <code>|current|.{{PublicKeyCredentialParameters/type}}</code> does not contain a {{PublicKeyCredentialType}} supported
        by this implementation, then [=continue=].
    1. Let |alg| be <code>|current|.{{PublicKeyCredentialParameters/alg}}</code>.
    1. [=list/Append=] the pair of <code>|current|.{{PublicKeyCredentialParameters/type}}</code> and |alg| to
        |credTypesAndPubKeyAlgs|.

1. If |credTypesAndPubKeyAlgs| [=list/is empty=] and <code>|options|.{{PublicKeyCredentialCreationOptions/pubKeyCredParams}}</code>
    [=list/is not empty=], return a {{DOMException}} whose name is "{{NotSupportedError}}", and terminate this algorithm.

1. Let |clientExtensions| be a new [=map=] and let |authenticatorExtensions| be a new [=map=].

1. If the {{PublicKeyCredentialCreationOptions/extensions}} member of |options| is [=present=], then [=map/for each=]
    |extensionId| → |clientExtensionInput| of <code>|options|.{{PublicKeyCredentialCreationOptions/extensions}}</code>:
    1. If |extensionId| is not supported by this client platform or is not a [=registration extension=], then [=continue=].

    1. [=map/Set=] |clientExtensions|[|extensionId|] to |clientExtensionInput|.

    1. If |extensionId| is not an [=authenticator extension=], then [=continue=].

    1. Let |authenticatorExtensionInput| be the ([=CBOR=]) result of running |extensionId|'s [=client extension processing=]
        algorithm on |clientExtensionInput|. If the algorithm returned an error, [=continue=].

    1. [=map/Set=] |authenticatorExtensions|[|extensionId|] to the [=base64url encoding=] of |authenticatorExtensionInput|.

1. Let |collectedClientData| be a new {{CollectedClientData}} instance whose fields are:
    : {{CollectedClientData/type}}
    :: The string "webauthn.create".
    : {{CollectedClientData/challenge}}
    :: The [=base64url encoding=] of |options|.{{PublicKeyCredentialCreationOptions/challenge}}.
    : {{CollectedClientData/origin}}
    :: The [=ascii serialization of an origin|serialization of=] |callerOrigin|.
    : {{CollectedClientData/tokenBinding}}
    :: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available.

1. Let |clientDataJSON| be the [=JSON-serialized client data=] constructed from |collectedClientData|.

1. Let |clientDataHash| be the [=hash of the serialized client data=] represented by |clientDataJSON|.

1. If the <code>|options|.{{CredentialCreationOptions/signal}}</code> is [=present=] and its 
    [=AbortSignal/aborted flag=] is set to true, return a {{DOMException}} whose name is "{{AbortError}}" 
    and terminate this algorithm.

1. Start |lifetimeTimer|.

1. Let |issuedRequests| be a new [=ordered set=].

1. [=set/For each=] |authenticator| that becomes available on this platform during the lifetime of |lifetimeTimer|, do the
    following:

    Issue: The definitions of "lifetime of" and "becomes available" are intended to represent how
    devices are hot-plugged into (USB) or discovered by (NFC) browsers, and are underspecified.
    Resolving this with good definitions or some other means will be addressed by resolving
    [Issue #613](https://github.com/w3c/webauthn/issues/613).

    1. If <code>|options|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}</code> is [=present=]:

          1. If <code>|options|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{authenticatorAttachment}}</code> is
            [=present|present=] and its value is not equal to |authenticator|'s attachment modality, [=iteration/continue=].
          1. If <code>|options|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{requireResidentKey}}</code> is set to
            `true` and the |authenticator| is not capable of storing a [=Client-Side-Resident Credential Private Key=],
            [=iteration/continue=].
          1. If <code>|options|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/userVerification}}</code> is
            set to {{UserVerificationRequirement/required}} and the |authenticator| is not capable of performing [=user
            verification=], [=iteration/continue=].

    1. Let |userVerification| be the <dfn>effective user verification requirement for credential creation</dfn>, a Boolean value,
        as follows. If
        <code>|options|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/userVerification}}</code>

            <dl class="switch">

                :   is set to {{UserVerificationRequirement/required}}
                ::  Let |userVerification| be `true`.

                :   is set to {{UserVerificationRequirement/preferred}}
                ::  If the |authenticator|

                    <dl class="switch">
                        :   is capable of [=user verification=]
                        ::  Let |userVerification| be `true`.

                        :   is not capable of [=user verification=]
                        ::  Let |userVerification| be `false`.
                    </dl>

                :   is set to {{UserVerificationRequirement/discouraged}}
                ::  Let |userVerification| be `false`.

            </dl>

    1. Let |userPresence| be a Boolean value set to the inverse of |userVerification|.

    1. Let |excludeCredentialDescriptorList| be a new [=list=].

    1. [=list/For each=] credential descriptor |C| in <code>|options|.{{PublicKeyCredentialCreationOptions/excludeCredentials}}</code>:
        1. If <code>|C|.{{transports}}</code> [=list/is not empty=], and |authenticator| is connected over a transport not
            mentioned in <code>|C|.{{transports}}</code>, the client MAY [=continue=].
        1. Otherwise, [=list/Append=] |C| to |excludeCredentialDescriptorList|.

<!-- @@EDITOR-ANCHOR-01A: KEEP THIS LIST SYNC'D WITH THE LIST UP AT @@EDITOR-ANCHOR-01B -->
    1. Invoke the [=authenticatorMakeCredential=] operation on |authenticator| with
        |clientDataHash|,
        <code>|options|.{{PublicKeyCredentialCreationOptions/rp}}</code>, <code>|options|.{{PublicKeyCredentialCreationOptions/user}}</code>,
        <code>|options|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/requireResidentKey}}</code>,
        |userPresence|,
        |userVerification|,
        |credTypesAndPubKeyAlgs|,
        |excludeCredentialDescriptorList|,
        and |authenticatorExtensions| as parameters.

    1. [=set/Append=] |authenticator| to |issuedRequests|.

1. [=While=] |lifetimeTimer| has not expired, perform the following actions depending upon |lifetimeTimer| and responses from the
    authenticators:
    <dl class="switch">
        :   If |lifetimeTimer| expires,
        ::  [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator|
            and [=set/remove=] |authenticator| from |issuedRequests|.

        :   If the <code>|options|.{{CredentialCreationOptions/signal}}</code> is [=present=] and its 
            [=AbortSignal/aborted flag=] is set to true, 
        ::  [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=]
            operation on |authenticator| and [=set/remove=] |authenticator| from |issuedRequests|. Then return a {{DOMException}} 
            whose name is "{{AbortError}}" and terminate this algorithm.

        :   If any |authenticator| returns a status indicating that the user cancelled the operation,
        ::  1. [=set/Remove=] |authenticator| from |issuedRequests|.
            1. [=set/For each=] remaining |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on
                |authenticator| and [=set/remove=] it from |issuedRequests|.

                Note: [=Authenticators=] may return an indication of "the user cancelled the entire operation".
                How a user agent manifests this state to users is unspecified.

        :   If any |authenticator| returns an error status equivalent to "{{InvalidStateError}}",
        ::  1. [=set/Remove=] |authenticator| from |issuedRequests|.
            1. [=set/For each=] remaining |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on
                |authenticator| and [=set/remove=] it from |issuedRequests|.
            1. Return a {{DOMException}} whose name is "{{InvalidStateError}}" and terminate this algorithm.

            Note: This error status is handled separately because the |authenticator| returns it only if
            |excludeCredentialDescriptorList| identifies a credential bound to the |authenticator| and the user has [=user
            consent|consented=] to the operation. Given this explicit consent, it is acceptable for this case to be
            distinguishable to the [=[RP]=].

        :   If any |authenticator| returns an error status not equivalent to "{{InvalidStateError}}",
        ::  [=set/Remove=] |authenticator| from |issuedRequests|.

            Note: This case does not imply [=user consent=] for the operation, so details about the error must be hidden from the
            [=[RP]=] in order to prevent leak of potentially identifying information. See [[#sec-make-credential-privacy]] for
            details.

        :   If any |authenticator| indicates success,
        ::  1.  [=set/Remove=] |authenticator| from |issuedRequests|.

            1.  Let |credentialCreationData| be a [=struct=] whose [=items=] are:

                :   <code><dfn for="credentialCreationData">attestationObjectResult</dfn></code>
                ::  whose value is the bytes returned from the successful [=authenticatorMakeCredential=] operation.

                    Note: this value is <code>attObj</code>, as defined in [[#generating-an-attestation-object]].

                :   <code><dfn for="credentialCreationData">clientDataJSONResult</dfn></code>
                ::  whose value is the bytes of |clientDataJSON|.

                :   <code><dfn for="credentialCreationData">attestationConveyancePreferenceOption</dfn></code>
                ::  whose value is the value of |options|.{{PublicKeyCredentialCreationOptions/attestation}}.

                :   <code><dfn for="credentialCreationData">clientExtensionResults</dfn></code>
                ::  whose value is an {{AuthenticationExtensionsClientOutputs}} object containing [=extension identifier=] →
                    [=client extension output=] entries. The entries are created by running each extension's
                    [=client extension processing=] algorithm to create the [=client extension outputs=], for each
                    [=client extension=] in <code>{{AuthenticatorResponse/clientDataJSON}}.clientExtensions</code>.

            1.  Let |constructCredentialAlg| be an algorithm that takes a [=global object=]
                |global|, and whose steps are:

                1.  If <code>|credentialCreationData|.[=attestationConveyancePreferenceOption=]</code>'s value is
                    <dl class="switch">
                        :   "none"
                        ::  Replace potentially uniquely identifying information with non-identifying versions of the
                            same:
                               1. If the [=AAGUID=] in the [=attested credential data=] is 16 zero bytes, <code>|credentialCreationData|.[=attestationObjectResult=].fmt</code> is "packed", and "x5c" & "ecdaaKeyId" are both absent from <code>|credentialCreationData|.[=attestationObjectResult=]</code>, then [=self attestation=] is being used and no further action is needed.
                               1. Otherwise
                                  1. Replace the [=AAGUID=] in the [=attested credential data=] with 16 zero bytes.
                                  1. Set the value of <code>|credentialCreationData|.[=attestationObjectResult=].fmt</code> to "none", and set the value of <code>|credentialCreationData|.[=attestationObjectResult=].attStmt</code> to be an empty [=CBOR=] map. (See [[#none-attestation]] and [[#generating-an-attestation-object]]).

                        :   "indirect"
                        ::  The client MAY replace the [=AAGUID=] and [=attestation statement=] with a more privacy-friendly
                            and/or more easily verifiable version of the same data (for example, by employing an [=Anonymization CA=]).

                        :   "direct"
                        ::  Convey the [=authenticator=]'s [=AAGUID=] and [=attestation statement=], unaltered, to the RP.

                        Issue: @balfanz wishes to add to the "direct" case:
                            If the [=authenticator=] violates the privacy requirements of the [=attestation type=] it is using, 
                            the client SHOULD terminate this algorithm with an "AttestationNotPrivateError".
                    </dl>

                1.  Let |attestationObject| be a new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the
                    bytes of <code>|credentialCreationData|.[=attestationObjectResult=]</code>'s value.

                1.  Let |id| be <code>|attestationObject|.authData.[=attestedCredentialData=].[=credentialId=]</code>.

                1.  Let |pubKeyCred| be a new {{PublicKeyCredential}} object associated with |global| whose fields are:

                    :   {{PublicKeyCredential/[[identifier]]}}
                    ::  |id|

                    :   {{PublicKeyCredential/response}}
                    ::  A new {{AuthenticatorAttestationResponse}} object associated with |global| whose fields are:

                        :   {{AuthenticatorResponse/clientDataJSON}}
                        ::  A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of
                            <code>|credentialCreationData|.[=credentialCreationData/clientDataJSONResult=]</code>.

                        :   {{AuthenticatorAttestationResponse/attestationObject}}
                        ::  |attestationObject|

                    :   {{PublicKeyCredential/[[clientExtensionsResults]]}}
                    ::  A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of
                        <code>|credentialCreationData|.[=credentialCreationData/clientExtensionResults=]</code>.

                1.  Return |pubKeyCred|.

            1. [=set/For each=] remaining |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on
                |authenticator| and [=set/remove=] it from |issuedRequests|.

            1. Return |constructCredentialAlg| and terminate this algorithm.

    </dl>

1. Return a {{DOMException}} whose name is "{{NotAllowedError}}". In order to prevent information leak that could identify the
    user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See
    [[#sec-assertion-privacy]] for details.

During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator.
</div>


### Use an existing credential to make an assertion - PublicKeyCredential's `[[Get]](options)` method ### {#getAssertion}

[=[RPS]=] call <code><a idl for="CredentialsContainer" lt="get()">navigator.credentials.get({publicKey:..., ...})</a></code> to
discover and use an existing [=public key credential=], with the [=user consent|user's consent=]. [=[RP]=] script optionally specifies some criteria
to indicate what [=credential sources=] are acceptable to it. The user agent and/or platform locates [=credential sources=]
matching the specified criteria, and guides the user to pick one that the script will be allowed to use. The user may choose to
decline the entire interaction even if a [=credential source=] is present, for example to maintain privacy. If the user picks a
[=credential source=], the user agent then uses
[[#op-get-assertion]] to sign a [RP]-provided challenge and other collected data into an assertion, which is used as a
[=credential=].

The {{CredentialsContainer/get()}} implementation [[CREDENTIAL-MANAGEMENT-1]] calls
<code>PublicKeyCredential.{{PublicKeyCredential/[[CollectFromCredentialStore]]()}}</code> to collect any [=credentials=] that
should be available without [=user mediation=] (roughly, this specification's [=authorization gesture=]), and if it does not find
exactly one of those, it then calls <code>PublicKeyCredential.{{PublicKeyCredential/[[DiscoverFromExternalSource]]()}}</code> to have
the user select a [=credential source=].

Since this specification requires an [=authorization gesture=] to create any [=credentials=], the <code>PublicKeyCredential.<dfn
for="PublicKeyCredential" method>\[[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors)</dfn></code> [=internal method=] inherits the default behavior of
{{Credential/[[CollectFromCredentialStore]]()|Credential.[[CollectFromCredentialStore]]()}}, of returning an empty set.

<h5 id="discover-from-external-source" algorithm>PublicKeyCredential's <code><dfn for="PublicKeyCredential" method>\[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</dfn></code> method</h5>

<div link-for-hint="PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)">

This [=internal method=] accepts three arguments:

<dl dfn-type="argument" dfn-for="PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)">

    :   <dfn>origin</dfn>
    ::  This argument is the [=relevant settings object=]'s [=environment settings object/origin=], as determined by the
        calling {{CredentialsContainer/get()}} implementation, i.e., {{CredentialsContainer}}'s <a abstract-op>Request a `Credential`</a> abstract operation.

    :   <dfn>options</dfn>
    ::  This argument is a {{CredentialRequestOptions}} object whose
        <code>|options|.{{CredentialRequestOptions/publicKey}}</code> member contains a {{PublicKeyCredentialRequestOptions}}
        object specifying the desired attributes of the [=public key credential=] to discover.

    :   <dfn>sameOriginWithAncestors</dfn>
    ::  This argument is a boolean which is true if and only if the caller's [=environment settings object=] is
        [=same-origin with its ancestors=].
</dl>

Note: <strong>This algorithm is synchronous:</strong> the {{Promise}} resolution/rejection is handled by
{{CredentialsContainer/get()|navigator.credentials.get()}}.

When this method is invoked, the user agent MUST execute the following algorithm:

1. Assert: <code>|options|.{{CredentialRequestOptions/publicKey}}</code> is [=present=].

1. If <var ignore>sameOriginWithAncestors</var> is `false`, return a "{{NotAllowedError}}" {{DOMException}}.

    Note: This "sameOriginWithAncestors" restriction aims to address the concern raised in the
    [[CREDENTIAL-MANAGEMENT-1#security-origin-confusion|Origin Confusion]] section of [[CREDENTIAL-MANAGEMENT-1]],
    while allowing [=[RP]=] script access to Web Authentication functionality, e.g., when running in
    a [=secure context=] framed document that is [=same-origin with its ancestors=].
    However, in the future, this specification (in conjunction with 
    [[CREDENTIAL-MANAGEMENT-1]]) may provide [=[RPS]=] with more fine-grained control--e.g., ranging
    from allowing only top-level access to Web Authentication functionality,
    to allowing cross-origin embedded cases--by leveraging
    [[Feature-Policy]] once the latter specification becomes stably implemented in user agents.

1. Let |options| be the value of <code>|options|.{{CredentialRequestOptions/publicKey}}</code>.

1. If the {{PublicKeyCredentialRequestOptions/timeout}} member of |options| is [=present=], check if its value lies
    within a reasonable range as defined by the platform and if not, correct it to the closest value lying within that range.
    Set a timer |lifetimeTimer| to this adjusted value. If the {{PublicKeyCredentialRequestOptions/timeout}} member of
    |options| is [=present|not present=], then set |lifetimeTimer| to a platform-specific default.

1. Let |callerOrigin| be {{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)/origin}}. If |callerOrigin| is 
    an [=opaque origin=], return a {{DOMException}} whose name is "{{NotAllowedError}}", and terminate this algorithm.

1. Let |effectiveDomain| be the |callerOrigin|'s [=effective domain=].
    If [=effective domain=] is not a [=valid domain=], then return a
    {{DOMException}} whose name is "{{SecurityError}}" and terminate this algorithm.

    Note: An [=effective domain=] may resolve to a [=host=], which can be represented in various manners,
        such as [=domain=], [=ipv4 address=], [=ipv6 address=], [=opaque host=], or [=empty host=].
        Only the [=domain=] format of [=host=] is allowed here.

        <li id='GetAssn-DetermineRpId'>
            If |options|.{{PublicKeyCredentialRequestOptions/rpId}} is [=present|not present=], then set |rpId| to
                |effectiveDomain|.

                Otherwise:

                1. If |options|.{{PublicKeyCredentialRequestOptions/rpId}} [=is not a registrable domain suffix of and is not
                    equal to=] |effectiveDomain|, return a {{DOMException}} whose name is "{{SecurityError}}", and terminate
                    this algorithm.

                1. Set |rpId| to |options|.{{PublicKeyCredentialRequestOptions/rpId}}.

                    Note: |rpId| represents the caller's [=RP ID=]. The [=RP ID=] defaults to being the caller's [=environment
                    settings object/origin=]'s [=effective domain=] unless the caller has explicitly set
                    |options|.{{PublicKeyCredentialRequestOptions/rpId}} when calling {{CredentialsContainer/get()}}.
        </li>

1. Let |clientExtensions| be a new [=map=] and let |authenticatorExtensions| be a new [=map=].

1. If the {{PublicKeyCredentialRequestOptions/extensions}} member of |options| is [=present=], then [=map/for each=]
    |extensionId| → |clientExtensionInput| of <code>|options|.{{PublicKeyCredentialRequestOptions/extensions}}</code>:
    1. If |extensionId| is not supported by this client platform or is not an [=authentication extension=], then [=continue=].

    1. [=map/Set=] |clientExtensions|[|extensionId|] to |clientExtensionInput|.

    1. If |extensionId| is not an [=authenticator extension=], then [=continue=].

    1. Let |authenticatorExtensionInput| be the ([=CBOR=]) result of running |extensionId|'s [=client extension processing=]
        algorithm on |clientExtensionInput|. If the algorithm returned an error, [=continue=].

    1. [=map/Set=] |authenticatorExtensions|[|extensionId|] to the [=base64url encoding=] of |authenticatorExtensionInput|.

1. Let |collectedClientData| be a new {{CollectedClientData}} instance whose fields are:
    : {{CollectedClientData/type}}
    :: The string "webauthn.get".
    : {{CollectedClientData/challenge}}
    :: The [=base64url encoding=] of |options|.{{PublicKeyCredentialRequestOptions/challenge}}
    : {{CollectedClientData/origin}}
    :: The [=ascii serialization of an origin|serialization of=] |callerOrigin|.
    : {{CollectedClientData/tokenBinding}}
    :: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available.

1. Let |clientDataJSON| be the [=JSON-serialized client data=] constructed from |collectedClientData|.

1. Let |clientDataHash| be the [=hash of the serialized client data=] represented by |clientDataJSON|.

1. If the <code>|options|.{{CredentialRequestOptions/signal}}</code> is [=present=] and its 
    [=AbortSignal/aborted flag=] is set to true, return a {{DOMException}} whose name is "{{AbortError}}" 
    and terminate this algorithm.

1. Let |issuedRequests| be a new [=ordered set=].

1. Let |authenticator| be a platform-specific handle whose value identifies an [=authenticator=].

1. Start |lifetimeTimer|.

1. [=set/For each=] |authenticator| that becomes available on this platform during the lifetime of
    |lifetimeTimer|, perform the following steps:

    Issue: The definitions of "lifetime of" and "becomes available" are intended to represent how
    devices are hot-plugged into (USB) or discovered by (NFC) browsers, and are underspecified.
    Resolving this with good definitions or some other means will be addressed by resolving
    [Issue #613](https://github.com/w3c/webauthn/issues/613).

    1. If <code>|options|.{{PublicKeyCredentialRequestOptions/userVerification}}</code> is set to
        {{UserVerificationRequirement/required}} and the |authenticator| is not capable of performing [=user verification=],
        [=iteration/continue=].

    1. Let |userVerification| be the <dfn>effective user verification requirement for assertion</dfn>, a Boolean value, as
        follows. If <code>|options|.{{PublicKeyCredentialRequestOptions/userVerification}}</code>

            <dl class="switch">

                :   is set to {{UserVerificationRequirement/required}}
                ::  Let |userVerification| be `true`.

                :   is set to {{UserVerificationRequirement/preferred}}
                ::  If the |authenticator|

                    <dl class="switch">
                        :   is capable of [=user verification=]
                        ::  Let |userVerification| be `true`.

                        :   is not capable of [=user verification=]
                        ::  Let |userVerification| be `false`.
                    </dl>

                :   is set to {{UserVerificationRequirement/discouraged}}
                ::  Let |userVerification| be `false`.

            </dl>

    1. Let |userPresence| be a Boolean value set to the inverse of |userVerification|.

    1. <span id="allowCredentialDescriptorListCreation"></span>
        If <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code>
        <dl class="switch">
            :   [=list/is not empty=]
            ::  1. Let |allowCredentialDescriptorList| be a new [=list=].

                1. Execute a platform-specific procedure to determine which, if any, [=public key credentials=] described by
                    <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code> are bound to this
                    |authenticator|, by matching with |rpId|,
                    <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}.{{PublicKeyCredentialDescriptor/id}}</code>,
                    and
                    <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}.{{PublicKeyCredentialDescriptor/type}}</code>.
                    Set |allowCredentialDescriptorList| to this filtered list.

                1. If |allowCredentialDescriptorList| [=list/is empty=], [=continue=].

                1. Let |distinctTransports| be a new [=ordered set=].

                1. If |allowCredentialDescriptorList| has exactly one value, let |savedCredentialId| be a new 
                    {{PublicKeyCredentialDescriptor}}.{{PublicKeyCredentialDescriptor/id}} and set its value to <code>|allowCredentialDescriptorList|[0].id</code>'s
                    value (see [here](#authenticatorGetAssertion-return-values) in [[#op-get-assertion]] for more information).

                Issue: The foregoing step _may_ be incorrect, in that we are attempting to create |savedCredentialId|
                    here and use it later below, and we do not have a global in which to allocate a place for it. Perhaps this
                    is good enough?  addendum: [@jcjones feels the above step is likely good enough](https://github.com/w3c/webauthn/pull/665#discussion_r148130187).

                1. [=list/For each=] credential descriptor |C| in |allowCredentialDescriptorList|,
                    [=set/append=] each value, if any, of <code>|C|.{{transports}}</code> to |distinctTransports|.

                    Note: This will aggregate only distinct values of {{transports}} (for this [=authenticator=]) in
                        |distinctTransports| due to the properties of [=ordered sets=].

                1. If |distinctTransports|
                    <dl class="switch">
                        :   [=list/is not empty=]
                        ::  The client selects one |transport| value from |distinctTransports|, possibly incorporating local
                            configuration knowledge of the appropriate transport to use with |authenticator| in making its
                            selection.

                            Then, using |transport|, invoke the [=authenticatorGetAssertion=] operation on
                            |authenticator|, with |rpId|, |clientDataHash|, |allowCredentialDescriptorList|, |userPresence|,
                            |userVerification|, and |authenticatorExtensions| as parameters.

                        :   [=list/is empty=]
                        ::  Using local configuration knowledge of the appropriate transport to use with |authenticator|,
                            invoke the [=authenticatorGetAssertion=] operation on |authenticator| with |rpId|,
                            |clientDataHash|, |allowCredentialDescriptorList|, |userPresence|, |userVerification|, and
                            |clientExtensions| as parameters.
                    </dl>

            :   [=list/is empty=]
            ::  Using local configuration knowledge of the appropriate transport to use with |authenticator|, invoke the
                [=authenticatorGetAssertion=] operation on |authenticator| with |rpId|, |clientDataHash|, |userPresence|,
                |userVerification| and |clientExtensions| as parameters.

                Note: In this case, the [=[RP]=] did not supply a list of acceptable credential descriptors. Thus, the
                    authenticator is being asked to exercise any credential it may possess that is bound to
                    the [=[RP]=], as identified by |rpId|.
        </dl>

    1. [=set/Append=] |authenticator| to |issuedRequests|.

1. [=While=] |lifetimeTimer| has not expired, perform the following actions depending upon |lifetimeTimer|
    and responses from the authenticators:

    <dl class="switch">

        :   If |lifetimeTimer| expires,
        ::  [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on
            |authenticator| and [=set/remove=] |authenticator| from |issuedRequests|.

        :   If the {{CredentialRequestOptions/signal}} member is [=present=] and the [=AbortSignal/aborted flag=] is set to 
            true,
        ::  [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator|
            and [=set/remove=] |authenticator| from |issuedRequests|. Then 
            return a {{DOMException}} whose name is "{{AbortError}}" and terminate this algorithm.

        :   If any |authenticator| returns a status indicating that the user cancelled the operation,
        ::  1. [=set/Remove=] |authenticator| from |issuedRequests|.
            1. [=set/For each=] remaining |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation
                on |authenticator| and [=set/remove=] it from |issuedRequests|.

                Note: [=Authenticators=] may return an indication of "the user cancelled the entire operation".
                How a user agent manifests this state to users is unspecified.

        :   If any |authenticator| returns an error status,
        ::  [=set/Remove=] |authenticator| from |issuedRequests|.

        :   If any |authenticator| indicates success,
        ::  1.  [=set/Remove=] |authenticator| from |issuedRequests|.

            1.  Let <var ignore>assertionCreationData</var> be a [=struct=] whose [=items=] are:

                :   <code><dfn for="assertionCreationData">credentialIdResult</code>
                ::  If |savedCredentialId| exists, set the value of [=credentialIdResult=] to be the bytes of
                    |savedCredentialId|. Otherwise, set the value of [=credentialIdResult=] to be the bytes of the
                    [=credential ID=] returned from the successful [=authenticatorGetAssertion=] operation, as defined in
                    [[#op-get-assertion]].

                :   <code><dfn for="assertionCreationData">clientDataJSONResult</dfn></code>
                ::  whose value is the bytes of |clientDataJSON|.

                :   <code><dfn for="assertionCreationData">authenticatorDataResult</dfn></code>
                ::  whose value is the bytes of the [=authenticator data=] returned by the [=authenticator=].

                :   <code><dfn for="assertionCreationData">signatureResult</dfn></code>
                ::  whose value is the bytes of the signature value returned by the [=authenticator=].

                :   <code><dfn for="assertionCreationData">userHandleResult</dfn></code>
                ::  If the [=authenticator=] returned a [=user handle=], set the value of [=userHandleResult=] to be the bytes of
                    the returned [=user handle=]. Otherwise, set the value of [=userHandleResult=] to null.

                :   <code><dfn for="assertionCreationData">clientExtensionResults</dfn></code>
                ::  whose value is an {{AuthenticationExtensionsClientOutputs}} object containing [=extension identifier=] →
                    [=client extension output=] entries. The entries are created by running each extension's
                    [=client extension processing=] algorithm to create the [=client extension outputs=], for each
                    [=client extension=] in <code>{{AuthenticatorResponse/clientDataJSON}}.clientExtensions</code>.

            1.  Let |constructAssertionAlg| be an algorithm that takes a [=global object=]
                |global|, and whose steps are:

                1.  Let |pubKeyCred| be a new {{PublicKeyCredential}} object associated with |global| whose fields are:

                    :   {{PublicKeyCredential/[[identifier]]}}

                    ::  A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of
                        <code>|assertionCreationData|.[=credentialIdResult=]</code>.

                    :   {{PublicKeyCredential/response}}
                    ::  A new {{AuthenticatorAssertionResponse}} object associated with |global| whose fields are:

                        :   {{AuthenticatorResponse/clientDataJSON}}
                        ::  A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of
                            <code>|assertionCreationData|.[=assertionCreationData/clientDataJSONResult=]</code>.

                        :   {{AuthenticatorAssertionResponse/authenticatorData}}
                        ::  A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of
                            <code>|assertionCreationData|.[=assertionCreationData/authenticatorDataResult=]</code>.

                        :   {{AuthenticatorAssertionResponse/signature}}
                        ::  A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of
                            <code>|assertionCreationData|.[=assertionCreationData/signatureResult=]</code>.

                        :   {{AuthenticatorAssertionResponse/userHandle}}
                        ::  If <code>|assertionCreationData|.[=assertionCreationData/userHandleResult=]</code> is null, set this
                            field to null. Otherwise, set this field to a new {{ArrayBuffer}}, created using |global|'s
                            [=%ArrayBuffer%=], containing the bytes of
                            <code>|assertionCreationData|.[=assertionCreationData/userHandleResult=]</code>.

                    :   {{PublicKeyCredential/[[clientExtensionsResults]]}}
                    ::  A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of
                        <code>|assertionCreationData|.[=assertionCreationData/clientExtensionResults=]</code>.

                1.  Return |pubKeyCred|.

            1.  [=set/For each=] remaining |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation
                on |authenticator| and [=set/remove=] it from |issuedRequests|.

            1.  Return |constructAssertionAlg| and terminate this algorithm.
    </dl>

1. Return a {{DOMException}} whose name is "{{NotAllowedError}}". In order to prevent information leak that could identify the
    user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See
    [[#sec-assertion-privacy]] for details.

During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator with which to complete the operation.
</div>


### Store an existing credential - PublicKeyCredential's `[[Store]](credential, sameOriginWithAncestors)` method ### {#storeCredential}

<div link-for-hint="PublicKeyCredential/[[Store]](credential, sameOriginWithAncestors)">

The <dfn for="PublicKeyCredential" method>\[[Store]](credential, sameOriginWithAncestors)</dfn> method is not supported
for Web Authentication's {{PublicKeyCredential}} type, so it always returns an error.

Note: This algorithm is synchronous; the {{Promise}} resolution/rejection is handled by
{{CredentialsContainer/store()|navigator.credentials.store()}}.

This [=internal method=] accepts two arguments:

<dl dfn-type="argument" dfn-for="PublicKeyCredential/[[Store]](credential, sameOriginWithAncestors)">
    :   <dfn>credential</dfn>
    ::  This argument is a {{PublicKeyCredential}} object.

    :   <dfn>sameOriginWithAncestors</dfn>
    ::  This argument is a boolean which is true if and only if the caller's [=environment settings object=] is
        [=same-origin with its ancestors=].
</dl>

When this method is invoked, the user agent MUST execute the following algorithm:

1. Return a {{DOMException}} whose name is "{{NotSupportedError}}", and terminate this algorithm

</div>

###  Preventing silent access to an existing credential - PublicKeyCredential's `[[preventSilentAccess]](credential, sameOriginWithAncestors)` method ### {#preventSilentAccessCredential}

<div link-for-hint="PublicKeyCredential/[[preventSilentAccess]](credential, sameOriginWithAncestors)">

Calling the <dfn for="PublicKeyCredential" method>\[[preventSilentAccess]](credential, sameOriginWithAncestors)</dfn> method
will have no effect on authenticators that require an [=authorization gesture=],
but setting that flag may potentially exclude authenticators that can operate without user intervention.

This [=internal method=] accepts no arguments.

</div>

### Availability of User-Verifying Platform Authenticator - PublicKeyCredential's `isUserVerifyingPlatformAuthenticatorAvailable()` method ### {#isUserVerifyingPlatformAuthenticatorAvailable}

<div link-for-hint="WebAuthentication/isUserVerifyingPlatformAuthenticatorAvailable">

[=[RPS]=] use this method to determine whether they can create a new credential using a [=user verification|user-verifying=] [=platform authenticator=].
Upon invocation, the [=client=] employs a platform-specific procedure to discover available [=user verification|user-verifying=] [=platform authenticators=].
If successful, the [=client=] then assesses whether the user is willing to create a credential using one of the available [=user verification|user-verifying=] [=platform authenticators=].
This assessment may include various factors, such as:
    - Whether the user is running in private or incognito mode.
    - Whether the user has configured the [=client=] to not create such credentials.
    - Whether the user has previously expressed an unwillingness to create a new credential for this [=[RP]=],
        either through configuration or by declining a user interface prompt.
    - The user's explicitly stated intentions, determined through user interaction.
If this assessment is affirmative, the promise is resolved with the value of <i>True</i>.
Otherwise, the promise is resolved with the value of <i>False</i>.
Based on the result, the [=[RP]=] can take further actions to guide the user to create a credential.

This method has no arguments and returns a boolean value.

If the promise will return <i>False</i>,
the [=client=] SHOULD wait a fixed period of time from the invocation of the method before returning <i>False</i>.
This is done so that callers cannot distinguish between
the case where the user was unwilling to create a credential using one of the available [=user verification|user-verifying=] [=platform authenticators=] and
the case where no [=user verification|user-verifying=] [=platform authenticator=] exists.
Trying to make these cases indistinguishable is done in an attempt to not provide additional information that could be used for fingerprinting.
A timeout value on the order of 10 minutes is recommended;
this is enough time for successful user interactions to be performed
but short enough that the dangling promise will still be resolved in a reasonably timely fashion.

<pre class="idl">
    partial interface PublicKeyCredential {
        static Promise < boolean > isUserVerifyingPlatformAuthenticatorAvailable();
    };
</pre>

</div>

## Authenticator Responses (interface <dfn interface>AuthenticatorResponse</dfn>) ## {#iface-authenticatorresponse}

[=Authenticators=] respond to [=[RP]=] requests by returning an object derived from the
{{AuthenticatorResponse}} interface:

<pre class="idl">
    [SecureContext, Exposed=Window]
    interface AuthenticatorResponse {
        [SameObject] readonly attribute ArrayBuffer      clientDataJSON;
    };
</pre>
<div dfn-type="attribute" dfn-for="AuthenticatorResponse">
    :   <dfn>clientDataJSON</dfn>
    ::  This attribute contains a [=JSON-serialized client data|JSON serialization=] of the [=client data=] passed to the
        authenticator by the client in its call to either {{CredentialsContainer/create()}} or {{CredentialsContainer/get()}}.
</div>

### Information about Public Key Credential (interface <dfn interface>AuthenticatorAttestationResponse</dfn>) ### {#iface-authenticatorattestationresponse}

The {{AuthenticatorAttestationResponse}} interface represents the [=authenticator=]'s response to a client's request
for the creation of a new [=public key credential=]. It contains information about the new credential that can be used to
identify it for later use, and metadata that can be used by the [=[RP]=] to assess the characteristics of the credential
during registration.

<pre class="idl">
    [SecureContext, Exposed=Window]
    interface AuthenticatorAttestationResponse : AuthenticatorResponse {
        [SameObject] readonly attribute ArrayBuffer      attestationObject;
    };
</pre>
<div dfn-type="attribute" dfn-for="AuthenticatorAttestationResponse">
    :   {{AuthenticatorResponse/clientDataJSON}}
    ::  This attribute, inherited from {{AuthenticatorResponse}}, contains the [=JSON-serialized client data=] (see
        [[#sctn-attestation]]) passed to the authenticator by the client in order to generate this credential. The
        exact JSON serialization must be preserved, as the [=hash of the serialized client data=] has been computed
        over it.

    :   <dfn>attestationObject</dfn>
    ::  This attribute contains an [=attestation object=], which is opaque to, and cryptographically protected against
        tampering by, the client. The [=attestation object=] contains both [=authenticator data=] and an [=attestation
        statement=]. The former contains the AAGUID, a unique [=credential ID=], and the [=credential public key=]. The
        contents of the [=attestation statement=] are determined by the [=attestation statement format=] used by the
        [=authenticator=]. It also contains any additional information that the [=[RP]=]'s server requires to validate the
        [=attestation statement=], as well as to decode and validate the [=authenticator data=] along with the
        [=JSON-serialized client data=]. For more details, see [[#sctn-attestation]], [[#generating-an-attestation-object]],
        and [Figure 3](#fig-attStructs).
</div>

### Web Authentication Assertion (interface <dfn interface>AuthenticatorAssertionResponse</dfn>) ### {#iface-authenticatorassertionresponse}

The {{AuthenticatorAssertionResponse}} interface represents an [=authenticator=]'s response to a client's request for
generation of a new [=authentication assertion=] given the [=[RP]=]'s challenge and optional list of credentials it is
aware of. This response contains a cryptographic signature proving possession of the [=credential private key=], and
optionally evidence of [=user consent=] to a specific transaction.

<pre class="idl">
    [SecureContext, Exposed=Window]
    interface AuthenticatorAssertionResponse : AuthenticatorResponse {
        [SameObject] readonly attribute ArrayBuffer      authenticatorData;
        [SameObject] readonly attribute ArrayBuffer      signature;
        [SameObject] readonly attribute ArrayBuffer?     userHandle;
    };
</pre>
<div dfn-type="attribute" dfn-for="AuthenticatorAssertionResponse">
    :   {{AuthenticatorResponse/clientDataJSON}}
    ::  This attribute, inherited from {{AuthenticatorResponse}}, contains the [=JSON-serialized client data=] (see
        [[#sec-client-data]]) passed to the authenticator by the client in order to generate this assertion. The
        exact JSON serialization MUST be preserved, as the [=hash of the serialized client data=] has been computed
        over it.

    :   <dfn>authenticatorData</dfn>
    ::  This attribute contains the [=authenticator data=] returned by the authenticator. See [[#sec-authenticator-data]].

    :   <dfn>signature</dfn>
    ::  This attribute contains the raw signature returned from the authenticator. See [[#op-get-assertion]].

    :   <dfn>userHandle</dfn>
    ::  This attribute contains the [=user handle=] returned from the authenticator, or null if the authenticator did not return a
        [=user handle=]. See [[#op-get-assertion]].
</div>

## Parameters for Credential Generation (dictionary <dfn dictionary>PublicKeyCredentialParameters</dfn>) ## {#credential-params}

<pre class="idl">
    dictionary PublicKeyCredentialParameters {
        required PublicKeyCredentialType      type;
        required COSEAlgorithmIdentifier      alg;
    };
</pre>

<div dfn-type="dict-member" dfn-for="PublicKeyCredentialParameters">
    This dictionary is used to supply additional parameters when creating a new credential.

    The <dfn>type</dfn> member specifies the type of credential to be created.

    The <dfn>alg</dfn> member specifies the cryptographic signature algorithm with which the newly generated credential
    will be used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.

    Note: we use "alg" as the latter member name, rather than spelling-out "algorithm", because it will be serialized into
        a message to the authenticator, which may be sent over a low-bandwidth link.
</div>

## Options for Credential Creation (dictionary <dfn dictionary>PublicKeyCredentialCreationOptions</dfn>) ## {#dictionary-makecredentialoptions}

<xmp class="idl">
    dictionary PublicKeyCredentialCreationOptions {
        required PublicKeyCredentialRpEntity         rp;
        required PublicKeyCredentialUserEntity       user;

        required BufferSource                             challenge;
        required sequence<PublicKeyCredentialParameters>  pubKeyCredParams;

        unsigned long                                timeout;
        sequence<PublicKeyCredentialDescriptor>      excludeCredentials = [];
        AuthenticatorSelectionCriteria               authenticatorSelection;
        AttestationConveyancePreference              attestation = "none";
        AuthenticationExtensionsClientInputs         extensions;
    };
</xmp>
<div dfn-type="dict-member" dfn-for="PublicKeyCredentialCreationOptions">
    :   <dfn>rp</dfn>
    ::  This member contains data about the [=[RP]=] responsible for the request.

        Its value's {{PublicKeyCredentialEntity/name}} member is required.

        Its value's {{PublicKeyCredentialRpEntity/id}} member specifies the [=relying party identifier=] with which the credential
        should be associated. If omitted, its value will be the {{CredentialsContainer}} object's [=relevant
        settings object=]'s [=environment settings object/origin=]'s [=effective domain=].

    :   <dfn>user</dfn>
    ::  This member contains data about the user account for which the [=[RP]=] is requesting attestation.

        Its value's {{PublicKeyCredentialEntity/name}}, {{PublicKeyCredentialUserEntity/displayName}} and
        {{PublicKeyCredentialUserEntity/id}} members are required.

    :   <dfn>challenge</dfn>
    ::  This member contains a challenge intended to be used for generating the newly created credential's [=attestation
        object=].

    :   <dfn>pubKeyCredParams</dfn>
    ::  This member contains information about the desired properties of the credential to be created. The sequence is ordered
        from most preferred to least preferred. The platform makes a best-effort to create the most preferred credential that it
        can.

    :   <dfn>timeout</dfn>
    ::  This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. This is
        treated as a hint, and MAY be overridden by the platform.

    :   <dfn>excludeCredentials</dfn>
    ::  This member is intended for use by [=[RPS]=] that wish to limit the creation of multiple credentials for the same
        account on a single authenticator. The platform is requested to return an error if the new credential would be created
        on an authenticator that also contains one of the credentials enumerated in this parameter.

    :   <dfn>authenticatorSelection</dfn>
    ::  This member is intended for use by [=[RPS]=] that wish to select the appropriate authenticators to participate in
        the {{CredentialsContainer/create()}} operation.

    :   <dfn>attestation</dfn>
    ::  This member is intended for use by [=[RPS]=] that wish to express their preference for [=attestation conveyance=].
        The default is {{AttestationConveyancePreference/none}}.

    :   <dfn>extensions</dfn>
    ::  This member contains additional parameters requesting additional processing by the client and authenticator. For
        example, the caller may request that only authenticators with certain capabilities be used to create the credential, or
        that particular information be returned in the [=attestation object=]. Some extensions are defined in [[#extensions]];
        consult the IANA "WebAuthn Extension Identifier" registry established by [[!WebAuthn-Registries]] for an up-to-date list
        of registered WebAuthn Extensions.
</div>

### Public Key Entity Description (dictionary <dfn dictionary>PublicKeyCredentialEntity</dfn>) ### {#dictionary-pkcredentialentity}

The {{PublicKeyCredentialEntity}} dictionary describes a user account, or a [=[RP]=], with which a [=public key credential=] is
associated.

<xmp class="idl">
    dictionary PublicKeyCredentialEntity {
        required DOMString    name;
        USVString             icon;
    };
</xmp>
<div dfn-type="dict-member" dfn-for="PublicKeyCredentialEntity">
    :   <dfn>name</dfn>
    ::  A human-readable name for the entity. Its function depends on what the {{PublicKeyCredentialEntity}} represents:

          - When inherited by {{PublicKeyCredentialRpEntity}} it is a human-friendly identifier for the [=[RP]=], intended only
            for display. For example, "ACME Corporation", "Wonderful Widgets, Inc." or "Awesome Site".
          - When inherited by {{PublicKeyCredentialUserEntity}}, it is a [=human palatability|human-palatable=] identifier for a
            user account. It is intended only for display, and SHOULD allow the user to easily tell the difference between user
            accounts with similar {{PublicKeyCredentialUserEntity/displayName}}s. For example, "alexm", "alex.p.mueller@example.com"
            or "+14255551234". The [=[RP]=] MAY let the user choose this, and MAY restrict the choice as needed or appropriate.
            For example, a [=[RP]=] might choose to map [=human palatability|human-palatable=] [=username=] account identifiers to
            the {{PublicKeyCredentialEntity/name}} member of {{PublicKeyCredentialUserEntity}}.

        [=Authenticators=] MUST accept and store a 64-byte minimum length for a {{PublicKeyCredentialEntity/name}} member's
        value. Authenticators MAY truncate a {{PublicKeyCredentialEntity/name}} member's value to a length equal to or greater
        than 64 bytes.

    :   <dfn>icon</dfn>
    ::  A [=URL serializer|serialized=] URL which resolves to an image associated with the entity. For example, this could be
        a user's avatar or a [=[RP]=]'s logo. This URL MUST be an [=a priori authenticated URL=]. [=Authenticators=] MUST
        accept and store a 128-byte minimum length for an icon member's value.
        Authenticators MAY ignore an icon member's value if its length is greater than 128 bytes.
</div>


### RP Parameters for Credential Generation (dictionary <dfn dictionary>PublicKeyCredentialRpEntity</dfn>) ### {#sctn-rp-credential-params}

The {{PublicKeyCredentialRpEntity}} dictionary is used to supply additional [=[RP]=] attributes when creating a new credential.

<pre class="idl">
    dictionary PublicKeyCredentialRpEntity : PublicKeyCredentialEntity {
        DOMString      id;
    };
</pre>

<div dfn-type="dict-member" dfn-for="PublicKeyCredentialRpEntity">
    :   <dfn>id</dfn>
    ::  A unique identifier for the [=[RP]=] entity, which sets the [=RP ID=].
</div>


### User Account Parameters for Credential Generation (dictionary <dfn dictionary>PublicKeyCredentialUserEntity</dfn>) ### {#sctn-user-credential-params}

The {{PublicKeyCredentialUserEntity}} dictionary is used to supply additional user account attributes when creating a new
credential.

<pre class="idl">
    dictionary PublicKeyCredentialUserEntity : PublicKeyCredentialEntity {
        required BufferSource   id;
        required DOMString      displayName;
    };
</pre>

<div dfn-type="dict-member" dfn-for="PublicKeyCredentialUserEntity">
    :   <dfn>id</dfn>
    ::  The [=user handle=] of the user account entity.

    :   <dfn>displayName</dfn>
    ::  A human-friendly name for the user account, intended only for display. For example, "Alex P. Müller" or "田中 倫". The
        [=[RP]=] SHOULD let the user choose this, and SHOULD NOT restrict the choice more than necessary.

        [=Authenticators=] MUST accept and store a 64-byte minimum length for a {{PublicKeyCredentialUserEntity/displayName}}
        member's value. Authenticators MAY truncate a {{PublicKeyCredentialUserEntity/displayName}} member's value to a length
        equal to or greater than 64 bytes.
</div>


### Authenticator Selection Criteria (dictionary <dfn dictionary>AuthenticatorSelectionCriteria</dfn>) ### {#authenticatorSelection}

[=[RPS]=] may use the {{AuthenticatorSelectionCriteria}} dictionary to specify their requirements regarding authenticator
attributes.

<xmp class="idl">
    dictionary AuthenticatorSelectionCriteria {
        AuthenticatorAttachment      authenticatorAttachment;
        boolean                      requireResidentKey = false;
        UserVerificationRequirement  userVerification = "preferred";
    };
</xmp>

<div dfn-type="dict-member" dfn-for="AuthenticatorSelectionCriteria">
    :   <dfn>authenticatorAttachment</dfn>
    ::  If this member is [=present|present=], eligible authenticators are filtered to only authenticators attached with the
        specified [[#attachment]].

    :   <dfn>requireResidentKey</dfn>
    ::  This member describes the [=[RPS]=]' requirements regarding availability of the [=Client-side-resident Credential
        Private Key=]. If the parameter is set to true, the authenticator MUST create a
        [=Client-side-resident Credential Private Key=] when creating a [=public key credential=].

    :   <dfn>userVerification</dfn>
    ::  This member describes the [=[RP]=]'s requirements regarding [=user verification=] for the
        {{CredentialsContainer/create()}} operation. Eligible authenticators are filtered to only those capable of satisfying this
        requirement.
</div>


### Authenticator Attachment enumeration (enum <dfn enum>AuthenticatorAttachment</dfn>) ### {#attachment}

<pre class="idl">
    enum AuthenticatorAttachment {
        "platform",       // Platform attachment
        "cross-platform"  // Cross-platform attachment
    };
</pre>

Clients can communicate with authenticators using a variety of mechanisms. For example, a client MAY use a platform-specific
API to communicate with an authenticator which is physically bound to a platform. On the other hand, a client can use a
variety of standardized cross-platform transport protocols such as Bluetooth (see [[#transport]]) to discover and
communicate with [=cross-platform attached=] authenticators. Therefore, we use {{AuthenticatorAttachment}} to describe an
[=authenticator=]'s <dfn>attachment modality</dfn>. We define authenticators that are part of the client's
platform as having a [=platform attachment=], and refer to them as <dfn>platform authenticators</dfn>. While those that
are reachable via cross-platform transport protocols are defined as having [=cross-platform attachment=], and refer to
them as <dfn>roaming authenticators</dfn>.

<ul>
    <li><dfn>platform attachment</dfn> - the respective authenticator is attached
        using platform-specific transports.  Usually, authenticators of
        this class are non-removable from the platform. A [=public key credential=] bound to a [=platform authenticator=] is
        called a <dfn>platform credential</dfn>.
    <li><dfn lt="cross-platform attached|cross-platform attachment">cross-platform attachment</dfn> - the respective
        authenticator is attached using cross-platform transports. Authenticators of this class are removable from, and can
        "roam" among, client platforms. A [=public key credential=] bound to a [=roaming authenticator=] is called a <dfn>roaming
        credential</dfn>.
</ul>

This distinction is important because there are use-cases where only [=platform authenticators=] are acceptable to a [=[RP]=], and
conversely ones where only [=roaming authenticators=] are employed. As a concrete example of the former, a [=platform credential=]
may be used by [=[RPS]=] to quickly and conveniently reauthenticate the user with a minimum of friction, e.g., the user will not
have to dig around in their pocket for their key fob or phone. As a concrete example of the latter, when the user is accessing the
[=[RP]=] from a given client for the first time, they may be asked to use a [=roaming credential=] which was originally
registered with the [=[RP]=] using a different client.

Note: An [=attachment modality=] selection option is available only in the {{PublicKeyCredential/[[Create]](origin, options,
sameOriginWithAncestors)}} operation. The [=[RP]=] may use it to, for example, ensure the user has a [=roaming credential=] for
authenticating using other [=clients=]; or to specifically register a [=platform credential=] for easier reauthentication using a
particular [=client=]. The {{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)}}
operation has no [=attachment modality=] selection option, so the [=[RP]=] should accept any of the user's registered [=public key
credential|credentials=]. The [=client=] and user will then use whichever is available and convenient at the time.


### <dfn>Attestation Conveyance</dfn> Preference enumeration (enum <dfn enum>AttestationConveyancePreference</dfn>) ### {#attestation-convey}

[=[RPS]=] may use {{AttestationConveyancePreference}} to specify their preference regarding [=attestation conveyance=]
during credential generation.

<pre class="idl">
    enum AttestationConveyancePreference {
        "none",
        "indirect",
        "direct"
    };
</pre>

<div dfn-type="enum-value" dfn-for="AttestationConveyancePreference">
    *   <dfn>none</dfn> - indicates that the [=[RP]=] is not interested in [=authenticator=] [=attestation=].
        For example, in order to potentially avoid having to obtain [=user consent=] to relay identifying information to
        the [=[RP]=], or to save a roundtrip to an [=Attestation CA=].

        This is the default value.

    *   <dfn>indirect</dfn> - indicates that the [=[RP]=] prefers an [=attestation=] conveyance yielding verifiable
        [=attestation statements=], but allows the client to decide how to obtain such [=attestation statements=].
        The client MAY replace the authenticator-generated [=attestation statements=] with [=attestation statements=] generated
        by an [=Anonymization CA=], in order to protect the user's privacy, or to assist [=[RPS]=] with attestation verification in a
        heterogeneous ecosystem.

        Note: There is no guarantee that the [=[RP]=] will obtain a verifiable [=attestation statement=] in this case.
        For example, in the case that the authenticator employs [=self attestation=].

    *   <dfn>direct</dfn> - indicates that the [=[RP]=] wants to receive the [=attestation statement=] as generated by
        the [=authenticator=].

</div>


## Options for Assertion Generation (dictionary <dfn dictionary>PublicKeyCredentialRequestOptions</dfn>) ## {#assertion-options}

The {{PublicKeyCredentialRequestOptions}} dictionary supplies {{CredentialsContainer/get()}} with the data it needs to generate
an assertion. Its {{PublicKeyCredentialRequestOptions/challenge}} member MUST be present, while its other members are OPTIONAL.

<xmp class="idl">
    dictionary PublicKeyCredentialRequestOptions {
        required BufferSource                challenge;
        unsigned long                        timeout;
        USVString                            rpId;
        sequence<PublicKeyCredentialDescriptor> allowCredentials = [];
        UserVerificationRequirement          userVerification = "preferred";
        AuthenticationExtensionsClientInputs extensions;
    };
</xmp>

<dl dfn-type="dict-member" dfn-for="PublicKeyCredentialRequestOptions">
    :   <dfn>challenge</dfn>
    ::  This member represents a challenge that the selected [=authenticator=] signs, along with other data, when producing an
        [=authentication assertion=]. See the [[#cryptographic-challenges]] security consideration.

    :   <dfn>timeout</dfn>
    ::  This OPTIONAL member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete.
        The value is treated as a hint, and MAY be overridden by the platform.

    :   <dfn>rpId</dfn>
    ::  This optional member specifies the [=relying party identifier=] claimed by the caller. If omitted, its value will
        be the {{CredentialsContainer}} object's [=relevant settings object=]'s [=environment settings object/origin=]'s
        [=effective domain=].

    :   <dfn>allowCredentials</dfn>
    ::  This optional member contains a list of {{PublicKeyCredentialDescriptor}} objects representing [=public key credentials=]
        acceptable to the caller, in descending order of the caller's preference (the first item in the list is the most
        preferred credential, and so on down the list).

    :   <dfn>userVerification</dfn>
    ::  This member describes the [=[RP]=]'s requirements regarding [=user verification=] for the
        {{CredentialsContainer/get()}} operation. Eligible authenticators are filtered to only those capable of satisfying this
        requirement.

    :   <dfn>extensions</dfn>
    ::  This OPTIONAL member contains additional parameters requesting additional processing by the client and authenticator.
        For example, if transaction confirmation is sought from the user, then the prompt string might be included as an
        extension.
</dl>


## Abort operations with `AbortSignal` ## {#abortoperation}

Developers are encouraged to leverage the {{AbortController}} to manage the 
{{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)}} and {{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)}} operations.
See [[dom#abortcontroller-api-integration]] section for detailed instructions. 

    Note: [[dom#abortcontroller-api-integration]] section specifies that web platform APIs integrating with the  
    {{AbortController}} must reject the promise immediately once the [=AbortSignal/aborted flag=] is set. 
    Given the complex inheritance and parallelization structure of the {{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)}}
    and {{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)}} methods, the algorithms for the two APIs fulfills this
    requirement by checking the [=AbortSignal/aborted flag=] in three places. In the case of 
    {{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)}}, the aborted flag is checked first in
    [[credential-management-1#algorithm-create]] immediately before calling {{Credential/[[Create]](origin, options, sameOriginWithAncestors)}},
    then in [[#createCredential]] right before [=authenticator sessions=] start, and finally
    during [=authenticator sessions=]. The same goes for
    {{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)}}.

The [=visibility states|visibility=] and [=focus=] state of the [=Window=] object determines whether the 
{{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)}} and {{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)}} operations
should continue. When the [=Window=] object associated with the [[=Document=] loses focus, 
{{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)}} and {{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)}} operations
SHOULD be aborted. 

    Issue: The WHATWG HTML WG is discussing whether to provide a hook when a browsing context gains or
    loses focuses. If a hook is provided, the above paragraph will be updated to include the hook.
    See [WHATWG HTML WG Issue #2711](https://github.com/whatwg/html/issues/2711) for more details. 


## Authentication Extensions Client Inputs (typedef <dfn>AuthenticationExtensionsClientInputs</dfn>) ## {#iface-authentication-extensions-client-inputs}

<xmp class="idl">
    dictionary AuthenticationExtensionsClientInputs {
    };
</xmp>

This is a dictionary containing the [=client extension input=] values for zero or more WebAuthn extensions, as defined in [[#extensions]].


## Authentication Extensions Client Outputs (typedef <dfn>AuthenticationExtensionsClientOutputs</dfn>) ## {#iface-authentication-extensions-client-outputs}

<xmp class="idl">
    dictionary AuthenticationExtensionsClientOutputs {
    };
</xmp>

This is a dictionary containing the [=client extension output=] values for zero or more WebAuthn extensions, as defined in [[#extensions]].


## Authentication Extensions Authenticator Inputs (typedef <dfn>AuthenticationExtensionsAuthenticatorInputs</dfn>) ## {#iface-authentication-extensions-authenticator-inputs}

<xmp class="idl">
    typedef record<DOMString, DOMString> AuthenticationExtensionsAuthenticatorInputs;
</xmp>

This is a dictionary containing the [=authenticator extension input=] values for zero or more WebAuthn extensions, as defined in [[#extensions]].


## Supporting Data Structures ## {#supporting-data-structures}

The [=public key credential=] type uses certain data structures that are specified in supporting specifications. These are as
follows.


### Client data used in WebAuthn signatures (dictionary <dfn dictionary>CollectedClientData</dfn>) ### {#sec-client-data}

The <dfn>client data</dfn> represents the contextual bindings of both the [=[RP]=] and the client platform. It is a key-value
mapping with string-valued keys. Values can be any type that has a valid encoding in JSON. Its structure is defined by the
following Web IDL.

<pre class="idl">
    dictionary CollectedClientData {
        required DOMString           type;
        required DOMString           challenge;
        required DOMString           origin;
        TokenBinding                 tokenBinding;
    };

    dictionary TokenBinding {
        required TokenBindingStatus status;
        DOMString id;
    };

    enum TokenBindingStatus { "present", "supported", "not-supported" };
</pre>

<div dfn-type="dict-member" dfn-for="CollectedClientData">
    The <dfn>type</dfn> member contains the string "webauthn.create" when creating new credentials, and "webauthn.get"
    when getting an assertion from an existing credential. The purpose of this member is to prevent certain types of signature
    confusion attacks (where an attacker substitutes one legitimate signature for another).

    The <dfn>challenge</dfn> member contains the base64url encoding of the challenge provided by the RP.
    See the [[#cryptographic-challenges]] security consideration.

    The <dfn>origin</dfn> member contains the fully qualified [=origin=] of the requester, as provided to the authenticator by
    the client, in the syntax defined by [[RFC6454]].

    The <dfn>tokenBinding</dfn> member contains information about the state of the [=Token Binding=] protocol used when communicating with the [=[RP]=]. The `status` member is one of:
        * `not-supported`: when the client does not support token binding.
        * `supported`: the client supports token binding, but it was not negotiated when communicating with the [=[RP]=].
        * `present`: token binding was used when communicating with the [=[RP]=]. In this case, the `id` member MUST be present and MUST be a [=base64url encoding=] of the [=Token Binding ID=] that was used.

    This structure is used by the client to compute the following quantities:

    : <dfn dfn>JSON-serialized client data</dfn>
    :: This is the [=UTF-8 encoding=] of the result of calling the initial value of {{JSON/stringify|JSON.stringify}} on a
        {{CollectedClientData}} dictionary.

    : <dfn dfn>Hash of the serialized client data</dfn>
    :: This is the hash (computed using SHA-256) of the [=JSON-serialized client data=], as constructed by the client.
</div>


### Credential Type enumeration (enum <dfn enum>PublicKeyCredentialType</dfn>) ### {#credentialType}

<pre class="idl">
    enum PublicKeyCredentialType {
        "public-key"
    };
</pre>

<div dfn-type="enum-value" dfn-for="PublicKeyCredentialType">
    This enumeration defines the valid credential types. It is an extension point; values can be added to it in the future, as
    more credential types are defined. The values of this enumeration are used for versioning the Authentication Assertion and
    attestation structures according to the type of the authenticator.

    Currently one credential type is defined, namely "<dfn>public-key</dfn>".
</div>


### Credential Descriptor (dictionary <dfn dictionary>PublicKeyCredentialDescriptor</dfn>) ### {#credential-dictionary}

<xmp class="idl">
    dictionary PublicKeyCredentialDescriptor {
        required PublicKeyCredentialType      type;
        required BufferSource                 id;
        sequence<AuthenticatorTransport>      transports;
    };
</xmp>

This dictionary contains the attributes that are specified by a caller when referring to a [=public key credential=] as an input
parameter to the {{CredentialsContainer/create()}} or {{CredentialsContainer/get()}} methods. It mirrors the fields of the
{{PublicKeyCredential}} object returned by the latter methods.

<div dfn-type="dict-member" dfn-for="PublicKeyCredentialDescriptor">
    The <dfn>type</dfn> member contains the type of the [=public key credential=] the caller is referring to.

    The <dfn>id</dfn> member contains the [=credential ID=] of the [=public key credential=] that the caller is referring to.
</div>


### Authenticator Transport enumeration (enum <dfn enum>AuthenticatorTransport</dfn>) ### {#transport}

<pre class="idl">
    enum AuthenticatorTransport {
        "usb",
        "nfc",
        "ble"
    };
</pre>

<div dfn-type="enum-value" dfn-for="AuthenticatorTransport">
    Authenticators may communicate with clients using a variety of transports. This enumeration defines a hint as to how clients
    might communicate with a particular authenticator in order to obtain an assertion for a specific credential. Note that these
    hints represent the [=[RP]=]'s best belief as to how an authenticator may be reached. A [=[RP]=] may obtain a list of
    transports hints from some [=attestation statement formats=] or via some out-of-band mechanism; it is outside the scope of
    this specification to define that mechanism.

    <ul>
        <li><dfn>usb</dfn> - the respective authenticator can be contacted over USB.
        <li><dfn>nfc</dfn> - the respective authenticator can be contacted over Near Field Communication (NFC).
        <li><dfn>ble</dfn> - the respective authenticator can be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE).
    </ul>
</div>


### Cryptographic Algorithm Identifier (typedef <dfn>COSEAlgorithmIdentifier</dfn>) ### {#alg-identifier}

<pre class="idl">
    typedef long COSEAlgorithmIdentifier;
</pre>

<div dfn-type="typedef" dfn-for="COSEAlgorithmIdentifier">
    A {{COSEAlgorithmIdentifier}}'s value is a number identifying a cryptographic algorithm.
    The algorithm identifiers SHOULD be values registered in the IANA COSE Algorithms registry [[!IANA-COSE-ALGS-REG]],
    for instance, <code>-7</code> for "ES256" and <code>-257</code> for "RS256".
</div>


### User Verification Requirement enumeration (enum <dfn enum>UserVerificationRequirement</dfn>) ### {#userVerificationRequirement}

<pre class="idl">
    enum UserVerificationRequirement {
        "required",
        "preferred",
        "discouraged"
    };
</pre>

A [=[RP]=] may require [=user verification=] for some of its operations but not for others, and may use this type to express its
needs.

The value {{UserVerificationRequirement/required}} indicates that the [=[RP]=] requires [=user verification=] for the operation
and will fail the operation if the response does not have the [=UV=] [=flag=] set.

The value {{UserVerificationRequirement/preferred}} indicates that the [=[RP]=] prefers [=user verification=] for the
operation if possible, but will not fail the operation if the response does not have the [=UV=] [=flag=] set.

The value {{UserVerificationRequirement/discouraged}} indicates that the [=[RP]=] does not want [=user verification=] employed
during the operation (e.g., in the interest of minimizing disruption to the user interaction flow).


# WebAuthn <dfn>Authenticator Model</dfn> # {#sctn-authenticator-model}

[[#api|The Web Authentication API]] implies a specific abstract functional model for an [=authenticator=]. This section
describes that [=authenticator model=].

Client platforms MAY implement and expose this abstract model in any way desired. However, the behavior of the client's Web
Authentication API implementation, when operating on the authenticators supported by that platform, MUST be indistinguishable
from the behavior specified in [[#api]].

For authenticators, this model defines the logical operations that they MUST support, and the data formats that they expose to
the client and the [=[RP]=]. However, it does not define the details of how authenticators communicate with the client platform,
unless they are necessary for interoperability with [=[RPS]=]. For instance, this abstract model does not define protocols for
connecting authenticators to clients over transports such as USB or NFC. Similarly, this abstract model does not define specific
error codes or methods of returning them; however, it does define error behavior in terms of the needs of the client. Therefore,
specific error codes are mentioned as a means of showing which error conditions must be distinguishable (or not) from each other
in order to enable a compliant and secure client implementation.

[=[RPS]=] may influence authenticator selection, if they deem necessary, by stipulating various authenticator characteristics
when [[#createCredential|creating credentials]] and/or when [[#getAssertion|generating assertions]], through use of
[[#dictionary-makecredentialoptions|credential creation options]] or [[#assertion-options|assertion generation options]],
respectively. The algorithms underlying the [[#api|WebAuthn API]] marshal these options and pass them to the applicable
[[#authenticator-ops|authenticator operations]] defined below.

In this abstract model, the authenticator provides key management and cryptographic signatures. It can be embedded in the
WebAuthn client or housed in a separate device entirely. The authenticator itself can contain a cryptographic module which
operates at a higher security level than the rest of the authenticator. This is particularly important for authenticators that
are embedded in the WebAuthn client, as in those cases this cryptographic module (which may, for example, be a TPM) could be
considered more trustworthy than the rest of the authenticator.

Each authenticator stores a <dfn for=authenticator>credentials map</dfn>, a [=map=] from ([=rpId=], [[=userHandle=]]) to
[=public key credential source=].

Additionally, each authenticator has an AAGUID, which is a 128-bit identifier indicating the type (e.g. make and model) of the
authenticator. The AAGUID MUST be chosen by the manufacturer to be identical across all substantially identical authenticators
made by that manufacturer, and different (with probability 1-2<sup>-128</sup> or greater) from the AAGUIDs of all other types of
authenticators. The RP MAY use the AAGUID to infer certain properties of the authenticator, such as certification level and
strength of key protection, using information from other sources.

The primary function of the authenticator is to provide WebAuthn signatures, which are bound to various contextual data. These
data are observed and added at different levels of the stack as a signature request passes from the server to the
authenticator. In verifying a signature, the server checks these bindings against expected values. These contextual bindings
are divided in two: Those added by the RP or the client, referred to as [=client data=]; and those added by the authenticator,
referred to as the [=authenticator data=]. The authenticator signs over the [=client data=], but is otherwise not interested in
its contents. To save bandwidth and processing requirements on the authenticator, the client hashes the [=client data=] and
sends only the result to the authenticator. The authenticator signs over the combination of the
[=hash of the serialized client data=], and its own [=authenticator data=].

The goals of this design can be summarized as follows.

- The scheme for generating signatures should accommodate cases where the link between the client platform and authenticator
    is very limited, in bandwidth and/or latency. Examples include Bluetooth Low Energy and Near-Field Communication.

- The data processed by the authenticator should be small and easy to interpret in low-level code. In particular, authenticators
    should not have to parse high-level encodings such as JSON.

- Both the client platform and the authenticator should have the flexibility to add contextual bindings as needed.

- The design aims to reuse as much as possible of existing encoding formats in order to aid adoption and implementation.

Authenticators produce cryptographic signatures for two distinct purposes:
1. An <dfn>attestation signature</dfn> is produced when a new [=public key credential=] is created via an
    [=authenticatorMakeCredential=] operation. An [=attestation signature=] provides cryptographic
    proof of certain properties of the [=authenticator=] and the credential. For instance, an [=attestation signature=]
    asserts the [=authenticator=] type (as denoted by its AAGUID) and the [=credential public key=]. The [=attestation
    signature=] is signed by an [=attestation private key=], which is chosen depending on the type of [=attestation=] desired.
    For more details on [=attestation=], see [[#sctn-attestation]].
2. An <dfn>assertion signature</dfn> is produced when the [=authenticatorGetAssertion=] method is invoked. It represents an
    assertion by the [=authenticator=] that the user has [=user consent|consented=] to a specific transaction, such as logging
    in, or completing a purchase. Thus, an [=assertion signature=] asserts that the [=authenticator=] possessing a particular
    [=credential private key=] has established, to the best of its ability, that the user requesting this transaction is the
    same user who [=user consent|consented=] to creating that particular [=public key credential=]. It also asserts additional
    information, termed [=client data=], that may be useful to the caller, such as the means by which [=user consent=] was
    provided, and the prompt shown to the user by the [=authenticator=]. The [=assertion signature=] format is illustrated in
    [Figure 2, below](#fig-signature).

The formats of these signatures, as well as the procedures for generating them, are specified below.

## Authenticator data ## {#sec-authenticator-data}

The <dfn>authenticator data</dfn> structure encodes contextual bindings made by the [=authenticator=]. These bindings are
controlled by the authenticator itself, and derive their trust from the [=[RP]=]'s assessment of the security properties of the
authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy
than the [=client data=]. At the other extreme, the authenticator may be a discrete entity with high-security hardware and
software, connected to the client over a secure channel. In both cases, the [=[RP]=] receives the [=authenticator data=] in the same
format, and uses its knowledge of the authenticator to make trust decisions.

The [=authenticator data=] has a compact but extensible encoding. This is desired since authenticators can be devices with
limited capabilities and low power requirements, with much simpler software stacks than the client platform components.

The [=authenticator data=] structure is a byte array of 37 bytes or more, as follows.

<table class="complex data longlastcol">
    <tr>
        <th>Name</th>
        <th>Length (in bytes)</th>
        <th>Description</th>
    </tr>
    <tr>
        <td><dfn>rpIdHash</dfn></td>
        <td>32</td>
        <td>
            SHA-256 hash of the [=RP ID=] associated with the credential.
        </td>
    </tr>
    <tr>
        <td><dfn>flags</dfn></td>
        <td>1</td>
        <td>
            Flags (bit 0 is the least significant bit):
            - Bit 0: [=User Present=] ([=UP=]) result.
                - `1` means the user is [=user present|present=].
                - `0` means the user is not [=user present|present=].
            - Bit 1: Reserved for future use (`RFU1`).
            - Bit 2: [=User Verified=] ([=UV=]) result.
                - `1` means the user is [=user verified|verified=].
                - `0` means the user is not [=user verified|verified=].
            - Bits 3-5: Reserved for future use (`RFU2`).
            - Bit 6: [=Attested credential data=] included (`AT`).
                - Indicates whether the authenticator added [=attested credential data=].
            - Bit 7: Extension data included (`ED`).
                - Indicates if the [=authenticator data=] has [=authDataExtensions|extensions=].
        </td>
    </tr>
    <tr>
        <td><dfn>signCount</dfn></td>
        <td>4</td>
        <td>[=Signature counter=], 32-bit unsigned big-endian integer.</td>
    </tr>
    <tr>
        <td><dfn>attestedCredentialData</dfn></td>
        <td>variable (if present)</td>
        <td>
            [=attested credential data=] (if present). See [[#sec-attested-credential-data]] for details. Its length depends on
            the [=credentialIdLength|length=] of the [=credentialId|credential ID=] and [=credentialPublicKey|credential public
            key=] being attested.
        </td>
    </tr>
    <tr>
        <td><dfn lt="authDataExtensions">extensions</dfn></td>
        <td>variable (if present)</td>
        <td>
            Extension-defined [=authenticator data=]. This is a [=CBOR=] [[RFC7049]] map with [=extension identifiers=] as keys,
            and [=authenticator extension outputs=] as values. See [[#extensions]] for details.
        </td>
    </tr>
</table>

  NOTE: The names in the Name column in the above table are only for reference within this document, and are not present in the
  actual representation of the [=authenticator data=].


The [=RP ID=] is originally received from the client when the credential is created, and again when an assertion is generated.
However, it differs from other [=client data=] in some important ways. First, unlike the client data, the [=RP ID=] of a
credential does not change between operations but instead remains the same for the lifetime of that credential. Secondly, it is
validated by the authenticator during the [=authenticatorGetAssertion=] operation, by verifying that the [=RP ID=] associated
with the requested credential exactly matches the [=RP ID=] supplied by the client, and that the [=RP ID=] [=is a registrable
domain suffix of or is equal to=] the [=effective domain=] of the RP's [=origin=]'s [=effective domain=].

The `UP` flag SHALL be set if and only if the authenticator detected a user through an authenticator specific gesture. The
`RFU` bits SHALL be set to zero.

For attestation signatures, the authenticator MUST set the AT flag and include the <code>[=attestedCredentialData=]</code>. For
authentication signatures, the AT flag MUST NOT be set and the <code>[=attestedCredentialData=]</code> MUST NOT be included.

If the authenticator does not include any extension data, it MUST set the `ED` flag to zero, and to one if
extension data is included.

The [figure below](#fig-authData) shows a visual representation of the [=authenticator data=] structure.

<figure id="fig-authData">
    <img src="images/fido-signature-formats-figure1.svg"/>
    <figcaption>[=Authenticator data=] layout.</figcaption>
</figure>

Note that the [=authenticator data=] describes its own length: If the AT and ED [=flags=] are not set, it is always 37 bytes long.
The [=attested credential data=] (which is only present if the AT flag is set) describes its own length. If the ED flag is set,
then the total length is 37 bytes plus the length of the [=attested credential data=], plus the length of the [=CBOR=] map that
follows.

### <dfn>Signature Counter</dfn> Considerations ### {#sign-counter}

Authenticators MUST implement a [=signature counter=] feature. The [=signature counter=] is incremented for each successful
[=authenticatorGetAssertion=] operation by some positive value, and its value is returned to the [=[RP]=] within the
[=authenticator data=]. The [=signature counter=]'s purpose is to aid [=[RPS]=] in detecting cloned authenticators. Clone
detection is more important for authenticators with limited protection measures.

An [=[RP]=] stores the [=signature counter=] of the most recent [=authenticatorGetAssertion=] operation. Upon a new
[=authenticatorGetAssertion=] operation, the [=[RP]=] compares the stored [=signature counter=] value with the new
<code>[=signCount=]</code> value returned in the assertion's [=authenticator data=].  If this new <code>[=signCount=]</code> value is less than or equal to the stored value, a cloned authenticator may exist, or the authenticator may be malfunctioning.

Detecting a [=signature counter=]  mismatch does not indicate whether the current operation was performed by a cloned authenticator or the original authenticator.  [=[RPS]=] should address this situation appropriately relative to their individual situations, i.e., their risk tolerance. 

Authenticators:
- should implement per-[=RP ID=] [=signature counters=].  This prevents the 
    [=signature counter=] value from being shared between [=[RPS]=] and being possibly employed 
    as a correlation handle for the user. Authenticators may implement a global [=signature counter=], 
    i.e., on a per-authenticator basis, but this is less privacy-friendly for users. 

- should ensure that the [=signature counter=] value does not 
    accidentally decrease  (e.g., due to hardware failures).

## <dfn>Authenticator operations</dfn> ## {#authenticator-ops}

A [=[WAC]=] MUST connect to an authenticator in order to invoke any of the operations of that authenticator. This connection
defines an <dfn>authenticator session</dfn>. An authenticator must maintain isolation between sessions. It may do this by only allowing one
session to exist at any particular time, or by providing more complicated session management.

The following operations can be invoked by the client in an authenticator session.


<h4 id="op-lookup-credsource-by-credid" algorithm>Lookup Credential Source by Credential ID algorithm</h4>

The result of <dfn for="credential id">looking up</dfn> a [=credential id=] |credentialId| in an [=authenticator=]
|authenticator| is the result of the following algorithm:
1. If |authenticator| can decrypt |credentialId| into a [=public key credential source=] |credSource|:
    1. Set |credSource|.[=public key credential source/id=] to |credentialId|.
    1. Return |credSource|.
1. [=map/For each=] [=public key credential source=] |credSource| of |authenticator|'s [=credentials map=]:
    1. If |credSource|.[=public key credential source/id=] is |credentialId|, return |credSource|.
1. Return `null`.


<h4 id="op-make-cred" algorithm>The <dfn>authenticatorMakeCredential</dfn> operation</h4>

It takes the following input parameters:

<!-- @@EDITOR-ANCHOR-01B: KEEP THIS LIST SYNC'D WITH THE LIST UP AT @@EDITOR-ANCHOR-01A -->
: |hash|
:: The [=hash of the serialized client data=], provided by the client.
: |rpEntity|
:: The [=[RP]=]'s {{PublicKeyCredentialRpEntity}}.
: |userEntity|
:: The user account's {{PublicKeyCredentialUserEntity}}, containing the [=user handle=] given by the [=[RP]=].
: |requireResidentKey|
:: The {{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{requireResidentKey}} value given by the [=[RP]=].
: |requireUserPresence|
:: A Boolean value provided by the client, which in invocations from a [=[WAC]=]'s
    {{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)}} method is always set to the inverse of
    |requireUserVerification|.
: |requireUserVerification|
:: The [=effective user verification requirement for credential creation=], a Boolean value provided by the client.
: |credTypesAndPubKeyAlgs|
:: A sequence of pairs of {{PublicKeyCredentialType}} and public key algorithms ({{COSEAlgorithmIdentifier}}) requested by the
    [=[RP]=]. This sequence is ordered from most preferred to least preferred. The platform makes a best-effort to create the most
    preferred credential that it can.
: |excludeCredentialDescriptorList|
:: An optional list of {{PublicKeyCredentialDescriptor}} objects provided by the [=[RP]=] with the intention that, if any of
    these are known to the authenticator, it should not create a new credential. |excludeCredentialDescriptorList| contains a 
    list of known credentials.
: |extensions|
:: A [=CBOR=] [=map=] from [=extension identifiers=] to their [=authenticator extension inputs=], created by the client based on
    the extensions requested by the [=[RP]=], if any.

Note: Before performing this operation, all other operations in progress in the [=authenticator session=] MUST be aborted by 
running the [=authenticatorCancel=] operation.

When this operation is invoked, the [=authenticator=] MUST perform the following procedure:
1. Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code
    equivalent to "{{UnknownError}}" and terminate the operation.
1. Check if at least one of the specified combinations of {{PublicKeyCredentialType}} and cryptographic parameters in
    |credTypesAndPubKeyAlgs| is supported.
    If not, return an error code equivalent to "{{NotSupportedError}}" and terminate the operation.

1. [=list/For each=] |descriptor| of |excludeCredentialDescriptorList|:

    1.  If [=credential id/looking up=] <code>|descriptor|.{{PublicKeyCredentialDescriptor/id}}</code> in this authenticator
        returns non-`null`, and the returned [=list/item=]'s [=RP ID=] and [=type=] match
        <code>|rpEntity|.{{PublicKeyCredentialRpEntity/id}}</code> and
        <code>|excludeCredentialDescriptorList|.{{PublicKeyCredentialDescriptor/type}}</code> respectively, then obtain [=user
        consent=] for creating a new credential. The method of obtaining [=user consent=] MUST include a [=test
        of user presence=]. If the user
        <dl class="switch">
            :   confirms consent to create a new credential
            ::  return an error code equivalent to "{{InvalidStateError}}" and terminate the operation.

            :   does not consent to create a new credential
            ::  return an error code equivalent to "{{NotAllowedError}}" and terminate the operation.
        </dl>

1. If |requireResidentKey| is `true` and the authenticator cannot store a [=Client-side-resident Credential
    Private Key=], return an error code equivalent to "{{ConstraintError}}" and terminate the operation.
1. If |requireUserVerification| is `true` and the authenticator cannot perform [=user verification=], return an error code
    equivalent to "{{ConstraintError}}" and terminate the operation.
1. Obtain [=user consent=] for creating a new credential. The prompt for obtaining this [=user consent|consent=] is shown by the
    authenticator if it has its own output capability, or by the user agent otherwise. The prompt SHOULD display
    <code>|rpEntity|.{{PublicKeyCredentialRpEntity/id}}</code>, <code>|rpEntity|.{{PublicKeyCredentialEntity/name}}</code>,
    <code>|userEntity|.{{PublicKeyCredentialEntity/name}}</code> and
    <code>|userEntity|.{{PublicKeyCredentialUserEntity/displayName}}</code>, if possible.

    If |requireUserVerification| is `true`, the method of obtaining [=user consent=] MUST include [=user verification=].

    If |requireUserPresence| is `true`, the method of obtaining [=user consent=] MUST include a [=test of user presence=].

    If the user does not [=user consent|consent=] or if [=user verification=] fails, return an error code equivalent to
    "{{NotAllowedError}}" and terminate the operation.

1. Once [=user consent=] has been obtained, generate a new credential object:
    1. Let (|publicKey|, |privateKey|) be a new pair of cryptographic keys using the combination of {{PublicKeyCredentialType}}
        and cryptographic parameters represented by the first [=list/item=] in |credTypesAndPubKeyAlgs| that is supported by
        this authenticator.
    1. Let |userHandle| be <code>|userEntity|.{{PublicKeyCredentialUserEntity/id}}</code>.
    1. Let |credentialSource| be a new [=public key credential source=] with the fields:
        <dl link-for="public key credential source">
            : [=type=]
            :: {{PublicKeyCredentialType/public-key}}.
            : [=privateKey=]
            :: |privateKey|
            : [=rpId=]
            :: <code>|rpEntity|.{{PublicKeyCredentialRpEntity/id}}</code>
            : [=userHandle=]
            :: |userHandle|
            : [=otherUI=]
            :: Any other information the authenticator chooses to include.
        </dl>
    1. If |requireResidentKey| is true or the authenticator chooses to create a [=Client-side-resident Credential Private Key=]:
        1. Let |credentialId| be a new [=credential id=].
        1. Set |credentialSource|.[=public key credential source/id=] to |credentialId|.
        1. Let |credentials| be this authenticator's [=credentials map=].
        1. [=map/Set=] |credentials|[(<code>|rpEntity|.{{PublicKeyCredentialRpEntity/id}}</code>, |userHandle|)] to |credentialSource|.
    1. Otherwise:
        1. Let |credentialId| be the result of serializing and encrypting |credentialSource| so that only this authenticator can
            decrypt it.
1. If any error occurred while creating the new credential object, return an error code equivalent to "{{UnknownError}}" and
    terminate the operation.
1. Let |processedExtensions| be the result of [=authenticator extension processing=] [=map/for each=] supported [=extension
    identifier=] → [=authenticator extension input=] in |extensions|.
1. If the [=authenticator=] supports:
    <dl class="switch">
        :   a per-[=RP ID=] [=signature counter=]
        ::  allocate the counter, associate it with the 
              [=RP ID=], and initialize the counter value as zero. 
        :  a global [=signature counter=]
        ::  Use the global [=signature counter=]'s actual value when generating 
              [=authenticator data=].
        : a per credential [=signature counter=]
        :: allocate the counter, associate it with the new credential, and initialize the counter value as zero.
    </dl>

1. Let |attestedCredentialData| be the [=attested credential data=] byte array including the |credentialId| and |publicKey|.
1. Let |authenticatorData| be the byte array specified in [[#sec-authenticator-data]], including |attestedCredentialData| as the
    <code>[=attestedCredentialData=]</code> and |processedExtensions|, if any, as the
    <code>[=authDataExtensions|extensions=]</code>.
1. Return the [=attestation object=] for the new credential created by the procedure specified in
    [[#generating-an-attestation-object]] using an authenticator-chosen [=attestation statement format=], |authenticatorData|,
    and |hash|. For more details on attestation, see [[#sctn-attestation]].

On successful completion of this operation, the authenticator returns the [=attestation object=] to the client.


<h4 id="op-get-assertion" algorithm> The <dfn>authenticatorGetAssertion</dfn> operation</h4>

It takes the following input parameters:

: |rpId|
:: The caller's [=RP ID=], as <a href='#GetAssn-DetermineRpId'>determined</a> by the user agent and the client.
: |hash|
:: The [=hash of the serialized client data=], provided by the client.
: |allowCredentialDescriptorList|
:: An optional [=list=] of {{PublicKeyCredentialDescriptor}}s describing credentials acceptable to the [=[RP]=] (possibly filtered
    by the client), if any.
: |requireUserPresence|
:: A Boolean value provided by the client, which in invocations from a [=[WAC]=]'s
    {{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)}} method is always set to the inverse of
    |requireUserVerification|.
: |requireUserVerification|
:: The [=effective user verification requirement for assertion=], a Boolean value provided by the client.
: |extensions|
:: A [=CBOR=] [=map=] from [=extension identifiers=] to their [=authenticator extension inputs=], created by the client based on
    the extensions requested by the [=[RP]=], if any.

Note: Before performing this operation, all other operations in progress in the [=authenticator session=] must be aborted by running the [=authenticatorCancel=] operation.

When this method is invoked, the [=authenticator=] MUST perform the following procedure:

1. Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code
    equivalent to "{{UnknownError}}" and terminate the operation.
1. Let |credentialOptions| be a new empty [=set=] of [=public key credential sources=].
1. If |allowCredentialDescriptorList| was supplied, then [=list/for each=] |descriptor| of |allowCredentialDescriptorList|:
    1. Let |credSource| be the result of [=looking up=] <code>|descriptor|.{{PublicKeyCredentialDescriptor/id}}</code> in this
        authenticator.
    1. If |credSource| is not `null`, [=set/append=] it to |credentialOptions|.
1. Otherwise (|allowCredentialDescriptorList| was not supplied), [=map/for each=] <var ignore>key</var> → |credSource| of this
    authenticator's [=credentials map=], [=set/append=] |credSource| to |credentialOptions|.
1. [=list/Remove=] any items from |credentialOptions| whose [=public key credential source/rpId=] is not equal to
    |rpId|.
1. If |credentialOptions| is now empty, return an error code equivalent to "{{NotAllowedError}}" and terminate the operation.

1. Prompt the user to select a [=public key credential source=] |selectedCredential| from |credentialOptions|.
    Obtain [=user consent=] for using |selectedCredential|. The prompt for obtaining this [=user consent|consent=] may be shown
    by the [=authenticator=] if it has its own output capability, or by the user agent otherwise.

    If |requireUserVerification| is `true`, the method of obtaining [=user consent=] MUST include [=user verification=].

    If |requireUserPresence| is `true`, the method of obtaining [=user consent=] MUST include a 
        [=test of user presence=].

    If the user does not [=user consent|consent=], return an error code equivalent to
    "{{NotAllowedError}}" and terminate the operation.

1. Let |processedExtensions| be the result of [=authenticator extension processing=] [=map/for each=] supported [=extension
    identifier=] → [=authenticator extension input=] in |extensions|.
1. Increment the [=RP ID=]-associated
    [=signature counter=] or the global [=signature counter=] value, depending on 
    which approach is implemented by the [=authenticator=], by some positive value.
1. Let |authenticatorData| be the byte array specified in [[#sec-authenticator-data]] including |processedExtensions|, if any, as
    the <code>[=authDataExtensions|extensions=]</code> and excluding <code>[=attestedCredentialData=]</code>.
1. Let |signature| be the [=assertion signature=] of the concatenation <code>|authenticatorData| || |hash|</code> using the
    [=public key credential source/privateKey=] of |selectedCredential| as shown in [Figure 2](#fig-signature), below. A simple,
    undelimited
    concatenation is safe to use here because the [=authenticator data=] describes its own length. The [=hash of the serialized
    client data=] (which potentially has a variable length) is always the last element.

    <figure id="fig-signature">
        <img src="images/fido-signature-formats-figure2.svg"/>
        <figcaption>Generating an [=assertion signature=].</figcaption>
    </figure>

1. If any error occurred while generating the [=assertion signature=], return an error code equivalent to "{{UnknownError}}" and
    terminate the operation.

<!-- Note: this next step is actually a top-level step, but bikeshed wanted it indented this much in order to compile w/o errors and to render properly.
-->
    <li id='authenticatorGetAssertion-return-values'>
        Return to the user agent:
            - |selectedCredential|.[=public key credential source/id=], if either a list of credentials
                (i.e., |allowCredentialDescriptorList|) of length 2 or greater was
                supplied by the client, or no such list was supplied.
    
                    Note: If, within |allowCredentialDescriptorList|, the client supplied exactly one credential and it was successfully employed, then its
                        [=credential ID=] is not returned since the client already knows it. This saves transmitting these bytes over
                        what may be a constrained connection in what is likely a common case.
    
            - |authenticatorData|
            - |signature|
            - |selectedCredential|.[=public key credential source/userHandle=]

                    Note: the returned [=public key credential source/userHandle=] value may be `null`, see:
                        [=assertionCreationData/userHandleResult=].
    </li>

If the [=authenticator=] cannot find any [=public key credential|credential=] corresponding to the specified [=[RP]=] that
matches the specified criteria, it terminates the operation and returns an error.


### The <dfn>authenticatorCancel</dfn> operation ### {#op-cancel}

This operation takes no input parameters and returns no result.

When this operation is invoked by the client in an [=authenticator session=], it has the effect of terminating any
[=authenticatorMakeCredential=] or [=authenticatorGetAssertion=] operation currently in progress in that authenticator
session. The authenticator stops prompting for, or accepting, any user input related to authorizing the canceled operation. The
client ignores any further responses from the authenticator for the canceled operation.

This operation is ignored if it is invoked in an [=authenticator session=] which does not have an [=authenticatorMakeCredential=]
or [=authenticatorGetAssertion=] operation currently in progress.


## Attestation ## {#sctn-attestation}

[=Authenticators=] MUST also provide some form of [=attestation=]. The basic requirement is that the [=authenticator=] can
produce, for each [=credential public key=], an [=attestation statement=] verifiable by the [=[RP]=]. Typically, this
[=attestation statement=] contains a signature by an [=attestation private key=] over the attested [=credential public key=] and
a challenge, as well as a certificate or similar data providing provenance information for the [=attestation public key=],
enabling the [=[RP]=] to make a trust decision. However, if an [=attestation key pair=] is not available, then the authenticator
MUST perform [=self attestation=] of the [=credential public key=] with the corresponding [=credential private key=]. All this
information is returned by [=authenticators=] any time a new [=public key credential=] is generated, in the overall form of an
<dfn>attestation object</dfn>. The relationship of the [=attestation object=] with [=authenticator data=] (containing
[=attested credential data=]) and the [=attestation statement=] is illustrated in [figure 3](#fig-attStructs), below.

<figure id="fig-attStructs">
    <img src="images/fido-attestation-structures.svg"/>
    <figcaption>[=Attestation object=] layout illustrating the included [=authenticator data=] (containing [=attested credential
    data=]) and the [=attestation statement=].</figcaption>
    <div class="note">
        This figure illustrates only the `packed` [=attestation statement format=]. Several additional [=attestation statement
        formats=] are defined in [[#defined-attestation-formats]].
    </div>
</figure>

An important component of the [=attestation object=] is the <dfn>attestation statement</dfn>. This is a specific type of signed
data object, containing statements about a [=public key credential=] itself and the [=authenticator=] that created it. It
contains an [=attestation signature=] created using the key of the attesting authority (except for the case of [=self
attestation=], when it is created using the [=credential private key=]). In order to correctly interpret an [=attestation
statement=], a [=[RP]=] needs to understand these two aspects of [=attestation=]:

1. The <dfn>attestation statement format</dfn> is the manner in which the signature is represented and the various contextual
    bindings are incorporated into the attestation statement by the [=authenticator=]. In other words, this defines the
    syntax of the statement. Various existing devices and platforms (such as TPMs and the Android OS) have previously defined
    [=attestation statement formats=]. This specification supports a variety of such formats in an extensible way, as defined in
    [[#attestation-formats]].

2. The <dfn>attestation type</dfn> defines the semantics of [=attestation statements=] and their underlying trust models.
    Specifically, it defines how a [=[RP]=] establishes trust in a particular [=attestation statement=], after verifying that it
    is cryptographically valid. This specification supports a number of [=attestation types=], as described in
    [[#sctn-attestation-types]].

In general, there is no simple mapping between [=attestation statement formats=] and [=attestation types=]. For example, the
"packed" [=attestation statement format=] defined in [[#packed-attestation]] can be used in conjunction with all [=attestation
types=], while other formats and types have more limited applicability.

The privacy, security and operational characteristics of [=attestation=] depend on:
- The [=attestation type=], which determines the trust model,
- The [=attestation statement format=], which MAY constrain the strength of the [=attestation=] by limiting what can be
    expressed in an [=attestation statement=], and
- The characteristics of the individual [=authenticator=], such as its construction, whether part or all of it runs in a secure
    operating environment, and so on.

It is expected that most [=authenticators=] will support a small number of [=attestation types=] and [=attestation statement
formats=], while [=[RPS]=] will decide what [=attestation types=] are acceptable to them by policy. [=[RPS]=] will also need to
understand the characteristics of the [=authenticators=] that they trust, based on information they have about these
[=authenticators=]. For example, the FIDO Metadata Service [[FIDOMetadataService]] provides one way to access such information.


### Attested credential data ### {#sec-attested-credential-data}

<dfn>Attested credential data</dfn> is a variable-length byte array added to the [=authenticator data=] when generating an [=attestation
object=] for a given credential. It has the following format:

<table class="complex data longlastcol">
    <tr>
        <th>Name</th>
        <th>Length (in bytes)</th>
        <th>Description</th>
    </tr>
    <tr>
        <td><dfn>aaguid</dfn></td>
        <td>16</td>
        <td>The AAGUID of the authenticator.</td>
    </tr>
    <tr>
        <td><dfn>credentialIdLength</dfn></td>
        <td>2</td>
        <td>Byte length <strong>L</strong> of Credential ID, 16-bit unsigned big-endian integer.</td>
    </tr>
    <tr>
        <td><dfn>credentialId</dfn></td>
        <td>L</td>
        <td>[=Credential ID=]</td>
    </tr>
    <tr>
        <td><dfn>credentialPublicKey</dfn></td>
        <td>variable</td>
        <td>
            The [=credential public key=] encoded in COSE_Key format,
            as defined in Section 7 of [[RFC8152]], using the [=CTAP2 canonical CBOR encoding form=].
            The COSE_Key-encoded [=credential public key=] MUST contain the optional "alg" parameter and MUST NOT
            contain any other optional parameters. The "alg" parameter MUST contain a {{COSEAlgorithmIdentifier}} value.
            The encoded [=credential public key=] MUST also contain any additional required parameters stipulated by the
            relevant key type specification, i.e., required for the key type "kty" and algorithm "alg" (see Section 8 of
            [[RFC8152]]).
        </td>
    </tr>
</table>

  NOTE: The names in the Name column in the above table are only for reference within this document, and are not present in the
  actual representation of the [=attested credential data=].

#### Examples of `credentialPublicKey` Values encoded in COSE_Key format #### {#sctn-encoded-credPubKey-examples}

This section provides examples of COSE_Key-encoded Elliptic Curve and RSA public keys for the ES256, PS256, and RS256
signature algorithms. These examples adhere to the rules defined above for the [=credentialPublicKey=] value, and are presented in [[CDDL]] for clarity. 

[[RFC8152]] [Section 7](https://tools.ietf.org/html/rfc8152#section-7) defines the general framework for all
COSE_Key-encoded keys.
Specific key types for specific algorithms are defined in other sections of [[RFC8152]] as well as in other specifications,
as noted below.

Below is an example of a COSE_Key-encoded Elliptic Curve public key in EC2 format (see [[RFC8152]]
[Section 13.1](https://tools.ietf.org/html/rfc8152#section-13.1)), on the P-256 curve, to be used with the ES256 signature
algorithm (ECDSA w/ SHA-256, see [[RFC8152]] [Section 8.1](https://tools.ietf.org/html/rfc8152#section-8.1)):

<pre class="example" highlight="json">
  {
    1:   2,  ; kty: EC2 key type
    3:  -7,  ; alg: ES256 signature algorithm
   -1:   1,  ; crv: P-256 curve
   -2:   x,  ; x-coordinate as byte string 32 bytes in length
             ; e.g., in hex: 65eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c08551d
   -3:   y   ; y-coordinate as byte string 32 bytes in length
             ; e.g., in hex: 1e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd0084d19c
  }
</pre>

Below is the above Elliptic Curve public key encoded in the [=CTAP2 canonical CBOR encoding form=], whitespace and line breaks
are included here for clarity and to match the [[CDDL]] presentation above:

<pre class="example" highlight="json">
  A5
     01  02

     03  26

     20  01

     21  58 20   65eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c08551d

     22  58 20   1e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd0084d19c
</pre>


Below is an example of a COSE_Key-encoded 2048-bit RSA public key (see [[RFC8230]] [Section 4](https://tools.ietf.org/html/rfc8230#section-4)),
to be used with the PS256 signature algorithm
(RSASSA-PSS with SHA-256, see [[RFC8230]] [Section 2](https://tools.ietf.org/html/rfc8230#section-2)):

<pre class="example" highlight="json">
  {
    1:   3,  ; kty: RSA key type
    3: -37,  ; alg: PS256
   -1:   n,  ; n:   RSA modulus n byte string 256 bytes in length
             ;      e.g., in hex (middle bytes elided for brevity): DB5F651550...6DC6548ACC3
   -2:   e   ; e:   RSA public exponent e byte string 3 bytes in length
             ;      e.g., in hex: 010001
  }
</pre>

Below is an example of the same COSE_Key-encoded RSA public key as above, 
to be used with the RS256 signature algorithm (RSASSA-PKCS1-v1_5 with SHA-256, see [[#sctn-cose-alg-reg]]):

<pre class="example" highlight="json">
  {
    1:   3,  ; kty: RSA key type
    3:-257,  ; alg: RS256
   -1:   n,  ; n:   RSA modulus n byte string 256 bytes in length
             ;      e.g., in hex (middle bytes elided for brevity): DB5F651550...6DC6548ACC3
   -2:   e   ; e:   RSA public exponent e byte string 3 bytes in length
             ;      e.g., in hex: 010001
  }
</pre>


### Attestation Statement Formats ### {#attestation-formats}

As described above, an [=attestation statement format=] is a data format which represents a cryptographic signature by an
[=authenticator=] over a set of contextual bindings. Each [=attestation statement format=] MUST be defined using the following
template:

- <strong>[=Attestation statement format identifier=]:</strong>

- <strong>Supported [=attestation types=]:</strong>

- <strong>Syntax:</strong>
    The syntax of an [=attestation statement=] produced in this format, defined using [[!CDDL]] for the extension point
    `$attStmtFormat` defined in [[#generating-an-attestation-object]].

- <dfn>Signing procedure</dfn>:
    The [=signing procedure=] for computing an [=attestation statement=] in this [=attestation statement format|format=] given
    the [=public key credential=] to be attested, the [=authenticator data=] structure containing the <dfn>authenticator data
    for the attestation</dfn>, and the [=hash of the serialized client data=].

- <dfn>Verification procedure</dfn>:
    The procedure for verifying an [=attestation statement=], which takes the following <dfn>verification procedure inputs</dfn>:
    - |attStmt|: The [=attestation statement=] structure
    - |authenticatorData|: The  <dfn>[=authenticator data=] claimed to have been used for the attestation</dfn>
    - |clientDataHash|: The [=hash of the serialized client data=]

    The procedure returns either:
    - An error indicating that the attestation is invalid, or
    - The [=attestation type=], and the [=attestation trust path|trust path=]. This <dfn>attestation trust path</dfn> is either
        empty (in case of [=self attestation=]), an identifier of an [=ECDAA-Issuer public key=] (in the case of [=ECDAA=]), or a
        set of X.509 certificates.

The initial list of specified [=attestation statement formats=] is in [[#defined-attestation-formats]].


<!-- Editors Note: differentiating section IDs from non-section IDs is useful because at times we need to seperately reference
     different things having the same nominal name, eg attestation-types-the-section, and attestation-types-the-definition -->
### Attestation Types ### {#sctn-attestation-types}

WebAuthn supports multiple attestation types:

: <dfn>Basic Attestation</dfn> (<dfn>Basic</dfn>)
:: In the case of basic attestation [[UAFProtocol]], the authenticator's [=attestation key pair=] is specific to an
    authenticator model.  Thus, authenticators of the same model often share the same attestation key pair. See
    [[#sec-attestation-privacy]] for further information.

: <dfn>Self Attestation</dfn> (<dfn>Self</dfn>)
:: In the case of [=self attestation=], also known as surrogate basic attestation [[UAFProtocol]], the Authenticator does not have
    any specific attestation key. Instead it uses the credential private key to create the attestation signature.
    Authenticators without meaningful protection measures for an attestation private key typically use this attestation type.

: <dfn>Attestation CA</dfn> (<dfn>AttCA</dfn>)
:: In this case, an [=authenticator=] is based on a Trusted Platform Module (TPM) and holds an authenticator-specific
    "endorsement key" (EK). This key is used to securely communicate with a trusted third party, the [=Attestation CA=]
    [[!TCG-CMCProfile-AIKCertEnroll]] (formerly known as a "Privacy CA"). The [=authenticator=] can generate multiple
    attestation identity key pairs (AIK) and requests an [=Attestation CA=] to issue an AIK certificate
    for each. Using this approach, such an [=authenticator=] can limit the exposure of the EK (which is a global correlation
    handle) to Attestation CA(s). AIKs can be requested for each [=authenticator=]-generated [=public key credential=]
    individually, and conveyed to [=[RPS]=] as [=attestation certificates=].

    Note: This concept typically leads to multiple attestation certificates. The attestation certificate requested most recently
        is called "active".

: <dfn>Elliptic Curve based Direct Anonymous Attestation</dfn> (<dfn>ECDAA</dfn>)
:: In this case, the Authenticator receives direct anonymous attestation (<dfn>DAA</dfn>) credentials from a single DAA-Issuer.
    These DAA credentials are used along with blinding to sign the [=attested credential data=]. The concept of blinding avoids
    the DAA credentials being misused as global correlation handle. WebAuthn supports DAA using elliptic curve cryptography and
    bilinear pairings, called [=ECDAA=] (see [[FIDOEcdaaAlgorithm]]) in this specification. Consequently we denote the DAA-Issuer
    as ECDAA-Issuer (see [[FIDOEcdaaAlgorithm]]).

: <dfn>No attestation statement</dfn> (<dfn>None</dfn>)
:: In this case, no attestation information is available.

<h4 id="generating-an-attestation-object" algorithm>Generating an Attestation Object</h4>

To generate an [=attestation object=] (see: [Figure 3](#fig-attStructs)) given:

: |attestationFormat|
:: An [=attestation statement format=].
: |authData|
:: A byte array containing [=authenticator data=].
: |hash|
:: The [=hash of the serialized client data=].

the [=authenticator=] MUST:

1. Let <var ignore>attStmt</var> be the result of running |attestationFormat|'s [=signing procedure=] given |authData| and
    |hash|.
1. Let <var ignore>fmt</var> be |attestationFormat|'s [=attestation statement format identifier=]
1. Return the [=attestation object=] as a CBOR map with the following syntax, filled in with variables initialized by this
    algorithm:

    ```
    attObj = {
                authData: bytes,
                $$attStmtType
             }

    attStmtTemplate = (
                          fmt: text,
                          attStmt: { * tstr => any } ; Map is filled in by each concrete attStmtType
                      )

    ; Every attestation statement format must have the above fields
    attStmtTemplate .within $$attStmtType
    ```

### Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures ### {#signature-attestation-types}
    - For COSEAlgorithmIdentifier -7 (ES256),  and other ECDSA-based algorithms,
        a signature value is encoded as an ASN.1 DER Ecdsa-Sig-Value, as defined in [[RFC3279]] section 2.2.3.

        ```
        Example:
        30 44                                ; SEQUENCE (68 Bytes)
            02 20                            ; INTEGER (32 Bytes)
            |  3d 46 28 7b 8c 6e 8c 8c  26 1c 1b 88 f2 73 b0 9a
            |  32 a6 cf 28 09 fd 6e 30  d5 a7 9f 26 37 00 8f 54
            02 20                            ; INTEGER (32 Bytes)
            |  4e 72 23 6e a3 90 a9 a1  7b cf 5f 7a 09 d6 3a b2
            |  17 6c 92 bb 8e 36 c0 41  98 a2 7b 90 9b 6e 8f 13
        ```

        Note: As CTAP1/U2F devices are already producing signatures values in this format, CTAP2
        devices will also produce signatures values in the same format, for consistency reasons.
        It is recommended that any new attestation formats defined not use ASN.1 encodings,
        but instead represent signatures as equivalent fixed-length byte arrays without internal structure,
        using the same representations as used by COSE signatures as defined in [[!RFC8152]] and [[!RFC8230]].

    - For COSEAlgorithmIdentifier -257 (RS256), `sig` contains the signature generated using the
        RSASSA-PKCS1-v1_5 signature scheme defined in section 8.2.1 in [[RFC8017]] with SHA-256 as the hash function.
        The signature is not ASN.1 wrapped.

    - For COSEAlgorithmIdentifier -37 (PS256), `sig` contains the signature generated using the
        RSASSA-PSS signature scheme defined in section 8.1.1 in [[RFC8017]] with SHA-256 as the hash function.
        The signature is not ASN.1 wrapped.

# [=[RP]=] Operations # {#rp-operations}

Upon successful execution of {{CredentialsContainer/create()}} or {{CredentialsContainer/get()}}, the [=[RP]=]'s script receives
a {{PublicKeyCredential}} containing an {{AuthenticatorAttestationResponse}} or {{AuthenticatorAssertionResponse}} structure,
respectively, from the client. It must then deliver the contents of this structure to the [=[RP]=] server, using methods outside
the scope of this specification. This section describes the operations that the [=[RP]=] must perform upon receipt of these
structures.


## Registering a new credential ## {#registering-a-new-credential}

When registering a new credential, represented by an {{AuthenticatorAttestationResponse}} structure |response| and an
{{AuthenticationExtensionsClientOutputs}} structure |clientExtensionResults|, as part of a [=registration=] [=ceremony=], a
[=[RP]=] MUST proceed as follows:

1. Let |JSONtext| be the result of
    running [=UTF-8 decode=] on the value of <code>|response|.{{AuthenticatorResponse/clientDataJSON}}</code>.

    Note: Using any implementation of [=UTF-8 decode=] is acceptable as long as it yields the same result as that yielded by
    the [=UTF-8 decode=] algorithm. In particular, any leading byte order mark (BOM) MUST be stripped.

1. Let |C|, the [=client data=] claimed as collected during the credential creation, be the result of running an
    implementation-specific JSON parser on |JSONtext|.

    Note: |C| may be any implementation-specific data structure representation, as long as |C|'s components are referenceable, as
    required by this algorithm.

1. Verify that the value of <code>|C|.{{CollectedClientData/type}}</code> is `webauthn.create`.

1. Verify that the value of <code>|C|.{{CollectedClientData/challenge}}</code> matches the challenge that was sent to the
    authenticator in the {{CredentialsContainer/create()}} call.

1. Verify that the value of <code>|C|.{{CollectedClientData/origin}}</code> matches the [=[RP]=]'s [=origin=].

1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}}</code> matches the state of [=Token Binding=] for the TLS connection over which the [=assertion=] was obtained. If [=Token Binding=] was used on that TLS connection, also verify that <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}}</code> matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection.

1. Compute the hash of <code>|response|.{{AuthenticatorResponse/clientDataJSON}}</code> using SHA-256.

1. Perform CBOR decoding on the {{AuthenticatorAttestationResponse/attestationObject}} field of the
    {{AuthenticatorAttestationResponse}} structure to obtain the attestation statement format |fmt|, the [=authenticator data=]
    |authData|, and the attestation statement |attStmt|.

1. Verify that the [=RP ID=] hash in |authData| is indeed the SHA-256 hash of the [=RP ID=] expected by the RP.

1. If [=user verification=] is required for this registration, verify that the [=User Verified=] bit of the <code>[=flags=]</code>
    in |authData| is set.

1. If [=user verification=] is not required for this registration, verify that the [=User Present=] bit of the
    <code>[=flags=]</code> in |authData| is set.

1. Verify that the values of the [=client extension outputs=] in |clientExtensionResults| and the [=authenticator extension
    outputs=] in the <code>[=authdataextensions|extensions=]</code> in |authData| are as expected, considering the [=client
    extension input=] values that were given as the {{PublicKeyCredentialCreationOptions/extensions}} option in the
    {{CredentialsContainer/create()}} call.
    In particular, any [=extension identifier=] values in the |clientExtensionResults| and
    the <code>[=authdataextensions|extensions=]</code> in |authData|
    MUST be also be present as [=extension identifier=] values in
    the {{PublicKeyCredentialCreationOptions/extensions}} member of |options|,
    i.e., no extensions are present that were not requested.
    In the general case, the meaning of "are as expected" is specific to the [=[RP]=] and which extensions are in use.

    Note: Since all extensions are OPTIONAL for both the [=client=] and the [=authenticator=], the [=[RP]=] MUST be prepared to
    handle cases where none or not all of the requested extensions were acted upon.

1. Determine the attestation statement format by performing a USASCII case-sensitive match on |fmt| against the set of
    supported WebAuthn Attestation Statement Format Identifier values.
    The up-to-date list of registered WebAuthn Attestation Statement Format Identifier values
    is maintained in the in the IANA registry of the same name [[!WebAuthn-Registries]].

1. Verify that |attStmt| is a correct [=attestation statement=], conveying a valid [=attestation signature=], by using the
    [=attestation statement format=] |fmt|'s verification procedure given |attStmt|, |authData| and the [=hash of the serialized
    client data=] computed in step 7.

    Note: Each [=attestation statement format=] specifies its own verification procedure. See [[#defined-attestation-formats]] for
    the initially-defined formats, and [[!WebAuthn-Registries]] for the up-to-date list.

1. If validation is successful, obtain a list of acceptable trust anchors (attestation root certificates or [=ECDAA-Issuer
    public key=]s) for that attestation type and attestation statement format |fmt|, from a trusted source or from policy. For
    example, the FIDO Metadata Service [[FIDOMetadataService]] provides one way to obtain such information, using the
    <code>[=aaguid=]</code> in the <code>[=attestedCredentialData=]</code> in |authData|.

1. Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows:
        - If [=self attestation=] was used, check if [=self attestation=] is acceptable under [=[RP]=] policy.
        - If [=ECDAA=] was used, verify that the [=identifier of the ECDAA-Issuer public key=] used is included in the set of
            acceptable trust anchors obtained in step 15.
        - Otherwise, use the X.509 certificates returned by the verification procedure to verify that the attestation public key
            correctly chains up to an acceptable root certificate.

1. Check that the <code>[=credentialId=]</code> is not yet registered to any other user. If registration 
    is requested for a credential that is already registered to a different user, the [=[RP]=] SHOULD 
    fail this [=registration=] ceremony, or it MAY decide to accept the registration, e.g. while deleting the older registration.

1. If the attestation statement |attStmt| verified successfully and is found to be trustworthy, then register the new
    credential with the account that was denoted in the
    {{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)/options}}.{{PublicKeyCredentialCreationOptions/user}} passed to
    {{CredentialsContainer/create()}}, by associating it with the <code>[=credentialId=]</code> and
    <code>[=credentialPublicKey=]</code> in the <code>[=attestedCredentialData=]</code> in |authData|, as appropriate for the
    [=[RP]=]'s system.

1. If the attestation statement |attStmt| successfully verified but is not trustworthy per step 16 above, the [=[RP]=] SHOULD fail
    the [=registration=] [=ceremony=].

    NOTE: However, if permitted by policy, the [=[RP]=] MAY register the [=credential ID=] and credential public key but treat the
        credential as one with [=self attestation=] (see [[#sctn-attestation-types]]). If doing so, the [=[RP]=] is asserting there
        is no cryptographic proof that the [=public key credential=] has been generated by a particular [=authenticator=] model.
        See [[FIDOSecRef]] and [[UAFProtocol]] for a more detailed discussion.

Verification of [=attestation objects=] requires that the [=[RP]=] has a trusted method of determining acceptable trust anchors
in step 15 above. Also, if certificates are being used, the [=[RP]=] MUST have access to certificate status information for the
intermediate CA certificates. The [=[RP]=] MUST also be able to build the attestation certificate chain if the client did not
provide this chain in the attestation information.


## Verifying an authentication assertion ## {#verifying-assertion}

When verifying a given {{PublicKeyCredential}} structure (|credential|) and an {{AuthenticationExtensionsClientOutputs}} structure
|clientExtensionResults|, as part of an [=authentication=] [=ceremony=], the [=[RP]=] MUST proceed as follows:

1. If the {{PublicKeyCredentialRequestOptions/allowCredentials}} option was given when this [=authentication=] [=ceremony=] was
    initiated, verify that <code>|credential|.{{Credential/id}}</code> identifies one of the [=public key credentials=] that were
    listed in {{PublicKeyCredentialRequestOptions/allowCredentials}}.

1. If <code>|credential|.{{PublicKeyCredential/response}}.{{AuthenticatorAssertionResponse/userHandle}}</code> is present, verify
    that the user identified by this value is the owner of the [=public key credential=] identified by
    <code>|credential|.{{Credential/id}}</code>.

1. Using |credential|'s {{Credential/id}} attribute (or the corresponding {{PublicKeyCredential/rawId}}, if
    [=base64url encoding=] is inappropriate for your use case), look up the corresponding credential public key.

1. Let |cData|, |aData| and |sig| denote the value of |credential|'s {{PublicKeyCredential/response}}'s
    {{AuthenticatorResponse/clientDataJSON}}, {{AuthenticatorAssertionResponse/authenticatorData}}, and
    {{AuthenticatorAssertionResponse/signature}} respectively.

1. Let |JSONtext| be the result of running [=UTF-8 decode=] on the value of |cData|.

    Note: Using any implementation of [=UTF-8 decode=] is acceptable as long as it yields the same result as that yielded by
    the [=UTF-8 decode=] algorithm. In particular, any leading byte order mark (BOM) MUST be stripped.

1. Let |C|, the [=client data=] claimed as used for the signature, be the result of running an implementation-specific
    JSON parser on |JSONtext|.

    Note: |C| may be any implementation-specific data structure representation, as long as |C|'s components are referenceable, as
    required by this algorithm.

1. Verify that the value of <code>|C|.{{CollectedClientData/type}}</code> is the string `webauthn.get`.

1. Verify that the value of <code>|C|.{{CollectedClientData/challenge}}</code> matches the challenge that was sent to the
    authenticator in the {{PublicKeyCredentialRequestOptions}} passed to the {{CredentialsContainer/get()}} call.

1. Verify that the value of <code>|C|.{{CollectedClientData/origin}}</code> matches the [=[RP]=]'s [=origin=].

1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}}</code> matches the state of [=Token Binding=] for the TLS connection over which the attestation was obtained. If [=Token Binding=] was used on that TLS connection, also verify that <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}}</code> matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection.

1. Verify that the <code>[=rpIdHash=]</code> in |aData| is the SHA-256 hash of the [=RP ID=] expected by the [=[RP]=].

1. If [=user verification=] is required for this assertion, verify that the [=User Verified=] bit of the <code>[=flags=]</code> in
    |aData| is set.

1. If [=user verification=] is not required for this assertion, verify that the [=User Present=] bit of the <code>[=flags=]</code>
    in |aData| is set.

1. Verify that the values of the [=client extension outputs=] in |clientExtensionResults| and the [=authenticator extension
    outputs=] in the <code>[=authdataextensions|extensions=]</code> in |authData| are as expected, considering the [=client
    extension input=] values that were given as the {{PublicKeyCredentialRequestOptions/extensions}} option in the
    {{CredentialsContainer/get()}} call.
    In particular, any [=extension identifier=] values in the |clientExtensionResults| and
    the <code>[=authdataextensions|extensions=]</code> in |authData|
    MUST be also be present as [=extension identifier=] values in
    the {{PublicKeyCredentialCreationOptions/extensions}} member of |options|,
    i.e., no extensions are present that were not requested.
    In the general case, the meaning of "are as expected" is specific to the [=[RP]=] and which extensions are in use.

    Note: Since all extensions are OPTIONAL for both the [=client=] and the [=authenticator=], the [=[RP]=] MUST be prepared to
    handle cases where none or not all of the requested extensions were acted upon.

1. Let |hash| be the result of computing a hash over the |cData| using SHA-256.

1. Using the credential public key looked up in step 3, verify that |sig| is a valid signature over the binary concatenation of
    |aData| and |hash|.

1. If the [=signature counter=] value |adata|.<code>[=signCount=]</code> is nonzero or the value stored
    in conjunction with |credential|'s {{Credential/id}} attribute
    is nonzero, then run the following sub-step:
      - If the [=signature counter=] value |adata|.<code>[=signCount=]</code> is
           <dl class="switch">
              <dt>greater than the [=signature counter=] value stored in conjunction 
                  with |credential|'s {{Credential/id}} attribute.</dt>
              <dd>Update the stored [=signature counter=] value, associated with 
                  |credential|'s {{Credential/id}} attribute, to be the value of 
                  |adata|.<code>[=signCount=]</code>.</dd>
              <dt>less than or equal to the [=signature counter=] value stored in conjunction
                  with |credential|'s {{Credential/id}} attribute.</dt>
              <dd>This is a signal that
                  the authenticator may be cloned, i.e. at least 
                  two copies of the [=credential private key=] may exist and are  
                  being used in parallel. [=[RPS]=] should incorporate this information  
                  into their risk scoring.  Whether the [=[RP]=] updates the 
                  stored [=signature counter=] value in this case, or not, or fails the 
                  [=authentication|authentication ceremony=] or not, is 
                  [=[RP]=]-specific. </dd>
           </dl>

1. If all the above steps are successful, continue with the authentication ceremony as appropriate. Otherwise, fail the
    [=authentication|authentication ceremony=].


# Defined Attestation Statement Formats # {#defined-attestation-formats}

WebAuthn supports pluggable attestation statement formats. This section defines an initial set of such formats.

## Attestation Statement Format Identifiers ## {#sctn-attstn-fmt-ids}

Attestation statement formats are identified by a string, called an <dfn>attestation statement format identifier</dfn>, chosen by
the author of the attestation statement format.

Attestation statement format identifiers SHOULD be registered per [[!WebAuthn-Registries]] "Registries for Web Authentication
(WebAuthn)". All registered attestation statement format identifiers are unique amongst themselves as a matter of course.

Unregistered attestation statement format identifiers SHOULD use lowercase reverse domain-name naming, using a domain name
registered by the developer, in order to assure uniqueness of the identifier. All attestation statement format identifiers MUST
be a maximum of 32 octets in length and MUST consist only of printable USASCII characters, excluding backslash and doublequote,
i.e., VCHAR as defined in [[!RFC5234]] but without %x22 and %x5c.

Note: This means attestation statement format identifiers based on domain names MUST incorporate only LDH Labels [[!RFC5890]].

Implementations MUST match WebAuthn attestation statement format identifiers in a case-sensitive fashion.

Attestation statement formats that may exist in multiple versions SHOULD include a version in their identifier. In effect,
different versions are thus treated as different formats, e.g., `packed2` as a new version of the `packed` attestation statement
format.

The following sections present a set of currently-defined and registered attestation statement formats and their identifiers.
The up-to-date list of registered WebAuthn Extensions is maintained in the IANA "WebAuthn Attestation Statement Format
Identifier" registry established by [[!WebAuthn-Registries]].


## Packed Attestation Statement Format ## {#packed-attestation}

This is a WebAuthn optimized attestation statement format. It uses a very compact but still extensible encoding method. It is
implementable by [=authenticators=] with limited resources (e.g., secure elements).

: Attestation statement format identifier
:: packed

: Attestation types supported
:: All

: Syntax
:: The syntax of a Packed Attestation statement is defined by the following CDDL:

    ```
    $$attStmtType //= (
                          fmt: "packed",
                          attStmt: packedStmtFormat
                      )

    packedStmtFormat = {
                           alg: COSEAlgorithmIdentifier,
                           sig: bytes,
                           x5c: [ attestnCert: bytes, * (caCert: bytes) ]
                       } //
                       {
                           alg: COSEAlgorithmIdentifier, (-260 for ED256 / -261 for ED512)
                           sig: bytes,
                           ecdaaKeyId: bytes
                       } //
                       {
                           alg: COSEAlgorithmIdentifier
                           sig: bytes,
                       }
    ```

    The semantics of the fields are as follows:

    : alg
    :: A {{COSEAlgorithmIdentifier}} containing the identifier of the algorithm used to generate the attestation signature.

    : sig
    :: A byte string containing the attestation signature.

    : x5c
    :: The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format.
        The attestation certificate MUST be the first element in the array.

    : ecdaaKeyId
    :: The <dfn>identifier of the ECDAA-Issuer public key</dfn>.  This is the
        BigNumberToB encoding of the component "c" of the <dfn>ECDAA-Issuer public key</dfn>
        as defined section 3.3, step 3.5 in [[!FIDOEcdaaAlgorithm]].

: Signing procedure
:: The signing procedure for this attestation statement format is 
    similar to [the procedure for generating assertion signatures](#fig-signature).
        1. Let |authenticatorData| denote the [=authenticator data for the attestation=], 
            and let |clientDataHash| denote the [=hash of the serialized client data=].

        1. If [=Basic=] or [=AttCA=] [=attestation=] is in use, the authenticator produces the |sig| by concatenating |authenticatorData| and
            |clientDataHash|, and signing the result using an [=attestation private key=] selected through an authenticator-specific
            mechanism. It sets |x5c| to the certificate chain of the [=attestation public key=] and |alg| to the algorithm of the
            attestation private key.

        1. If [=ECDAA=] is in use, the authenticator produces |sig| by concatenating |authenticatorData| and |clientDataHash|, and
            signing the result using ECDAA-Sign (see section 3.5 of [[!FIDOEcdaaAlgorithm]]) after selecting an
            [=ECDAA-Issuer public key=] related to the ECDAA signature private key through an 
            authenticator-specific mechanism (see [[!FIDOEcdaaAlgorithm]]). It sets |alg| to the algorithm of the selected
            [=ECDAA-Issuer public key=] and |ecdaaKeyId| to the [=identifier of the ECDAA-Issuer public key=] (see above).

        1. If [=self attestation=] is in use, the authenticator produces |sig| by concatenating |authenticatorData| and |clientDataHash|,
            and signing the result using the credential private key. It sets |alg| to the algorithm of the credential private key and
            omits the other fields.

: Verification procedure
:: Given the [=verification procedure inputs=] |attStmt|, |authenticatorData| and |clientDataHash|, the verification procedure is
    as follows:

        1. Verify that |attStmt| is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract
            the contained fields.

        1. If |x5c| is present, this indicates that the attestation type is not [=ECDAA=]. In this case:
            - Verify that |sig| is a valid signature over the concatenation of |authenticatorData| and |clientDataHash| using the
                attestation public key in |x5c| with the algorithm specified in |alg|.
            - Verify that |x5c| meets the requirements in [[#packed-attestation-cert-requirements]].
            - If |x5c| contains an extension with OID 1.3.6.1.4.1.45724.1.1.4 (`id-fido-gen-ce-aaguid`) verify that the value of this
                extension matches the <code>[=aaguid=]</code> in |authenticatorData|.
            - If successful, return attestation type [=Basic=] and [=attestation trust path=] |x5c|.

        1. If |ecdaaKeyId| is present, then the attestation type is [=ECDAA=]. In this case:
            - Verify that |sig| is a valid signature over the concatenation of |authenticatorData| and |clientDataHash| using
                ECDAA-Verify with [=ECDAA-Issuer public key=] identified by |ecdaaKeyId| (see [[!FIDOEcdaaAlgorithm]]).
            - If successful, return attestation type [=ECDAA=] and [=attestation trust path=] |ecdaaKeyId|.

        1. If neither |x5c| nor |ecdaaKeyId| is present, [=self attestation=] is in use.
            - Validate that |alg| matches the algorithm of the <code>[=credentialPublicKey=]</code> in |authenticatorData|.
            - Verify that |sig| is a valid signature over the concatenation of |authenticatorData| and |clientDataHash| using the
                credential public key with |alg|.
            - If successful, return attestation type [=Self=] and empty [=attestation trust path=].


### Packed attestation statement certificate requirements ### {#packed-attestation-cert-requirements}

The attestation certificate MUST have the following fields/extensions:

- Version MUST be set to 3 (which is indicated by an ASN.1 INTEGER with value 2).
- Subject field MUST be set to:
    : Subject-C
    :: ISO 3166 code specifying the country where the Authenticator vendor is incorporated (PrintableString)
    : Subject-O
    :: Legal name of the Authenticator vendor (UTF8String)
    : Subject-OU
    :: Literal string “Authenticator Attestation” (UTF8String)
    : Subject-CN
    :: A UTF8String of the vendor's choosing

- If the related attestation root certificate is used for multiple authenticator models, the Extension OID
    1.3.6.1.4.1.45724.1.1.4 (`id-fido-gen-ce-aaguid`) MUST be present, containing the AAGUID as a 16-byte OCTET STRING.
    The extension MUST NOT be marked as critical.

    Note that an X.509 Extension encodes the DER-encoding of the value in an OCTET STRING.
    Thus, the AAGUID must be wrapped in <i>two</i> OCTET STRINGS to be valid. Here is a sample, encoded Extension structure:

    <pre>
  30 21                                     -- SEQUENCE
    06 0b 2b 06 01 04 01 82 e5 1c 01 01 04  -- 1.3.6.1.4.1.45724.1.1.4
    04 12                                   -- OCTET STRING
      04 10                                 -- OCTET STRING
        cd 8c 39 5c 26 ed ee de             -- AAGUID
        65 3b 00 79 7d 03 ca 3c
    </pre>

- The Basic Constraints extension MUST have the CA component set to false.

- An Authority Information Access (AIA) extension with entry `id-ad-ocsp` and a CRL Distribution Point extension [[RFC5280]]
    are both OPTIONAL as the status of many attestation certificates is available through authenticator metadata services.
    See, for example, the FIDO Metadata Service [[FIDOMetadataService]].


## TPM Attestation Statement Format ## {#tpm-attestation}

This attestation statement format is generally used by authenticators that use a Trusted Platform Module as their cryptographic
engine.

: Attestation statement format identifier
:: tpm

: Attestation types supported
:: [=AttCA=], [=ECDAA=]

: Syntax
:: The syntax of a TPM Attestation statement is as follows:

    ```
    $$attStmtType // = (
                           fmt: "tpm",
                           attStmt: tpmStmtFormat
                       )

    tpmStmtFormat = {
                        ver: "2.0",
                        (
                            alg: COSEAlgorithmIdentifier,
                            x5c: [ aikCert: bytes, * (caCert: bytes) ]
                        ) //
                        (
                            alg:  COSEAlgorithmIdentifier, (-260 for ED256 / -261 for ED512)
                            ecdaaKeyId: bytes
                        ),
                        sig: bytes,
                        certInfo: bytes,
                        pubArea: bytes
                    }
    ```

    The semantics of the above fields are as follows:

    : ver
    :: The version of the TPM specification to which the signature conforms.

    : alg
    :: A {{COSEAlgorithmIdentifier}} containing the identifier of the algorithm used to generate the attestation signature.

    : x5c
    :: The AIK certificate used for the attestation and its certificate chain, in X.509 encoding.

    : ecdaaKeyId
    :: The [=identifier of the ECDAA-Issuer public key=]. This is the
        BigNumberToB encoding of the component "c" as defined section 3.3,
        step 3.5 in [[!FIDOEcdaaAlgorithm]].

    : sig
    :: The attestation signature, in the form of a TPMT_SIGNATURE structure as specified in [[TPMv2-Part2]] section 11.3.4.

    : certInfo
    :: The TPMS_ATTEST structure over which the above signature was computed, as specified in [[TPMv2-Part2]] section 10.12.8.

    : pubArea
    :: The TPMT_PUBLIC structure (see [[TPMv2-Part2]] section 12.2.4) used by the TPM to represent the credential public key.

: Signing procedure
:: Let |authenticatorData| denote the [=authenticator data for the attestation=], and let |clientDataHash| denote the
    [=hash of the serialized client data=].

    Concatenate |authenticatorData| and |clientDataHash| to form |attToBeSigned|.

    Generate a signature using the procedure specified in [[TPMv2-Part3]] Section 18.2, using the attestation private key and
    setting the `extraData` parameter to the digest of |attToBeSigned| using the hash algorithm corresponding to the "alg" signature algorithm.
    (For the "RS256" algorithm, this would be a SHA-256 digest.)

    Set the |pubArea| field to the public area of the credential public key, the |certInfo| field to the output parameter of the
    same name, and the |sig| field to the signature obtained from the above procedure.

: Verification procedure
:: Given the [=verification procedure inputs=] |attStmt|, |authenticatorData| and |clientDataHash|, the verification procedure is
    as follows:

    Verify that |attStmt| is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the
    contained fields.

    Verify that the public key specified by the `parameters` and `unique` fields of |pubArea| is identical to the
    <code>[=credentialPublicKey=]</code> in the <code>[=attestedCredentialData=]</code> in |authenticatorData|.

    Concatenate |authenticatorData| and |clientDataHash| to form |attToBeSigned|.

    Validate that |certInfo| is valid:
    - Verify that `magic` is set to `TPM_GENERATED_VALUE`.
    - Verify that `type` is set to `TPM_ST_ATTEST_CERTIFY`.
    - Verify that `extraData` is set to the hash of |attToBeSigned| using the hash algorithm employed in "alg".
    - Verify that `attested` contains a `TPMS_CERTIFY_INFO` structure as specified in [[TPMv2-Part2]] section 10.12.3,
        whose `name` field contains a valid Name for |pubArea|,
        as computed using the algorithm in the `nameAlg` field of |pubArea| using the procedure specified in [[TPMv2-Part1]]
        section 16.
    - Note that the remaining fields in the "Standard Attestation Structure" [[TPMv2-Part1]] 
        section 31.2, i.e., `qualifiedSigner`, `clockInfo` and `firmwareVersion` are ignored.
        These fields MAY be used as an input to risk engines.

    If |x5c| is present, this indicates that the attestation type is not [=ECDAA=]. In this case:
    - Verify the |sig| is a valid signature over |certInfo| using the attestation public key in |x5c| with the
        algorithm specified in |alg|.
    - Verify that |x5c| meets the requirements in [[#tpm-cert-requirements]].
    - If |x5c| contains an extension with OID `1 3 6 1 4 1 45724 1 1 4` (id-fido-gen-ce-aaguid) verify that the value of this
        extension matches the <code>[=aaguid=]</code> in |authenticatorData|.
    - If successful, return attestation type [=AttCA=] and [=attestation trust path=] |x5c|.

    If |ecdaaKeyId| is present, then the attestation type is [=ECDAA=].
    - Perform ECDAA-Verify on |sig| to verify that it is a valid signature over |certInfo| (see [[!FIDOEcdaaAlgorithm]]).
    - If successful, return attestation type [=ECDAA=] and the [=identifier of the ECDAA-Issuer public key=] |ecdaaKeyId|.


### TPM attestation statement certificate requirements ### {#tpm-cert-requirements}

TPM [=attestation certificate=] MUST have the following fields/extensions:

- Version MUST be set to 3.

- Subject field MUST be set to empty.

- The Subject Alternative Name extension MUST be set as defined in [[TPMv2-EK-Profile]] section 3.2.9.

- The Extended Key Usage extension MUST contain the
    "joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)" OID.

- The Basic Constraints extension MUST have the CA component set to false.

- An Authority Information Access (AIA) extension with entry `id-ad-ocsp` and a CRL Distribution Point extension [[RFC5280]] are
    both OPTIONAL as the status of many attestation certificates is available through metadata services.
    See, for example, the FIDO Metadata Service [[FIDOMetadataService]].


## Android Key Attestation Statement Format ## {#android-key-attestation}

When the [=authenticator=] in question is a platform-provided Authenticator on the Android "N" or later platform, the
attestation statement is based on the [Android key
attestation](https://developer.android.com/preview/api-overview.html#key_attestation). In these cases, the attestation statement
is produced by a component running in a secure operating environment, but the [=authenticator data for the attestation=] is
produced outside this environment. The [=[RP]=] is expected to check that the [=authenticator data claimed to have been used for
the attestation=] is consistent with the fields of the attestation certificate's extension data.


: Attestation statement format identifier
:: android-key

: Attestation types supported
:: [=Basic=]

: Syntax
:: An Android key attestation statement consists simply of the Android attestation statement, which is a series of
    DER encoded X.509 certificates. See
    [the Android developer documentation](https://developer.android.com/training/articles/security-key-attestation.html). Its
    syntax is defined as follows:

    ```
    $$attStmtType //= (
                          fmt: "android-key",
                          attStmt: androidStmtFormat
                      )

    androidStmtFormat = {
                          alg: COSEAlgorithmIdentifier,
                          sig: bytes,
                          x5c: [ credCert: bytes, * (caCert: bytes) ]
                        }

    ```

: Signing procedure
:: Let |authenticatorData| denote the [=authenticator data for the attestation=], and let |clientDataHash| denote the
    [=hash of the serialized client data=].

    Request an Android Key Attestation by calling <code>keyStore.getCertificateChain(myKeyUUID)</code> providing |clientDataHash| as the
    challenge value (e.g., by using <a
    href="https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder.html#setAttestationChallenge(byte%5B%5D)">
    setAttestationChallenge</a>). Set |x5c| to the returned value.

    The authenticator produces |sig| by concatenating |authenticatorData| and |clientDataHash|,
    and signing the result using the credential private key. It sets |alg| to the algorithm of the signature format.


: Verification procedure
:: Given the [=verification procedure inputs=] |attStmt|, |authenticatorData| and |clientDataHash|, the verification procedure is
    as follows:
    - Verify that |attStmt| is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the
        contained fields.
    - Verify that |sig| is a valid signature over the concatenation of |authenticatorData| and |clientDataHash| using the
        public key in the first certificate in |x5c| with the algorithm specified in |alg|.
    - Verify that the public key in the first certificate in in |x5c| matches the
        <code>[=credentialPublicKey=]</code> in the <code>[=attestedCredentialData=]</code> in |authenticatorData|.
    - Verify that in the attestation certificate extension data:
        - The value of the `attestationChallenge` field is identical to |clientDataHash|.
        - The `AuthorizationList.allApplications` field is <em>not</em> present, since PublicKeyCredential must be bound to the
            [=RP ID=].
        - The value in the `AuthorizationList.origin` field is equal to `KM_TAG_GENERATED`.
        - The value in the `AuthorizationList.purpose` field is equal to `KM_PURPOSE_SIGN`.
    - If successful, return attestation type [=Basic=] with the [=attestation trust path=] set to |x5c|.


## Android SafetyNet Attestation Statement Format ## {#android-safetynet-attestation}

When the [=authenticator=] in question is a platform-provided Authenticator on certain Android platforms, the attestation
statement is based on the [SafetyNet API](https://developer.android.com/training/safetynet/index.html#compat-check-response). In
this case the [=authenticator data=] is completely controlled by the caller of the SafetyNet API (typically an application
running on the Android platform) and the attestation statement only provides some statements about the health of the platform
and the identity of the calling application.  This attestation does not provide information regarding provenance of the authenticator
and its associated data.  Therefore platform-provided authenticators should make use of the Android Key Attestation when available,
even if the SafetyNet API is also present.

: Attestation statement format identifier
:: android-safetynet

: Attestation types supported
:: [=Basic=]

: Syntax
:: The syntax of an Android Attestation statement is defined as follows:

    ```
    $$attStmtType //= (
                          fmt: "android-safetynet",
                          attStmt: safetynetStmtFormat
                      )

    safetynetStmtFormat = {
                              ver: text,
                              response: bytes
                          }
    ```

    The semantics of the above fields are as follows:

    : ver
    :: The version number of Google Play Services responsible for providing the SafetyNet API.

    : response
    :: The [=UTF-8 encoded=] result of the getJwsResult() call of the SafetyNet API. This value is a JWS [[RFC7515]] object (see
        [SafetyNet online documentation](https://developer.android.com/training/safetynet/index.html#compat-check-response))
        in Compact Serialization.

: Signing procedure
:: Let |authenticatorData| denote the [=authenticator data for the attestation=], and let |clientDataHash| denote the
    [=hash of the serialized client data=].

    Concatenate |authenticatorData| and |clientDataHash| to form |attToBeSigned|.

    Request a SafetyNet attestation, providing |attToBeSigned| as the nonce value. Set |response| to the result, and |ver| to
    the version of Google Play Services running in the authenticator.

: Verification procedure
:: Given the [=verification procedure inputs=] |attStmt|, |authenticatorData| and |clientDataHash|, the verification procedure is
    as follows:
    - Verify that |attStmt| is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the
        contained fields.
    - Verify that |response| is a valid SafetyNet response of version |ver|.
    - Verify that the nonce in the |response| is identical to the concatenation of |authenticatorData| and |clientDataHash|.
    - Verify that the attestation certificate is issued to the hostname "attest.android.com" (see
        [SafetyNet online documentation](https://developer.android.com/training/safetynet/index.html#compat-check-response)).
    - Verify that the `ctsProfileMatch` attribute in the payload of |response| is true.
    - If successful, return attestation type [=Basic=] with the [=attestation trust path=] set to the above attestation certificate.


## FIDO U2F Attestation Statement Format ## {#fido-u2f-attestation}

This attestation statement format is used with FIDO U2F authenticators using the formats defined in
[[FIDO-U2F-Message-Formats]].

: Attestation statement format identifier
:: fido-u2f

: Attestation types supported
:: [=Basic=], [=AttCA=]

: Syntax
:: The syntax of a FIDO U2F attestation statement is defined as follows:

    ```
    $$attStmtType //= (
                          fmt: "fido-u2f",
                          attStmt: u2fStmtFormat
                      )

    u2fStmtFormat = {
                        x5c: [ attestnCert: bytes, * (caCert: bytes) ],
                        sig: bytes
                    }
    ```

    The semantics of the above fields are as follows:

    : x5c
    :: The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format.
        The attestation certificate MUST be the first element in the array.

    : sig
    :: The [=attestation signature=].  
        The signature was calculated over the (raw) U2F registration response message [[!FIDO-U2F-Message-Formats]]
        received by the platform from the authenticator.

: Signing procedure
:: If the credential public key of the given credential is not of algorithm -7 ("ES256"), stop and return an error.
    Otherwise, let |authenticatorData| denote the [=authenticator data for the attestation=],
    and let |clientDataHash| denote the [=hash of the serialized client data=]. (Since SHA-256 is used to hash the
    serialized client data, |clientDataHash| will be 32 bytes long.)

    Generate a Registration Response Message as specified in [[FIDO-U2F-Message-Formats]] section 4.3, with the application parameter set to the
    SHA-256 hash of the [=RP ID=] associated with the given credential, the challenge parameter set to |clientDataHash|, and the key handle
    parameter set to the [=credential ID=] of the given credential. Set the raw signature part of this Registration Response Message (i.e., without the user public key,
    key handle, and attestation certificates) as |sig| and set the attestation certificates of
    the attestation public key as |x5c|.

: Verification procedure
:: Given the [=verification procedure inputs=] |attStmt|, |authenticatorData| and |clientDataHash|, the verification procedure is
    as follows:
    1. Verify that |attStmt| is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the
        contained fields.
    1. Let |attCert| be the value of the first element of |x5c|. Let |certificate public key| be the public key
        conveyed by |attCert|. If |certificate public key| is not an Elliptic Curve (EC) public 
        key over the P-256 curve, terminate this algorithm and return an appropriate error. 
    1. Extract the claimed |rpIdHash| from |authenticatorData|, and the claimed |credentialId| and |credentialPublicKey| from
        |authenticatorData|.<code>[=attestedCredentialData=]</code>.
    1. Convert the COSE_KEY formatted |credentialPublicKey| (see Section 7 of [[!RFC8152]]) to CTAP1/U2F public Key
        format [[!FIDO-CTAP]]. 
        - Let |publicKeyU2F| represent the result of the 
            conversion operation and set its first byte to 0x04.
            Note: This signifies uncompressed ECC key format.
        - Extract the value corresponding to the "-2" key 
            (representing x coordinate) from |credentialPublicKey|, 
            confirm its size to be of 32 bytes and concatenate it with |publicKeyU2F|.
            If size differs or "-2" key is not found, terminate this algorithm and return an appropriate error.
        - Extract the value corresponding to the "-3" key 
            (representing y coordinate) from |credentialPublicKey|, 
            confirm its size to be of 32 bytes and concatenate it with |publicKeyU2F|.
            If size differs or "-3" key is not found, terminate this algorithm and return an appropriate error. 
    1. Let |verificationData| be the concatenation of (0x00 || |rpIdHash| ||
        |clientDataHash| || |credentialId| || |publicKeyU2F|) (see Section 4.3 of [[!FIDO-U2F-Message-Formats]]).
    1. Verify the |sig| using |verificationData| and |certificate public key| per [[!SEC1]].
    1. If successful, return attestation type [=Basic=] with the [=attestation trust path=] set to |x5c|.

## None Attestation Statement Format ## {#none-attestation}

The <dfn>none attestation statement format</dfn> is used to replace any [=authenticator=]-provided [=attestation statement=] when a [=[RP]=] indicates it does not wish to receive attestation information, see  [[#attestation-convey]].

: Attestation statement format identifier
:: none

: Attestation types supported
:: [=None=]

: Syntax
:: The syntax of a none attestation statement is defined as follows:

    ```
    $$attStmtType //= (
                          fmt: "none",
                          attStmt: emptyMap
                      )

    emptyMap = {}
    ```

: Signing procedure
:: Return the fixed attestation statement defined above.

: Verification procedure
:: Return attestation type [=None=] with an empty trust path.

# WebAuthn Extensions # {#extensions}

The mechanism for generating [=public key credentials=], as well as requesting and generating Authentication assertions, as
defined in [[#api]], can be extended to suit particular use cases. Each case is addressed by defining a <dfn>registration
extension</dfn> and/or an <dfn>authentication extension</dfn>.

Every extension is a <dfn>client extension</dfn>, meaning that the extension involves communication with and processing by the
client.
[=Client extensions=] define the following steps and data:

- {{CredentialsContainer/create()|navigator.credentials.create()}} extension request parameters and response values for [=registration extensions=].

- {{CredentialsContainer/get()|navigator.credentials.get()}} extension request parameters and response values for [=authentication extensions=].

- [=Client extension processing=] for [=registration extensions=] and [=authentication extensions=].

When creating a [=public key credential=] or requesting an [=authentication assertion=], a [=[RP]=] can request the use of a set
of extensions. These extensions will be invoked during the requested operation if they are supported by the client and/or the
authenticator. The [=[RP]=] sends the [=client extension input=] for each extension in the {{CredentialsContainer/get()}} call
(for [=authentication extensions=]) or {{CredentialsContainer/create()}} call (for [=registration extensions=]) to the client
platform. The client platform performs [=client extension processing=] for each extension that it supports, and augments the
[=client data=] as specified by each extension, by including the [=extension identifier=] and [=client extension output=]
values.

An extension can also be an <dfn>authenticator extension</dfn>, meaning that the extension involves communication with and
processing by the authenticator. [=Authenticator extensions=] define the following steps and data:

- [=authenticatorMakeCredential=] extension request parameters and response values for [=registration extensions=].

- [=authenticatorGetAssertion=] extension request parameters and response values for [=authentication extensions=].

- [=Authenticator extension processing=] for [=registration extensions=] and [=authentication extensions=].

For [=authenticator extensions=], as part of the [=client extension processing=], the client also creates the [=CBOR=]
[=authenticator extension input=] value for each extension (often based on the corresponding [=client extension input=] value),
and passes them to the authenticator in the {{CredentialsContainer/create()}} call (for [=registration extensions=]) or the
{{CredentialsContainer/get()}} call (for [=authentication extensions=]). These [=authenticator extension input=] values are
represented in [=CBOR=] and passed as name-value pairs, with the [=extension identifier=] as the name, and the corresponding
[=authenticator extension input=] as the value. The authenticator, in turn, performs additional processing for the extensions
that it supports, and returns the [=CBOR=] [=authenticator extension output=] for each as specified by the extension. Part of
the [=client extension processing=] for [=authenticator extensions=] is to use the [=authenticator extension output=] as an
input to creating the [=client extension output=].

All WebAuthn extensions are OPTIONAL for both clients and authenticators. Thus, any extensions requested by a [=[RP]=] MAY be
ignored by the client browser or OS and not passed to the authenticator at all, or they MAY be ignored by the authenticator.
Ignoring an extension is never considered a failure in WebAuthn API processing, so when [=[RPS]=] include extensions with any
API calls, they MUST be prepared to handle cases where some or all of those extensions are ignored.

Clients wishing to support the widest possible range of extensions MAY choose to pass through any extensions that they do not
recognize to authenticators, generating the [=authenticator extension input=] by simply encoding the [=client extension input=]
in CBOR. All WebAuthn extensions MUST be defined in such a way that this implementation choice does not endanger the user's
security or privacy. For instance, if an extension requires client processing, it could be defined in a manner that ensures such
a naïve pass-through will produce a semantically invalid [=authenticator extension input=] value, resulting in the extension
being ignored by the authenticator. Since all extensions are OPTIONAL, this will not cause a functional failure in the API
operation. Likewise, clients can choose to produce a [=client extension output=] value for an extension that it does not
understand by encoding the [=authenticator extension output=] value into JSON, provided that the CBOR output uses only types
present in JSON.

When clients choose to pass through extensions they do not recognize,
the JavaScript values in the [=client extension inputs=]
are converted to [=CBOR=] values in the [=authenticator extension inputs=].
When the JavaScript value is an [=%ArrayBuffer%=], it is converted to a [=CBOR=] byte array.
When the JavaScript value is a non-integer number, it is converted to a 64-bit CBOR floating point number.
Otherwise, when the JavaScript type corresponds to a JSON type, the conversion is done
using the rules defined in Section 4.2 of [[RFC7049]] (Converting from JSON to CBOR),
but operating on inputs of JavaScript type values rather than inputs of JSON type values.
Once these conversions are done,
canonicalization of the resulting [=CBOR=] MUST be performed using the [=CTAP2 canonical CBOR encoding form=].

Likewise, when clients receive outputs from extensions they have passed through that they do not recognize,
the [=CBOR=] values in the [=authenticator extension outputs=]
are converted to JavaScript values in the [=client extension outputs=].
When the CBOR value is a byte string, it is converted to a JavaScript [=%ArrayBuffer%=]
(rather than a base64url-encoded string).
Otherwise, when the CBOR type corresponds to a JSON type, the conversion is done
using the rules defined in Section 4.1 of [[RFC7049]] (Converting from CBOR to JSON),
but producing outputs of JavaScript type values rather than outputs of JSON type values.

Note that some clients may choose to implement this pass-through capability under a feature flag.
Supporting this capability can facilitate innovation, allowing authenticators to experiment with new extensions
and [=[RPS]=] to use them before there is explicit support for them in clients.

The IANA "WebAuthn Extension Identifier" registry established by [[!WebAuthn-Registries]] can be consulted
for an up-to-date list of registered WebAuthn Extensions.


## Extension Identifiers ## {#sctn-extension-id}

Extensions are identified by a string, called an <dfn>extension identifier</dfn>, chosen by the extension author.

Extension identifiers SHOULD be registered per [[!WebAuthn-Registries]] "Registries for Web Authentication (WebAuthn)".
All registered extension identifiers are unique amongst themselves as a matter of course.

Unregistered extension identifiers SHOULD aim to be globally unique, e.g., by including the defining entity such as
`myCompany_extension`.

All extension identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable USASCII characters,
excluding backslash and doublequote, i.e., VCHAR as defined in [[!RFC5234]] but without %x22 and %x5c. Implementations MUST
match WebAuthn extension identifiers in a case-sensitive fashion.

Extensions that may exist in multiple versions should take care to include a version in their identifier. In effect, different
versions are thus treated as different extensions, e.g., `myCompany_extension_01`

[[#sctn-defined-extensions]] defines an initial set of extensions and their identifiers.
See the IANA "WebAuthn Extension Identifier" registry established by [[!WebAuthn-Registries]]
for an up-to-date list of registered WebAuthn Extension Identifiers.


## Defining extensions ## {#sctn-extension-specification}

A definition of an extension MUST specify an [=extension identifier=], a [=client extension input=] argument
to be sent via the {{CredentialsContainer/get()}} or {{CredentialsContainer/create()}} call,
the [=client extension processing=] rules, and a [=client extension output=] value.
If the extension communicates with the authenticator (meaning it is an [=authenticator extension=]),
it MUST also specify the [=CBOR=] [=authenticator extension input=] argument
sent via the [=authenticatorGetAssertion=] or [=authenticatorMakeCredential=] call,
the [=authenticator extension processing=] rules, and the [=CBOR=] [=authenticator extension output=] value.

Any [=client extension=] that is processed by the client MUST return a [=client extension output=] value so that the [=[RP]=]
knows that the extension was honored by the client. Similarly, any extension that requires authenticator processing MUST return
an [=authenticator extension output=] to let the [=[RP]=] know that the extension was honored by the authenticator. If an
extension does not otherwise require any result values, it SHOULD be defined as returning a JSON Boolean [=client extension
output=] result, set to `true` to signify that the extension was understood and processed. Likewise, any [=authenticator
extension=] that does not otherwise require any result values MUST return a value and SHOULD return a CBOR Boolean
[=authenticator extension output=] result, set to `true` to signify that the extension was understood and processed.

## Extending request parameters ## {#sctn-extension-request-parameters}

An extension defines one or two request arguments. The <dfn>client extension input</dfn>,
which is a value that can be encoded in JSON, is passed from the [=[RP]=] to the client
in the {{CredentialsContainer/get()}} or {{CredentialsContainer/create()}} call,
while the [=CBOR=] <dfn>authenticator extension input</dfn> is
passed from the client to the authenticator for [=authenticator extensions=] during the processing of these calls.

A [=[RP]=] simultaneously requests the use of an extension and sets its [=client extension input=] by including an entry in the
{{PublicKeyCredentialCreationOptions/extensions}} option to the {{CredentialsContainer/create()}} or {{CredentialsContainer/get()}} call.
The entry key is the [=extension identifier=] and the value is the [=client extension input=].

<pre class="example" highlight="js">
    var assertionPromise = navigator.credentials.get({
        publicKey: {
            // The challenge must be produced by the server, see the Security Considerations
            challenge: new Uint8Array([4,99,22 /* 29 more random bytes generated by the server */]),
            extensions: {
                "webauthnExample_foobar": 42
            }
        }
    });
</pre>

Extension definitions MUST specify the valid values for their [=client extension input=]. Clients SHOULD ignore extensions with
an invalid [=client extension input=]. If an extension does not require any parameters from the [=[RP]=], it SHOULD be defined
as taking a Boolean client argument, set to `true` to signify that the extension is requested by the [=[RP]=].

Extensions that only affect client processing need not specify [=authenticator extension input=]. Extensions that have
authenticator processing MUST specify the method of computing the [=authenticator extension input=] from the [=client extension
input=]. For extensions that do not require input parameters and are defined as taking a Boolean [=client extension input=]
value set to `true`, this method SHOULD consist of passing an [=authenticator extension input=] value of `true` (CBOR major type
7, value 21).

Note: Extensions should aim to define authenticator arguments that are as small as possible. Some authenticators communicate
    over low-bandwidth links such as Bluetooth Low-Energy or NFC.


## <dfn>Client extension processing</dfn> ## {#sctn-client-extension-processing}

Extensions MAY define additional processing requirements on the client platform during the creation of credentials or the
generation of an assertion. The [=client extension input=] for the extension is used an input to this client processing.
Supported [=client extensions=] are recorded as a dictionary in the [=client data=] with the key
{{CollectedClientData/clientExtensions}}. For each such extension, the client adds an entry to this dictionary with the
[=extension identifier=] as the key, and the extension's [=client extension input=] as the value.

Likewise, the [=client extension outputs=] are represented as a dictionary in the result of {{PublicKeyCredential/getClientExtensionResults()}}
with [=extension identifiers=] as keys, and the <dfn>client extension output</dfn> value of each extension as the value.
Like the [=client extension input=], the [=client extension output=] is a value that can be encoded in JSON.

Extensions that require authenticator processing MUST define
the process by which the [=client extension input=] can be used to determine the [=CBOR=] [=authenticator extension input=] and
the process by which the [=CBOR=] [=authenticator extension output=] can be used to determine the [=client extension output=].

## <dfn>Authenticator extension processing</dfn> ## {#sctn-authenticator-extension-processing}

The [=CBOR=] [=authenticator extension input=] value of each processed [=authenticator extension=] is included in the |extensions|
parameter of the [=authenticatorMakeCredential=] and [=authenticatorGetAssertion=] operations. The |extensions| parameter is a
[=CBOR=] map where each key is an [=extension identifier=] and the corresponding value is the [=authenticator extension input=]
for that extension.

Likewise, the extension output is represented in the [=authdataextensions|extensions=] part of the [=authenticator data=]. The
[=authdataextensions|extensions=] part of the [=authenticator data=] is a CBOR map where each key is an [=extension identifier=]
and the corresponding value is the <dfn>authenticator extension output</dfn> for that extension.

For each supported extension, the [=authenticator extension processing=] rule for that extension is used create the
[=authenticator extension output=] from the [=authenticator extension input=] and possibly also other inputs.


# Defined Extensions # {#sctn-defined-extensions}

This section defines the initial set of extensions to be registered in the
IANA "WebAuthn Extension Identifier" registry established by [[!WebAuthn-Registries]].
These are RECOMMENDED for implementation by user agents targeting broad interoperability.


## FIDO AppID Extension (appid) ## {#sctn-appid-extension}

This [=client extension=] allows [=[RPS]=] that have previously registered a
credential using the legacy FIDO JavaScript APIs to request an [=assertion=]. The
FIDO APIs use an alternative identifier for [=relying parties=] called an |AppID|
[[FIDO-APPID]], and any credentials created using those APIs will be bound to
that identifier. Without this extension, they would need to be re-registered in
order to be bound to an [=RP ID=].

This extension does not allow FIDO-compatible credentials to be created. Thus,
credentials created with WebAuthn are not backwards compatible with the FIDO
JavaScript APIs.

: Extension identifier
:: `appid`

: Client extension input
:: A single USVString specifying a FIDO |AppID|.
    <xmp class="idl">
    partial dictionary AuthenticationExtensionsClientInputs {
      USVString appid;
    };
    </xmp>

: Client extension processing
::  1. If present in a {{CredentialsContainer/create()}} call, return a
        "{{NotSupportedError}}" {{DOMException}}—this extension is only valid when
        requesting an assertion.
    1. Let |facetId| be the result of passing the caller's [=origin=] to the
        FIDO algorithm for [=determining the FacetID of a calling application=].
    1. Let |appId| be the extension input.
    1. Pass |facetId| and |appId| to the FIDO algorithm for [=determining if a
        caller's FacetID is authorized for an AppID=]. If that algorithm rejects
        |appId| then return a "{{SecurityError}}" {{DOMException}}.
    1. When [building allowCredentialDescriptorList](#allowCredentialDescriptorListCreation),
        if a U2F authenticator indicates that a credential is inapplicable (i.e. by
        returning `SW_WRONG_DATA`) then the client MUST retry with the U2F application
        parameter set to the SHA-256 hash of |appId|. If this results in an applicable
        credential, the client MUST include the credential in
        <var ignore>allowCredentialDescriptorList</var>. The value of |appId| then replaces the `rpId`
        parameter of [=authenticatorGetAssertion=].

: Client extension output
:: Returns the value `true` to indicate to the RP that the extension was acted upon.
    <xmp class="idl">
    partial dictionary AuthenticationExtensionsClientOutputs {
      boolean appid;
    };
    </xmp>

: Authenticator extension input
:: None.

: Authenticator extension processing
:: None.

: Authenticator extension output
:: None.


## Simple Transaction Authorization Extension (txAuthSimple) ## {#sctn-simple-txauth-extension}

This [=registration extension=] and [=authentication extension=] allows for a simple form of transaction authorization. A
[=[RP]=] can specify a prompt string, intended for display on a trusted device on the authenticator.

: Extension identifier
:: `txAuthSimple`

: Client extension input
:: A single USVString prompt.
    <xmp class="idl">
    partial dictionary AuthenticationExtensionsClientInputs {
      USVString txAuthSimple;
    };
    </xmp>

: Client extension processing
:: None, except creating the authenticator extension input from the client extension input.

: Client extension output
:: Returns the authenticator extension output string UTF-8 decoded into a USVString.
    <xmp class="idl">
    partial dictionary AuthenticationExtensionsClientOutputs {
      USVString txAuthSimple;
    };
    </xmp>

: Authenticator extension input
:: The client extension input encoded as a CBOR text string (major type 3).

<pre>
CDDL:
txAuthSimpleInput = (tstr)
</pre>

: Authenticator extension processing
:: The authenticator MUST display the prompt to the user before performing either [=user verification=] or [=test of user
    presence=]. The authenticator MAY insert line breaks if needed.

: Authenticator extension output
:: A single CBOR string, representing the prompt as displayed (including any eventual line breaks).

<pre>
CDDL:
txAuthSimpleOutput = (tstr)
</pre>

## Generic Transaction Authorization Extension (txAuthGeneric) ## {#sctn-generic-txauth-extension}

This [=registration extension=] and [=authentication extension=] allows images to be used as transaction authorization prompts
as well. This allows authenticators without a font rendering engine to be used and also supports a richer visual appearance.

: Extension identifier
:: `txAuthGeneric`

: Client extension input
:: A JavaScript object defined as follows:
    <xmp class="idl">
    dictionary txAuthGenericArg {
        required USVString contentType;    // MIME-Type of the content, e.g., "image/png"
        required ArrayBuffer content;
    };

    partial dictionary AuthenticationExtensionsClientInputs {
      txAuthGenericArg txAuthGeneric;
    };
    </xmp>

: Client extension processing
:: None, except creating the authenticator extension input from the client extension input.

: Client extension output
:: Returns the authenticator extension output value as an ArrayBuffer.
    <xmp class="idl">
    partial dictionary AuthenticationExtensionsClientOutputs {
      ArrayBuffer txAuthGeneric;
    };
    </xmp>

: Authenticator extension input
:: The client extension input encoded as a CBOR map.

: Authenticator extension processing
:: The authenticator MUST display the `content` to the user before performing either [=user verification=] or [=test of
    user presence=]. The authenticator MAY add other information below the `content`. No changes are allowed to the `content`
    itself, i.e., inside `content` boundary box.

: Authenticator extension output
:: The hash value of the `content` which was displayed. The authenticator MUST use the same hash algorithm as it uses for the
    signature itself.


## Authenticator Selection Extension (authnSel) ## {#sctn-authenticator-selection-extension}

This [=registration extension=] allows a [=[RP]=] to guide the selection of the authenticator that will be leveraged when
creating the credential. It is intended primarily for [=[RPS]=] that wish to tightly control the experience around credential
creation.

: Extension identifier
:: `authnSel`

: Client extension input
:: A sequence of AAGUIDs:

    <xmp class="idl">
    typedef sequence<AAGUID> AuthenticatorSelectionList;

    partial dictionary AuthenticationExtensionsClientInputs {
      AuthenticatorSelectionList authnSel;
    };
    </xmp>


    Each AAGUID corresponds to an authenticator model that is acceptable to the [=[RP]=] for this credential creation. The
    list is ordered by decreasing preference.

    An AAGUID is defined as an array containing the globally unique identifier of the authenticator model being sought.

    <xmp class="idl">
        typedef BufferSource      AAGUID;
    </xmp>

: Client extension processing
:: This extension can only be used during {{CredentialsContainer/create()}}. If the client supports the Authenticator Selection
    Extension, it MUST use the first available authenticator whose AAGUID is present in the {{AuthenticatorSelectionList}}. If
    none of the available authenticators match a provided AAGUID, the client MUST select an authenticator from among the
    available authenticators to generate the credential.

: Client extension output
:: Returns the value `true` to indicate to the RP that the extension was acted upon.
    <xmp class="idl">
    partial dictionary AuthenticationExtensionsClientOutputs {
      boolean authnSel;
    };
    </xmp>

: Authenticator extension input
:: None.

: Authenticator extension processing
:: None.

: Authenticator extension output
:: None.

## Supported Extensions Extension (exts) ## {#sctn-supported-extensions-extension}

This [=registration extension=] enables the [=[RP]=] to determine which extensions the authenticator supports.

: Extension identifier
:: `exts`

: Client extension input
:: The Boolean value `true` to indicate that this extension is requested by the [=[RP]=].
    <xmp class="idl">
    partial dictionary AuthenticationExtensionsClientInputs {
      boolean exts;
    };
    </xmp>

: Client extension processing
:: None, except creating the authenticator extension input from the client extension input.

: Client extension output
:: Returns the list of supported extensions as an array of [=extension identifier=] strings.
    <xmp class="idl">
    typedef sequence<USVString> AuthenticationExtensionsSupported;

    partial dictionary AuthenticationExtensionsClientOutputs {
      AuthenticationExtensionsSupported exts;
    };
    </xmp>

: Authenticator extension input
:: The Boolean value `true`, encoded in CBOR (major type 7, value 21).

: Authenticator extension processing
:: The [=authenticator=] sets the [=authenticator extension output=] to be a list of extensions that the authenticator supports, as
    defined below. This extension can be added to attestation objects.

: Authenticator extension output
:: The SupportedExtensions extension is a list (CBOR array) of [=extension identifier=] ([=UTF-8 encoded=]) strings.


## User Verification Index Extension (uvi) ## {#sctn-uvi-extension}

This [=registration extension=] and [=authentication extension=] enables use of a user verification index.

: Extension identifier
:: `uvi`

: Client extension input
:: The Boolean value `true` to indicate that this extension is requested by the [=[RP]=].
    <xmp class="idl">
    partial dictionary AuthenticationExtensionsClientInputs {
      boolean uvi;
    };
    </xmp>

: Client extension processing
:: None, except creating the authenticator extension input from the client extension input.

: Client extension output
:: Returns the authenticator extension output as an ArrayBuffer.
    <xmp class="idl">
    partial dictionary AuthenticationExtensionsClientOutputs {
      ArrayBuffer uvi;
    };
    </xmp>

: Authenticator extension input
:: The Boolean value `true`, encoded in CBOR (major type 7, value 21).

: Authenticator extension processing
:: The [=authenticator=] sets the [=authenticator extension output=] to be a user verification index indicating the method used
    by the user to authorize the operation, as defined below. This extension can be added to attestation objects and assertions.

: Authenticator extension output
:: The user verification index (UVI) is a value uniquely identifying a user verification data record. The UVI is encoded as CBOR
    byte string (type 0x58). Each UVI value MUST be specific to the related key (in order to provide unlinkability). It also
    MUST contain sufficient entropy that makes guessing impractical. UVI values MUST NOT be reused by the Authenticator (for
    other biometric data or users).

    The UVI data can be used by servers to understand whether an authentication was authorized by the exact same biometric data
    as the initial key generation. This allows the detection and prevention of "friendly fraud".

    As an example, the UVI could be computed as SHA256(KeyID || SHA256(rawUVI)), where `||` represents concatenation, and the
    rawUVI reflects (a) the biometric reference data, (b) the related OS level user ID and (c) an identifier which changes
    whenever a factory reset is performed for the device, e.g. rawUVI = biometricReferenceData || OSLevelUserID ||
    FactoryResetCounter.

    Servers supporting UVI extensions MUST support a length of up to 32 bytes for the UVI value.

    Example for [=authenticator data=] containing one UVI extension
    <pre>
        ...                                         -- [=RP ID=] hash (32 bytes)
        81                                          -- UP and ED set
        00 00 00 01                                 -- (initial) signature counter
        ...                                         -- all public key alg etc.
        A1                                          -- extension: CBOR map of one element
            63                                      -- Key 1: CBOR text string of 3 bytes
                75 76 69                            -- "uvi" [=UTF-8 encoded=] string
            58 20                                   -- Value 1: CBOR byte string with 0x20 bytes
                43 B8 E3 BE 27 95 8C 28             -- the UVI value itself
                D5 74 BF 46 8A 85 CF 46
                9A 14 F0 E5 16 69 31 DA
                4B CF FF C1 BB 11 32 82
    </pre>

## Location Extension (loc) ## {#sctn-location-extension}

The location [=registration extension=] and [=authentication extension=] provides the client device's current location to the
WebAuthn [=[RP]=].  

: Extension identifier
:: `loc`

: Client extension input
:: The Boolean value `true` to indicate that this extension is requested by the [=[RP]=].
    <xmp class="idl">
    partial dictionary AuthenticationExtensionsClientInputs {
      boolean loc;
    };
    </xmp>

: Client extension processing
:: None, except creating the authenticator extension input from the client extension input.

: Client extension output
:: Returns a JavaScript object that encodes the location information in the authenticator extension output as a {{Coordinates}} value,
    as defined by [[Geolocation-API]].
    <xmp class="idl">
    partial dictionary AuthenticationExtensionsClientOutputs {
      Coordinates loc;
    };
    </xmp>

: Authenticator extension input
:: The Boolean value `true`, encoded in CBOR (major type 7, value 21).

: Authenticator extension processing
:: Determine the Geolocation value.

: Authenticator extension output
:: A 
    [[Geolocation-API]]
    {{Coordinates}} record encoded as a CBOR map.
    Values represented by the "double" type in JavaScript are represented as 64-bit CBOR floating point numbers.
    Per the Geolocation specification, the "latitude", "longitude", and "accuracy" values are required
    and other values such as "altitude" are optional.

## User Verification Method Extension (uvm) ## {#sctn-uvm-extension}

This [=registration extension=] and [=authentication extension=] enables use of a user verification method.

: Extension identifier
:: `uvm`

: Client extension input
:: The Boolean value `true` to indicate that this extension is requested by the [=[RP]=].
    <xmp class="idl">
    partial dictionary AuthenticationExtensionsClientInputs {
      boolean uvm;
    };
    </xmp>

: Client extension processing
:: None, except creating the authenticator extension input from the client extension input.

: Client extension output
:: Returns a JSON array of 3-element arrays of numbers that encodes the factors in the authenticator extension output.
    <xmp class="idl">
    typedef sequence<unsigned long> UvmEntry;
    typedef sequence<UvmEntry> UvmEntries;

    partial dictionary AuthenticationExtensionsClientOutputs {
      UvmEntries uvm;
    };
    </xmp>

: Authenticator extension input
:: The Boolean value `true`, encoded in CBOR (major type 7, value 21).

: Authenticator extension processing
:: The [=authenticator=] sets the [=authenticator extension output=] to be one or more user verification methods indicating the method(s) used
    by the user to authorize the operation, as defined below. This extension can be added to attestation objects and assertions.

: Authenticator extension output
:: Authenticators can report up to 3 different user verification methods (factors) used in a single authentication instance,
    using the CBOR syntax defined below:

    ```
    uvmFormat = [ 1*3 uvmEntry ]
    uvmEntry = [
                   userVerificationMethod: uint .size 4,
                   keyProtectionType: uint .size 2,
                   matcherProtectionType: uint .size 2
               ]
    ```

    The semantics of the fields in each `uvmEntry` are as follows:
    : userVerificationMethod
    :: The authentication method/factor used by the authenticator to verify the user. Available values are defined in
        [[!FIDOReg]], "User Verification Methods" section.

    : keyProtectionType
    :: The method used by the authenticator to protect the FIDO registration private key material. Available values are defined
        in [[!FIDOReg]], "Key Protection Types" section.

    : matcherProtectionType
    :: The method used by the authenticator to protect the matcher that performs user verification. Available values are defined
        in [[!FIDOReg]], "Matcher Protection Types" section.

    If >3 factors can be used in an authentication instance the authenticator vendor MUST select the 3 factors it believes
    will be most relevant to the Server to include in the UVM.

    Example for [=authenticator data=] containing one UVM extension for a multi-factor authentication instance where 2 factors
    were used:
    <pre>
        ...                    -- [=RP ID=] hash (32 bytes)
        81                     -- UP and ED set
        00 00 00 01            -- (initial) signature counter
        ...                    -- all public key alg etc.
        A1                     -- extension: CBOR map of one element
            63                 -- Key 1: CBOR text string of 3 bytes
                75 76 6d       -- "uvm" [=UTF-8 encoded=] string
            82                 -- Value 1: CBOR array of length 2 indicating two factor usage
                83              -- Item 1: CBOR array of length 3
                    02           -- Subitem 1: CBOR integer for User Verification Method Fingerprint
                    04           -- Subitem 2: CBOR short for Key Protection Type TEE
                    02           -- Subitem 3: CBOR short for Matcher Protection Type TEE
                83              -- Item 2: CBOR array of length 3
                    04           -- Subitem 1: CBOR integer for User Verification Method Passcode
                    01           -- Subitem 2: CBOR short for Key Protection Type Software
                    01           -- Subitem 3: CBOR short for Matcher Protection Type Software
    </pre>


## Biometric Authenticator Performance Bounds Extension (biometricPerfBounds) ## {#sctn-authenticator-biometric-criteria-extension}

This [=registration extension=] allows [=[RPS]=] to specify the desired performance bounds for selecting [=biometric authenticators=]
as candidates to be employed in a [=registration=] ceremony. 

: Extension identifier
:: `biometricPerfBounds`

: Client extension input
:: Biometric performance bounds:

    <pre class="idl">
    dictionary authenticatorBiometricPerfBounds{
        float FAR;
        float FRR;
        };
    </pre>

    The FAR is the maximum false acceptance rate for a biometric authenticator allowed by the [=[RP]=].

    The FAR is the maximum false rejection rate for a biometric authenticator allowed by the [=[RP]=].

: Client extension processing
:: This extension can only be used during {{CredentialsContainer/create()}}. If the client supports this
    extension, it MUST NOT use a biometric authenticator whose FAR or FRR does not match the bounds as provided.  The client
    can obtain information about the biometric authenticator's performance from authoritative sources such as the FIDO
    Metadata Service [[FIDOMetadataService]] (see Sec. 3.2 of [[FIDOUAFAuthenticatorMetadataStatements]]).  

: Client extension output
:: Returns the JSON value `true` to indicate to the RP that the extension was acted upon

: Authenticator extension input
:: None.

: Authenticator extension processing
:: None.

: Authenticator extension output
:: None.

# IANA Considerations # {#sctn-IANA}

## WebAuthn Attestation Statement Format Identifier Registrations ## {#sctn-att-fmt-reg}

This section registers the attestation statement formats defined in Section [[#defined-attestation-formats]] in the
IANA "WebAuthn Attestation Statement Format Identifier" registry established by [[!WebAuthn-Registries]].

- WebAuthn Attestation Statement Format Identifier: packed
- Description: The "packed" attestation statement format is a WebAuthn-optimized format for [=attestation=]. It uses a very
    compact but still extensible encoding method. This format is implementable by authenticators with limited resources (e.g.,
    secure elements).
- Specification Document: Section [[#packed-attestation]] of this specification
    <br/><br/>
- WebAuthn Attestation Statement Format Identifier: tpm
- Description: The TPM attestation statement format returns an attestation statement in the same format as the packed
    attestation statement format, although the rawData and signature fields are computed differently.
- Specification Document: Section [[#tpm-attestation]] of this specification
    <br/><br/>
- WebAuthn Attestation Statement Format Identifier: android-key
- Description: Platform-provided authenticators based on versions "N", and later, may provide this proprietary "hardware
    attestation" statement.
- Specification Document: Section [[#android-key-attestation]] of this specification
    <br/><br/>
- WebAuthn Attestation Statement Format Identifier: android-safetynet
- Description: Android-based, platform-provided authenticators MAY produce an attestation statement based on the Android
    SafetyNet API.
- Specification Document: Section [[#android-safetynet-attestation]] of this specification
    <br/><br/>
- WebAuthn Attestation Statement Format Identifier: fido-u2f
- Description: Used with FIDO U2F authenticators
- Specification Document: Section [[#fido-u2f-attestation]] of this specification

## WebAuthn Extension Identifier Registrations ## {#sctn-extensions-reg}

This section registers the [=extension identifier=] values defined in Section [[#extensions]] in the
IANA "WebAuthn Extension Identifier" registry established by [[!WebAuthn-Registries]].

- WebAuthn Extension Identifier: appid
- Description: This [=authentication extension=] allows [=[RPS]=] that have previously registered a credential using the legacy
    FIDO JavaScript APIs to request an assertion.
- Specification Document: Section [[#sctn-appid-extension]] of this specification
    <br/><br/>
- WebAuthn Extension Identifier: txAuthSimple
- Description: This [=registration extension=] and [=authentication extension=] allows for a simple form of transaction
    authorization. A WebAuthn Relying Party can specify a prompt string, intended for display on a trusted device on the
    authenticator
- Specification Document: Section [[#sctn-simple-txauth-extension]] of this specification
    <br/><br/>
- WebAuthn Extension Identifier: txAuthGeneric
- Description: This [=registration extension=] and [=authentication extension=] allows images to be used as transaction
    authorization prompts as well. This allows authenticators without a font rendering engine to be used and also supports a
    richer visual appearance than accomplished with the webauthn.txauth.simple extension.
- Specification Document: Section [[#sctn-generic-txauth-extension]] of this specification
    <br/><br/>
- WebAuthn Extension Identifier: authnSel
- Description: This [=registration extension=] allows a WebAuthn Relying Party to guide the selection of the authenticator that
    will be leveraged when creating the credential. It is intended primarily for WebAuthn Relying Parties that wish to tightly
    control the experience around credential creation.
- Specification Document: Section [[#sctn-authenticator-selection-extension]] of this specification
    <br/><br/>
- WebAuthn Extension Identifier: exts
- Description: This [=registration extension=] enables the [=[RP]=] to determine which extensions the authenticator supports. The
    extension data is a list (CBOR array) of extension identifiers encoded as UTF-8 Strings. This extension is added
    automatically by the authenticator. This extension can be added to attestation statements.
- Specification Document: Section [[#sctn-supported-extensions-extension]] of this specification
    <br/><br/>
- WebAuthn Extension Identifier: uvi
- Description: This [=registration extension=] and [=authentication extension=] enables use of a user verification index. The
    user verification index is a value uniquely identifying a user verification data record. The UVI data can be used by servers
    to understand whether an authentication was authorized by the exact same biometric data as the initial key generation. This
    allows the detection and prevention of "friendly fraud".
- Specification Document: Section [[#sctn-uvi-extension]] of this specification
    <br/><br/>
- WebAuthn Extension Identifier: loc
- Description: The location [=registration extension=] and [=authentication extension=] provides the client device's current
    location to the WebAuthn relying party, if supported by the client device and subject to [=user consent=].
- Specification Document: Section [[#sctn-location-extension]] of this specification
    <br/><br/>
- WebAuthn Extension Identifier: uvm
- Description: This [=registration extension=] and [=authentication extension=] enables use of a user verification method.
    The user verification method extension returns to the Webauthn relying party which user verification methods (factors) were
    used for the WebAuthn operation.
- Specification Document: Section [[#sctn-uvm-extension]] of this specification

## COSE Algorithm Registrations ## {#sctn-cose-alg-reg}

This section registers identifiers for RSASSA-PKCS1-v1_5 [[RFC8017]] algorithms using SHA-2 and SHA-1 hash functions in the
IANA COSE Algorithms registry [[!IANA-COSE-ALGS-REG]].
It also registers identifiers for ECDAA algorithms.

- Name: RS256
- Value: TBD (requested assignment -257)
- Description: RSASSA-PKCS1-v1_5 w/ SHA-256
- Reference: Section 8.2 of [[RFC8017]]
- Recommended: No
    <br/><br/>
- Name: RS384
- Value: TBD (requested assignment -258)
- Description: RSASSA-PKCS1-v1_5 w/ SHA-384
- Reference: Section 8.2 of [[RFC8017]]
- Recommended: No
    <br/><br/>
- Name: RS512
- Value: TBD (requested assignment -259)
- Description: RSASSA-PKCS1-v1_5 w/ SHA-512
- Reference: Section 8.2 of [[RFC8017]]
- Recommended: No
    <br/><br/>
- Name: ED256
- Value: TBD (requested assignment -260)
- Description: TPM_ECC_BN_P256 curve w/ SHA-256
- Reference: Section 4.2 of [[!FIDOEcdaaAlgorithm]]
- Recommended: Yes
    <br/><br/>
- Name: ED512
- Value: TBD (requested assignment -261)
- Description: ECC_BN_ISOP512 curve w/ SHA-512
- Reference: Section 4.2 of [[!FIDOEcdaaAlgorithm]]
- Recommended: Yes
    <br/><br/>
- Name: RS1
- Value: TBD (requested assignment -262)
- Description: RSASSA-PKCS1-v1_5 w/ SHA-1
- Reference: Section 8.2 of [[RFC8017]]
- Recommended: No

# Sample scenarios # {#sample-scenarios}

[INFORMATIVE]

In this section, we walk through some events in the lifecycle of a [=public key credential=], along with the corresponding
sample code for using this API. Note that this is an example flow and does not limit the scope of how the API can be used.

As was the case in earlier sections, this flow focuses on a use case involving an external first-factor [=authenticator=]
with its own display. One example of such an authenticator would be a smart phone. Other authenticator types are also supported
by this API, subject to implementation by the platform. For instance, this flow also works without modification for the case of
an authenticator that is embedded in the client platform. The flow also works for the case of an authenticator without
its own display (similar to a smart card) subject to specific implementation considerations. Specifically, the client platform
needs to display any prompts that would otherwise be shown by the authenticator, and the authenticator needs to allow the client
platform to enumerate all the authenticator's credentials so that the client can have information to show appropriate prompts.


## Registration ## {#sample-registration}

This is the first-time flow, in which a new credential is created and registered with the server.
In this flow, the [=[RP]=] does not have a preference for [=platform authenticator=] or [=roaming authenticators=].

1. The user visits example.com, which serves up a script. At this point, the user may already be logged in using a legacy
    username and password, or additional authenticator, or other means acceptable to the [=[RP]=].
    Or the user may be in the process of creating a new account.

1. The [=[RP]=] script runs the code snippet below.

1. The client platform searches for and locates the authenticator.

1. The client platform connects to the authenticator, performing any pairing actions if necessary.

1. The authenticator shows appropriate UI for the user to select the authenticator on which the new credential will be
    created, and obtains a biometric or other authorization gesture from the user.

1. The authenticator returns a response to the client platform, which in turn returns a response to the [=[RP]=] script. If
    the user declined to select an authenticator or provide authorization, an appropriate error is returned.

1. If a new credential was created,
    - The [=[RP]=] script sends the newly generated [=credential public key=] to the server, along with additional information
        such as attestation regarding the provenance and characteristics of the authenticator.
    - The server stores the [=credential public key=] in its database and associates it with the user as well as with the
        characteristics of authentication indicated by attestation, also storing a friendly name for later use.
    - The script may store data such as the [=credential ID=] in local storage, to improve future UX by narrowing the choice of
        credential for the user.

The sample code for generating and registering a new key follows:

<pre class="example" highlight="js">
    if (!window.PublicKeyCredential) { /* Platform not capable. Handle error. */ }

    var publicKey = {
      // The challenge must be produced by the server, see the Security Considerations
      challenge: new Uint8Array([21,31,105 /* 29 more random bytes generated by the server */]),

      // Relying Party:
      rp: {
        name: "ACME Corporation"
      },

      // User:
      user: {
        id: Uint8Array.from(window.atob("MIIBkzCCATigAwIBAjCCAZMwggE4oAMCAQIwggGTMII="), c=>c.charCodeAt(0)),
        name: "alex.p.mueller@example.com",
        displayName: "Alex P. Müller",
        icon: "https://pics.example.com/00/p/aBjjjpqPb.png"
      },

      // This Relying Party will accept either an ES256 or RS256 credential, but
      // prefers an ES256 credential.
      pubKeyCredParams: [
        {
          type: "public-key",
          alg: -7 // "ES256" as registered in the IANA COSE Algorithms registry
        },
        {
          type: "public-key",
          alg: -257 // Value registered by this specification for "RS256"
        }
      ],

      timeout: 60000,  // 1 minute
      excludeCredentials: [], // No exclude list of PKCredDescriptors
      extensions: {"loc": true}  // Include location information
                                               // in attestation
    };

    // Note: The following call will cause the authenticator to display UI.
    navigator.credentials.create({ publicKey })
      .then(function (newCredentialInfo) {
        // Send new credential info to server for verification and registration.
      }).catch(function (err) {
        // No acceptable authenticator or user refused consent. Handle appropriately.
      });
</pre>

## Registration Specifically with User Verifying Platform Authenticator ## {#sample-registration-with-platform-authenticator}

This is flow for when the [=[RP]=] is specifically interested in creating a public key credential with
a [=user verification|user-verifying=] [=platform authenticator=].

1. The user visits example.com and clicks on the login button, which redirects the user to login.example.com.

1. The user enters a username and password to log in. After successful login, the user is redirected back to example.com.

1. The [=[RP]=] script runs the code snippet below.

1. The user agent asks the user whether they are willing to register with the [=[RP]=] using an available [=platform authenticator=].

1. If the user is not willing, terminate this flow.

1. The user is shown appropriate UI and guided in creating a credential using one of the available platform authenticators.
    Upon successful credential creation, the RP script conveys the new credential to the server.

<pre class="example" highlight="js">
    if (!window.PublicKeyCredential) { /* Platform not capable of the API. Handle error. */ }

    PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()
        .then(function (userIntent) {

            // If the user has affirmed willingness to register with RP using an available platform authenticator
            if (userIntent) {
                var publicKeyOptions = { /* Public key credential creation options. */};

                // Create and register credentials.
                return navigator.credentials.create({ "publicKey": publicKeyOptions });
            } else {

                // Record that the user does not intend to use a platform authenticator
                // and default the user to a password-based flow in the future.
            }

        }).then(function (newCredentialInfo) {
            // Send new credential info to server for verification and registration.
        }).catch( function(err) {
            // Something went wrong. Handle appropriately.
        });
</pre>

## Authentication ## {#sample-authentication}

This is the flow when a user with an already registered credential visits a website and wants to authenticate using the
credential.

1. The user visits example.com, which serves up a script.

1. The script asks the client platform for an Authentication Assertion, providing as much information as possible to narrow
    the choice of acceptable credentials for the user. This can be obtained from the data that was stored locally after
    registration, or by other means such as prompting the user for a username.

1. The [=[RP]=] script runs one of the code snippets below.

1. The client platform searches for and locates the authenticator.

1. The client platform connects to the authenticator, performing any pairing actions if necessary.

1. The authenticator presents the user with a notification that their attention is needed. On opening the
    notification, the user is shown a friendly selection menu of acceptable credentials using the account information provided
    when creating the credentials, along with some information on the [=origin=] that is requesting these keys.

1. The authenticator obtains a biometric or other authorization gesture from the user.

1. The authenticator returns a response to the client platform, which in turn returns a response to the [=[RP]=] script.
    If the user declined to select a credential or provide an authorization, an appropriate error is returned.

1. If an assertion was successfully generated and returned,
    - The script sends the assertion to the server.
    - The server examines the assertion, extracts the [=credential ID=], looks up the registered
        credential public key it is database, and verifies the assertion's authentication signature.
        If valid, it looks up the identity associated with the assertion's [=credential ID=]; that
        identity is now authenticated. If the [=credential ID=] is not recognized by the server (e.g.,
        it has been deregistered due to inactivity) then the authentication has failed; each [=[RP]=]
        will handle this in its own way.
    - The server now does whatever it would otherwise do upon successful authentication -- return a success page, set
        authentication cookies, etc.

If the [=[RP]=] script does not have any hints available (e.g., from locally stored data) to help it narrow the list of
credentials, then the sample code for performing such an authentication might look like this:

<pre class="example" highlight="js">
    if (!window.PublicKeyCredential) { /* Platform not capable. Handle error. */ }

    var options = {
                    // The challenge must be produced by the server, see the Security Considerations
                    challenge: new Uint8Array([4,101,15 /* 29 more random bytes generated by the server */]),
                    timeout: 60000,  // 1 minute
                    allowCredentials: [{ type: "public-key" }]
                  };

    navigator.credentials.get({ "publicKey": options })
        .then(function (assertion) {
        // Send assertion to server for verification
    }).catch(function (err) {
        // No acceptable credential or user refused consent. Handle appropriately.
    });
</pre>

On the other hand, if the [=[RP]=] script has some hints to help it narrow the list of credentials, then the sample code for
performing such an authentication might look like the following. Note that this sample also demonstrates how to use the
extension for transaction authorization.

<pre class="example" highlight="js">
    if (!window.PublicKeyCredential) { /* Platform not capable. Handle error. */ }

    var encoder = new TextEncoder();
    var acceptableCredential1 = {
        type: "public-key",
        id: encoder.encode("!!!!!!!hi there!!!!!!!\n")
    };
    var acceptableCredential2 = {
        type: "public-key",
        id: encoder.encode("roses are red, violets are blue\n")
    };

    var options = {
                    // The challenge must be produced by the server, see the Security Considerations
                    challenge: new Uint8Array([8,18,33 /* 29 more random bytes generated by the server */]),
                    timeout: 60000,  // 1 minute
                    allowCredentials: [acceptableCredential1, acceptableCredential2],
                    extensions: { 'txAuthSimple':
                       "Wave your hands in the air like you just don't care" }
                  };

    navigator.credentials.get({ "publicKey": options })
        .then(function (assertion) {
        // Send assertion to server for verification
    }).catch(function (err) {
        // No acceptable credential or user refused consent. Handle appropriately.
    });
</pre>

## Aborting Authentication Operations ## {#sample-aborting}

The below example shows how a developer may use the AbortSignal parameter to abort a
credential registration operation. A similar procedure applies to an authentication operation.

<pre class="example" highlight="js">
    const authAbortController = new AbortController(); 
    const authAbortSignal = authAbortController.signal;

    authAbortSignal.onabort = function () {
        // Once the page knows the abort started, inform user it is attempting to abort.  
    }

    var options = {
        // A list of options. 
    }

    navigator.credentials.create({
        publicKey: options, 
        signal: authAbortSignal})
        .then(function (attestation) {
            // Register the user. 
        }).catch(function (error) {
            if (error == "AbortError") {
                // Inform user the credential hasn't been created. 
                // Let the server know a key hasn't been created. 
            }
        });

    // Assume widget shows up whenever authentication occurs.
    if (widget == "disappear") {
        authAbortSignal.abort(); 
    }
</pre>


## Decommissioning ## {#sample-decommissioning}

The following are possible situations in which decommissioning a credential might be desired. Note that all of these are
handled on the server side and do not need support from the API specified here.

- Possibility #1 -- user reports the credential as lost.
    * User goes to server.example.net, authenticates and follows a link to report a lost/stolen device.
    * Server returns a page showing the list of registered credentials with friendly names as configured during registration.
    * User selects a credential and the server deletes it from its database.
    * In future, the [=[RP]=] script does not specify this credential in any list of acceptable credentials, and assertions
        signed by this credential are rejected.

- Possibility #2 -- server deregisters the credential due to inactivity.
    * Server deletes credential from its database during maintenance activity.
    * In the future, the [=[RP]=] script does not specify this credential in any list of acceptable credentials, and assertions
        signed by this credential are rejected.

- Possibility #3 -- user deletes the credential from the device.
    * User employs a device-specific method (e.g., device settings UI) to delete a credential from their device.
    * From this point on, this credential will not appear in any selection prompts, and no assertions can be generated with it.
    * Sometime later, the server deregisters this credential due to inactivity.


# Security Considerations # {#security-considerations}

This specification defines a Web API and a cryptographic peer-entity authentication protocol.
The [=Web Authentication API=] allows Web developers (i.e., "authors") to utilize the Web Authentication protocol in their
[=registration=] and [=authentication=] [=ceremonies=].
The entities comprising the Web Authentication protocol endpoints are user-controlled [=authenticators=] and a [=[RP]=]'s
computing environment hosting the [=[RP]=]'s web application.
In this model, the user agent, together with the [=[WAC]=], comprise an intermediary between [=authenticators=] and [=[RPS]=].
Additionally, [=authenticators=] can [=attestation|attest=] to [=[RPS]=] as to their provenance.

At this time, this specification does not feature detailed security considerations. However, the [[FIDOSecRef]] document provides a security analysis which is overall applicable to this specification.
Also, the [[FIDOAuthnrSecReqs]] document suite defines [=authenticator=] security characteristics which are overall applicable for WebAuthn [=authenticators=].

The below subsections comprise the current Web Authentication-specific security considerations.


## Cryptographic Challenges ## {#cryptographic-challenges}

As a cryptographic protocol, Web Authentication is dependent upon randomized challenges
to avoid replay attacks. Therefore, both {{PublicKeyCredentialCreationOptions/challenge}}'s
and {{PublicKeyCredentialRequestOptions/challenge}}'s value MUST be randomly generated
by [=[RPS]=] in an environment they trust (e.g., on the server-side), and the
returned challenge value in the client's
response MUST match what was generated. This SHOULD be done in a fashion that does not rely
upon a client's behavior, e.g., the Relying Party SHOULD store the challenge temporarily
until the operation is complete. Tolerating a mismatch will compromise the security
of the protocol.

## Attestation Security Considerations ## {#sec-attestation-security-considerations}

### Attestation Certificate Hierarchy ### {#cert-hierarchy}

A 3-tier hierarchy for attestation certificates is RECOMMENDED (i.e., Attestation Root, Attestation Issuing CA, Attestation
Certificate). It is also RECOMMENDED that for each WebAuthn Authenticator device line (i.e., model), a separate issuing CA is
used to help facilitate isolating problems with a specific version of a device.

If the attestation root certificate is not dedicated to a single WebAuthn Authenticator device line (i.e., AAGUID), the AAGUID
SHOULD be specified in the attestation certificate itself, so that it can be verified against the [=authenticator data=].


### Attestation Certificate and Attestation Certificate CA Compromise ### {#ca-compromise}

When an intermediate CA or a root CA used for issuing attestation certificates is compromised, WebAuthn [=authenticator=]
attestation keys are still safe although their certificates can no longer be trusted. A WebAuthn Authenticator manufacturer that
has recorded the public attestation keys for their devices can issue new attestation certificates for these keys from a new
intermediate CA or from a new root CA. If the root CA changes, the [=[RPS]=]  MUST update their trusted root certificates
accordingly.

A WebAuthn Authenticator attestation certificate MUST be revoked by the issuing CA if its key has been compromised. A WebAuthn
Authenticator manufacturer may need to ship a firmware update and inject new attestation keys and certificates into already
manufactured WebAuthn Authenticators, if the exposure was due to a firmware flaw. (The process by which this happens is out of
scope for this specification.) If the WebAuthn Authenticator manufacturer does not have this capability, then it may not be
possible for [=[RPS]=] to trust any further attestation statements from the affected WebAuthn Authenticators.

If attestation certificate validation fails due to a revoked intermediate attestation CA certificate, and the [=[RP]=]'s policy
requires rejecting the registration/authentication request in these situations, then it is RECOMMENDED that the [=[RP]=] also
un-registers (or marks with a trust level equivalent to "[=self attestation=]") [=public key credentials=] that were registered
after the CA compromise date using an attestation certificate chaining up to the same intermediate CA. It is thus RECOMMENDED
that [=[RPS]=] remember intermediate attestation CA certificates during Authenticator registration in order to un-register
related [=public key credentials=] if the registration was performed after revocation of such certificates.

If an [=ECDAA=] attestation key has been compromised, it can be added to the RogueList (i.e., the list of revoked
authenticators) maintained by the related ECDAA-Issuer. The [=[RP]=] SHOULD verify whether an authenticator belongs to the
RogueList when performing ECDAA-Verify (see section 3.6 in [[!FIDOEcdaaAlgorithm]]). For example, the FIDO Metadata Service
[[FIDOMetadataService]] provides one way to access such information.


## credentialId Unsigned ## {#credentialIdSecurity}

The [=credential ID=] is not signed.
This is not a problem because all that would happen if an [=authenticator=] returns
the wrong [=credential ID=], or if an attacker intercepts and manipulates the [=credential ID=], is that the [=[RP]=] would not look up the correct
[=credential public key=] with which to verify the returned signed [=authenticator data=]
(a.k.a., [=assertion=]), and thus the interaction would end in an error.


## Browser Permissions Framework and Extensions ## {#browser-permissions-framework-extensions}

Web Authentication API implementations should leverage the browser permissions framework as much as possible when obtaining user
permissions for certain extensions. An example is the location extension (see [[#sctn-location-extension]]), implementations of
which should make use of the existing browser permissions framework for the Geolocation API.


# Privacy Considerations # {#sctn-privacy-considerations}

The privacy principles in [[!FIDO-Privacy-Principles]] also apply to this specification.

## Attestation Privacy ## {#sec-attestation-privacy}

Attestation keys can be used to track users or link various online identities of the same user together. This can be mitigated
in several ways, including:

- A WebAuthn [=authenticator=] manufacturer may choose to ship all of their devices with the same (or a fixed number of)
    attestation key(s) (called [=Basic Attestation=]). This will anonymize the user at the risk of not being able to revoke a
    particular attestation key if its private key is compromised.

    [[UAFProtocol]] requires that at least 100,000 devices share the same attestation certificate in order to produce
    sufficiently large groups. This may serve as guidance about suitable batch sizes.

- A WebAuthn [=authenticator=] may be capable of dynamically generating different attestation keys (and requesting related
    certificates) per-[=origin=] (similar to the [=Attestation CA=] approach). For example, an [=authenticator=] can ship with a
    master attestation key (and certificate), and combined with a cloud-operated <dfn>Anonymization CA</dfn>, can dynamically generate per-[=origin=] attestation keys and attestation certificates.

    Note: In various places outside this specification, the term "Privacy CA" is used to refer to what is termed here
        as an [=Anonymization CA=]. Because the Trusted Computing Group (TCG) also used the term "Privacy CA" to refer to what
        the TCG now refers to as an [=Attestation CA=] (ACA) [[!TCG-CMCProfile-AIKCertEnroll]], and the envisioned functionality
        of an [=Anonymization CA=] is not firmly established, we are using the term [=Anonymization CA=] here to try to mitigate
        confusion in the specific context of this specification.

- A WebAuthn Authenticator can implement [=Elliptic Curve based direct anonymous attestation=] (see [[FIDOEcdaaAlgorithm]]).
    Using this scheme, the authenticator generates a blinded attestation signature. This allows the [=[RP]=] to verify the
    signature using the [=ECDAA-Issuer public key=], but the attestation signature does not serve as a global correlation handle.


## Registration Ceremony Privacy ## {#sec-make-credential-privacy}

In order to protect users from being identified without [=user consent|consent=], implementations of the
{{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)}} method need to take care to not leak information that
could enable a malicious [=[RP]=] to distinguish between these cases, where "excluded" means that at least one of the [=public key
credential|credentials=] listed by the [=[RP]=] in {{MakePublicKeyCredentialOptions/excludeCredentials}} is bound to the
[=authenticator=]:

- No [=authenticators=] are present.
- At least one [=authenticator=] is present, and at least one present [=authenticator=] is excluded.

If the above cases are distinguishable, information is leaked by which a malicious [=[RP]=] could identify the user by probing for
which [=public key credential|credentials=] are available. For example, one such information leak is if the client returns a
failure response as soon as an excluded [=authenticator=] becomes available. In this case - especially if the excluded
[=authenticator=] is a [=platform authenticator=] - the [=[RP]=] could detect that the [=ceremony=] was canceled before the
timeout and before the user could feasibly have canceled it manually, and thus conclude that at least one of the [=public key
credential|credentials=] listed in the {{MakePublicKeyCredentialOptions/excludeCredentials}} parameter is available to the user.

The above is not a concern, however, if the user has [=user consent|consented=] to create a new credential before a
distinguishable error is returned, because in this case the user has confirmed intent to share the information that would be
leaked.


## Authentication Ceremony Privacy ## {#sec-assertion-privacy}

In order to protect users from being identified without [=user consent|consent=], implementations of the
{{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)}} method need to take care to not
leak information that could enable a malicious [=[RP]=] to distinguish between these cases, where "named" means that the [=public
key credential|credential=] is listed by the [=[RP]=] in {{PublicKeyCredentialRequestOptions/allowCredentials}}:

- A named [=public key credential|credential=] is not available.
- A named [=public key credential|credential=] is available, but the user does not [=user consent|consent=] to use it.

If the above cases are distinguishable, information is leaked by which a malicious [=[RP]=] could identify the user by probing
for which [=public key credential|credentials=] are available. For example, one such information leak is if the client returns a
failure response as soon as the user denies [=user consent|consent=] to proceed with an [=authentication=] [=ceremony=]. In this
case the [=[RP]=] could detect that the [=ceremony=] was canceled by the user and not the timeout, and thus conclude that at least
one of the [=public key credential|credentials=] listed in the {{PublicKeyCredentialRequestOptions/allowCredentials}} parameter is
available to the user.


# Acknowledgements # {#acknowledgements}
We thank the following people for their reviews of, and contributions to, this specification:
Yuriy Ackermann,
James Barclay,
Richard Barnes,
Dominic Battré,
John Bradley,
Domenic Denicola,
Rahul Ghosh,
Brad Hill,
Jing Jin,
Wally Jones,
Ian Kilpatrick,
Axel Nennker,
Yoshikazu Nojima,
Kimberly Paulhamus,
Adam Powers,
Yaron Sheffer,
Anne van Kesteren,
and
Boris Zbarsky.

We thank
Anthony Nadalin,
John Fontana,
and
Richard Barnes
for their contributions as co-chairs of the <a href="https://www.w3.org/Webauthn/">Web Authentication Working Group</a>.

We also thank
Wendy Seltzer,
Samuel Weiler,
and
Harry Halpin
for their contributions as our W3C Team Contacts.


<pre class=biblio>
{
  "Ceremony": {
    "title": "Ceremony Design and Analysis",
    "href": "https://eprint.iacr.org/2007/399.pdf",
    "authors": ["Carl Ellison"],
    "date": "2007"
  },

  "WebAuthn-Registries": {
    "authors": [
        "Jeff Hodges",
        "Giridhar Mandyam",
        "Michael B. Jones"
    ],
    "date": "March 2017",
    "href": "https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?modeAsFormat=html/ascii&url=https://raw.githubusercontent.com/w3c/webauthn/master/draft-hodges-webauthn-registries.xml",
    "publisher": "W3C WebAuthn Working Draft",
    "status": "Active Internet-Draft",
    "title": "Registries for Web Authentication (WebAuthn)",
    "id": "WebAuthn-Registries"
  },

  "GeoJSON": {
    "title": "The GeoJSON Format Specification",
    "href": "http://geojson.org/geojson-spec.html"
  },

  "SP800-107r1": {
    "title": "NIST Special Publication 800-107: Recommendation for Applications Using Approved Hash Algorithms",
    "href": "http://csrc.nist.gov/publications/nistpubs/800-107-rev1/sp800-107-rev1.pdf",
    "authors": ["Quynh Dang"],
    "date": "August 2012"
  },

  "OSCCA-SM3": {
    "title": "SM3 Cryptographic Hash Algorithm",
    "href": "http://www.oscca.gov.cn/UpFile/20101222141857786.pdf",
    "date": "December 2010"
  },

  "UAFProtocol": {
    "authors": ["R. Lindemann", "D. Baghdasaryan", "E. Tiffany", "D. Balfanz", "B. Hill", "J. Hodges"],
    "title": "FIDO UAF Protocol Specification v1.0",
    "status": "FIDO Alliance Proposed Standard",
    "href": "https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html"
  },

  "FIDOEcdaaAlgorithm": {
    "title": "FIDO ECDAA Algorithm",
    "authors": ["R. Lindemann", "Jan Camenisch", "Manu Drijvers", "Alec Edgington", "Anja Lehmann", "Rainer Urian"],
    "status": "FIDO Alliance Implementation Draft",
    "href": "https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-ecdaa-algorithm-v1.1-id-20170202.html"
  },

  "SEC1": {
    "title": "SEC1: Elliptic Curve Cryptography, Version 2.0",
    "publisher": "Standards for Efficient Cryptography Group",
    "href": "http://www.secg.org/sec1-v2.pdf"
  },

  "FIDOMetadataService": {
    "authors": ["R. Lindemann", "B. Hill", "D. Baghdasaryan"],
    "title": "FIDO Metadata Service v1.0",
    "href": "https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-metadata-service-v1.0-ps-20141208.html",
    "status": "FIDO Alliance Proposed Standard"
  },
  
  "FIDOUAFAuthenticatorMetadataStatements": {
    "authors": ["B. Hill", "D. Baghdasaryan", "J. Kemp"],
    "title": "FIDO UAF Authenticator Metadata Statements v1.0",
    "href": "https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-authnr-metadata-v1.0-ps-20141208.html",
    "status": "FIDO Alliance Proposed Standard"
  },
  
  "TPMv2-Part1": {
    "title": "Trusted Platform Module Library, Part 1: Architecture",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf"
  },

  "TPMv2-Part2": {
    "title": "Trusted Platform Module Library, Part 2: Structures",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf"
  },

  "TPMv2-Part3": {
    "title": "Trusted Platform Module Library, Part 3: Commands",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf"
  },

  "TPMv2-EK-Profile": {
    "title": "TCG EK Credential Profile for TPM Family 2.0",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf"
  },

  "FIDOAuthnrSecReqs": {
    "authors": ["D. Biggs", "J.E. Hill", "L. Lundblade", "M. Karlsson"],
    "title": "FIDO Authenticator Security Requirements",
    "href": "https://fidoalliance.org/specs/fido-security-requirements-v1.0-fd-20170524/",
    "status": "FIDO Alliance Final Documents"
  },

  "FIDOSecRef": {
    "authors": ["R. Lindemann", "D. Baghdasaryan", "B. Hill"],
    "title": "FIDO Security Reference",
    "href": "https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-security-ref-v1.2-ps-20170411.html",
    "status": "FIDO Alliance Proposed Standard"
  },

  "FIDOReg": {
    "authors": ["R. Lindemann", "D. Baghdasaryan", "B. Hill"],
    "title": "FIDO UAF Registry of Predefined Values",
    "href": "https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-reg-v1.0-ps-20141208.html",
    "status": "FIDO Alliance Proposed Standard"
  },

  "FIDO-APPID": {
    "authors": ["D. Balfanz", "B. Hill", "R. Lindemann", "D. Baghdasaryan"],
    "title": "FIDO AppID and Facets",
    "href": "https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-appid-and-facets-v2.0-ps-20170927.html",
    "status": "FIDO Alliance Proposed Standard"
  },

  "FIDO-U2F-Message-Formats": {
    "authors": ["D. Balfanz", "J. Ehrensvard", "J. Lang"],
    "title": "FIDO U2F Raw Message Formats",
    "href": "https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html",
    "status": "FIDO Alliance Implementation Draft"
  },

  "FIDO-CTAP": {
    "authors": ["R. Lindemann", "V. Bharadwaj", "A. Czeskis", "M. B. Jones", "J. Hodges", "A. Kumar", "C. Brand", "J. Verrept",
        "J. Ehrensvard"],
    "title": "FIDO 2.0: Client to Authenticator Protocol",
    "href": "https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html",
    "status": "FIDO Alliance Proposed Standard"
  },

  "FIDO-UAF-AUTHNR-CMDS": {
    "authors": ["R. Lindemann", "J. Kemp"],
    "title": "FIDO UAF Authenticator Commands",
    "href": "https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-uaf-authnr-cmds-v1.1-id-20170202.html",
    "status": "FIDO Alliance Implementation Draft"
  },

  "FIDO-Privacy-Principles": {
    "authors": ["FIDO Alliance"],
    "title": "FIDO Privacy Principles",
    "href": "https://fidoalliance.org/wp-content/uploads/2014/12/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf",
    "status": "FIDO Alliance Whitepaper"
  },

  "CDDL": {
    "authors": ["C. Vigano", "H. Birkholz"],
    "title": "CBOR data definition language (CDDL): a notational convention to express CBOR data structures",
    "href": "https://tools.ietf.org/html/draft-greevenbosch-appsawg-cbor-cddl",
    "status": "Internet Draft (work in progress)",
    "date": "21 September 2016"
  },

  "ISOBiometricVocabulary": {
    "authors": ["ISO/IEC JTC1/SC37"],
    "title": "Information technology — Vocabulary — Biometrics",
    "href": "http://standards.iso.org/ittf/PubliclyAvailableStandards/c055194_ISOIEC_2382-37_2012.zip",
    "status": "International Standard: ISO/IEC 2382-37:2012(E) First Edition",
    "date": "15 December 2012"
  },

  "TokenBinding": {
    "authors": ["A. Popov", "M. Nystroem", "D. Balfanz", "A. Langley", "J. Hodges"],
    "title": "The Token Binding Protocol Version 1.0",
    "href": "https://tools.ietf.org/html/draft-ietf-tokbind-protocol",
    "status": "Internet-Draft",
    "date": "February 16, 2017"
  },

  "EduPersonObjectClassSpec": {
    "publisher": ["Internet2 Middleware Architecture Committee for Education, Directory Working Group (MACE-Dir)"],
    "title": "EduPerson Object Class Specification (200604a)",
    "href": "https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-200604.html",
    "date": "May 15, 2007"
  }

}
</pre>