Webauthn Framework
v4.0
v4.0
  • The project
    • Introduction
    • Web Browser Support
    • Installation
    • Contributing
  • Webauthn In A Nutshell
    • Authenticators
    • Ceremonies
    • Metadata Statement
    • User Verification
    • Extensions
    • Token Binding
  • Prerequisites
    • The Relying Party
    • Credential Source Repository
    • User Entity
    • Javascript
  • Pure PHP
    • Webauthn Server
    • Register Authenticators
    • Authenticate Your Users
    • Advanced Behaviours
      • Debugging
      • User Verification
      • Authenticator Selection Criteria
      • Attestation and Metadata Statement
      • Authentication without username
      • Extensions
      • Authenticator Counter
      • Dealing with “localhost”
  • Symfony Bundle
    • Bundle Installation
    • Credential Source Repository
    • User Entity Repository
    • Firewall
    • Configuration References
    • Advanced Behaviors
      • Register Additional Authenticators
      • Debugging
      • User Verification
      • Attestation and Metadata Statement
      • Authenticator Selection Criteria
      • Authentication without username
      • Extensions
      • Token Binding
      • Authenticator Counter
      • Dealing with “localhost”
  • Migration
    • From v3.x to v4.0
Powered by GitBook
On this page
  • Attestation Statement
  • Metadata Statement

Was this helpful?

Edit on GitHub
Export as PDF
  1. Webauthn In A Nutshell

Metadata Statement

PreviousCeremoniesNextUser Verification

Last updated 3 years ago

Was this helpful?

Disclaimer: you should not ask for the Attestation Statement unless you are working on an application that requires a high level of trust (e.g. Banking/Financial Company, Government Agency...).

Attestation Statement

During the Attestation Ceremony (i.e. the registration of the authenticator), you can ask for the Attestation Statement of the authenticator. The Attestation Statements have one of the following types:

  • None (none): no Attestation Statement is provided

  • Basic Attestation (basic): Authenticator’s attestation key pair is specific to an authenticator model.

  • Surrogate Basic Attestation (or Self Attestation - self): Authenticators that have no specific attestation key use the credential private key to create the attestation signature

  • Attestation CA (AttCA): Authenticators are based on a Trusted Platform Module (TPM). They can generate multiple attestation identity key pairs (AIK) and requests an Attestation CA to issue an AIK certificate for each.

  • Anonymization CA (AnonCA): Authenticators use an Anonymization CA, which dynamically generates per-credential attestation certificates such that the attestation statements presented to Relying Parties do not provide uniquely identifiable information.

  • Elliptic Curve based Direct Anonymous Attestation (ECDAA): Authenticator receives direct anonymous attestation (DAA) credentials from a single DAA-Issuer. These DAA credentials are used along with blinding to sign the attested credential data.

Metadata Statement

The Metadata Statements are issued by the manufacturers of the authenticators. These statements contain details about the authenticators (supported algorithms, biometric capabilities...) and all the necessary information to verify the Attestation Statements generated during the attestation ceremony.

There are several possible sources to get these Metadata Statements. The main source is the that allows fetching statements on-demand, but some of them may be provided by other means.

The FIDO Alliance Metadata Service provides a limited number of Metadata Statements. It is mandatory to get the statement from the manufacturer of your authenticators otherwise the Attestation Statement won't be verified and the Attestation Ceremony will fail.

FIDO Alliance Metadata Service