authenticatorData

Draft
This page is not complete.

This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

Secure context
This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.

The data that is created and / or consumed by a WebAuthn authenticator device.

Syntax

var authnrData = assertion.response.authnrData;

Value

An ArrayBuffer that has a byteLength of at least 37 bytes containing the following fields:

  • rpIdHash (32 bytes) - A SHA256 hash of the relying party ID (i.e. - domain) that was seen by the browser. The server will ensure that this hash matches a hash of its own origin in order to prevent phishing or other man-in-the-middle attacks.
  • flags (1 bytes) - A bitfield that indicates various attributes that were asserted by the authenticator. The bits are as follows, where "bit 0" is the least significant bit and all bits not specifically mentioned below are "reserved for future use":
    • Bit 0, User Presence (UP) - If set, authenticator validated that the user was present through some Test of User Presence (TUP), such as touching a button on the authenticator.
    • Bit 2, User Verification (UV) - If set, authenticator verified the actual user, through a biometric, PIN, or other authentication method.
    • Bit 6, Attested Credential Data (AT) - If set, attestedCredentialData will immediately follow the first 37 bytes of this authenticatorData.
    • Bit 7, Extension data (ED) - If set, extension data is present. Extension data will follow attestedCredentialData if it is present, or will immediatelly follow the first 37 bytes of the authenticatorData if no attestedCredentialData is present.
  • signCount (4 bytes) - A signature count from the authenticator. The server will use this counter to detect authenticator cloning.
  • attestedCredentialData (variable length) - The credential that was created. This is only present during a navigator.credentials.create() call. This is a sequence of bytes with the following format:
    • AAGUID (16 bytes) - Authenticator Attestation Globally Unique Identifier, a unique number that identifies the model of the authenticator (not the specific instance of the authenticator) so that a relying party can understand the characteristics of the authenticator by looking up its metadata statement.
    • credentialIdLength (2 bytes) - The length of the credential ID that immediately follows these bytes.
    • credentialId (variable length) - A unqiue identifier for this credential so that it can be requested for future authentications. The credential is "credentialIdLength" bytes long.
    • credentialPublicKey (variable length) - A COSE encoded public key. This public key will be stored on the server associated with a user's account and be used for future authentications.
  • extensions (variable length) - An optional CBOR map of extensions.

Examples

TBD

Specifications

Specification Status Comment
Web Authentication: An API for accessing Public Key Credentials Level 1 Candidate Recommendation Initial definition.

Browser compatibility

Update compatibility data on GitHub
DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidEdge MobileFirefox for AndroidOpera for AndroidiOS SafariSamsung Internet
Basic supportChrome Full support 65
Notes Disabled
Full support 65
Notes Disabled
Notes Only support USB U2F tokens
Disabled From version 65: this feature is behind the Web Authentication API preference (needs to be set to true). To change preferences in Chrome, visit chrome://flags.
Edge Full support 18Firefox Full support 60
Notes
Full support 60
Notes
Notes Only support USB U2F tokens
IE ? Opera ? Safari ? WebView Android ? Chrome Android ? Edge Mobile ? Firefox Android ? Opera Android ? Safari iOS ? Samsung Internet Android ?
authenticatorDataChrome Full support 65
Notes Disabled
Full support 65
Notes Disabled
Notes Only support USB U2F tokens
Disabled From version 65: this feature is behind the Web Authentication API preference (needs to be set to true). To change preferences in Chrome, visit chrome://flags.
Edge Full support 18Firefox Full support 60
Notes
Full support 60
Notes
Notes Only support USB U2F tokens
IE ? Opera ? Safari ? WebView Android ? Chrome Android ? Edge Mobile ? Firefox Android ? Opera Android ? Safari iOS ? Samsung Internet Android ?
signatureChrome Full support 65
Notes Disabled
Full support 65
Notes Disabled
Notes Only support USB U2F tokens
Disabled From version 65: this feature is behind the Web Authentication API preference (needs to be set to true). To change preferences in Chrome, visit chrome://flags.
Edge Full support 18Firefox Full support 60
Notes
Full support 60
Notes
Notes Only support USB U2F tokens
IE ? Opera ? Safari ? WebView Android ? Chrome Android ? Edge Mobile ? Firefox Android ? Opera Android ? Safari iOS ? Samsung Internet Android ?
userHandleChrome Full support 65
Notes Disabled
Full support 65
Notes Disabled
Notes Only support USB U2F tokens
Disabled From version 65: this feature is behind the Web Authentication API preference (needs to be set to true). To change preferences in Chrome, visit chrome://flags.
Edge Full support 18Firefox Full support 60
Notes
Full support 60
Notes
Notes Only support USB U2F tokens
IE ? Opera ? Safari ? WebView Android ? Chrome Android ? Edge Mobile ? Firefox Android ? Opera Android ? Safari iOS ? Samsung Internet Android ?

Legend

Full support  
Full support
Compatibility unknown  
Compatibility unknown
See implementation notes.
See implementation notes.
User must explicitly enable this feature.
User must explicitly enable this feature.

Document Tags and Contributors

Contributors to this page: apowers313
Last updated by: apowers313,