As part of the WebAuthn create() call, an authenticator creates a new keypair as well as an attestationObject for that keypair. The attestationObject contains the new public key, as well as a signature over the entire attestationObject made with a private key that is stored in the authenticator when it is manufactured. The public key that corresponds to the private key that created the attestation signature is well known; however, there are various well-known attestation public key chains for different ecosystems (for example, Android or TPM attestations).
- fmt: A text string that indicates the format of the attStmt. The WebAuthn specification defines a number of formats; however, formats may also be defined in other specifications and registered in an IANA registry. Formats defined by WebAuthn are: "packed", "tpm", "android-key", "android-safetynet", "fido-u2f", and "none".
- attStmt: An attestation statement that is of the format defined by "fmt". For now, see the WebAuthn specification for details on each format.
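A relying party can decode the attestationObject and check "fmt" and "attStmt" before doing any format-specific verification. The following is an added example, not code from the original page or from the WebAuthn specification: it relies on the attestationObject being CBOR-encoded with an additional "authData" member (per the WebAuthn specification, not stated in the text above), the helper names and sample bytes are constructed for illustration, and accepting only the WebAuthn-defined formats is an assumed policy. It performs structural checks only and does not verify the attestation signature.

```javascript
// Formats defined by the WebAuthn specification, as listed in the text above.
const WEBAUTHN_FORMATS = ["packed", "tpm", "android-key", "android-safetynet", "fido-u2f", "none"];
// Minimal CBOR reader (hypothetical helper): definite-length ints, strings, arrays, maps.
function decodeCbor(bytes, pos = 0) {
  if (pos >= bytes.length) throw new Error("truncated CBOR");
  const head = bytes[pos++], major = head >> 5, info = head & 0x1f;
  if (info > 26) throw new Error("unsupported CBOR encoding");
  let n = info;
  if (info >= 24) {                          // value or length follows in 1, 2 or 4 bytes
    const width = 1 << (info - 24);
    if (pos + width > bytes.length) throw new Error("truncated CBOR");
    n = 0;
    for (let i = 0; i < width; i++) n = n * 256 + bytes[pos++];
  }
  if (major === 0) return [n, pos];
  if (major === 1) return [-1 - n, pos];
  if (major === 2 || major === 3) {          // byte string or text string
    if (pos + n > bytes.length) throw new Error("truncated CBOR");
    const raw = bytes.subarray(pos, pos + n);
    return [major === 2 ? raw : new TextDecoder().decode(raw), pos + n];
  }
  if (major > 5) throw new Error("unsupported CBOR major type " + major);
  const items = [];                          // array: n items; map: n key/value pairs
  for (let i = 0; i < (major === 4 ? n : 2 * n); i++) {
    let item;
    [item, pos] = decodeCbor(bytes, pos);
    items.push(item);
  }
  if (major === 4) return [items, pos];
  const map = new Map();                     // Map avoids "__proto__"-style key surprises
  for (let i = 0; i < items.length; i += 2) map.set(items[i], items[i + 1]);
  return [map, pos];
}

// Decode an attestationObject and reject anything structurally unexpected.
function parseAttestationObject(bytes) {
  const [obj, end] = decodeCbor(bytes);
  if (!(obj instanceof Map) || end !== bytes.length) throw new Error("not a single CBOR map");
  const fmt = obj.get("fmt"), attStmt = obj.get("attStmt"), authData = obj.get("authData");
  if (typeof fmt !== "string" || !(attStmt instanceof Map) || !(authData instanceof Uint8Array))
    throw new Error("missing or mistyped fmt / attStmt / authData");
  if (!WEBAUTHN_FORMATS.includes(fmt)) throw new Error("unrecognized attestation format: " + fmt);
  if (fmt === "none" && attStmt.size !== 0) throw new Error('"none" requires an empty attStmt');
  return { fmt, attStmt, authData };
}

// Constructed sample: {"fmt": "none", "attStmt": {}, "authData": <37 zero bytes>}
const enc = (s) => [...new TextEncoder().encode(s)];
const SAMPLE = Uint8Array.from([0xa3, 0x63, ...enc("fmt"), 0x64, ...enc("none"),
  0x67, ...enc("attStmt"), 0xa0, 0x68, ...enc("authData"), 0x58, 37, ...new Array(37).fill(0)]);
```

In a browser, the attestationObject is exposed as an ArrayBuffer, so wrap it with `new Uint8Array(...)` before passing it to `parseAttestationObject`. To accept IANA-registered formats beyond the WebAuthn-defined ones, extend the allow-list explicitly.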
| Web Authentication: An API for accessing Public Key Credentials Level 1 | Candidate Recommendation | Initial definition. |
1. Only supports USB U2F tokens.
2. From version 65: this feature is behind the Web Authentication API preference (needs to be set to true). To change preferences in Chrome, visit chrome://flags.