As part of the WebAuthn create() call, an authenticator creates a new keypair as well as an attestationObject for that keypair. The attestationObject contains the new public key, as well as a signature over the entire attestationObject made with a private key that is stored in the authenticator when it is manufactured. The public key that corresponds to the private key that created the attestation signature is well known; however, there are various well-known attestation public key chains for different ecosystems (for example, Android or TPM attestations).
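As an added illustration (not code from the original page), this Node.js sketch decodes an attestationObject and extracts the new credential public key it carries. It assumes the CBOR layout defined by the Web Authentication specification (`fmt`, `attStmt`, `authData`); the function names and sample bytes are constructed for this example, and it does not verify the attestation signature.

```javascript
// Minimal CBOR reader (ints, byte/text strings, arrays, maps). Returns [value, nextPos].
function cborDecode(buf, pos = 0) {
  if (pos >= buf.length) throw new RangeError("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  let len = info;
  pos += 1;
  if (info >= 24 && info <= 26) {            // length held in the next 1, 2 or 4 bytes
    const n = 1 << (info - 24);
    len = buf.readUIntBE(pos, n);
    pos += n;
  } else if (info > 26) throw new Error("unsupported CBOR length encoding");
  if ((major === 2 || major === 3) && pos + len > buf.length) throw new RangeError("truncated CBOR");
  const next = () => { let v; [v, pos] = cborDecode(buf, pos); return v; };
  switch (major) {
    case 0: return [len, pos];
    case 1: return [-1 - len, pos];
    case 2: return [buf.subarray(pos, pos + len), pos + len];
    case 3: return [buf.toString("utf8", pos, pos + len), pos + len];
    case 4: { const a = []; for (let i = 0; i < len; i++) a.push(next()); return [a, pos]; }
    case 5: { const m = new Map(); for (let i = 0; i < len; i++) { const k = next(); m.set(k, next()); } return [m, pos]; }
    default: throw new Error("unsupported CBOR major type " + major);
  }
}

// authData layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | idLen(2) | id | COSE key
function parseAttestationObject(attObj) {
  const [top] = cborDecode(Buffer.from(attObj));
  const authData = top.get("authData");
  if (!Buffer.isBuffer(authData) || authData.length < 37) throw new Error("authData missing or too short");
  const flags = authData[32];
  if (!(flags & 0x40)) throw new Error("AT flag clear: no attested credential data");
  const idLen = authData.readUInt16BE(53);
  const out = { fmt: top.get("fmt"), attStmt: top.get("attStmt"), flags,
    rpIdHash: authData.subarray(0, 32), signCount: authData.readUInt32BE(33),
    aaguid: authData.subarray(37, 53), credentialId: authData.subarray(55, 55 + idLen) };
  [out.credentialPublicKey] = cborDecode(authData, 55 + idLen); // COSE_Key map
  return out;
}

// Constructed sample, not from a real authenticator: fmt "none", placeholder ES256 key.
function sampleAttestationObject() {
  const hex = (s) => Buffer.from(s, "hex");
  const coseKey = Buffer.concat([hex("a5010203262001215820"), Buffer.alloc(32, 0xaa),
    hex("225820"), Buffer.alloc(32, 0xbb)]);
  const authData = Buffer.concat([Buffer.alloc(32, 0x11), hex("4100000005"),
    Buffer.alloc(16), hex("000401020304"), coseKey]);
  return Buffer.concat([hex("a363666d74646e6f6e656761747453746d74a0" +
    "6861757468446174615888"), authData]);
}
```

In the returned COSE key map, label 3 is the algorithm (-7 is ES256) and labels -2 and -3 hold the x and y coordinates of the new public key.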
|Specification|Status|Comment|
|---|---|---|
|Web Authentication: An API for accessing Public Key Credentials Level 1|Candidate Recommendation|Initial definition.|
|Feature|Android webview|Chrome for Android|Edge mobile|Firefox for Android|Opera Android|iOS Safari|Samsung Internet|
1. Only supports USB U2F tokens.
2. From version 65: this feature is behind the Web Authentication API preference (needs to be set to true). To change preferences in Chrome, visit chrome://flags.