The authenticator data structure contains information from the authenticator about the processing of a credential creation or authentication request, such as the Relying Party ID Hash (rpIdHash), a signature counter, test of user presence, user verification flags, and any extensions processed by the authenticator. This page explains what is contained in the data structure.
Authenticator data is made available to the browser as an ArrayBuffer, and can be accessed in multiple ways. The two most convenient are:

- The PublicKeyCredential.response.authenticatorData property made available on the PublicKeyCredential returned from a successful navigator.credentials.create() (credential creation) call.
- The PublicKeyCredential.response.getAuthenticatorData() method made available on the PublicKeyCredential returned from a successful navigator.credentials.get() (authentication) call.

An authenticator data ArrayBuffer is at least 37 bytes in length, and contains the following fields:
- rpIdHash (32 bytes): The SHA-256 hash of the Relying Party ID that the credential is scoped to. The server will ensure that this hash matches the SHA-256 hash of its own relying party ID in order to prevent phishing or other man-in-the-middle attacks.
- flags (1 byte): A bitfield that indicates various attributes that were asserted by the authenticator. The bits are as follows, where Bit 0 is the least significant bit and all bits not specifically mentioned below are "reserved for future use":
  - Bit 0, User Presence (UP): If set (i.e., to 1), the authenticator validated that the user was present through some Test of User Presence (TUP), such as touching a button on the authenticator.
  - Bit 2, User Verification (UV): If set, the authenticator verified the actual user through a biometric, PIN, or other method.
  - Bit 6, Attested Credential Data (AT): If set, the attested credential data immediately follows the first 37 bytes of this authenticatorData.
  - Bit 7, Extension Data (ED): If set, extension data is present. Extension data follows the attested credential data if present, or immediately follows the first 37 bytes of the authenticatorData if no attested credential data is present.
- signCount (4 bytes): A signature counter, if supported by the authenticator (set to 0 otherwise). Servers may optionally use this counter to detect authenticator cloning.
- attestedCredentialData (variable length): The credential that was created. This is only present during a navigator.credentials.create() call. This is a sequence of bytes with the following format:
  - AAGUID (16 bytes): The Authenticator Attestation Globally Unique Identifier, a unique number that identifies the model of the authenticator (not the specific instance of the authenticator). A relying party can use this to find out the characteristics of the authenticator by looking up its metadata statement via the FIDO metadata service. This is relevant in certain situations such as enterprise deployments or where regulatory requirements dictate a certain type of authenticator be used; it should be ignored otherwise.
  - credentialIdLength (2 bytes): The length of the credential ID that immediately follows these bytes.
  - credentialId (variable length): A unique identifier for this credential so that it can be requested for future authentications. The credential ID is "credentialIdLength" bytes long.
  - credentialPublicKey (variable length): A COSE-encoded public key. This public key will be stored on the server associated with a user's account and be used for future authentications. Relying parties can retrieve the DER-encoded form of it without parsing the COSE-encoded authenticator data via the AuthenticatorAttestationResponse.getPublicKey() method.
- extensions (variable length): An optional CBOR map containing the response outputs from extensions processed by the authenticator.

Extensions are optional and different browsers may recognize different extensions. Processing extensions is always optional for the browser: if a browser does not recognize a given extension, it will just ignore it. For information on using extensions, and which ones are supported by which browsers, see Web Authentication extensions.

Note: The authenticator data only contains the results from extensions processed by the authenticator. The results from extensions processed by the browser (client) can be accessed via PublicKeyCredential.getClientExtensionResults().
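The following is an added example (not code from MDN or from any WebAuthn library) that parses the byte layout described above from a Uint8Array and applies the relying-party checks the text mentions: rpIdHash comparison, user presence, and the signature counter as a cloning signal. The sample bytes, the 0x11-filled hash, and the placeholder COSE key bytes are constructed for the demonstration; a real relying party would compute the expected hash as SHA-256 of its RP ID and decode the COSE key with a CBOR library.

```javascript
// Added example, not MDN's code: parse the layout above and run the RP checks it mentions.
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticator data must be at least 37 bytes");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const parsed = {
    rpIdHash: bytes.slice(0, 32),
    flags: {
      up: (bytes[32] & 0x01) !== 0, // Bit 0: Test of User Presence passed
      uv: (bytes[32] & 0x04) !== 0, // Bit 2: user verified (PIN, biometric, ...)
      at: (bytes[32] & 0x40) !== 0, // Bit 6: attested credential data follows
      ed: (bytes[32] & 0x80) !== 0, // Bit 7: extension data present
    },
    signCount: view.getUint32(33, false), // 4-byte big-endian counter
    attestedCredentialData: null,
  };
  if (parsed.flags.at) {
    if (bytes.length < 55) throw new Error("truncated attested credential data");
    const credentialIdLength = view.getUint16(53, false); // 2-byte big-endian
    const keyStart = 55 + credentialIdLength;
    if (keyStart > bytes.length) throw new Error("credentialIdLength exceeds buffer");
    parsed.attestedCredentialData = {
      aaguid: bytes.slice(37, 53),
      credentialIdLength,
      credentialId: bytes.slice(55, keyStart),
      // The COSE key is a CBOR map; without a CBOR decoder its end is only known when
      // no extension data follows it, so it is left null when ED is set.
      credentialPublicKey: parsed.flags.ed ? null : bytes.slice(keyStart),
    };
  }
  return parsed;
}
// RP checks: rpIdHash must equal the expected SHA-256 of the RP ID, UP must be set, and a
// non-zero counter must move past the stored value (otherwise a possible cloned authenticator).
function checkAuthenticatorData(parsed, expectedRpIdHash, storedSignCount) {
  const problems = [];
  if (!(parsed.rpIdHash.length === expectedRpIdHash.length &&
        parsed.rpIdHash.every((b, i) => b === expectedRpIdHash[i]))) problems.push("rpIdHash mismatch");
  if (!parsed.flags.up) problems.push("user presence not asserted");
  if ((parsed.signCount !== 0 || storedSignCount !== 0) && parsed.signCount <= storedSignCount)
    problems.push("signature counter did not increase (possible cloned authenticator)");
  return problems;
}
// Constructed sample, not a real capture: flags UP|UV|AT, signCount 5, zero AAGUID, 4-byte ID.
const SAMPLE_RP_ID_HASH = new Uint8Array(32).fill(0x11);
const SAMPLE_AUTH_DATA = Uint8Array.from([
  ...SAMPLE_RP_ID_HASH,
  0x45,                                // flags = 0b01000101 (AT, UV, UP)
  0x00, 0x00, 0x00, 0x05,              // signCount = 5
  ...new Uint8Array(16), 0x00, 0x04,   // AAGUID, credentialIdLength = 4
  0xde, 0xad, 0xbe, 0xef,              // credentialId
  0xa5, 0x01, 0x02,                    // first bytes of a COSE key map (placeholder)
]);
```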
See also: Authenticator data definition in the WebAuthn specification