attestationObject

attestationObject is a data structure used in the Web Authentication (WebAuthn) protocol. It is produced by the authenticator during the credential creation ceremony and delivered to the relying party (server) along with clientDataJSON. The object is CBOR-encoded and contains the attestation statement and the authenticator data that prove the credential's provenance and integrity.

The top-level attestationObject is a CBOR map with three fields: fmt, authData, and attStmt. fmt is a string naming the attestation format used by the authenticator (for example, "packed", "tpm", "fido-u2f", "android-safetynet", or "none"). authData is a binary blob containing the authenticator data, which starts with rpIdHash (32 bytes), followed by a flags byte and a signature counter. If the Attested Credential Data (AT) flag is set in flags, authData also includes the AAGUID (16 bytes), the credentialId length, the credentialId, and the credentialPublicKey (CBOR-encoded). Optional extension data may be present if the ED flag is set.

attStmt is a map whose contents depend on the fmt value. It typically contains cryptographic data such as a signature and, optionally, a certificate chain that attests to the credential. In the "none" format, attStmt may be empty.

Use: During registration, the client sends the attestationObject and clientDataJSON to the server. The server uses the attestationObject to verify the credential, decide whether to trust it, and to associate the credentialPublicKey with the user for future authentication. Attestation can raise privacy concerns, so relying parties may configure conveyance to "none" or use privacy-preserving formats.
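
A server-side parse of the authData layout described above, with the length and rpIdHash checks a relying party needs before trusting any field. This is an added example, not code from the original page: the function name, the constructed sample and the RP ID "example.com" are assumptions, and the 4-byte big-endian counter, 2-byte credentialId length and flag bit values come from the WebAuthn specification rather than this page.

```python
import hashlib
import hmac
import struct

# Flag bit values from the WebAuthn specification (the page names AT and ED only).
FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80


def parse_auth_data(auth_data: bytes, expected_rp_id: str) -> dict:
    """Split authData into its fixed fields and, if AT is set, the attested credential data."""
    if len(auth_data) < 37:  # 32 rpIdHash + 1 flags + 4 signature counter
        raise ValueError("authData shorter than the 37-byte fixed header")
    rp_id_hash = auth_data[:32]
    flags, sign_count = struct.unpack(">BI", auth_data[32:37])
    # rpIdHash must equal SHA-256 of the RP ID this server expects.
    expected = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    if not hmac.compare_digest(rp_id_hash, expected):
        raise ValueError("rpIdHash does not match the expected RP ID")
    out = {
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
        "attested": None,
    }
    rest = auth_data[37:]
    if flags & FLAG_AT:
        if len(rest) < 18:  # 16 AAGUID + 2 credentialId length
            raise ValueError("AT flag set but attested credential data is truncated")
        aaguid = rest[:16]
        (cred_len,) = struct.unpack(">H", rest[16:18])
        # Never trust the declared length: it must fit and leave room for a key.
        if len(rest) < 18 + cred_len + 1:
            raise ValueError("credentialId length exceeds remaining authData")
        out["attested"] = {
            "aaguid": aaguid.hex(),
            "credential_id": rest[18:18 + cred_len],
            # CBOR-encoded credentialPublicKey, followed by extension data if ED
            # is set; separating the two requires a CBOR decoder (not used here).
            "public_key_and_extensions": rest[18 + cred_len:],
        }
    elif rest and not flags & FLAG_ED:
        raise ValueError("trailing bytes present but neither AT nor ED is set")
    return out


# Constructed sample: RP ID "example.com", flags UP|AT, counter 5, zero AAGUID,
# 4-byte credentialId, and one placeholder byte standing in for the public key.
SAMPLE = (hashlib.sha256(b"example.com").digest() + bytes([0x41]) + struct.pack(">I", 5)
          + bytes(16) + struct.pack(">H", 4) + b"\x01\x02\x03\x04" + b"\xa0")
```
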