This document provides information about registering and authenticating with a Touch ID authenticator on a MacBook Pro using the Web Authentication API and FIDO2 standards. It includes code samples and explanations of the registration, attestation, and assertion response objects and flows. Key points covered include how Touch ID returns a packed SELF attestation in the registration response and how early Chrome versions also included attestedCredentialData in the assertion (GetAssertion) response, a bug that has since been fixed.
8. Registration
navigator.credentials.create({
  publicKey: {
    rp: {
      id: "example.com",
      name: "Acme"
    },
    user: {
      id: new Uint8Array(16),
      name: "john.p.smith@example.com",
      displayName: "John P. Smith "
    },
    pubKeyCredParams: [{
      type: "public-key",
      alg: -7   // ES256 (ECDSA with P-256 and SHA-256)
    }],
    attestation: "direct",
    timeout: 60000,
    // must be a cryptographically random number sent from a server
    challenge: new Uint8Array([
      0x8C, 0x0A, 0x26, 0xFF, 0x22, 0x91, 0xC1, 0xE9 /* remaining bytes elided on the slide */ ]).buffer
  }
})
40. It can be longer than 37 bytes if extensions are sent (in which case the extensions bit is set in the authenticatorData flags). You are correct, though, that the authenticator should not send attestedCredentialData for a GetAssertion operation.
41. Should be in Chrome 75.
If you assume that we hit our six week cadence
then Chrome 75 would be ~mid June.
42. • Web Authentication: An API for accessing Public Key Credentials
https://www.w3.org/TR/webauthn/
• FIDO2 attestation format
https://techblog.yahoo.co.jp/advent-calendar-2018/webauthn-attestation-packed/
• FIDO2 Chrome MacBook Pro touch id
https://qiita.com/ifsec_56/items/0cc5f1d73e7d2e3029ad
• Issue 946993: Touch ID authenticator returns attestedCredentialData in GetAssertion response
http://kent056-n.hatenablog.com/entry/2019/03/31/140910
• WebAuthn/FIDO2: Verifying Packed Attestation
https://medium.com/@herrjemand/verifying-fido2-packed-attestation-a067a9b2facd