
Will sky fall if I don’t verify `AuthenticatorAttestationResponse`?

Çağlar Arlı

Through reading the WebAuthn spec and related MDN docs, I understand that unlike "certificate signing requests", FIDO/Passkey can have various different attestation formats and verification methods/algorithms during public-key credential registration.

The documents recommend against "profiling" authenticators. I find supporting all those different, and potentially more, attestation formats to be very complex.

If I only send the public key (obtained through the convenience API of AuthenticatorAttestationResponse.getPublicKey()) to the server, then ask the user to sign in to prove their possession of the private key through the CredentialsContainer.get() interface, what protection do I lose in terms of security?