This implementation of UAF, which appears to be FIDO certified, fails to correctly verify authenticator records and does not support TLS channel binding, which is essential for resisting certain man-in-the-middle attacks.
Notably, the implementation fails to verify any of the final challenge parameter (fcp) fields, potentially verifying attestations that do not even attest the appropriate challenge.
This implementation of UAF, which appears to be FIDO certified, fails to correctly verify authenticator records and does not support TLS channel binding, which is essential for resisting certain man-in-the-middle attacks.
Notably, the implementation fails to verify any of the final challenge parameter (fcp) fields, potentially verifying attestations that do not even attest the appropriate challenge.