w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

Deprecation warning for fido-u2f, apple, and android-safetynet? #1989

Closed vanbukin closed 12 months ago

vanbukin commented 1 year ago

fido-u2f: Google Chrome, Edge, and Firefox no longer support U2F

apple: Apple has moved to Passkeys starting from iOS 16 and no longer provides an Attestation Statement (to be precise, it returns 'none')

android-safetynet: Google has announced the deprecation of SafetyNet Attestation.

Perhaps it would be worthwhile to add notes to the specification about certain Attestation Statement Formats either not being supported from specific browser versions, or discontinuing support in the future (as is the case with SafetyNet).

This would be good support when implementing libraries for WebAuthn, so that those who develop them would not spend effort supporting something that is either used by a very small percentage of the audience, or not used at all.

emlun commented 1 year ago

fido-u2f attestation is not deprecated; it will always continue to be used by U2F security keys from before the release of FIDO2. The deprecation of the U2F JavaScript API has no effect on this; these security keys still remain compatible with the WebAuthn API (though not all features, like User Verification and discoverable keys).

I don't know about the other formats, though.

vanbukin commented 1 year ago

@emlun Yes, you are correct about fido-u2f. I apologize if it was misleading. However, as far as I understand, for fido-u2f there will be no userHandle, which is mandatory for the usernameless sign-in scenario (if the user was not identified before the authentication ceremony was initiated). Perhaps this point is worth mentioning.

emlun commented 1 year ago

This is mentioned in §2.2.1. Backwards Compatibility with FIDO U2F, and implied by the description of PublicKeyCredential.response.userHandle:

[...] The authenticator MUST always return a user handle if the allowCredentials option used in the authentication ceremony is empty, and MAY return one otherwise.

Since U2F authenticators must always be used with non-empty allowCredentials, this implies that they always MAY (and in fact always do) return userHandle: null.
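The rule quoted above has a concrete consequence for Relying Party code: `userHandle` can only be relied on when `allowCredentials` was empty, and a pre-FIDO2 U2F key will always hand back `null`. The following is an added example of RP-side user resolution written for this thread, not code from the w3c/webauthn specification or any WebAuthn library. It assumes credential ids and user handles have already been decoded to base64url strings (real `response.userHandle` is an `ArrayBuffer` or `null`), and the credential store and user table are constructed sample data.

```javascript
// Added example (not from the w3c/webauthn repository): decide which user an
// assertion belongs to, honouring the spec rule that a user handle is only
// guaranteed when allowCredentials is empty.

// Constructed sample credential store: credential id (base64url) -> owning user.
const CREDENTIAL_STORE = new Map([
  ["u2f-key-01", "alice"],   // pre-FIDO2 U2F key: never returns a userHandle
  ["passkey-01", "bob"],     // discoverable credential: returns a userHandle
]);

// Constructed sample user table: user -> user.id chosen by the RP at
// registration (base64url). This is the value returned as userHandle.
const USER_HANDLES = new Map([
  ["alice", "aGFuZGxlLWFsaWNl"],
  ["bob", "aGFuZGxlLWJvYg"],
]);

// Reverse lookup: user handle -> user, or null if unknown.
function userForHandle(handle) {
  for (const [userId, h] of USER_HANDLES) {
    if (h === handle) return userId;
  }
  return null;
}

/**
 * Resolve the user for an authentication assertion.
 * @param {string[]} allowCredentials credential ids the RP put in the request;
 *   empty means a usernameless (discoverable credential) ceremony.
 * @param {{id: string, userHandle: string|null}} assertion credential id and
 *   response.userHandle as returned by the browser (base64url or null).
 * @returns {{ok: true, userId: string} | {ok: false, reason: string}}
 */
function resolveAssertionUser(allowCredentials, assertion) {
  const owner = CREDENTIAL_STORE.get(assertion.id);
  if (!owner) return { ok: false, reason: "unknown credential" };

  if (allowCredentials.length === 0) {
    // Usernameless flow: the authenticator MUST return a user handle, so a
    // missing one is a hard failure. A U2F key can never satisfy this flow
    // because it cannot be used with empty allowCredentials at all.
    if (assertion.userHandle === null) {
      return { ok: false, reason: "userHandle required when allowCredentials is empty" };
    }
    if (userForHandle(assertion.userHandle) !== owner) {
      return { ok: false, reason: "userHandle does not map to credential owner" };
    }
    return { ok: true, userId: owner };
  }

  // Identified-user flow: the RP already knows who is signing in, and the
  // returned credential must be one of those it asked for.
  if (!allowCredentials.includes(assertion.id)) {
    return { ok: false, reason: "credential not in allowCredentials" };
  }
  // userHandle is optional here (U2F keys return null); if present it must
  // still agree with the owner of the credential, per the spec's verification steps.
  if (assertion.userHandle !== null && userForHandle(assertion.userHandle) !== owner) {
    return { ok: false, reason: "userHandle does not map to credential owner" };
  }
  return { ok: true, userId: owner };
}
```

The two branches are the whole point: a library that always requires a non-null `userHandle` will reject every pre-FIDO2 security key, while one that trusts `userHandle` alone in the identified-user flow skips the check that the handle and the credential belong to the same account.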

timcappalli commented 1 year ago

I'd also add that just because an authenticator implementation is not currently using an attestation format does not mean it is deprecated; it could be used in the future.

vanbukin commented 1 year ago

Apologies; for fido-u2f there are indeed instructions about the nuances of its operation. Thank you for the clarification. And what about apple and android-safetynet? Is it suitable to mention deprecation for them?

emlun commented 12 months ago

2023-10-25 WG call: Apple reports they are not comfortable with calling apple attestation deprecated at this time. Google confirms that SafetyNet attestation is deprecated, but judging by the deprecation timeline, SafetyNet attestation will still be supported in some form until January 2025. The WG feels we should not make any change to the spec so long as the attestation format is being produced by authenticators. We hope to release L3 of the spec well before January 2025 (the WG charter ends in April 2024), so we will not make any change for this in L3.