
I have implemented some sort of password-less authentication using Duo Labs' webauthn using Django. However, I keep getting this error:

`Unable to verify attestation statement format..`

when authenticating on my Android phone (at least for now). How can I include more attestation formats to incorporate Android, Windows Hello and any other device in this library's attestation formats?

Sirjon

1 Answer

The current version of the webauthn library only supports the following attestation formats:

  • "fido-u2f"
  • "packed"
  • "none"

You mentioned you're trying to register an Android device - without seeing a response you're getting back from the call to `navigator.credentials.create()`, I'd make an educated guess that you're getting responses with "android-safetynet" or "android-key" attestation statements which the library is unable to verify.

IAmKale
  • I actually got `Registration rejected. Unable to verify attestation statement format..` I later found through the source code that `Android devices` ain't supported yet. Interestingly, some registrations on the same phone were successful. – Sirjon May 20 '21 at 18:27
  • If you don't request direct attestation during registration then you're probably getting back "none" formatted attestation statements that verify fine. Just a guess. – IAmKale May 20 '21 at 19:05
  • Absolutely, not even a guess! I wish I could implement verifications for Android statements. – Sirjon May 21 '21 at 14:53
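
A diagnostic for the situation discussed in the answer and comments above, as an added example that is not part of the original thread or of the webauthn library: it reads the `fmt` field out of an attestationObject with a minimal CBOR decoder and compares it with the three formats the answer lists. It assumes the client sends the attestationObject base64url-encoded; the function names and the sample data are constructed for illustration.

```python
import base64

# Formats the answer lists as verifiable by the library version discussed.
SUPPORTED_FORMATS = {"fido-u2f", "packed", "none"}

def _decode(buf, pos=0):
    """Decode one CBOR item (ints, bytes, text, arrays, maps); return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated CBOR")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27:                      # 1, 2, 4 or 8 byte big-endian argument
        size = 1 << (info - 24)
        if pos + size > len(buf):
            raise ValueError("truncated CBOR")
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    else:
        raise ValueError("indefinite-length CBOR is not handled here")
    if major in (0, 1):                   # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):                   # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR")
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major in (4, 5):                   # array / map
        items = []
        for _ in range(arg * (major - 3)):   # a map holds arg key/value pairs
            value, pos = _decode(buf, pos)
            items.append(value)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos
    raise ValueError("unsupported CBOR major type %d" % major)

def check_format(attestation_object_b64url):
    """Return (fmt, supported) for a base64url attestationObject (encoding is an assumption)."""
    padded = attestation_object_b64url + "=" * (-len(attestation_object_b64url) % 4)
    obj, _ = _decode(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict) or not isinstance(obj.get("fmt"), str):
        raise ValueError("not a WebAuthn attestationObject")
    return obj["fmt"], obj["fmt"] in SUPPORTED_FORMATS

def constructed_sample(fmt):
    """Constructed test data: attestationObject with empty attStmt and zeroed authData."""
    raw = (b"\xa3\x63fmt" + bytes([0x60 + len(fmt)]) + fmt.encode()
           + b"\x67attStmt\xa0\x68authData\x58\x25" + bytes(37))
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
```

Logging the result of `check_format` for each rejected registration shows whether the failures line up with Android formats while the successful registrations on the same phone carried "none".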