
Enterprise Attestation #398

Closed
mangoplane opened this issue Jun 6, 2023 · 6 comments
Labels
question Further information is requested

Comments

@mangoplane

As the title reads, I'm researching how to do enterprise attestation where the device's serial number is attested to reduce the incidence of spam account creation.

Among other settings, it requires enterprise as the value for credentialCreationData.attestationConveyancePreferenceOption during registration.

I appreciate any insight from the community, and it may turn out this is supported by all good webauthn RP and clients by default. I'm not sure.

@abergs
Collaborator

abergs commented Jun 8, 2023

@aseigler might have more intel on this? :)

@abergs abergs added the question Further information is requested label Jun 8, 2023
@aseigler
Collaborator

aseigler commented Jun 8, 2023

I added enterprise as an option in #277. I don't think there is anything defined for an RP to do with it, it's more for the client to tell the user that the registration is going to supply the RP with the make/model/serial number of the authenticator, and that the authenticator supply the serial number in the attestation statement so the RP can ensure the user is registering the device with the serial number that was issued to that user.

I've never actually seen this kind of flow in action with a WebAuthn server, but this is a common scenario with smart card deployments.

@mangoplane
Author

That's awesome. Sounds like it'll just work, and the data will appear in the statement for use by the RP for whatever the application requires.

If I understood how it works, I can essentially trust the serial number & make/model in the statement which would help me limit the number of registrations per authenticator. Since authenticators are expensive, and AFAIK can't simulate one via a standard VM (e.g. Android emulator), it would help reduce the number of bot accounts. In the same way getting everyone to pay a fee per account would mitigate bots, being prohibitively expensive to have millions of bots that way without handing over enormous amounts of money.

Without it, a single authenticator can hypothetically generate an unlimited number of accounts because there's no unique identifier without EA. IIUC.

I look forward to seeing this awesome library progress, and I'm grateful for your contributions. Keep it up 👍.
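The flow aseigler describes (the authenticator supplies a device-unique identifier in the attestation statement, and the RP checks which user or how many users that device is bound to) and the per-authenticator registration cap mangoplane wants both come down to one piece of RP-side logic. The block below is an added illustration written for this thread, not code from fido2-net-lib or from either commenter. It parses the standard WebAuthn authenticator-data layout to pull out the AAGUID and credential ID, and then applies a registry policy keyed on the serial number. The serial is passed in as a string on the assumption that the attestation verifier has already validated the certificate chain and extracted it; where exactly a vendor places the serial in its device-unique attestation certificate is authenticator-specific and not shown here. The RP ID, AAGUID, credential ID and serials are constructed sample values. One caveat the policy encodes: if the client or authenticator does not honour the `enterprise` conveyance preference, the RP receives an ordinary attestation (or `fmt: "none"`) that carries no device-unique identifier, so a missing serial is treated as "cannot identify this device" rather than as a fresh device.

```python
import hashlib
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Bits in the authenticator-data flags byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data is included


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]


def parse_auth_data(auth_data: bytes) -> AuthData:
    """Parse the fixed authenticator-data layout:
    rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE key ...].
    The trailing COSE public key is ignored here; a real verifier must decode it."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    aaguid = credential_id = None
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        aaguid = auth_data[37:53]
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        credential_id = auth_data[55:55 + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("credential id truncated")
    return AuthData(rp_id_hash, flags, sign_count, aaguid, credential_id)


def build_auth_data(rp_id: str, aaguid: bytes, credential_id: bytes,
                    flags: int = FLAG_UP | FLAG_UV | FLAG_AT) -> bytes:
    """Constructed sample input: a minimal authenticator-data blob (no COSE key appended)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", 0)
            + aaguid
            + struct.pack(">H", len(credential_id))
            + credential_id)


class DeviceRegistry:
    """RP-side policy: cap how many accounts one physical authenticator may register."""

    def __init__(self, rp_id: str, max_accounts_per_device: int = 1):
        self.rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        self.max_accounts_per_device = max_accounts_per_device
        self.accounts_by_serial = defaultdict(set)  # serial -> set of user ids

    def register(self, user_id: str, auth_data: bytes, fmt: str,
                 device_serial: Optional[str]) -> str:
        """`fmt` is the attestation statement format; `device_serial` is the serial the
        attestation verifier extracted from the device-unique certificate (assumption: the
        chain was already verified against the vendor root before this is called)."""
        ad = parse_auth_data(auth_data)
        if ad.rp_id_hash != self.rp_id_hash:
            raise ValueError("rpIdHash does not match this RP")
        if not ad.flags & FLAG_AT:
            raise ValueError("registration response carries no attested credential data")
        # "none" or a non-enterprise attestation has no uniquely identifying information:
        # the RP cannot distinguish this authenticator from any other of the same model.
        if fmt == "none" or device_serial is None:
            return "rejected: no enterprise attestation, device cannot be identified"
        owners = self.accounts_by_serial[device_serial]
        if user_id not in owners and len(owners) >= self.max_accounts_per_device:
            return f"rejected: serial {device_serial} already bound to {len(owners)} account(s)"
        owners.add(user_id)
        return "ok"


if __name__ == "__main__":
    reg = DeviceRegistry("example.com")
    sample = build_auth_data("example.com", b"\x11" * 16, b"cred-1")
    print(reg.register("alice", sample, "packed", "SN-0001"))
    print(reg.register("bob", sample, "packed", "SN-0001"))
```

The registry keys on the serial rather than on the AAGUID because the AAGUID identifies a model, not a unit: every authenticator of one make and firmware shares it, so it is useless for a per-device cap. A real deployment would persist `accounts_by_serial` and also decide whether a user re-registering the same device after a credential reset should count against the limit.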

@mangoplane
Author

mangoplane commented Jun 9, 2023

Also I have an issue to raise, around how the current JSON serialiser is semi-broken, insofar as it doesn't work with Swagger client code gen without having to make manual changes to the code-generated client.

For starters, the Enum attribute names that are linted above each enum value aren't respected, so what should be "xyz" is "XYZ" causing a lot of extra frontend work to get it working.

@abergs
Collaborator

abergs commented Jun 9, 2023

@mangoplane Please file that as a different issue here on github so that we can track it.

@abergs
Collaborator

abergs commented Aug 11, 2023

Merged in #410

@abergs abergs closed this as completed Aug 11, 2023