<!doctype html><html lang="en">
 <head>
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  <title>Web Authentication: An API for accessing Public Key Credentials - Level 2</title>
  <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
  <meta content="REC" name="w3c-status">
  <meta content="Bikeshed version 4e8dd937, updated Fri Nov 13 16:49:31 2020 -0800" name="generator">
  <link href="https://www.w3.org/TR/webauthn-2/" rel="canonical">
<style type="text/css">
/* Bikeshed numbers figures by itself (see the style-counters block); these
   rules add an independent "table" counter so that <figure class="table">
   captions are labelled "Table N" rather than consuming a figure number. */
body {
    counter-reset: table;
}
/* For some reason, doing the counter-increment on the figcaption like Bikeshed does with figures does not seem to work here. */
figure.table {
    counter-increment: table;
}
figure.table figcaption {
    /* Higher specificity than the generic `figcaption { counter-increment: figure }`
       rule in style-counters, so a table caption does not also bump the figure counter. */
    counter-increment: none;
}
figure.table figcaption:not(.no-marker)::before {
    content: "Table " counter(table) " ";
}
figure.table .overlarge {
    max-width: 50em;
}

/* Forward reference to the *next* figure: bump the counter in ::before to
   display the upcoming number, then undo the bump in ::after so the figure
   itself still receives that number when the layout reaches it. */
.figure-num-following::before {
    counter-increment: figure;
    content: counter(figure)
}

.figure-num-following::after {
    counter-increment: figure -1;
    content: ""
}

/* Backward reference: just print the current figure number. */
.figure-num-previous::before {
    content: counter(figure);
}

/* The same two patterns for the "table" counter. */
.table-ref-previous::before {
    content: counter(table);
}

.table-ref-following::before {
    counter-increment: table;
    content: counter(table);
}

.table-ref-following::after {
    counter-increment: table -1;
    content: "";
}
</style>
<style>/* style-autolinks */

/* Presentation of Bikeshed autolinks: CSS-flavoured terms (properties,
   descriptors, values, functions, at-rules, selectors) are wrapped in curly
   quotes; the quotes are suppressed inside <pre> and inside grammar
   productions; element and attribute names render in monospace. */

/* Each class is doubled to raise specificity, presumably so these colour and
   font settings win over the generic link styling applied elsewhere. */
.css.css, .property.property, .descriptor.descriptor {
    color: var(--a-normal-text);
    font-size: inherit;
    font-family: inherit;
}
.css::before, .property::before, .descriptor::before {
    content: "‘";
}
.css::after, .property::after, .descriptor::after {
    content: "’";
}
.property, .descriptor {
    /* Don't wrap property and descriptor names */
    white-space: nowrap;
}
.type { /* CSS value <type> */
    font-style: italic;
}
pre .property::before, pre .property::after {
    content: "";
}
/* Same quoting for links whose type is carried in data-link-type rather than a class. */
[data-link-type="property"]::before,
[data-link-type="propdesc"]::before,
[data-link-type="descriptor"]::before,
[data-link-type="value"]::before,
[data-link-type="function"]::before,
[data-link-type="at-rule"]::before,
[data-link-type="selector"]::before,
[data-link-type="maybe"]::before {
    content: "‘";
}
[data-link-type="property"]::after,
[data-link-type="propdesc"]::after,
[data-link-type="descriptor"]::after,
[data-link-type="value"]::after,
[data-link-type="function"]::after,
[data-link-type="at-rule"]::after,
[data-link-type="selector"]::after,
[data-link-type="maybe"]::after {
    content: "’";
}

/* No quotes inside grammar productions (.production / .prod), where the
   term is already set off by the grammar notation. */
[data-link-type].production::before,
[data-link-type].production::after,
.prod [data-link-type]::before,
.prod [data-link-type]::after {
    content: "";
}

/* Element and attribute names: monospace, and element names get literal
   angle brackets generated around them. */
[data-link-type=element],
[data-link-type=element-attr] {
    font-family: Menlo, Consolas, "DejaVu Sans Mono", monospace;
    font-size: .9em;
}
[data-link-type=element]::before { content: "<" }
[data-link-type=element]::after  { content: ">" }

/* Bibliography references such as [RFC1234] must not break across lines. */
[data-link-type=biblio] {
    white-space: pre;
}</style>
<style>/* style-counters */

/* Document-wide counters for issues, examples and figures. Each counter is
   incremented by the corresponding element and rendered as a generated
   label; an element with class "no-marker" still counts but shows no label. */
body {
    counter-reset: example figure issue;
}
.issue {
    counter-increment: issue;
}
.issue:not(.no-marker)::before {
    content: "Issue " counter(issue);
}

.example {
    counter-increment: example;
}
.example:not(.no-marker)::before {
    content: "Example " counter(example);
}
/* NOTE(review): unlike the other labels there is no space before the
   number here, so this renders as e.g. "Invalid Example3". */
.invalid.example:not(.no-marker)::before,
.illegal.example:not(.no-marker)::before {
    content: "Invalid Example" counter(example);
}

/* Figures are counted on their caption, not on the <figure> element;
   figure.table captions override this (see the table-counter block above). */
figcaption {
    counter-increment: figure;
}
figcaption:not(.no-marker)::before {
    content: "Figure " counter(figure) " ";
}</style>
<style>/* style-dfn-panel */

/* Definition panel: a small pop-up listing information about a <dfn>.
   The panel is hidden unless it carries the "on" class and, when "activated",
   is pinned to the bottom-left of the viewport. Which script toggles those
   classes is not part of this stylesheet. */
:root {
    --dfnpanel-bg: #ddd;
    --dfnpanel-text: var(--text);
}
.dfn-panel {
    position: absolute;
    z-index: 35;
    height: auto;
    width: -webkit-fit-content;
    width: fit-content;
    max-width: 300px;
    max-height: 500px;
    overflow: auto;
    padding: 0.5em 0.75em;
    font: small Helvetica Neue, sans-serif, Droid Sans Fallback;
    background: var(--dfnpanel-bg);
    color: var(--dfnpanel-text);
    border: outset 0.2em;
}
/* Hidden until the "on" class is present. */
.dfn-panel:not(.on) { display: none; }
/* Reset inherited spacing so the panel is compact regardless of where it is inserted. */
.dfn-panel * { margin: 0; padding: 0; text-indent: 0; }
.dfn-panel > b { display: block; }
.dfn-panel a { color: var(--dfnpanel-text); }
.dfn-panel a:not(:hover) { text-decoration: none !important; border-bottom: none !important; }
.dfn-panel > b + b { margin-top: 0.25em; }
.dfn-panel ul { padding: 0; }
.dfn-panel li { list-style: inside; }
/* "activated" state: fixed to the viewport instead of positioned next to the term,
   with the width capped so it never overflows narrow screens. */
.dfn-panel.activated {
    display: inline-block;
    position: fixed;
    left: .5em;
    bottom: 2em;
    margin: 0 auto;
    max-width: calc(100vw - 1.5em - .4em - .5em);
    max-height: 30vh;
}

/* Terms that have a panel attached get a pointer cursor as the only visual hint. */
.dfn-paneled { cursor: pointer; }
</style>
<style>/* style-md-lists */

/* This is a weird hack for me not yet following the commonmark spec
   regarding paragraph and lists. */
/* Strip the outer margins of the first and last child of a markdown-rendered
   container ([data-md]) so the container's own spacing governs the layout. */
[data-md] > :first-child {
    margin-top: 0;
}
[data-md] > :last-child {
    margin-bottom: 0;
}</style>
<style>/* style-mdn-anno */

            /* MDN browser-compatibility annotations: a box floated into the right
               margin next to the feature it describes. A "wrapped" box collapses to
               its toggle button only; each .feature row lists per-engine support. */
            @media (max-width: 767px) { .mdn-anno { opacity: .1 } }
            .mdn-anno { font: 1em sans-serif; padding: 0.3em; position: absolute; z-index: 8; right: 0.3em; background: #EEE; color: black; box-shadow: 0 0 3px #999; overflow: hidden; border-collapse: initial; border-spacing: initial; min-width: 9em; max-width: min-content; white-space: nowrap; word-wrap: normal; hyphens: none}
            .mdn-anno:not(.wrapped) { opacity: 1}
            .mdn-anno:hover { z-index: 9 }
            .mdn-anno.wrapped { min-width: 0 }
            /* Collapsed state: everything except the toggle button is hidden. */
            .mdn-anno.wrapped > :not(button) { display: none; }
            /* NOTE(review): `outline: none` removes the keyboard focus ring from this
               button and no :focus-visible replacement is defined here. */
            .mdn-anno > .mdn-anno-btn { cursor: pointer; border: none; color: #000; background: transparent; margin: -8px; float: right; padding: 10px 8px 8px 8px; outline: none; }
            .mdn-anno > .mdn-anno-btn > .less-than-two-engines-flag { color: red; padding-right: 2px; }
            .mdn-anno > .mdn-anno-btn > .all-engines-flag { color: green; padding-right: 2px; }
            .mdn-anno > .mdn-anno-btn > span { color: #fff; background-color: #000; font-weight: normal; font-family: zillaslab, Palatino, "Palatino Linotype", serif; padding: 2px 3px 0px 3px; line-height: 1.3em; vertical-align: top; }
            .mdn-anno > .feature { margin-top: 20px; }
            .mdn-anno > .feature:not(:first-of-type) { border-top: 1px solid #999; margin-top: 6px; padding-top: 2px; }
            .mdn-anno > .feature > .less-than-two-engines-text { color: red }
            .mdn-anno > .feature > .all-engines-text { color: green }
            .mdn-anno > .feature > p { font-size: .75em; margin-top: 6px; margin-bottom: 0; }
            .mdn-anno > .feature > p + p { margin-top: 3px; }
            /* Support list: laid out as a table, one row per browser, with the
               browser logo rendered as the row's ::before cell. */
            .mdn-anno > .feature > .support { display: block; font-size: 0.6em; margin: 0; padding: 0; margin-top: 2px }
            .mdn-anno > .feature > .support + div { padding-top: 0.5em; }
            .mdn-anno > .feature > .support > hr { display: block; border: none; border-top: 1px dotted #999; padding: 3px 0px 0px 0px; margin: 2px 3px 0px 3px; }
            .mdn-anno > .feature > .support > hr::before { content: ""; }
            .mdn-anno > .feature > .support > span { padding: 0.2em 0; display: block; display: table; }
            /* Unsupported browsers are greyed out rather than removed. */
            .mdn-anno > .feature > .support > span.no { color: #CCCCCC; filter: grayscale(100%); }
            .mdn-anno > .feature > .support > span.no::before { opacity: 0.5; }
            .mdn-anno > .feature > .support > span:first-of-type { padding-top: 0.5em; }
            .mdn-anno > .feature > .support > span > span { padding: 0 0.5em; display: table-cell; }
            .mdn-anno > .feature > .support > span > span:first-child { width: 100%; }
            .mdn-anno > .feature > .support > span > span:last-child { width: 100%; white-space: pre; padding: 0; }
            .mdn-anno > .feature > .support > span::before { content: ' '; display: table-cell; min-width: 1.5em; height: 1.5em; background: no-repeat center center; background-size: contain; text-align: right; font-size: 0.75em; font-weight: bold; }
            /* Browser logos are background images fetched from third-party origins
               (resources.whatwg.org, nodejs.org) whenever a support row is rendered,
               so those origins observe a request for each view of an annotated page.
               Self-hosting the logos would remove that cross-origin fetch. */
            .mdn-anno > .feature > .support > .chrome_android::before { background-image: url(https://resources.whatwg.org/browser-logos/chrome.svg); }
            .mdn-anno > .feature > .support > .firefox_android::before { background-image: url(https://resources.whatwg.org/browser-logos/firefox.png); }
            .mdn-anno > .feature > .support > .chrome::before { background-image: url(https://resources.whatwg.org/browser-logos/chrome.svg); }
            .mdn-anno > .feature > .support > .edge_blink::before { background-image: url(https://resources.whatwg.org/browser-logos/edge.svg); }
            .mdn-anno > .feature > .support > .edge::before { background-image: url(https://resources.whatwg.org/browser-logos/edge_legacy.svg); }
            .mdn-anno > .feature > .support > .firefox::before { background-image: url(https://resources.whatwg.org/browser-logos/firefox.png); }
            .mdn-anno > .feature > .support > .ie::before { background-image: url(https://resources.whatwg.org/browser-logos/ie.png); }
            .mdn-anno > .feature > .support > .safari_ios::before { background-image: url(https://resources.whatwg.org/browser-logos/safari-ios.svg); }
            .mdn-anno > .feature > .support > .nodejs::before { background-image: url(https://nodejs.org/static/images/favicons/favicon.ico); }
            .mdn-anno > .feature > .support > .opera_android::before { background-image: url(https://resources.whatwg.org/browser-logos/opera.svg); }
            .mdn-anno > .feature > .support > .opera::before { background-image: url(https://resources.whatwg.org/browser-logos/opera.svg); }
            .mdn-anno > .feature > .support > .safari::before { background-image: url(https://resources.whatwg.org/browser-logos/safari.png); }
            .mdn-anno > .feature > .support > .samsunginternet_android::before { background-image: url(https://resources.whatwg.org/browser-logos/samsung.svg); }
            .mdn-anno > .feature > .support > .webview_android::before { background-image: url(https://resources.whatwg.org/browser-logos/android-webview.png); }
            .name-slug-mismatch { color: red }
            .caniuse-status:hover { z-index: 9; }

            /* dt, li, .issue, .note, and .example are "position: relative", so to put annotation at right margin, must move to right of containing block */
            .h-entry:not(.status-LS) dt > .mdn-anno, .h-entry:not(.status-LS) li > .mdn-anno, .h-entry:not(.status-LS) .issue > .mdn-anno, .h-entry:not(.status-LS) .note > .mdn-anno, .h-entry:not(.status-LS) .example > .mdn-anno { right: -6.7em; }
            .h-entry p + .mdn-anno { margin-top: 0; }
            /* Annotations placed after a heading are pulled up to sit beside it;
               the offset shrinks with the heading level. */
            h2 + .mdn-anno.after { margin: -48px 0 0 0; }
            h3 + .mdn-anno.after { margin: -46px 0 0 0; }
            h4 + .mdn-anno.after { margin: -42px 0 0 0; }
            h5 + .mdn-anno.after { margin: -40px 0 0 0; }
            h6 + .mdn-anno.after { margin: -40px 0 0 0; }
            </style>
<style>/* style-selflinks */

/* Self-links: per-heading / per-paragraph / per-definition anchors placed in
   the left gutter. Glyph by context: "¶" for items, "§" for headings, "#" for
   definitions (the last is shown only while the <dfn> is hovered). */
:root {
    --selflink-text: white;
    --selflink-bg: gray;
    --selflink-hover-text: black;
}
/* Containers become positioning contexts for the absolutely positioned link. */
.heading, .issue, .note, .example, li, dt {
    position: relative;
}
a.self-link {
    position: absolute;
    top: 0;
    left: calc(-1 * (3.5rem - 26px));
    width: calc(3.5rem - 26px);
    height: 2em;
    text-align: center;
    border: none;
    transition: opacity .2s;
    opacity: .5;
}
a.self-link:hover {
    opacity: 1;
}
.heading > a.self-link {
    font-size: 83%;
}
/* List items are indented by their marker, so push the link further left. */
li > a.self-link {
    left: calc(-1 * (3.5rem - 26px) - 2em);
}
/* Definition links sit inline with the term and are invisible by default. */
dfn > a.self-link {
    top: auto;
    left: auto;
    opacity: 0;
    width: 1.5em;
    height: 1.5em;
    background: var(--selflink-bg);
    color: var(--selflink-text);
    font-style: normal;
    transition: opacity .2s, background-color .2s, color .2s;
}
/* NOTE(review): only :hover reveals the dfn link; a keyboard user who tabs to
   it still sees opacity 0 because no :focus / :focus-visible rule is defined. */
dfn:hover > a.self-link {
    opacity: 1;
}
dfn > a.self-link:hover {
    color: var(--selflink-hover-text);
}

a.self-link::before            { content: "¶"; }
.heading > a.self-link::before { content: "§"; }
dfn > a.self-link::before      { content: "#"; }
</style>
<style>/* style-syntax-highlighting */

            /* Syntax highlighting for code blocks. IDL blocks reuse the bordered-block
               background; other highlighted blocks get a faint grey. */
            pre.idl.highlight {
                background: var(--borderedblock-bg, var(--def-bg));
            }
            
code.highlight { padding: .1em; border-radius: .3em; }
pre.highlight, pre > code.highlight { display: block; padding: 1em; margin: .5em 0; overflow: auto; border-radius: 0; }

.highlight:not(.idl) { background: rgba(0, 0, 0, .03); }
/* Token colours. Each selector matches a custom `c-` element carrying a short
   attribute that names the token class (the trailing comment on each line gives
   the corresponding highlighter token name). */
c-[a] { color: #990055 } /* Keyword.Declaration */
c-[b] { color: #990055 } /* Keyword.Type */
c-[c] { color: #708090 } /* Comment */
c-[d] { color: #708090 } /* Comment.Multiline */
c-[e] { color: #0077aa } /* Name.Attribute */
c-[f] { color: #669900 } /* Name.Tag */
c-[g] { color: #222222 } /* Name.Variable */
c-[k] { color: #990055 } /* Keyword */
c-[l] { color: #000000 } /* Literal */
c-[m] { color: #000000 } /* Literal.Number */
c-[n] { color: #0077aa } /* Name */
c-[o] { color: #999999 } /* Operator */
c-[p] { color: #999999 } /* Punctuation */
c-[s] { color: #a67f59 } /* Literal.String */
c-[t] { color: #a67f59 } /* Literal.String.Single */
c-[u] { color: #a67f59 } /* Literal.String.Double */
c-[cp] { color: #708090 } /* Comment.Preproc */
c-[c1] { color: #708090 } /* Comment.Single */
c-[cs] { color: #708090 } /* Comment.Special */
c-[kc] { color: #990055 } /* Keyword.Constant */
c-[kn] { color: #990055 } /* Keyword.Namespace */
c-[kp] { color: #990055 } /* Keyword.Pseudo */
c-[kr] { color: #990055 } /* Keyword.Reserved */
c-[ld] { color: #000000 } /* Literal.Date */
c-[nc] { color: #0077aa } /* Name.Class */
c-[no] { color: #0077aa } /* Name.Constant */
c-[nd] { color: #0077aa } /* Name.Decorator */
c-[ni] { color: #0077aa } /* Name.Entity */
c-[ne] { color: #0077aa } /* Name.Exception */
c-[nf] { color: #0077aa } /* Name.Function */
c-[nl] { color: #0077aa } /* Name.Label */
c-[nn] { color: #0077aa } /* Name.Namespace */
c-[py] { color: #0077aa } /* Name.Property */
c-[ow] { color: #999999 } /* Operator.Word */
c-[mb] { color: #000000 } /* Literal.Number.Bin */
c-[mf] { color: #000000 } /* Literal.Number.Float */
c-[mh] { color: #000000 } /* Literal.Number.Hex */
c-[mi] { color: #000000 } /* Literal.Number.Integer */
c-[mo] { color: #000000 } /* Literal.Number.Oct */
c-[sb] { color: #a67f59 } /* Literal.String.Backtick */
c-[sc] { color: #a67f59 } /* Literal.String.Char */
c-[sd] { color: #a67f59 } /* Literal.String.Doc */
c-[se] { color: #a67f59 } /* Literal.String.Escape */
c-[sh] { color: #a67f59 } /* Literal.String.Heredoc */
c-[si] { color: #a67f59 } /* Literal.String.Interpol */
c-[sx] { color: #a67f59 } /* Literal.String.Other */
c-[sr] { color: #a67f59 } /* Literal.String.Regex */
c-[ss] { color: #a67f59 } /* Literal.String.Symbol */
c-[vc] { color: #0077aa } /* Name.Variable.Class */
c-[vg] { color: #0077aa } /* Name.Variable.Global */
c-[vi] { color: #0077aa } /* Name.Variable.Instance */
c-[il] { color: #000000 } /* Literal.Number.Integer.Long */
</style>
  <link href="https://www.w3.org/StyleSheets/TR/2016/W3C-REC" rel="stylesheet" type="text/css">
 <body class="h-entry">
  <div class="head">
   <header>
    <p data-fill-with="logo"><a href="https://www.w3.org/"><img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"></a> </p>
    <h1>Web Authentication:<br>An API for accessing Public Key Credentials<br>Level 2</h1>
    <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">W3C Recommendation, <time class="dt-updated" datetime="2021-04-08">8 April 2021</time></span></h2>
   </header>
   <div data-fill-with="spec-metadata">
    <dl>
     <dt>This version:
     <dd><a class="u-url" href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/">https://www.w3.org/TR/2021/REC-webauthn-2-20210408/</a>
     <dt>Latest published version:
     <dd><a href="https://www.w3.org/TR/webauthn-2/">https://www.w3.org/TR/webauthn-2/</a>
     <dt>Editor's Draft:
     <dd><a href="https://w3c.github.io/webauthn/">https://w3c.github.io/webauthn/</a>
     <dt>Previous Versions:
     <dd><a href="https://www.w3.org/TR/2021/PR-webauthn-2-20210225/" rel="prev">https://www.w3.org/TR/2021/PR-webauthn-2-20210225/</a>
     <dd><a href="https://www.w3.org/TR/2020/CR-webauthn-2-20201222/" rel="prev">https://www.w3.org/TR/2020/CR-webauthn-2-20201222/</a>
     <dd><a href="https://www.w3.org/TR/2020/WD-webauthn-2-20201216/" rel="prev">https://www.w3.org/TR/2020/WD-webauthn-2-20201216/</a>
     <dd><a href="https://www.w3.org/TR/2020/WD-webauthn-2-20201116/" rel="prev">https://www.w3.org/TR/2020/WD-webauthn-2-20201116/</a>
     <dd><a href="https://www.w3.org/TR/2020/WD-webauthn-2-20200730/" rel="prev">https://www.w3.org/TR/2020/WD-webauthn-2-20200730/</a>
     <dd><a href="https://www.w3.org/TR/2019/WD-webauthn-2-20191126/" rel="prev">https://www.w3.org/TR/2019/WD-webauthn-2-20191126/</a>
     <dd><a href="https://www.w3.org/TR/2019/WD-webauthn-2-20190604/" rel="prev">https://www.w3.org/TR/2019/WD-webauthn-2-20190604/</a>
     <dd><a href="https://www.w3.org/TR/2019/REC-webauthn-1-20190304/" rel="prev">https://www.w3.org/TR/2019/REC-webauthn-1-20190304/</a>
     <dt>Implementation Report:
     <dd><a href="https://www.w3.org/2020/12/webauthn-report.html">https://www.w3.org/2020/12/webauthn-report.html</a>
     <dt>Issue Tracking:
     <dd><a href="https://github.com/w3c/webauthn/issues">GitHub</a>
     <dt class="editor">Editors:
     <dd class="editor p-author h-card vcard" data-editor-id="43843"><a class="p-name fn u-email email" href="mailto:jdhodges@google.com">Jeff Hodges</a> (<span class="p-org org">Google</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="87240"><a class="p-name fn u-email email" href="mailto:jc@mozilla.com">J.C. Jones</a> (<span class="p-org org">Mozilla</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="38745"><a class="p-name fn u-email email" href="mailto:mbj@microsoft.com">Michael B. Jones</a> (<span class="p-org org">Microsoft</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="99318"><a class="p-name fn u-email email" href="mailto:akshayku@microsoft.com">Akshay Kumar</a> (<span class="p-org org">Microsoft</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="102508"><a class="p-name fn u-email email" href="mailto:emil@yubico.com">Emil Lundberg</a> (<span class="p-org org">Yubico</span>)
     <dt class="editor">Former Editors:
     <dd class="editor p-author h-card vcard" data-editor-id="47648"><a class="p-name fn u-email email" href="mailto:balfanz@google.com">Dirk Balfanz</a> (<span class="p-org org">Google</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="55440"><a class="p-name fn u-email email" href="mailto:vijay.bharadwaj@microsoft.com">Vijay Bharadwaj</a> (<span class="p-org org">Microsoft</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="87332"><a class="p-name fn u-email email" href="mailto:arnarb@google.com">Arnar Birgisson</a> (<span class="p-org org">Google</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="87258"><a class="p-name fn u-email email" href="mailto:aczeskis@google.com">Alexei Czeskis</a> (<span class="p-org org">Google</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="84817"><a class="p-name fn u-email email" href="mailto:hlevangong@paypal.com">Hubert Le Van Gong</a> (<span class="p-org org">PayPal</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="94342"><a class="p-name fn u-email email" href="mailto:huliao@microsoft.com">Angelo Liao</a> (<span class="p-org org">Microsoft</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="84447"><a class="p-name fn u-email email" href="mailto:rolf@noknok.com">Rolf Lindemann</a> (<span class="p-org org">Nok Nok Labs</span>)
     <dt>Contributors:
     <dd><a href="mailto:WebAuthn@ve7jtb.com">John Bradley</a> (Yubico)
     <dd><a href="mailto:cbrand@google.com">Christiaan Brand</a> (Google)
     <dd><a href="mailto:agl@google.com">Adam Langley</a> (Google)
     <dd><a href="mailto:mandyam@qti.qualcomm.com">Giridhar Mandyam</a> (Qualcomm)
     <dd><a href="mailto:nsatragno@google.com">Nina Satragno</a> (Google)
     <dd><a href="mailto:nick.steele@gemini.com">Nick Steele</a> (Gemini)
     <dd><a href="mailto:jiewen_tan@apple.com">Jiewen Tan</a> (Apple)
     <dd><a href="mailto:sweeden@au1.ibm.com">Shane Weeden</a> (IBM)
     <dd><a href="mailto:mkwst@google.com">Mike West</a> (Google)
     <dd><a href="mailto:jyasskin@google.com">Jeffrey Yasskin</a> (Google)
     <dt>Tests:
     <dd><a href="https://github.com/web-platform-tests/wpt/tree/master/webauthn">web-platform-tests webauthn/</a> (<a href="https://github.com/web-platform-tests/wpt/labels/webauthn">ongoing work</a>)
    </dl>
    <p>Please check the <a href="https://www.w3.org/2021/04/webauthn-2-errata.html"><strong>errata</strong></a> for any errors or issues reported since publication.</p>
   </div>
   <p class="copyright" data-fill-with="copyright"><a href="https://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2021 <a href="https://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup> (<a href="https://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="https://www.ercim.eu/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="https://www.keio.ac.jp/">Keio</a>, <a href="https://ev.buaa.edu.cn/">Beihang</a>). W3C <a href="https://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="https://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="https://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply. </p>
   <hr title="Separator for header">
  </div>
  <div class="p-summary" data-fill-with="abstract">
   <h2 class="no-num no-toc no-ref heading settled" id="abstract"><span class="content">Abstract</span></h2>
   <p>This specification defines an API enabling the creation and use of strong, attested, <a data-link-type="dfn" href="#scope" id="ref-for-scope">scoped</a>, public key-based

 credentials by <a data-link-type="dfn" href="#web-application" id="ref-for-web-application">web applications</a>, for the purpose of strongly authenticating users. Conceptually, one or more <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential">public key
 credentials</a>, each <a data-link-type="dfn" href="#scope" id="ref-for-scope①">scoped</a> to a given <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party">WebAuthn Relying Party</a>, are created by and <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential">bound</a> to <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator">authenticators</a> as requested by the web application. The user agent mediates access to <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①">authenticators</a> and their <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential①">public
 key credentials</a> in order to preserve user
 privacy. <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②">Authenticators</a> are responsible for ensuring that no operation is performed without <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent">user consent</a>. <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③">Authenticators</a> provide cryptographic proof of their properties to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party">Relying Parties</a> via <a data-link-type="dfn" href="#attestation" id="ref-for-attestation">attestation</a>. This
 specification also describes the functional model for WebAuthn conformant <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator④">authenticators</a>, including their signature and <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①">attestation</a> functionality.</p>
  </div>
  <h2 class="no-num no-toc no-ref heading settled" id="status"><span class="content">Status of this document</span></h2>
  <div data-fill-with="status">
  
  <p>
    <em>This section describes the status of this document at the time of its publication. Other
    documents may supersede this document. A list of current
    <abbr title="World Wide Web Consortium">W3C</abbr> publications and the latest revision of this
    technical report can be found in the
    <a href="https://www.w3.org/TR/"><abbr title="World Wide Web Consortium">W3C</abbr> technical
    reports index</a> at https://www.w3.org/TR/.</em>
  </p>

 <p>
    This document was published by the <a href="https://www.w3.org/webauthn/">Web Authentication Working Group</a>
    as a Recommendation.</p>
   <p>Feedback and comments on this specification are welcome. Please use
    <a href="https://github.com/w3c/webauthn/issues">GitHub issues</a>.
    Discussions may also be found in the
    <a href="https://lists.w3.org/Archives/Public/public-webauthn/">public-webauthn@w3.org archives</a>.
  </p> 
  <p>A W3C Recommendation is a specification that, after extensive consensus-building, has received the endorsement of the W3C and its Members. W3C recommends the wide deployment of this specification as a standard for the Web.</p>
  <p>
      This document has been reviewed by <abbr title="World Wide Web Consortium">W3C</abbr> Members, by
      software developers, and by other <abbr title="World Wide Web Consortium">W3C</abbr> groups and
      interested parties, and is endorsed by the Director as a
      <abbr title="World Wide Web Consortium">W3C</abbr> Recommendation. It is a stable document and may be
      used as reference material or cited from another
      document. <abbr title="World Wide Web Consortium">W3C</abbr>'s role in making the Recommendation is to
      draw attention to the specification and to promote its
      widespread deployment. This enhances the functionality
      and interoperability of the Web.
    </p>
  <p>
    This document was produced by a group operating under the
    <a href="https://www.w3.org/Consortium/Patent-Policy-20170801/"> 1 August 2017
    <abbr title="World Wide Web Consortium">W3C</abbr> Patent Policy</a>.
    <abbr title="World Wide Web Consortium">W3C</abbr> maintains a
    <a href="https://www.w3.org/2004/01/pp-impl/87227/status" rel="disclosure">public list of any
    patent disclosures</a> made in connection with the deliverables of the group; that page also
    includes instructions for disclosing a patent. An individual who has actual knowledge of a
    patent which the individual believes contains
    <a href="https://www.w3.org/Consortium/Patent-Policy-20170801/#def-essential">Essential
    Claim(s)</a> must disclose the information in accordance with
    <a href="https://www.w3.org/Consortium/Patent-Policy-20170801/#sec-Disclosure">section 6 of the
    <abbr title="World Wide Web Consortium">W3C</abbr> Patent Policy</a>.
  </p>
  <p>This document is governed by the <a id="w3c_process_revision" href="https://www.w3.org/2020/Process-20200915/">15 September 2020 <abbr title="World Wide Web Consortium">W3C</abbr> Process Document</a>.</p>

 
  </div>
  <div data-fill-with="at-risk"></div>
  <nav data-fill-with="table-of-contents" id="toc">
   <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
   <ol class="toc" role="directory">
    <li>
     <a href="#sctn-intro"><span class="secno">1</span> <span class="content">Introduction</span></a>
     <ol class="toc">
      <li><a href="#sctn-spec-roadmap"><span class="secno">1.1</span> <span class="content">Specification Roadmap</span></a>
      <li>
       <a href="#sctn-use-cases"><span class="secno">1.2</span> <span class="content">Use Cases</span></a>
       <ol class="toc">
        <li><a href="#sctn-usecase-registration"><span class="secno">1.2.1</span> <span class="content">Registration</span></a>
        <li><a href="#sctn-usecase-authentication"><span class="secno">1.2.2</span> <span class="content">Authentication</span></a>
        <li><a href="#sctn-usecase-new-device-registration"><span class="secno">1.2.3</span> <span class="content">New Device Registration</span></a>
        <li><a href="#sctn-other-configurations"><span class="secno">1.2.4</span> <span class="content">Other Use Cases and Configurations</span></a>
       </ol>
      <li>
       <a href="#sctn-sample-scenarios"><span class="secno">1.3</span> <span class="content">Sample API Usage Scenarios</span></a>
       <ol class="toc">
        <li><a href="#sctn-sample-registration"><span class="secno">1.3.1</span> <span class="content">Registration</span></a>
        <li><a href="#sctn-sample-registration-with-platform-authenticator"><span class="secno">1.3.2</span> <span class="content">Registration Specifically with User-Verifying Platform Authenticator</span></a>
        <li><a href="#sctn-sample-authentication"><span class="secno">1.3.3</span> <span class="content">Authentication</span></a>
        <li><a href="#sctn-sample-aborting"><span class="secno">1.3.4</span> <span class="content">Aborting Authentication Operations</span></a>
        <li><a href="#sctn-sample-decommissioning"><span class="secno">1.3.5</span> <span class="content">Decommissioning</span></a>
       </ol>
      <li><a href="#sctn-platform-impl-guidance"><span class="secno">1.4</span> <span class="content">Platform-Specific Implementation Guidance</span></a>
     </ol>
    <li>
     <a href="#sctn-conformance"><span class="secno">2</span> <span class="content">Conformance</span></a>
     <ol class="toc">
      <li>
       <a href="#sctn-conforming-user-agents"><span class="secno">2.1</span> <span class="content">User Agents</span></a>
       <ol class="toc">
        <li><a href="#sct-domstring-backwards-compatibility"><span class="secno">2.1.1</span> <span class="content">Enumerations as DOMString types</span></a>
       </ol>
      <li>
       <a href="#sctn-conforming-authenticators"><span class="secno">2.2</span> <span class="content">Authenticators</span></a>
       <ol class="toc">
        <li><a href="#sctn-conforming-authenticators-u2f"><span class="secno">2.2.1</span> <span class="content">Backwards Compatibility with FIDO U2F</span></a>
       </ol>
      <li><a href="#sctn-conforming-relying-parties"><span class="secno">2.3</span> <span class="content">WebAuthn Relying Parties</span></a>
      <li><a href="#sctn-conforming-all-classes"><span class="secno">2.4</span> <span class="content">All Conformance Classes</span></a>
     </ol>
    <li><a href="#sctn-dependencies"><span class="secno">3</span> <span class="content">Dependencies</span></a>
    <li><a href="#sctn-terminology"><span class="secno">4</span> <span class="content">Terminology</span></a>
    <li>
     <a href="#sctn-api"><span class="secno">5</span> <span class="content"><span>Web Authentication API</span></span></a>
     <ol class="toc">
      <li>
       <a href="#iface-pkcredential"><span class="secno">5.1</span> <span class="content"><span><code>PublicKeyCredential</code></span> Interface</span></a>
       <ol class="toc">
        <li><a href="#sctn-credentialcreationoptions-extension"><span class="secno">5.1.1</span> <span class="content"><code>CredentialCreationOptions</code> Dictionary Extension</span></a>
        <li><a href="#sctn-credentialrequestoptions-extension"><span class="secno">5.1.2</span> <span class="content"><code>CredentialRequestOptions</code> Dictionary Extension</span></a>
        <li><a href="#sctn-createCredential"><span class="secno">5.1.3</span> <span class="content">Create a New Credential - PublicKeyCredential’s <code>[[Create]](origin, options, sameOriginWithAncestors)</code> Method</span></a>
        <li>
         <a href="#sctn-getAssertion"><span class="secno">5.1.4</span> <span class="content">Use an Existing Credential to Make an Assertion - PublicKeyCredential’s <code>[[Get]](options)</code> Method</span></a>
         <ol class="toc">
          <li><a href="#sctn-discover-from-external-source"><span class="secno">5.1.4.1</span> <span class="content">PublicKeyCredential’s <code><span><code>[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</code></span></code> Method</span></a>
         </ol>
        <li><a href="#sctn-storeCredential"><span class="secno">5.1.5</span> <span class="content">Store an Existing Credential - PublicKeyCredential’s <code>[[Store]](credential, sameOriginWithAncestors)</code> Method</span></a>
        <li><a href="#sctn-preventSilentAccessCredential"><span class="secno">5.1.6</span> <span class="content">Preventing Silent Access to an Existing Credential - PublicKeyCredential’s <code>[[preventSilentAccess]](credential, sameOriginWithAncestors)</code> Method</span></a>
        <li><a href="#sctn-isUserVerifyingPlatformAuthenticatorAvailable"><span class="secno">5.1.7</span> <span class="content">Availability of <span>User-Verifying Platform Authenticator</span> - PublicKeyCredential’s <code>isUserVerifyingPlatformAuthenticatorAvailable()</code> Method</span></a>
       </ol>
      <li>
       <a href="#iface-authenticatorresponse"><span class="secno">5.2</span> <span class="content">Authenticator Responses (interface <span><code>AuthenticatorResponse</code></span>)</span></a>
       <ol class="toc">
        <li>
         <a href="#iface-authenticatorattestationresponse"><span class="secno">5.2.1</span> <span class="content">Information About Public Key Credential (interface <span><code>AuthenticatorAttestationResponse</code></span>)</span></a>
         <ol class="toc">
          <li><a href="#sctn-public-key-easy"><span class="secno">5.2.1.1</span> <span class="content">Easily accessing credential data</span></a>
         </ol>
        <li><a href="#iface-authenticatorassertionresponse"><span class="secno">5.2.2</span> <span class="content">Web Authentication Assertion (interface <span><code>AuthenticatorAssertionResponse</code></span>)</span></a>
       </ol>
      <li><a href="#dictionary-credential-params"><span class="secno">5.3</span> <span class="content">Parameters for Credential Generation (dictionary <span><code>PublicKeyCredentialParameters</code></span>)</span></a>
      <li>
       <a href="#dictionary-makecredentialoptions"><span class="secno">5.4</span> <span class="content">Options for Credential Creation (dictionary <span><code>PublicKeyCredentialCreationOptions</code></span>)</span></a>
       <ol class="toc">
        <li><a href="#dictionary-pkcredentialentity"><span class="secno">5.4.1</span> <span class="content">Public Key Entity Description (dictionary <span><code>PublicKeyCredentialEntity</code></span>)</span></a>
        <li><a href="#dictionary-rp-credential-params"><span class="secno">5.4.2</span> <span class="content">Relying Party Parameters for Credential Generation (dictionary <span><code>PublicKeyCredentialRpEntity</code></span>)</span></a>
        <li><a href="#dictionary-user-credential-params"><span class="secno">5.4.3</span> <span class="content">User Account Parameters for Credential Generation (dictionary <span><code>PublicKeyCredentialUserEntity</code></span>)</span></a>
        <li><a href="#dictionary-authenticatorSelection"><span class="secno">5.4.4</span> <span class="content">Authenticator Selection Criteria (dictionary <span><code>AuthenticatorSelectionCriteria</code></span>)</span></a>
        <li><a href="#enum-attachment"><span class="secno">5.4.5</span> <span class="content">Authenticator Attachment Enumeration (enum <span><code>AuthenticatorAttachment</code></span>)</span></a>
        <li><a href="#enum-residentKeyRequirement"><span class="secno">5.4.6</span> <span class="content">Resident Key Requirement Enumeration (enum <span><code>ResidentKeyRequirement</code></span>)</span></a>
        <li><a href="#enum-attestation-convey"><span class="secno">5.4.7</span> <span class="content"><span>Attestation Conveyance</span> Preference Enumeration (enum <span><code>AttestationConveyancePreference</code></span>)</span></a>
       </ol>
      <li><a href="#dictionary-assertion-options"><span class="secno">5.5</span> <span class="content">Options for Assertion Generation (dictionary <span><code>PublicKeyCredentialRequestOptions</code></span>)</span></a>
      <li><a href="#sctn-abortoperation"><span class="secno">5.6</span> <span class="content">Abort Operations with <code>AbortSignal</code></span></a>
      <li>
       <a href="#sctn-extensions-inputs-outputs"><span class="secno">5.7</span> <span class="content">WebAuthn Extensions Inputs and Outputs</span></a>
       <ol class="toc">
        <li><a href="#iface-authentication-extensions-client-inputs"><span class="secno">5.7.1</span> <span class="content">Authentication Extensions Client Inputs (dictionary <code class="idl"><span>AuthenticationExtensionsClientInputs</span></code>)</span></a>
        <li><a href="#iface-authentication-extensions-client-outputs"><span class="secno">5.7.2</span> <span class="content">Authentication Extensions Client Outputs (dictionary <code class="idl"><span>AuthenticationExtensionsClientOutputs</span></code>)</span></a>
        <li><a href="#iface-authentication-extensions-authenticator-inputs"><span class="secno">5.7.3</span> <span class="content">Authentication Extensions Authenticator Inputs (CDDL type <code>AuthenticationExtensionsAuthenticatorInputs</code>)</span></a>
        <li><a href="#iface-authentication-extensions-authenticator-outputs"><span class="secno">5.7.4</span> <span class="content">Authentication Extensions Authenticator Outputs (CDDL type <code>AuthenticationExtensionsAuthenticatorOutputs</code>)</span></a>
       </ol>
      <li>
       <a href="#sctn-supporting-data-structures"><span class="secno">5.8</span> <span class="content">Supporting Data Structures</span></a>
       <ol class="toc">
        <li>
         <a href="#dictionary-client-data"><span class="secno">5.8.1</span> <span class="content">Client Data Used in <span>WebAuthn Signatures</span> (dictionary <span><code>CollectedClientData</code></span>)</span></a>
         <ol class="toc">
          <li><a href="#clientdatajson-serialization"><span class="secno">5.8.1.1</span> <span class="content">Serialization</span></a>
          <li><a href="#clientdatajson-verification"><span class="secno">5.8.1.2</span> <span class="content">Limited Verification Algorithm</span></a>
          <li><a href="#clientdatajson-development"><span class="secno">5.8.1.3</span> <span class="content">Future development</span></a>
         </ol>
        <li><a href="#enum-credentialType"><span class="secno">5.8.2</span> <span class="content">Credential Type Enumeration (enum <span><code>PublicKeyCredentialType</code></span>)</span></a>
        <li><a href="#dictionary-credential-descriptor"><span class="secno">5.8.3</span> <span class="content">Credential Descriptor (dictionary <span><code>PublicKeyCredentialDescriptor</code></span>)</span></a>
        <li><a href="#enum-transport"><span class="secno">5.8.4</span> <span class="content">Authenticator Transport Enumeration (enum <span><code>AuthenticatorTransport</code></span>)</span></a>
        <li><a href="#sctn-alg-identifier"><span class="secno">5.8.5</span> <span class="content">Cryptographic Algorithm Identifier (typedef <code class="idl"><span>COSEAlgorithmIdentifier</span></code>)</span></a>
        <li><a href="#enum-userVerificationRequirement"><span class="secno">5.8.6</span> <span class="content">User Verification Requirement Enumeration (enum <span><code>UserVerificationRequirement</code></span>)</span></a>
       </ol>
      <li><a href="#sctn-permissions-policy"><span class="secno">5.9</span> <span class="content">Permissions Policy integration</span></a>
      <li><a href="#sctn-iframe-guidance"><span class="secno">5.10</span> <span class="content">Using Web Authentication within <code>iframe</code> elements</span></a>
     </ol>
    <li>
     <a href="#sctn-authenticator-model"><span class="secno">6</span> <span class="content">WebAuthn <span>Authenticator Model</span></span></a>
     <ol class="toc">
      <li>
       <a href="#sctn-authenticator-data"><span class="secno">6.1</span> <span class="content">Authenticator Data</span></a>
       <ol class="toc">
        <li><a href="#sctn-sign-counter"><span class="secno">6.1.1</span> <span class="content"><span>Signature Counter</span> Considerations</span></a>
        <li><a href="#sctn-fido-u2f-sig-format-compat"><span class="secno">6.1.2</span> <span class="content">FIDO U2F Signature Format Compatibility</span></a>
       </ol>
      <li>
       <a href="#sctn-authenticator-taxonomy"><span class="secno">6.2</span> <span class="content">Authenticator Taxonomy</span></a>
       <ol class="toc">
        <li><a href="#sctn-authenticator-attachment-modality"><span class="secno">6.2.1</span> <span class="content"><span>Authenticator Attachment Modality</span></span></a>
        <li><a href="#sctn-credential-storage-modality"><span class="secno">6.2.2</span> <span class="content">Credential Storage Modality</span></a>
        <li><a href="#sctn-authentication-factor-capability"><span class="secno">6.2.3</span> <span class="content"><span>Authentication Factor Capability</span></span></a>
       </ol>
      <li>
       <a href="#sctn-authenticator-ops"><span class="secno">6.3</span> <span class="content"><span>Authenticator Operations</span></span></a>
       <ol class="toc">
        <li><a href="#sctn-op-lookup-credsource-by-credid"><span class="secno">6.3.1</span> <span class="content">Lookup Credential Source by Credential ID Algorithm</span></a>
        <li><a href="#sctn-op-make-cred"><span class="secno">6.3.2</span> <span class="content">The <span>authenticatorMakeCredential</span> Operation</span></a>
        <li><a href="#sctn-op-get-assertion"><span class="secno">6.3.3</span> <span class="content">The <span>authenticatorGetAssertion</span> Operation</span></a>
        <li><a href="#sctn-op-cancel"><span class="secno">6.3.4</span> <span class="content">The <span>authenticatorCancel</span> Operation</span></a>
       </ol>
      <li>
       <a href="#sctn-strings"><span class="secno">6.4</span> <span class="content">String Handling</span></a>
       <ol class="toc">
        <li><a href="#sctn-strings-truncation"><span class="secno">6.4.1</span> <span class="content">String Truncation</span></a>
        <li><a href="#sctn-strings-langdir"><span class="secno">6.4.2</span> <span class="content">Language and Direction Encoding</span></a>
       </ol>
      <li>
       <a href="#sctn-attestation"><span class="secno">6.5</span> <span class="content">Attestation</span></a>
       <ol class="toc">
        <li>
         <a href="#sctn-attested-credential-data"><span class="secno">6.5.1</span> <span class="content">Attested Credential Data</span></a>
         <ol class="toc">
          <li><a href="#sctn-encoded-credPubKey-examples"><span class="secno">6.5.1.1</span> <span class="content">Examples of <code>credentialPublicKey</code> Values Encoded in COSE_Key Format</span></a>
         </ol>
        <li><a href="#sctn-attestation-formats"><span class="secno">6.5.2</span> <span class="content">Attestation Statement Formats</span></a>
        <li><a href="#sctn-attestation-types"><span class="secno">6.5.3</span> <span class="content">Attestation Types</span></a>
        <li><a href="#sctn-generating-an-attestation-object"><span class="secno">6.5.4</span> <span class="content">Generating an Attestation Object</span></a>
        <li><a href="#sctn-signature-attestation-types"><span class="secno">6.5.5</span> <span class="content">Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures</span></a>
       </ol>
     </ol>
    <li>
     <a href="#sctn-rp-operations"><span class="secno">7</span> <span class="content"><span>WebAuthn Relying Party</span> Operations</span></a>
     <ol class="toc">
      <li><a href="#sctn-registering-a-new-credential"><span class="secno">7.1</span> <span class="content">Registering a New Credential</span></a>
      <li><a href="#sctn-verifying-assertion"><span class="secno">7.2</span> <span class="content">Verifying an Authentication Assertion</span></a>
     </ol>
    <li>
     <a href="#sctn-defined-attestation-formats"><span class="secno">8</span> <span class="content">Defined Attestation Statement Formats</span></a>
     <ol class="toc">
      <li><a href="#sctn-attstn-fmt-ids"><span class="secno">8.1</span> <span class="content">Attestation Statement Format Identifiers</span></a>
      <li>
       <a href="#sctn-packed-attestation"><span class="secno">8.2</span> <span class="content">Packed Attestation Statement Format</span></a>
       <ol class="toc">
        <li><a href="#sctn-packed-attestation-cert-requirements"><span class="secno">8.2.1</span> <span class="content">Packed Attestation Statement Certificate Requirements</span></a>
       </ol>
      <li>
       <a href="#sctn-tpm-attestation"><span class="secno">8.3</span> <span class="content">TPM Attestation Statement Format</span></a>
       <ol class="toc">
        <li><a href="#sctn-tpm-cert-requirements"><span class="secno">8.3.1</span> <span class="content">TPM Attestation Statement Certificate Requirements</span></a>
       </ol>
      <li>
       <a href="#sctn-android-key-attestation"><span class="secno">8.4</span> <span class="content">Android Key Attestation Statement Format</span></a>
       <ol class="toc">
        <li><a href="#sctn-key-attstn-cert-requirements"><span class="secno">8.4.1</span> <span class="content">Android Key Attestation Statement Certificate Requirements</span></a>
       </ol>
      <li><a href="#sctn-android-safetynet-attestation"><span class="secno">8.5</span> <span class="content">Android SafetyNet Attestation Statement Format</span></a>
      <li><a href="#sctn-fido-u2f-attestation"><span class="secno">8.6</span> <span class="content">FIDO U2F Attestation Statement Format</span></a>
      <li><a href="#sctn-none-attestation"><span class="secno">8.7</span> <span class="content">None Attestation Statement Format</span></a>
      <li><a href="#sctn-apple-anonymous-attestation"><span class="secno">8.8</span> <span class="content">Apple Anonymous Attestation Statement Format</span></a>
     </ol>
    <li>
     <a href="#sctn-extensions"><span class="secno">9</span> <span class="content"><span>WebAuthn Extensions</span></span></a>
     <ol class="toc">
      <li><a href="#sctn-extension-id"><span class="secno">9.1</span> <span class="content">Extension Identifiers</span></a>
      <li><a href="#sctn-extension-specification"><span class="secno">9.2</span> <span class="content">Defining Extensions</span></a>
      <li><a href="#sctn-extension-request-parameters"><span class="secno">9.3</span> <span class="content">Extending Request Parameters</span></a>
      <li><a href="#sctn-client-extension-processing"><span class="secno">9.4</span> <span class="content"><span>Client Extension Processing</span></span></a>
      <li><a href="#sctn-authenticator-extension-processing"><span class="secno">9.5</span> <span class="content"><span>Authenticator Extension Processing</span></span></a>
     </ol>
    <li>
     <a href="#sctn-defined-extensions"><span class="secno">10</span> <span class="content">Defined Extensions</span></a>
     <ol class="toc">
      <li><a href="#sctn-appid-extension"><span class="secno">10.1</span> <span class="content">FIDO <span>AppID</span> Extension (appid)</span></a>
      <li><a href="#sctn-appid-exclude-extension"><span class="secno">10.2</span> <span class="content">FIDO AppID Exclusion Extension (appidExclude)</span></a>
      <li><a href="#sctn-uvm-extension"><span class="secno">10.3</span> <span class="content"><span>User Verification Method</span> Extension (uvm)</span></a>
      <li><a href="#sctn-authenticator-credential-properties-extension"><span class="secno">10.4</span> <span class="content">Credential Properties Extension (<span>credProps</span>)</span></a>
      <li><a href="#sctn-large-blob-extension"><span class="secno">10.5</span> <span class="content">Large blob storage extension (<span>largeBlob</span>)</span></a>
     </ol>
    <li>
     <a href="#sctn-automation"><span class="secno">11</span> <span class="content">User Agent Automation</span></a>
     <ol class="toc">
      <li>
       <a href="#sctn-automation-webdriver-capability"><span class="secno">11.1</span> <span class="content">WebAuthn WebDriver Extension Capability</span></a>
       <ol class="toc">
        <li><a href="#sctn-authenticator-extension-capabilities"><span class="secno">11.1.1</span> <span class="content"><span>Authenticator Extension Capabilities</span></span></a>
       </ol>
      <li><a href="#sctn-automation-virtual-authenticators"><span class="secno">11.2</span> <span class="content"><span>Virtual Authenticators</span></span></a>
      <li><a href="#sctn-automation-add-virtual-authenticator"><span class="secno">11.3</span> <span class="content"><span>Add Virtual Authenticator</span></span></a>
      <li><a href="#sctn-automation-remove-virtual-authenticator"><span class="secno">11.4</span> <span class="content"><span>Remove Virtual Authenticator</span></span></a>
      <li><a href="#sctn-automation-add-credential"><span class="secno">11.5</span> <span class="content"><span>Add Credential</span></span></a>
      <li><a href="#sctn-automation-get-credentials"><span class="secno">11.6</span> <span class="content"><span>Get Credentials</span></span></a>
      <li><a href="#sctn-automation-remove-credential"><span class="secno">11.7</span> <span class="content"><span>Remove Credential</span></span></a>
      <li><a href="#sctn-automation-remove-all-credentials"><span class="secno">11.8</span> <span class="content"><span>Remove All Credentials</span></span></a>
      <li><a href="#sctn-automation-set-user-verified"><span class="secno">11.9</span> <span class="content"><span>Set User Verified</span></span></a>
     </ol>
    <li>
     <a href="#sctn-IANA"><span class="secno">12</span> <span class="content">IANA Considerations</span></a>
     <ol class="toc">
      <li><a href="#sctn-att-fmt-reg-update"><span class="secno">12.1</span> <span class="content">WebAuthn Attestation Statement Format Identifier Registrations Updates</span></a>
      <li><a href="#sctn-att-fmt-reg"><span class="secno">12.2</span> <span class="content">WebAuthn Attestation Statement Format Identifier Registrations</span></a>
      <li><a href="#sctn-extensions-reg-update"><span class="secno">12.3</span> <span class="content">WebAuthn Extension Identifier Registrations Updates</span></a>
      <li><a href="#sctn-extensions-reg"><span class="secno">12.4</span> <span class="content">WebAuthn Extension Identifier Registrations</span></a>
     </ol>
    <li>
     <a href="#sctn-security-considerations"><span class="secno">13</span> <span class="content">Security Considerations</span></a>
     <ol class="toc">
      <li><a href="#sctn-credentialIdSecurity"><span class="secno">13.1</span> <span class="content">Credential ID Unsigned</span></a>
      <li><a href="#sctn-client-authenticator-proximity"><span class="secno">13.2</span> <span class="content">Physical Proximity between Client and Authenticator</span></a>
      <li>
        <a href="#sctn-security-considerations-authenticator"><span class="secno">13.3</span> <span class="content">Security considerations for <span>authenticators</span></span></a>
       <ol class="toc">
        <li><a href="#sctn-cert-hierarchy"><span class="secno">13.3.1</span> <span class="content">Attestation Certificate Hierarchy</span></a>
        <li><a href="#sctn-ca-compromise"><span class="secno">13.3.2</span> <span class="content">Attestation Certificate and Attestation Certificate CA Compromise</span></a>
       </ol>
      <li>
       <a href="#sctn-security-considerations-rp"><span class="secno">13.4</span> <span class="content">Security considerations for <span>Relying Parties</span></span></a>
       <ol class="toc">
        <li><a href="#sctn-rp-benefits"><span class="secno">13.4.1</span> <span class="content">Security Benefits for WebAuthn Relying Parties</span></a>
        <li><a href="#sctn-seccons-visibility"><span class="secno">13.4.2</span> <span class="content">Visibility Considerations for Embedded Usage</span></a>
        <li><a href="#sctn-cryptographic-challenges"><span class="secno">13.4.3</span> <span class="content">Cryptographic Challenges</span></a>
        <li><a href="#sctn-attestation-limitations"><span class="secno">13.4.4</span> <span class="content">Attestation Limitations</span></a>
        <li><a href="#sctn-revoked-attestation-certificates"><span class="secno">13.4.5</span> <span class="content">Revoked Attestation Certificates</span></a>
        <li><a href="#sctn-credential-loss-key-mobility"><span class="secno">13.4.6</span> <span class="content">Credential Loss and Key Mobility</span></a>
        <li><a href="#sctn-unprotected-account-detection"><span class="secno">13.4.7</span> <span class="content">Unprotected account detection</span></a>
       </ol>
     </ol>
    <li>
     <a href="#sctn-privacy-considerations"><span class="secno">14</span> <span class="content">Privacy Considerations</span></a>
     <ol class="toc">
      <li><a href="#sctn-privacy-attacks"><span class="secno">14.1</span> <span class="content">De-anonymization Prevention Measures</span></a>
      <li><a href="#sctn-non-correlatable-credentials"><span class="secno">14.2</span> <span class="content">Anonymous, Scoped, Non-correlatable <span>Public Key Credentials</span></span></a>
      <li><a href="#sctn-biometric-privacy"><span class="secno">14.3</span> <span class="content">Authenticator-local <span>Biometric Recognition</span></span></a>
      <li>
       <a href="#sctn-privacy-considerations-authenticator"><span class="secno">14.4</span> <span class="content">Privacy considerations for <span>authenticators</span></span></a>
       <ol class="toc">
        <li><a href="#sctn-attestation-privacy"><span class="secno">14.4.1</span> <span class="content">Attestation Privacy</span></a>
        <li><a href="#sctn-pii-privacy"><span class="secno">14.4.2</span> <span class="content">Privacy of personally identifying information Stored in Authenticators</span></a>
       </ol>
      <li>
       <a href="#sctn-privacy-considerations-client"><span class="secno">14.5</span> <span class="content">Privacy considerations for <span>clients</span></span></a>
       <ol class="toc">
        <li><a href="#sctn-make-credential-privacy"><span class="secno">14.5.1</span> <span class="content">Registration Ceremony Privacy</span></a>
        <li><a href="#sctn-assertion-privacy"><span class="secno">14.5.2</span> <span class="content">Authentication Ceremony Privacy</span></a>
        <li><a href="#sctn-os-account-privacy"><span class="secno">14.5.3</span> <span class="content">Privacy Between Operating System Accounts</span></a>
       </ol>
      <li>
       <a href="#sctn-privacy-considerations-rp"><span class="secno">14.6</span> <span class="content">Privacy considerations for <span>Relying Parties</span></span></a>
       <ol class="toc">
        <li><a href="#sctn-user-handle-privacy"><span class="secno">14.6.1</span> <span class="content">User Handle Contents</span></a>
        <li><a href="#sctn-username-enumeration"><span class="secno">14.6.2</span> <span class="content">Username Enumeration</span></a>
        <li><a href="#sctn-credential-id-privacy-leak"><span class="secno">14.6.3</span> <span class="content">Privacy leak via credential IDs</span></a>
       </ol>
     </ol>
    <li><a href="#sctn-accessiblility-considerations"><span class="secno">15</span> <span class="content">Accessibility Considerations</span></a>
    <li><a href="#sctn-acknowledgements"><span class="secno">16</span> <span class="content">Acknowledgements</span></a>
    <li>
     <a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
     <ol class="toc">
      <li><a href="#index-defined-here"><span class="secno"></span> <span class="content">Terms defined by this specification</span></a>
      <li><a href="#index-defined-elsewhere"><span class="secno"></span> <span class="content">Terms defined by reference</span></a>
     </ol>
    <li>
     <a href="#references"><span class="secno"></span> <span class="content">References</span></a>
     <ol class="toc">
      <li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a>
      <li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
     </ol>
    <li><a href="#idl-index"><span class="secno"></span> <span class="content">IDL Index</span></a>
    <li><a href="#issues-index"><span class="secno"></span> <span class="content">Issues Index</span></a>
   </ol>
  </nav>
  <main>
       <h2 class="heading settled" data-level="1" id="sctn-intro"><span class="secno">1. </span><span class="content">Introduction</span><a class="self-link" href="#sctn-intro"></a></h2>
   <p><em>This section is not normative.</em></p>
   <p>This specification defines an API enabling the creation and use of strong, attested, <a data-link-type="dfn" href="#scope" id="ref-for-scope②">scoped</a>, public key-based
credentials by <a data-link-type="dfn" href="#web-application" id="ref-for-web-application①">web applications</a>, for the purpose of strongly authenticating users. A <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential②">public key credential</a> is
created and stored by a <em><a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator">WebAuthn Authenticator</a></em> at the behest of a <em><a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party①">WebAuthn Relying Party</a></em>, subject to <em><a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent①">user
consent</a></em>. Subsequently, the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential③">public key credential</a> can only be accessed by <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin">origins</a> belonging to that <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①">Relying Party</a>.
This scoping is enforced jointly by <em><a data-link-type="dfn" href="#conforming-user-agent" id="ref-for-conforming-user-agent">conforming User Agents</a></em> and <em><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑤">authenticators</a></em>.
Additionally, privacy across <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②">Relying Parties</a> is maintained; <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③">Relying Parties</a> are not able to detect any properties, or even
the existence, of credentials <a data-link-type="dfn" href="#scope" id="ref-for-scope③">scoped</a> to other <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④">Relying Parties</a>.</p>
   <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑤">Relying Parties</a> employ the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api">Web Authentication API</a> during two distinct, but related, <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony">ceremonies</a> involving a user. The first
is <a data-link-type="dfn" href="#registration" id="ref-for-registration">Registration</a>, where a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④">public key credential</a> is created on an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑥">authenticator</a>, and <a data-link-type="dfn" href="#scope" id="ref-for-scope④">scoped</a> to a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑥">Relying Party</a> with the present user’s account (the account might already exist or might be created at this time). The second is <a data-link-type="dfn" href="#authentication" id="ref-for-authentication">Authentication</a>, where the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑦">Relying Party</a> is presented with an <em><a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion">Authentication Assertion</a></em> proving the presence
and <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent②">consent</a> of the user who registered the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤">public key credential</a>. Functionally, the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api①">Web Authentication
API</a> comprises a <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential">PublicKeyCredential</a></code> which extends the Credential Management API <a data-link-type="biblio" href="#biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]</a>, and
infrastructure which allows those credentials to be used with <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create">navigator.credentials.create()</a></code> and <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get">navigator.credentials.get()</a></code>. The former is used during <a data-link-type="dfn" href="#registration" id="ref-for-registration①">Registration</a>, and the
latter during <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①">Authentication</a>.</p>
   <p>Broadly, compliant <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑦">authenticators</a> protect <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥">public key credentials</a>, and interact with user agents to implement the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api②">Web Authentication API</a>.
Implementing compliant authenticators is possible in software executing
(a) on a general-purpose computing device,
(b) on an on-device Secure Execution Environment, Trusted Platform Module (TPM), or a Secure Element (SE), or
(c) off device.
Authenticators being implemented on device are called <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators">platform authenticators</a>.
Authenticators being implemented off device (<a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators">roaming authenticators</a>) can be accessed over a transport such
as Universal Serial Bus (USB), Bluetooth Low Energy (BLE), or Near Field Communications (NFC).</p>
   <h3 class="heading settled" data-level="1.1" id="sctn-spec-roadmap"><span class="secno">1.1. </span><span class="content">Specification Roadmap</span><a class="self-link" href="#sctn-spec-roadmap"></a></h3>
   <p>While many W3C specifications are directed primarily to user agent developers and also to web application developers
(i.e., "Web authors"), the nature of Web Authentication requires that this specification be correctly used by multiple audiences,
as described below.</p>
   <p><strong>All audiences</strong> ought to begin with <a href="#sctn-use-cases">§ 1.2 Use Cases</a>, <a href="#sctn-sample-scenarios">§ 1.3 Sample API Usage Scenarios</a>, and <a href="#sctn-terminology">§ 4 Terminology</a>, and should also
refer to <a data-link-type="biblio" href="#biblio-webauthnapiguide">[WebAuthnAPIGuide]</a> for an overall tutorial.
Beyond that, the intended audiences for this document are the following main groups:</p>
   <ul>
    <li data-md>
     <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑧">Relying Party</a> web application developers, especially those responsible for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑨">Relying Party</a> <a data-link-type="dfn" href="#web-application" id="ref-for-web-application②">web application</a> login flows, account recovery flows,
user account database content, etc.</p>
    <li data-md>
     <p>Web framework developers</p>
     <ul>
      <li data-md>
       <p>The above two audiences should in particular refer to <a href="#sctn-rp-operations">§ 7 WebAuthn Relying Party Operations</a>.
The introduction to <a href="#sctn-api">§ 5 Web Authentication API</a> may be helpful, though readers should realize that the <a href="#sctn-api">§ 5 Web Authentication API</a> section is targeted specifically
at user agent developers, not web application developers.
Additionally, if they intend to verify <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑧">authenticator</a> <a data-link-type="dfn" href="#attestation" id="ref-for-attestation②">attestations</a>, then <a href="#sctn-attestation">§ 6.5 Attestation</a> and <a href="#sctn-defined-attestation-formats">§ 8 Defined Attestation Statement Formats</a> will also be relevant. <a href="#sctn-extensions">§ 9 WebAuthn Extensions</a>, and <a href="#sctn-defined-extensions">§ 10 Defined Extensions</a> will be of interest if they wish to make use of extensions.
Finally, they should read <a href="#sctn-security-considerations-rp">§ 13.4 Security considerations for Relying Parties</a> and <a href="#sctn-privacy-considerations-rp">§ 14.6 Privacy considerations for Relying Parties</a> and consider which challenges apply to their application and users.</p>
     </ul>
    <li data-md>
     <p>User agent developers</p>
    <li data-md>
     <p>OS platform developers, responsible for OS platform API design and implementation in regards to platform-specific <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑨">authenticator</a> APIs, platform <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client">WebAuthn Client</a> instantiation, etc.</p>
     <ul>
      <li data-md>
       <p>The above two audiences should read <a href="#sctn-api">§ 5 Web Authentication API</a> very carefully, along with <a href="#sctn-extensions">§ 9 WebAuthn Extensions</a> if they intend to support extensions.
They should also carefully read <a href="#sctn-privacy-considerations-client">§ 14.5 Privacy considerations for clients</a>.</p>
     </ul>
    <li data-md>
     <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⓪">Authenticator</a> developers. These readers will want to pay particular attention to <a href="#sctn-authenticator-model">§ 6 WebAuthn Authenticator Model</a>, <a href="#sctn-defined-attestation-formats">§ 8 Defined Attestation Statement Formats</a>, <a href="#sctn-extensions">§ 9 WebAuthn Extensions</a>, and <a href="#sctn-defined-extensions">§ 10 Defined Extensions</a>.
They should also carefully read <a href="#sctn-security-considerations-authenticator">§ 13.3 Security considerations for authenticators</a> and <a href="#sctn-privacy-considerations-authenticator">§ 14.4 Privacy considerations for authenticators</a>.</p>
   </ul>
   <div class="note" role="note">
     Note: Along with the <a href="#sctn-api">Web Authentication API</a> itself, this specification defines a
    request-response <em>cryptographic protocol</em>—the <dfn data-dfn-type="dfn" data-export id="webauthn-fido2-protocol">WebAuthn/FIDO2 protocol<a class="self-link" href="#webauthn-fido2-protocol"></a></dfn>—between
    a <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party②">WebAuthn Relying Party</a> server and an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①①">authenticator</a>, where the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⓪">Relying Party</a>'s request consists of a <a href="#sctn-cryptographic-challenges">challenge</a> and other
    input data supplied by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①①">Relying Party</a> and sent to the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②">authenticator</a>.
    The request is conveyed via the
    combination of HTTPS, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①②">Relying Party</a> <a data-link-type="dfn" href="#web-application" id="ref-for-web-application③">web application</a>, the <a href="#sctn-api">WebAuthn API</a>, and the platform-specific communications channel
    between the user agent and the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③">authenticator</a>.
    The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④">authenticator</a> replies with a digitally signed <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data">authenticator data</a> message and other output data, which is conveyed back to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③">Relying Party</a> server via the same path in reverse. Protocol details vary according to whether an <a data-link-type="dfn" href="#authentication" id="ref-for-authentication②">authentication</a> or <a data-link-type="dfn" href="#registration" id="ref-for-registration②">registration</a> operation is invoked by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④">Relying Party</a>.
    See also <a href="#fig-registration">Figure 1</a> and <a href="#fig-authentication">Figure 2</a>. 
    <p><strong>It is important for Web Authentication deployments' end-to-end security</strong> that the role of each
    component—the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤">Relying Party</a> server, the <a data-link-type="dfn" href="#client" id="ref-for-client">client</a>, and the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤">authenticator</a>—
    as well as <a href="#sctn-security-considerations">§ 13 Security Considerations</a> and <a href="#sctn-privacy-considerations">§ 14 Privacy Considerations</a>, are understood <em>by all audiences</em>.</p>
   </div>
   <h3 class="heading settled" data-level="1.2" id="sctn-use-cases"><span class="secno">1.2. </span><span class="content">Use Cases</span><a class="self-link" href="#sctn-use-cases"></a></h3>
   <p>The below use case scenarios illustrate use of two very different types of <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥">authenticators</a>, as well as outline further
scenarios. Additional scenarios, including sample code, are given later in <a href="#sctn-sample-scenarios">§ 1.3 Sample API Usage Scenarios</a>.</p>
   <h4 class="heading settled" data-level="1.2.1" id="sctn-usecase-registration"><span class="secno">1.2.1. </span><span class="content">Registration</span><a class="self-link" href="#sctn-usecase-registration"></a></h4>
   <ul>
    <li data-md>
     <p>On a phone:</p>
     <ul>
      <li data-md>
       <p>User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using
(possibly a legacy method such as a password), or creates a new account.</p>
      <li data-md>
       <p>The phone prompts, "Do you want to register this device with example.com?"</p>
      <li data-md>
       <p>User agrees.</p>
      <li data-md>
       <p>The phone prompts the user for a previously configured <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture">authorization gesture</a> (PIN, biometric, etc.); the user
provides this.</p>
      <li data-md>
       <p>Website shows message, "Registration complete."</p>
     </ul>
   </ul>
   <h4 class="heading settled" data-level="1.2.2" id="sctn-usecase-authentication"><span class="secno">1.2.2. </span><span class="content">Authentication</span><a class="self-link" href="#sctn-usecase-authentication"></a></h4>
   <ul>
    <li data-md>
     <p>On a laptop or desktop:</p>
     <ul>
      <li data-md>
       <p>User pairs their phone with the laptop or desktop via Bluetooth.</p>
      <li data-md>
       <p>User navigates to example.com in a browser and initiates signing in.</p>
      <li data-md>
       <p>User gets a message from the browser, "Please complete this action on your phone."</p>
     </ul>
    <li data-md>
     <p>Next, on their phone:</p>
     <ul>
      <li data-md>
       <p>User sees a discrete prompt or notification, "Sign in to example.com."</p>
      <li data-md>
       <p>User selects this prompt / notification.</p>
      <li data-md>
       <p>User is shown a list of their example.com identities, e.g., "Sign in as Mohamed / Sign in as 张三".</p>
      <li data-md>
       <p>User picks an identity, is prompted for an <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture①">authorization gesture</a> (PIN, biometric, etc.) and provides this.</p>
     </ul>
    <li data-md>
     <p>Now, back on the laptop:</p>
     <ul>
      <li data-md>
       <p>Web page shows that the selected user is signed in, and navigates to the signed-in page.</p>
     </ul>
   </ul>
   <h4 class="heading settled" data-level="1.2.3" id="sctn-usecase-new-device-registration"><span class="secno">1.2.3. </span><span class="content">New Device Registration</span><a class="self-link" href="#sctn-usecase-new-device-registration"></a></h4>
   <p>This use case scenario illustrates how a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥">Relying Party</a> can leverage a combination of a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①">roaming authenticator</a> (e.g., a USB security
key fob) and a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①">platform authenticator</a> (e.g., a built-in fingerprint sensor) such that the user has:</p>
   <ul>
    <li data-md>
     <p>a "primary" <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators②">roaming authenticator</a> that they use to authenticate on new-to-them <a data-link-type="dfn" href="#client-device" id="ref-for-client-device">client devices</a> (e.g., laptops,
desktops) or on such <a data-link-type="dfn" href="#client-device" id="ref-for-client-device①">client devices</a> that lack a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②">platform authenticator</a>, and</p>
    <li data-md>
     <p>a low-friction means to strongly re-authenticate on <a data-link-type="dfn" href="#client-device" id="ref-for-client-device②">client devices</a> having <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators③">platform authenticators</a>.</p>
   </ul>
   <p class="note" role="note"><span>Note:</span> This approach of registering multiple <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦">authenticators</a> for an account is also useful in account recovery use cases.</p>
   <ul>
    <li data-md>
     <p>First, on a desktop computer (lacking a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators④">platform authenticator</a>):</p>
     <ul>
      <li data-md>
       <p>User navigates to <code>example.com</code> in a browser and signs in to an existing account using whatever method they have been using
(possibly a legacy method such as a password), or creates a new account.</p>
      <li data-md>
       <p>User navigates to account security settings and selects "Register security key".</p>
      <li data-md>
       <p>Website prompts the user to plug in a USB security key fob; the user does.</p>
      <li data-md>
       <p>The USB security key blinks to indicate the user should press the button on it; the user does.</p>
      <li data-md>
       <p>Website shows message, "Registration complete."</p>
     </ul>
     <p class="note" role="note"><span>Note:</span> Since this computer lacks a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators⑤">platform authenticator</a>, the website may require the user to present their USB security
key from time to time or each time the user interacts with the website. This is at the website’s discretion.</p>
    <li data-md>
     <p>Later, on their laptop (which features a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators⑥">platform authenticator</a>):</p>
     <ul>
      <li data-md>
       <p>User navigates to example.com in a browser and initiates signing in.</p>
      <li data-md>
       <p>Website prompts the user to plug in their USB security key.</p>
      <li data-md>
       <p>User plugs in the previously registered USB security key and presses the button.</p>
      <li data-md>
       <p>Website shows that the user is signed in, and navigates to the signed-in page.</p>
      <li data-md>
       <p>Website prompts, "Do you want to register this computer with example.com?"</p>
      <li data-md>
       <p>User agrees.</p>
      <li data-md>
       <p>Laptop prompts the user for a previously configured <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture②">authorization gesture</a> (PIN, biometric, etc.); the user provides this.</p>
      <li data-md>
       <p>Website shows message, "Registration complete."</p>
      <li data-md>
       <p>User signs out.</p>
     </ul>
    <li data-md>
     <p>Later, again on their laptop:</p>
     <ul>
      <li data-md>
       <p>User navigates to example.com in a browser and initiates signing in.</p>
      <li data-md>
       <p>Website shows message, "Please follow your computer’s prompts to complete sign in."</p>
      <li data-md>
       <p>Laptop prompts the user for an <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture③">authorization gesture</a> (PIN, biometric, etc.); the user provides this.</p>
      <li data-md>
       <p>Website shows that the user is signed in, and navigates to the signed-in page.</p>
     </ul>
   </ul>
   <h4 class="heading settled" data-level="1.2.4" id="sctn-other-configurations"><span class="secno">1.2.4. </span><span class="content">Other Use Cases and Configurations</span><a class="self-link" href="#sctn-other-configurations"></a></h4>
   <p>A variety of additional use cases and configurations are also possible, including (but not limited to):</p>
   <ul>
    <li data-md>
     <p>A user navigates to example.com on their laptop, is guided through a flow to create and register a credential on their phone.</p>
    <li data-md>
     <p>A user obtains a discrete, <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators③">roaming authenticator</a>, such as a "fob" with USB or USB+NFC/BLE connectivity options, loads
example.com in their browser on a laptop or phone, and is guided through a flow to create and register a credential on the
fob.</p>
    <li data-md>
     <p>A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦">Relying Party</a> prompts the user for their <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture④">authorization gesture</a> in order to authorize a single transaction, such as a payment
or other financial transaction.</p>
   </ul>
   <h3 class="heading settled" data-level="1.3" id="sctn-sample-scenarios"><span class="secno">1.3. </span><span class="content">Sample API Usage Scenarios</span><a class="self-link" href="#sctn-sample-scenarios"></a></h3>
   <p><em>This section is not normative.</em></p>
   <p>In this section, we walk through some events in the lifecycle of a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦">public key credential</a>, along with the corresponding
sample code for using this API. Note that this is an example flow and does not limit the scope of how the API can be used.</p>
   <p>As was the case in earlier sections, this flow focuses on a use case involving a <a data-link-type="dfn" href="#first-factor-roaming-authenticator" id="ref-for-first-factor-roaming-authenticator">first-factor roaming authenticator</a> with its own display. One example of such an authenticator would be a smart phone. Other authenticator types are also supported
by this API, subject to implementation by the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform">client platform</a>. For instance, this flow also works without modification for the case of
an authenticator that is embedded in the <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③">client device</a>. The flow also works for the case of an authenticator without
its own display (similar to a smart card) subject to specific implementation considerations. Specifically, the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform①">client platform</a> needs to display any prompts that would otherwise be shown by the authenticator, and the authenticator needs to allow the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform②">client
platform</a> to enumerate all the authenticator’s credentials so that the client can have information to show appropriate prompts.</p>
   <h4 class="heading settled" data-level="1.3.1" id="sctn-sample-registration"><span class="secno">1.3.1. </span><span class="content">Registration</span><a class="self-link" href="#sctn-sample-registration"></a></h4>
   <p>This is the first-time flow, in which a new credential is created and registered with the server.
In this flow, the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party③">WebAuthn Relying Party</a> does not have a preference for <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators⑦">platform authenticator</a> or <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators④">roaming authenticators</a>.</p>
   <ol>
    <li data-md>
      <p>The user visits example.com, which serves up a script. At this point, the user may already be logged in using a legacy
username and password, or an additional authenticator, or other means acceptable to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧">Relying Party</a>.
Or the user may be in the process of creating a new account.</p>
    <li data-md>
     <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨">Relying Party</a> script runs the code snippet below.</p>
    <li data-md>
     <p>The <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③">client platform</a> searches for and locates the authenticator.</p>
    <li data-md>
     <p>The <a data-link-type="dfn" href="#client" id="ref-for-client①">client</a> connects to the authenticator, performing any pairing actions if necessary.</p>
    <li data-md>
     <p>The authenticator shows appropriate UI for the user to provide a biometric or other <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture⑤">authorization gesture</a>.</p>
    <li data-md>
     <p>The authenticator returns a response to the <a data-link-type="dfn" href="#client" id="ref-for-client②">client</a>, which in turn returns a response to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪">Relying Party</a> script. If
the user declined to select an authenticator or provide authorization, an appropriate error is returned.</p>
    <li data-md>
     <p>If a new credential was created,</p>
     <ul>
      <li data-md>
       <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①">Relying Party</a> script sends the newly generated <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key">credential public key</a> to the server, along with additional information
such as attestation regarding the provenance and characteristics of the authenticator.</p>
      <li data-md>
       <p>The server stores the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key①">credential public key</a> in its database and associates it with the user as well as with the
characteristics of authentication indicated by attestation, also storing a friendly name for later use.</p>
      <li data-md>
       <p>The script may store data such as the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id">credential ID</a> in local storage, to improve future UX by narrowing the choice of
credential for the user.</p>
     </ul>
   </ol>
   <p>The sample code for generating and registering a new key follows:</p>
<pre class="example highlight" id="example-85f4c521"><a class="self-link" href="#example-85f4c521"></a><c- k>if</c-> <c- p>(</c-><c- o>!</c->window<c- p>.</c->PublicKeyCredential<c- p>)</c-> <c- p>{</c-> <c- d>/* Client not capable. Handle error. */</c-> <c- p>}</c->

<c- a>var</c-> publicKey <c- o>=</c-> <c- p>{</c->
  <c- c1>// The challenge is produced by the server; see the Security Considerations</c->
  challenge<c- o>:</c-> <c- k>new</c-> Uint8Array<c- p>([</c-><c- mf>21</c-><c- p>,</c-><c- mf>31</c-><c- p>,</c-><c- mf>105</c-> <c- d>/* 29 more random bytes generated by the server */</c-><c- p>]),</c->

  <c- c1>// Relying Party:</c->
  rp<c- o>:</c-> <c- p>{</c->
    name<c- o>:</c-> <c- u>"ACME Corporation"</c->
  <c- p>},</c->

  <c- c1>// User:</c->
  user<c- o>:</c-> <c- p>{</c->
    id<c- o>:</c-> Uint8Array<c- p>.</c->from<c- p>(</c->window<c- p>.</c->atob<c- p>(</c-><c- u>"MIIBkzCCATigAwIBAjCCAZMwggE4oAMCAQIwggGTMII="</c-><c- p>),</c-> c<c- p>=></c->c<c- p>.</c->charCodeAt<c- p>(</c-><c- mf>0</c-><c- p>)),</c->
    name<c- o>:</c-> <c- u>"alex.mueller@example.com"</c-><c- p>,</c->
    displayName<c- o>:</c-> <c- u>"Alex Müller"</c-><c- p>,</c->
  <c- p>},</c->

  <c- c1>// This Relying Party will accept either an ES256 or RS256 credential, but</c->
  <c- c1>// prefers an ES256 credential.</c->
  pubKeyCredParams<c- o>:</c-> <c- p>[</c->
    <c- p>{</c->
      type<c- o>:</c-> <c- u>"public-key"</c-><c- p>,</c->
      alg<c- o>:</c-> <c- o>-</c-><c- mf>7</c-> <c- c1>// "ES256" as registered in the IANA COSE Algorithms registry</c->
    <c- p>},</c->
    <c- p>{</c->
      type<c- o>:</c-> <c- u>"public-key"</c-><c- p>,</c->
      alg<c- o>:</c-> <c- o>-</c-><c- mf>257</c-> <c- c1>// Value registered by this specification for "RS256"</c->
    <c- p>}</c->
  <c- p>],</c->

  authenticatorSelection<c- o>:</c-> <c- p>{</c->
    <c- c1>// Try to use UV if possible. This is also the default.</c->
    userVerification<c- o>:</c-> <c- u>"preferred"</c->
  <c- p>},</c->

  timeout<c- o>:</c-> <c- mf>360000</c-><c- p>,</c->  <c- c1>// 6 minutes</c->
  excludeCredentials<c- o>:</c-> <c- p>[</c->
    <c- c1>// Don’t re-register any authenticator that has one of these credentials</c->
    <c- p>{</c-><c- u>"id"</c-><c- o>:</c-> Uint8Array<c- p>.</c->from<c- p>(</c->window<c- p>.</c->atob<c- p>(</c-><c- u>"ufJWp8YGlibm1Kd9XQBWN1WAw2jy5In2Xhon9HAqcXE="</c-><c- p>),</c-> c<c- p>=></c->c<c- p>.</c->charCodeAt<c- p>(</c-><c- mf>0</c-><c- p>)),</c-> <c- u>"type"</c-><c- o>:</c-> <c- u>"public-key"</c-><c- p>},</c->
    <c- p>{</c-><c- u>"id"</c-><c- o>:</c-> Uint8Array<c- p>.</c->from<c- p>(</c->window<c- p>.</c->atob<c- p>(</c-><c- u>"E/e1dhZc++mIsz4f9hb6NifAzJpF1V4mEtRlIPBiWdY="</c-><c- p>),</c-> c<c- p>=></c->c<c- p>.</c->charCodeAt<c- p>(</c-><c- mf>0</c-><c- p>)),</c-> <c- u>"type"</c-><c- o>:</c-> <c- u>"public-key"</c-><c- p>}</c->
  <c- p>],</c->

  <c- c1>// Make excludeCredentials check backwards compatible with credentials registered with U2F</c->
  extensions<c- o>:</c-> <c- p>{</c-><c- u>"appidExclude"</c-><c- o>:</c-> <c- u>"https://acme.example.com"</c-><c- p>}</c->
<c- p>};</c->

<c- c1>// Note: The following call will cause the authenticator to display UI.</c->
navigator<c- p>.</c->credentials<c- p>.</c->create<c- p>({</c-> publicKey <c- p>})</c->
  <c- p>.</c->then<c- p>(</c-><c- a>function</c-> <c- p>(</c->newCredentialInfo<c- p>)</c-> <c- p>{</c->
    <c- c1>// Send new credential info to server for verification and registration.</c->
  <c- p>}).</c-><c- k>catch</c-><c- p>(</c-><c- a>function</c-> <c- p>(</c->err<c- p>)</c-> <c- p>{</c->
    <c- c1>// No acceptable authenticator or user refused consent. Handle appropriately.</c->
  <c- p>});</c->
</pre>
   <h4 class="heading settled" data-level="1.3.2" id="sctn-sample-registration-with-platform-authenticator"><span class="secno">1.3.2. </span><span class="content">Registration Specifically with User-Verifying Platform Authenticator</span><a class="self-link" href="#sctn-sample-registration-with-platform-authenticator"></a></h4>
   <p>This is an example flow for when the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④">WebAuthn Relying Party</a> is specifically interested in creating a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑧">public key credential</a> with
a <a data-link-type="dfn" href="#user-verifying-platform-authenticator" id="ref-for-user-verifying-platform-authenticator">user-verifying platform authenticator</a>.</p>
   <ol>
    <li data-md>
     <p>The user visits example.com and clicks on the login button, which redirects the user to login.example.com.</p>
    <li data-md>
     <p>The user enters a username and password to log in. After successful login, the user is redirected back to example.com.</p>
    <li data-md>
     <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②">Relying Party</a> script runs the code snippet below.</p>
     <ol>
      <li data-md>
       <p>The user agent checks if a <a data-link-type="dfn" href="#user-verifying-platform-authenticator" id="ref-for-user-verifying-platform-authenticator①">user-verifying platform authenticator</a> is available. If not, terminate this flow.</p>
      <li data-md>
       <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③">Relying Party</a> asks the user if they want to create a credential with it. If not, terminate this flow.</p>
      <li data-md>
       <p>The user agent and/or operating system shows appropriate UI and guides the user in creating a credential
using one of the available platform authenticators.</p>
      <li data-md>
       <p>Upon successful credential creation, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④">Relying Party</a> script conveys the new credential to the server.</p>
     </ol>
   </ol>
<pre class="example highlight" id="example-47a0ff57"><a class="self-link" href="#example-47a0ff57"></a><c- k>if</c-> <c- p>(</c-><c- o>!</c->window<c- p>.</c->PublicKeyCredential<c- p>)</c-> <c- p>{</c-> <c- d>/* Client not capable of the API. Handle error. */</c-> <c- p>}</c->

PublicKeyCredential<c- p>.</c->isUserVerifyingPlatformAuthenticatorAvailable<c- p>()</c->
    <c- p>.</c->then<c- p>(</c-><c- a>function</c-> <c- p>(</c->uvpaAvailable<c- p>)</c-> <c- p>{</c->
        <c- c1>// If there is a user-verifying platform authenticator</c->
        <c- k>if</c-> <c- p>(</c->uvpaAvailable<c- p>)</c-> <c- p>{</c->
            <c- c1>// Render some RP-specific UI and get a Promise for a Boolean value</c->
            <c- k>return</c-> askIfUserWantsToCreateCredential<c- p>();</c->
        <c- p>}</c->
    <c- p>}).</c->then<c- p>(</c-><c- a>function</c-> <c- p>(</c->userSaidYes<c- p>)</c-> <c- p>{</c->
        <c- c1>// If there is a user-verifying platform authenticator</c->
        <c- c1>// AND the user wants to create a credential</c->
        <c- k>if</c-> <c- p>(</c->userSaidYes<c- p>)</c-> <c- p>{</c->
            <c- a>var</c-> publicKeyOptions <c- o>=</c-> <c- p>{</c-> <c- d>/* Public key credential creation options. */</c-><c- p>};</c->
            <c- k>return</c-> navigator<c- p>.</c->credentials<c- p>.</c->create<c- p>({</c-> <c- u>"publicKey"</c-><c- o>:</c-> publicKeyOptions <c- p>});</c->
        <c- p>}</c->
    <c- p>}).</c->then<c- p>(</c-><c- a>function</c-> <c- p>(</c->newCredentialInfo<c- p>)</c-> <c- p>{</c->
        <c- k>if</c-> <c- p>(</c->newCredentialInfo<c- p>)</c-> <c- p>{</c->
            <c- c1>// Send new credential info to server for verification and registration.</c->
        <c- p>}</c->
    <c- p>}).</c-><c- k>catch</c-><c- p>(</c-><c- a>function</c-> <c- p>(</c->err<c- p>)</c-> <c- p>{</c->
        <c- c1>// Something went wrong. Handle appropriately.</c->
    <c- p>});</c->
</pre>
   <h4 class="heading settled" data-level="1.3.3" id="sctn-sample-authentication"><span class="secno">1.3.3. </span><span class="content">Authentication</span><a class="self-link" href="#sctn-sample-authentication"></a></h4>
   <p>This is the flow when a user with an already registered credential visits a website and wants to authenticate using the
credential.</p>
   <ol>
    <li data-md>
     <p>The user visits example.com, which serves up a script.</p>
    <li data-md>
     <p>The script asks the <a data-link-type="dfn" href="#client" id="ref-for-client③">client</a> for an Authentication Assertion, providing as much information as possible to narrow
the choice of acceptable credentials for the user. This can be obtained from the data that was stored locally after
registration, or by other means such as prompting the user for a username.</p>
    <li data-md>
     <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤">Relying Party</a> script runs one of the code snippets below.</p>
    <li data-md>
     <p>The <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④">client platform</a> searches for and locates the authenticator.</p>
    <li data-md>
     <p>The <a data-link-type="dfn" href="#client" id="ref-for-client④">client</a> connects to the authenticator, performing any pairing actions if necessary.</p>
    <li data-md>
     <p>The authenticator presents the user with a notification that their attention is needed. On opening the
notification, the user is shown a friendly selection menu of acceptable credentials using the account information provided
when creating the credentials, along with some information on the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①">origin</a> that is requesting these keys.</p>
    <li data-md>
     <p>The authenticator obtains a biometric or other <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture⑥">authorization gesture</a> from the user.</p>
    <li data-md>
     <p>The authenticator returns a response to the <a data-link-type="dfn" href="#client" id="ref-for-client⑤">client</a>, which in turn returns a response to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥">Relying Party</a> script.
If the user declined to select a credential or provide authorization, an appropriate error is returned.</p>
    <li data-md>
     <p>If an assertion was successfully generated and returned,</p>
     <ul>
      <li data-md>
       <p>The script sends the assertion to the server.</p>
      <li data-md>
       <p>The server examines the assertion, extracts the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id①">credential ID</a>, looks up the registered
credential public key in its database, and verifies the <a data-link-type="dfn" href="#assertion-signature" id="ref-for-assertion-signature">assertion signature</a> (this is a simplified summary; the complete verification procedure the server must follow is specified in <a href="#sctn-rp-operations">§ 7 WebAuthn Relying Party Operations</a>).
If valid, it looks up the identity associated with the assertion’s <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id②">credential ID</a>; that
identity is now authenticated. If the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③">credential ID</a> is not recognized by the server (e.g.,
it has been deregistered due to inactivity) then the authentication has failed; each <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦">Relying Party</a> will handle this in its own way.</p>
      <li data-md>
       <p>The server now does whatever it would otherwise do upon successful authentication -- return a success page, set
authentication cookies, etc.</p>
     </ul>
   </ol>
   <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧">Relying Party</a> script does not have any hints available (e.g., from locally stored data) to help it narrow the list of
credentials, then the sample code for performing such an authentication might look like this:</p>
<pre class="example highlight" id="example-b2bff2f5"><a class="self-link" href="#example-b2bff2f5"></a><c- k>if</c-> <c- p>(</c-><c- o>!</c->window<c- p>.</c->PublicKeyCredential<c- p>)</c-> <c- p>{</c-> <c- d>/* Client not capable. Handle error. */</c-> <c- p>}</c->

<c- c1>// credentialId is generated by the authenticator and is an opaque random byte array</c->
<c- a>var</c-> credentialId <c- o>=</c-> <c- k>new</c-> Uint8Array<c- p>([</c-><c- mf>183</c-><c- p>,</c-> <c- mf>148</c-><c- p>,</c-> <c- mf>245</c-> <c- d>/* more random bytes previously generated by the authenticator */</c-><c- p>]);</c->
<c- a>var</c-> options <c- o>=</c-> <c- p>{</c->
  <c- c1>// The challenge is produced by the server; see the Security Considerations</c->
  challenge<c- o>:</c-> <c- k>new</c-> Uint8Array<c- p>([</c-><c- mf>4</c-><c- p>,</c-><c- mf>101</c-><c- p>,</c-><c- mf>15</c-> <c- d>/* 29 more random bytes generated by the server */</c-><c- p>]),</c->
  timeout<c- o>:</c-> <c- mf>120000</c-><c- p>,</c->  <c- c1>// 2 minutes</c->
  <c- c1>// Restrict this ceremony to the previously registered credential identified above</c->
  allowCredentials<c- o>:</c-> <c- p>[{</c-> type<c- o>:</c-> <c- u>"public-key"</c-><c- p>,</c-> id<c- o>:</c-> credentialId <c- p>}]</c->
<c- p>};</c->

navigator<c- p>.</c->credentials<c- p>.</c->get<c- p>({</c-> <c- u>"publicKey"</c-><c- o>:</c-> options <c- p>})</c->
    <c- p>.</c->then<c- p>(</c-><c- a>function</c-> <c- p>(</c->assertion<c- p>)</c-> <c- p>{</c->
    <c- c1>// Send assertion to server for verification</c->
    <c- c1>// The server verifies the assertion signature and looks up the credential ID before treating the user as authenticated;</c->
    <c- c1>// see § 7.2 Verifying an Authentication Assertion</c->
<c- p>}).</c-><c- k>catch</c-><c- p>(</c-><c- a>function</c-> <c- p>(</c->err<c- p>)</c-> <c- p>{</c->
    <c- c1>// No acceptable credential or user refused consent. Handle appropriately.</c->
<c- p>});</c->
</pre>
   <p>On the other hand, if the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨">Relying Party</a> script has some hints to help it narrow the list of credentials, then the sample code for
performing such an authentication might look like the following. Note that this sample also demonstrates how to use the <a data-link-type="dfn" href="#credprops" id="ref-for-credprops">Credential Properties Extension</a>.</p>
<pre class="example highlight" id="example-9b4290b6"><a class="self-link" href="#example-9b4290b6"></a><c- k>if</c-> <c- p>(</c-><c- o>!</c->window<c- p>.</c->PublicKeyCredential<c- p>)</c-> <c- p>{</c-> <c- d>/* Client not capable. Handle error. */</c-> <c- p>}</c->

<c- c1>// Credential IDs are opaque bytes generated by the authenticator; the readable strings below are illustrative only</c->
<c- a>var</c-> encoder <c- o>=</c-> <c- k>new</c-> TextEncoder<c- p>();</c->
<c- a>var</c-> acceptableCredential1 <c- o>=</c-> <c- p>{</c->
    type<c- o>:</c-> <c- u>"public-key"</c-><c- p>,</c->
    id<c- o>:</c-> encoder<c- p>.</c->encode<c- p>(</c-><c- u>"BA44712732CE"</c-><c- p>)</c->
<c- p>};</c->
<c- a>var</c-> acceptableCredential2 <c- o>=</c-> <c- p>{</c->
    type<c- o>:</c-> <c- u>"public-key"</c-><c- p>,</c->
    id<c- o>:</c-> encoder<c- p>.</c->encode<c- p>(</c-><c- u>"BG35122345NF"</c-><c- p>)</c->
<c- p>};</c->

<c- a>var</c-> options <c- o>=</c-> <c- p>{</c->
  <c- c1>// The challenge is produced by the server; see the Security Considerations</c->
  challenge<c- o>:</c-> <c- k>new</c-> Uint8Array<c- p>([</c-><c- mf>8</c-><c- p>,</c-><c- mf>18</c-><c- p>,</c-><c- mf>33</c-> <c- d>/* 29 more random bytes generated by the server */</c-><c- p>]),</c->
  timeout<c- o>:</c-> <c- mf>120000</c-><c- p>,</c->  <c- c1>// 2 minutes</c->
  <c- c1>// Only the credentials listed here are acceptable for this ceremony</c->
  allowCredentials<c- o>:</c-> <c- p>[</c->acceptableCredential1<c- p>,</c-> acceptableCredential2<c- p>],</c->
  <c- c1>// Request the Credential Properties Extension (credProps) in the response</c->
  extensions<c- o>:</c-> <c- p>{</c-> <c- t>'credProps'</c-><c- o>:</c-> <c- kc>true</c-> <c- p>}</c->
<c- p>};</c->

navigator<c- p>.</c->credentials<c- p>.</c->get<c- p>({</c-> <c- u>"publicKey"</c-><c- o>:</c-> options <c- p>})</c->
    <c- p>.</c->then<c- p>(</c-><c- a>function</c-> <c- p>(</c->assertion<c- p>)</c-> <c- p>{</c->
    <c- c1>// Send assertion to server for verification</c->
    <c- c1>// The server verifies the assertion signature and looks up the credential ID before treating the user as authenticated;</c->
    <c- c1>// see § 7.2 Verifying an Authentication Assertion</c->
<c- p>}).</c-><c- k>catch</c-><c- p>(</c-><c- a>function</c-> <c- p>(</c->err<c- p>)</c-> <c- p>{</c->
    <c- c1>// No acceptable credential or user refused consent. Handle appropriately.</c->
<c- p>});</c->
</pre>
   <h4 class="heading settled" data-level="1.3.4" id="sctn-sample-aborting"><span class="secno">1.3.4. </span><span class="content">Aborting Authentication Operations</span><a class="self-link" href="#sctn-sample-aborting"></a></h4>
   <p>The example below shows how a developer may use the AbortSignal parameter to abort a
credential registration operation. A similar procedure applies to an authentication operation.</p>
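<pre class="example highlight" id="example-4c7ad12d"><a class="self-link" href="#example-4c7ad12d"></a><c- a>const</c-> authAbortController <c- o>=</c-> <c- k>new</c-> AbortController<c- p>();</c->
<c- a>const</c-> authAbortSignal <c- o>=</c-> authAbortController<c- p>.</c->signal<c- p>;</c->

authAbortSignal<c- p>.</c->onabort <c- o>=</c-> <c- a>function</c-> <c- p>()</c-> <c- p>{</c->
    <c- c1>// Once the page knows the abort started, inform user it is attempting to abort.</c->
<c- p>}</c->

<c- a>var</c-> options <c- o>=</c-> <c- p>{</c->
    <c- c1>// A list of options.</c->
<c- p>}</c->

<c- c1>// Passing the signal lets the page cancel the pending ceremony via authAbortController.abort().</c->
navigator<c- p>.</c->credentials<c- p>.</c->create<c- p>({</c->
    publicKey<c- o>:</c-> options<c- p>,</c->
    signal<c- o>:</c-> authAbortSignal<c- p>})</c->
    <c- p>.</c->then<c- p>(</c-><c- a>function</c-> <c- p>(</c->attestation<c- p>)</c-> <c- p>{</c->
        <c- c1>// Register the user.</c->
    <c- p>}).</c-><c- k>catch</c-><c- p>(</c-><c- a>function</c-> <c- p>(</c->error<c- p>)</c-> <c- p>{</c->
        <c- c1>// The rejection reason is a DOMException; compare its name, not the object itself.</c->
        <c- k>if</c-> <c- p>(</c->error<c- p>.</c->name <c- o>==</c-> <c- u>"AbortError"</c-><c- p>)</c-> <c- p>{</c->
            <c- c1>// Inform user the credential hasn’t been created.</c->
            <c- c1>// Let the server know a key hasn’t been created.</c->
        <c- p>}</c->
    <c- p>});</c->

<c- c1>// Assume widget shows up whenever authentication occurs.</c->
<c- k>if</c-> <c- p>(</c->widget <c- o>==</c-> <c- u>"disappear"</c-><c- p>)</c-> <c- p>{</c->
    authAbortController<c- p>.</c->abort<c- p>();</c->
<c- p>}</c->
</pre>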
   <h4 class="heading settled" data-level="1.3.5" id="sctn-sample-decommissioning"><span class="secno">1.3.5. </span><span class="content">Decommissioning</span><a class="self-link" href="#sctn-sample-decommissioning"></a></h4>
   <p>The following are possible situations in which decommissioning a credential might be desired. Note that all of these are
handled on the server side and do not need support from the API specified here.</p>
   <ul>
    <li data-md>
     <p>Possibility #1 -- user reports the credential as lost.</p>
     <ul>
      <li data-md>
       <p>User goes to server.example.net, authenticates and follows a link to report a lost/stolen <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧">authenticator</a>.</p>
      <li data-md>
       <p>Server returns a page showing the list of registered credentials with friendly names as configured during registration.</p>
      <li data-md>
       <p>User selects a credential and the server deletes it from its database.</p>
      <li data-md>
       <p>In the future, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪">Relying Party</a> script does not specify this credential in any list of acceptable credentials, and assertions
signed by this credential are rejected.</p>
     </ul>
    <li data-md>
     <p>Possibility #2 -- server deregisters the credential due to inactivity.</p>
     <ul>
      <li data-md>
       <p>Server deletes credential from its database during maintenance activity.</p>
      <li data-md>
       <p>In the future, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①">Relying Party</a> script does not specify this credential in any list of acceptable credentials, and assertions
signed by this credential are rejected.</p>
     </ul>
    <li data-md>
     <p>Possibility #3 -- user deletes the credential from the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑨">authenticator</a>.</p>
     <ul>
      <li data-md>
       <p>User employs a <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪">authenticator</a>-specific method (e.g., device settings UI) to delete a credential from their <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①">authenticator</a>.</p>
      <li data-md>
       <p>From this point on, this credential will not appear in any selection prompts, and no assertions can be generated with it.</p>
      <li data-md>
       <p>Sometime later, the server deregisters this credential due to inactivity.</p>
     </ul>
   </ul>
   <h3 class="heading settled" data-level="1.4" id="sctn-platform-impl-guidance"><span class="secno">1.4. </span><span class="content">Platform-Specific Implementation Guidance</span><a class="self-link" href="#sctn-platform-impl-guidance"></a></h3>
   <p>This specification defines how to use Web Authentication in the general case. When using Web
Authentication in connection with specific platform support (e.g. apps), it is recommended to see
platform-specific documentation and guides for additional guidance and limitations.</p>
   <h2 class="heading settled" data-level="2" id="sctn-conformance"><span class="secno">2. </span><span class="content">Conformance</span><a class="self-link" href="#sctn-conformance"></a></h2>
   <p>This specification defines three conformance classes. Each of these classes is specified so that conforming members of the class
are secure against non-conforming or hostile members of the other classes.</p>
   <h3 class="heading settled" data-level="2.1" id="sctn-conforming-user-agents"><span class="secno">2.1. </span><span class="content">User Agents</span><a class="self-link" href="#sctn-conforming-user-agents"></a></h3>
   <p>A User Agent MUST behave as described by <a href="#sctn-api">§ 5 Web Authentication API</a> in order to be considered conformant. <a data-link-type="dfn" href="#conforming-user-agent" id="ref-for-conforming-user-agent①">Conforming User Agents</a> MAY implement
algorithms given in this specification in any way desired, so long as the end result is indistinguishable from the result that
would be obtained by the specification’s algorithms.</p>
   <p>A conforming User Agent MUST also be a conforming implementation of the IDL fragments of this specification, as described in the
“Web IDL” specification. <a data-link-type="biblio" href="#biblio-webidl">[WebIDL]</a></p>
   <h4 class="heading settled" data-level="2.1.1" id="sct-domstring-backwards-compatibility"><span class="secno">2.1.1. </span><span class="content">Enumerations as DOMString types</span><a class="self-link" href="#sct-domstring-backwards-compatibility"></a></h4>
   <p>Enumeration types are not referenced by other parts of the Web IDL because that
would preclude other values from being used without updating this specification
and its implementations. It is important for backwards compatibility that <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤">client platforms</a> and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②">Relying Parties</a> handle unknown values. Enumerations for this
specification exist here for documentation and as a registry. Where the
enumerations are represented elsewhere, they are typed as <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString">DOMString</a></code>s, for
example in <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports">transports</a></code>.</p>
   <h3 class="heading settled" data-level="2.2" id="sctn-conforming-authenticators"><span class="secno">2.2. </span><span class="content">Authenticators</span><a class="self-link" href="#sctn-conforming-authenticators"></a></h3>
   <p>A <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator①">WebAuthn Authenticator</a> MUST provide the operations defined by <a href="#sctn-authenticator-model">§ 6 WebAuthn Authenticator Model</a>, and those operations MUST behave as
described there. This is a set of functional and security requirements for an authenticator to be usable by a <a data-link-type="dfn" href="#conforming-user-agent" id="ref-for-conforming-user-agent②">Conforming User
Agent</a>.</p>
   <p>As described in <a href="#sctn-use-cases">§ 1.2 Use Cases</a>, an authenticator may be implemented in the operating system underlying the User Agent, or in
external hardware, or a combination of both.</p>
   <h4 class="heading settled" data-level="2.2.1" id="sctn-conforming-authenticators-u2f"><span class="secno">2.2.1. </span><span class="content">Backwards Compatibility with FIDO U2F</span><a class="self-link" href="#sctn-conforming-authenticators-u2f"></a></h4>
   <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②">Authenticators</a> that only support the <a href="#sctn-fido-u2f-attestation">§ 8.6 FIDO U2F Attestation Statement Format</a> have no mechanism to store a <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle">user handle</a>, so the returned <code class="idl"><a data-link-type="idl" href="#dom-authenticatorassertionresponse-userhandle" id="ref-for-dom-authenticatorassertionresponse-userhandle">userHandle</a></code> will always be null.</p>
   <h3 class="heading settled" data-level="2.3" id="sctn-conforming-relying-parties"><span class="secno">2.3. </span><span class="content">WebAuthn Relying Parties</span><a class="self-link" href="#sctn-conforming-relying-parties"></a></h3>
   <p>A <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑤">WebAuthn Relying Party</a> MUST behave as described in <a href="#sctn-rp-operations">§ 7 WebAuthn Relying Party Operations</a> to obtain all the security benefits offered by this specification. See <a href="#sctn-rp-benefits">§ 13.4.1 Security Benefits for WebAuthn Relying Parties</a> for further discussion of this.</p>
   <h3 class="heading settled" data-level="2.4" id="sctn-conforming-all-classes"><span class="secno">2.4. </span><span class="content">All Conformance Classes</span><a class="self-link" href="#sctn-conforming-all-classes"></a></h3>
   <p>All <a data-link-type="dfn" href="#cbor" id="ref-for-cbor">CBOR</a> encoding performed by the members of the above conformance classes MUST be done using the <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#ctap2-canonical-cbor-encoding-form" id="ref-for-ctap2-canonical-cbor-encoding-form">CTAP2 canonical CBOR encoding form</a>.
All decoders of the above conformance classes SHOULD reject CBOR that is not validly encoded
in the <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#ctap2-canonical-cbor-encoding-form" id="ref-for-ctap2-canonical-cbor-encoding-form①">CTAP2 canonical CBOR encoding form</a> and SHOULD reject messages with duplicate map keys.</p>
   <h2 class="heading settled" data-level="3" id="sctn-dependencies"><span class="secno">3. </span><span class="content">Dependencies</span><a class="self-link" href="#sctn-dependencies"></a></h2>
   <p>This specification relies on several other underlying specifications, listed
below and in <a href="#index-defined-elsewhere">Terms defined by reference</a>.</p>
   <dl>
    <dt data-md>Base64url encoding
    <dd data-md>
     <p>The term <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="base64url-encoding">Base64url Encoding</dfn> refers to the base64 encoding using the URL- and filename-safe character set defined
in Section 5 of <a data-link-type="biblio" href="#biblio-rfc4648">[RFC4648]</a>, with all trailing '=' characters omitted (as permitted by Section 3.2) and without the
inclusion of any line breaks, whitespace, or other additional characters.</p>
    <dt data-md>CBOR
    <dd data-md>
     <p>A number of structures in this specification, including attestation statements and extensions, are encoded using the <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#ctap2-canonical-cbor-encoding-form" id="ref-for-ctap2-canonical-cbor-encoding-form②">CTAP2 canonical CBOR encoding form</a> of the Compact Binary Object Representation (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="cbor">CBOR</dfn>) <a data-link-type="biblio" href="#biblio-rfc8949">[RFC8949]</a>,
as defined in <a data-link-type="biblio" href="#biblio-fido-ctap">[FIDO-CTAP]</a>.</p>
    <dt data-md>CDDL
    <dd data-md>
     <p>This specification describes the syntax of all <a data-link-type="dfn" href="#cbor" id="ref-for-cbor①">CBOR</a>-encoded data using the CBOR Data Definition Language (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="cddl">CDDL</dfn>) <a data-link-type="biblio" href="#biblio-rfc8610">[RFC8610]</a>.</p>
    <dt data-md>COSE
    <dd data-md>
     <p>CBOR Object Signing and Encryption (COSE) <a data-link-type="biblio" href="#biblio-rfc8152">[RFC8152]</a>.  The IANA COSE Algorithms registry <a data-link-type="biblio" href="#biblio-iana-cose-algs-reg">[IANA-COSE-ALGS-REG]</a> established by this specification is also used.</p>
    <dt data-md>Credential Management
    <dd data-md>
     <p>The API described in this document is an extension of the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential" id="ref-for-credential">Credential</a></code> concept defined in <a data-link-type="biblio" href="#biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]</a>.</p>
    <dt data-md>DOM
    <dd data-md>
     <p><code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException">DOMException</a></code> and the DOMException values used in this specification are defined in <a data-link-type="biblio" href="#biblio-dom4">[DOM4]</a>.</p>
    <dt data-md>ECMAScript
    <dd data-md>
     <p><a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor" id="ref-for-sec-arraybuffer-constructor">%ArrayBuffer%</a> is defined in <a data-link-type="biblio" href="#biblio-ecmascript">[ECMAScript]</a>.</p>
    <dt data-md>HTML
    <dd data-md>
     <p>The concepts of <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context">browsing context</a>, <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin②">origin</a>, <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-opaque" id="ref-for-concept-origin-opaque">opaque origin</a>, <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-tuple" id="ref-for-concept-origin-tuple">tuple origin</a>, <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object" id="ref-for-relevant-settings-object">relevant settings object</a>,
and <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to" id="ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to">is a registrable domain suffix of or is equal to</a> are defined in <a data-link-type="biblio" href="#biblio-html">[HTML]</a>.</p>
    <dt data-md>URL
    <dd data-md>
     <p>The concept of <a data-link-type="dfn" href="https://url.spec.whatwg.org/#host-same-site" id="ref-for-host-same-site">same site</a> is defined in <a data-link-type="biblio" href="#biblio-url">[URL]</a>.</p>
    <dt data-md>Web IDL
    <dd data-md>
     <p>Many of the interface definitions and all of the IDL in this specification depend on <a data-link-type="biblio" href="#biblio-webidl">[WebIDL]</a>. This updated version of
the Web IDL standard adds support for <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-promise" id="ref-for-idl-promise">Promise</a></code>s, which are now the preferred mechanism for asynchronous
interaction in all new web APIs.</p>
    <dt data-md>FIDO AppID
    <dd data-md>
     <p>The algorithms for <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-the-facetid-of-a-calling-application" id="ref-for-determining-the-facetid-of-a-calling-application">determining the FacetID of a calling application</a> and <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid" id="ref-for-determining-if-a-caller-s-facetid-is-authorized-for-an-appid">determining if a caller’s FacetID is authorized for an AppID</a> (used only in
the <a data-link-type="dfn" href="#appid" id="ref-for-appid">AppID extension</a>) are defined by <a data-link-type="biblio" href="#biblio-fido-appid">[FIDO-APPID]</a>.</p>
   </dl>
   <p>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in <a data-link-type="biblio" href="#biblio-rfc2119">[RFC2119]</a>.</p>
   <h2 class="heading settled" data-level="4" id="sctn-terminology"><span class="secno">4. </span><span class="content">Terminology</span><a class="self-link" href="#sctn-terminology"></a></h2>
   <dl>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation">Attestation</dfn>
    <dd data-md>
     <p>Generally, <em>attestation</em> is a statement serving to bear witness, confirm, or authenticate.
In the WebAuthn context, <a data-link-type="dfn" href="#attestation" id="ref-for-attestation③">attestation</a> is employed to <em>attest</em> to the <em>provenance</em> of an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③">authenticator</a> and the data it emits; including, for example: <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id④">credential IDs</a>, <a data-link-type="dfn" href="#credential-key-pair" id="ref-for-credential-key-pair">credential key pairs</a>, signature counters, etc. An <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement">attestation statement</a> is conveyed in an <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object">attestation object</a> during <a data-link-type="dfn" href="#registration" id="ref-for-registration③">registration</a>. See also <a href="#sctn-attestation">§ 6.5 Attestation</a> and <a href="#fig-attStructs">Figure 6</a>. Whether or how the <a data-link-type="dfn" href="#client" id="ref-for-client⑥">client</a> conveys the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①">attestation statement</a> and <a data-link-type="dfn" href="#aaguid" id="ref-for-aaguid">AAGUID</a> portions of the <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①">attestation object</a> to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③">Relying Party</a> is described by <a data-link-type="dfn" href="#attestation-conveyance" id="ref-for-attestation-conveyance">attestation conveyance</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-certificate">Attestation Certificate</dfn>
    <dd data-md>
     <p>An X.509 Certificate for the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-key-pair">attestation key pair</dfn> used by an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④">authenticator</a> to attest to its manufacture
and capabilities. At <a data-link-type="dfn" href="#registration" id="ref-for-registration④">registration</a> time, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤">authenticator</a> uses the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-private-key">attestation private key</dfn> to sign
the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④">Relying Party</a>-specific <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key②">credential public key</a> (and additional data) that it generates and returns via the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential">authenticatorMakeCredential</a> operation. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤">Relying Parties</a> use the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-public-key">attestation public key</dfn> conveyed in the <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate">attestation
certificate</a> to verify the <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature">attestation signature</a>. Note that in the case of <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation">self attestation</a>, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥">authenticator</a> has no distinct <a data-link-type="dfn" href="#attestation-key-pair" id="ref-for-attestation-key-pair">attestation key pair</a> nor <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①">attestation certificate</a>, see <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①">self
attestation</a> for details.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authentication">Authentication</dfn>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authentication-ceremony">Authentication Ceremony</dfn>
    <dd data-md>
     <p>The <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①">ceremony</a> where a user, and the user’s <a data-link-type="dfn" href="#client" id="ref-for-client⑦">client</a> (containing at least one <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦">authenticator</a>) work in
concert to cryptographically prove to a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥">Relying Party</a> that the user controls the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key">credential private key</a> of a
previously-registered <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑨">public key credential</a> (see <a data-link-type="dfn" href="#registration" id="ref-for-registration⑤">Registration</a>). Note that this includes a <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence">test of user presence</a> or <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification">user verification</a>.</p>
     <p>The WebAuthn <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony">authentication ceremony</a> is defined in <a href="#sctn-verifying-assertion">§ 7.2 Verifying an Authentication Assertion</a>,
and is initiated by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦">Relying Party</a> calling <code><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get①">navigator.credentials.get()</a></code></code> with a <code class="idl"><a data-link-type="idl" href="#dom-credentialrequestoptions-publickey" id="ref-for-dom-credentialrequestoptions-publickey">publicKey</a></code> argument.
See <a href="#sctn-api">§ 5 Web Authentication API</a> for an introductory overview and <a href="#sctn-sample-authentication">§ 1.3.3 Authentication</a> for implementation examples.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authentication-assertion">Authentication Assertion</dfn>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="assertion">Assertion</dfn>
    <dd data-md>
     <p>The cryptographically signed <code class="idl"><a data-link-type="idl" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse">AuthenticatorAssertionResponse</a></code> object returned by an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑧">authenticator</a> as the result of an <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion">authenticatorGetAssertion</a> operation.</p>
     <p>This corresponds to the <a data-link-type="biblio" href="#biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]</a> specification’s single-use <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential">credentials</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator">Authenticator</dfn>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="webauthn-authenticator">WebAuthn Authenticator</dfn>
    <dd data-md>
     <p>A cryptographic entity, existing in hardware or software, that can <a data-link-type="dfn" href="#registration" id="ref-for-registration⑥">register</a> a user with a given <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧">Relying Party</a> and later <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion①">assert possession</a> of the registered <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential①⓪">public key credential</a>, and optionally <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification①">verify the user</a>, when requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨">Relying Party</a>. <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑨">Authenticators</a> can report information
regarding their <a data-link-type="dfn" href="#authenticator-type" id="ref-for-authenticator-type">type</a> and security characteristics via <a data-link-type="dfn" href="#attestation" id="ref-for-attestation④">attestation</a> during <a data-link-type="dfn" href="#registration" id="ref-for-registration⑦">registration</a>.</p>
     <p>A <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator②">WebAuthn Authenticator</a> could be a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators⑤">roaming authenticator</a>, a dedicated hardware subsystem integrated into the <a data-link-type="dfn" href="#client-device" id="ref-for-client-device④">client device</a>,
or a software component of the <a data-link-type="dfn" href="#client" id="ref-for-client⑧">client</a> or <a data-link-type="dfn" href="#client-device" id="ref-for-client-device⑤">client device</a>.</p>
     <p>In general, an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪">authenticator</a> is assumed to have only one user.
If multiple natural persons share access to an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①">authenticator</a>,
they are considered to represent the same user in the context of that <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③②">authenticator</a>.
If an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③③">authenticator</a> implementation supports multiple users in separated compartments,
then each compartment is considered a separate <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③④">authenticator</a> with a single user with no access to other users' <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential①">credentials</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authorization-gesture">Authorization Gesture</dfn>
    <dd data-md>
     <p>An <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture⑦">authorization gesture</a> is a physical interaction performed by a user with an authenticator as part of a <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony②">ceremony</a>,
such as <a data-link-type="dfn" href="#registration" id="ref-for-registration⑧">registration</a> or <a data-link-type="dfn" href="#authentication" id="ref-for-authentication③">authentication</a>. By making such an <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture⑧">authorization gesture</a>, a user <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent③">provides
consent</a> for (i.e., <em>authorizes</em>) a <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony③">ceremony</a> to proceed. This MAY involve <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②">user verification</a> if the
employed <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⑤">authenticator</a> is capable, or it MAY involve a simple <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence①">test of user presence</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="biometric-recognition">Biometric Recognition</dfn>
    <dd data-md>
     <p>The automated recognition of individuals based on their biological and behavioral characteristics <a data-link-type="biblio" href="#biblio-isobiometricvocabulary">[ISOBiometricVocabulary]</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="biometric-authenticator">Biometric Authenticator</dfn>
    <dd data-md>
     <p>Any <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⑥">authenticator</a> that implements <a data-link-type="dfn" href="#biometric-recognition" id="ref-for-biometric-recognition">biometric recognition</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="bound-credential">Bound credential</dfn>
    <dd data-md>
     <p>A <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source">public key credential source</a> or <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential①①">public key credential</a> is said to be <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential①">bound</a> to its <a data-link-type="dfn" href="#public-key-credential-source-managing-authenticator" id="ref-for-public-key-credential-source-managing-authenticator">managing
authenticator</a>. This means that only the <a data-link-type="dfn" href="#public-key-credential-source-managing-authenticator" id="ref-for-public-key-credential-source-managing-authenticator①">managing authenticator</a> can generate <a data-link-type="dfn" href="#assertion" id="ref-for-assertion">assertions</a> for the <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source①">public key
credential sources</a> <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential②">bound</a> to it.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="ceremony">Ceremony</dfn>
    <dd data-md>
     <p>The concept of a <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony④">ceremony</a> <a data-link-type="biblio" href="#biblio-ceremony">[Ceremony]</a> is an extension of the concept of a network protocol, with human nodes alongside
computer nodes and with communication links that include user interface(s), human-to-human communication, and transfers of
physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony. In this specification, <a data-link-type="dfn" href="#registration" id="ref-for-registration⑨">Registration</a> and <a data-link-type="dfn" href="#authentication" id="ref-for-authentication④">Authentication</a> are ceremonies, and an <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture⑨">authorization gesture</a> is often a component of
those <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony⑤">ceremonies</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client">Client</dfn>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="webauthn-client">WebAuthn Client</dfn>
    <dd data-md>
     <p>Also referred to herein as simply a <a data-link-type="dfn" href="#client" id="ref-for-client⑨">client</a>. See also <a data-link-type="dfn" href="#conforming-user-agent" id="ref-for-conforming-user-agent③">Conforming User Agent</a>. A <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client①">WebAuthn Client</a> is an intermediary entity typically implemented in the user agent (in whole, or in part). Conceptually, it underlies the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api③">Web Authentication API</a> and embodies the implementation of the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot">[[Create]](origin, options, sameOriginWithAncestors)</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code> <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots">internal methods</a>. It is responsible for both marshalling the inputs for the underlying <a data-link-type="dfn" href="#authenticator-operations" id="ref-for-authenticator-operations">authenticator operations</a>, and for returning the results of the latter operations to the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api④">Web Authentication API</a>'s callers.</p>
     <p>The <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client②">WebAuthn Client</a> runs on, and is distinct from, a <a data-link-type="dfn" href="#webauthn-client-device" id="ref-for-webauthn-client-device">WebAuthn Client Device</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client-device">Client Device</dfn>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="webauthn-client-device">WebAuthn Client Device</dfn>
    <dd data-md>
     <p>The hardware device on which the <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client③">WebAuthn Client</a> runs, for example a smartphone, a laptop computer or a desktop computer, and the
operating system running on that hardware.</p>
     <p>The distinctions between a <a data-link-type="dfn" href="#webauthn-client-device" id="ref-for-webauthn-client-device①">WebAuthn Client Device</a> and a <a data-link-type="dfn" href="#client" id="ref-for-client①⓪">client</a> are:</p>
     <ul>
      <li data-md>
       <p>a single <a data-link-type="dfn" href="#client-device" id="ref-for-client-device⑥">client device</a> MAY support running multiple <a data-link-type="dfn" href="#client" id="ref-for-client①①">clients</a>, i.e., browser implementations,
which all have access to the same <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⑦">authenticators</a> available on that <a data-link-type="dfn" href="#client-device" id="ref-for-client-device⑦">client device</a>, and</p>
      <li data-md>
       <p><a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators⑧">platform authenticators</a> are bound to a <a data-link-type="dfn" href="#client-device" id="ref-for-client-device⑧">client device</a> rather than a <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client④">WebAuthn Client</a>.</p>
     </ul>
     <p>A <a data-link-type="dfn" href="#client-device" id="ref-for-client-device⑨">client device</a> and a <a data-link-type="dfn" href="#client" id="ref-for-client①②">client</a> together constitute a <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑥">client platform</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client-platform">Client Platform</dfn>
    <dd data-md>
     <p>A <a data-link-type="dfn" href="#client-device" id="ref-for-client-device①⓪">client device</a> and a <a data-link-type="dfn" href="#client" id="ref-for-client①③">client</a> together make up a <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑦">client platform</a>. A single hardware device MAY be part of multiple
distinct <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑧">client platforms</a> at different times by running different operating systems and/or <a data-link-type="dfn" href="#client" id="ref-for-client①④">clients</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client-side">Client-Side</dfn>
    <dd data-md>
     <p>This refers in general to the combination of the user’s <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑨">client platform</a>, <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⑧">authenticators</a>, and everything gluing
it all together.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client-side-discoverable-public-key-credential-source">Client-side discoverable Public Key Credential Source</dfn>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client-side-discoverable-credential">Client-side discoverable Credential</dfn>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="discoverable-credential">Discoverable Credential</dfn>
    <dt data-md>[DEPRECATED] <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="resident-credential">Resident Credential</dfn>
    <dt data-md>[DEPRECATED] <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="resident-key">Resident Key</dfn>
    <dd data-md>
     <p class="note" role="note"><span>Note:</span> Historically, <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential">client-side discoverable credentials</a> have been known as <a data-link-type="dfn" href="#resident-credential" id="ref-for-resident-credential">resident credentials</a> or <a data-link-type="dfn" href="#resident-key" id="ref-for-resident-key">resident keys</a>.
Due to the phrases <code>ResidentKey</code> and <code>residentKey</code> being widely used in both the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api⑤">WebAuthn 
API</a> and also in the <a data-link-type="dfn" href="#authenticator-model" id="ref-for-authenticator-model">Authenticator Model</a> (e.g., in dictionary member names, algorithm variable names, and
operation parameters) the usage of <code>resident</code> within their
names has not been changed for backwards compatibility purposes. Also, the term <a data-link-type="dfn" href="#resident-key" id="ref-for-resident-key①">resident key</a> is
defined here as equivalent to a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①">client-side discoverable credential</a>.</p>
     <p>A <a data-link-type="dfn" href="#client-side-discoverable-public-key-credential-source" id="ref-for-client-side-discoverable-public-key-credential-source">Client-side discoverable Public Key Credential Source</a>, or <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential">Discoverable Credential</a> for short,
is a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source②">public key credential source</a> that is <strong><em>discoverable</em></strong> and usable in <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony①">authentication ceremonies</a> where the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪">Relying Party</a> does not provide any <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑤">credential ID</a>s,
i.e., the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①">Relying Party</a> invokes <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②">navigator.credentials.get()</a></code> with an <strong><em><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty" id="ref-for-list-is-empty">empty</a></em></strong> <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials">allowCredentials</a></code> argument. This means that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②">Relying Party</a> does not necessarily need to first identify the user.</p>
     <p>As a consequence, a <a data-link-type="dfn" href="#discoverable-credential-capable" id="ref-for-discoverable-credential-capable">discoverable credential capable</a> <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⑨">authenticator</a> can generate an <a data-link-type="dfn" href="#assertion-signature" id="ref-for-assertion-signature①">assertion signature</a> for a <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential①">discoverable credential</a> given only an <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id">RP ID</a>,
which in turn necessitates that the <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source③">public key credential source</a> is stored in the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator④⓪">authenticator</a> or <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform①⓪">client platform</a>.
This is in contrast to a <a data-link-type="dfn" href="#server-side-public-key-credential-source" id="ref-for-server-side-public-key-credential-source">Server-side Public Key Credential Source</a>,
which requires that the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator④①">authenticator</a> is given both the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id①">RP ID</a> and the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑥">credential ID</a> but does not require <a data-link-type="dfn" href="#client-side" id="ref-for-client-side">client-side</a> storage of the <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source④">public key credential source</a>.</p>
     <p>See also: <a data-link-type="dfn" href="#client-side-credential-storage-modality" id="ref-for-client-side-credential-storage-modality">client-side credential storage modality</a> and <a data-link-type="dfn" href="#non-discoverable-credential" id="ref-for-non-discoverable-credential">non-discoverable credential</a>.</p>
     <p class="note" role="note"><span>Note:</span> <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential②">Client-side discoverable credentials</a> are also usable in <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②">authentication ceremonies</a> where <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑦">credential ID</a>s are given,
i.e., when calling <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③">navigator.credentials.get()</a></code> with a non-<a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty" id="ref-for-list-is-empty①">empty</a> <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials①">allowCredentials</a></code> argument.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="conforming-user-agent">Conforming User Agent</dfn>
    <dd data-md>
     <p>A user agent implementing, in cooperation with the underlying <a data-link-type="dfn" href="#client-device" id="ref-for-client-device①①">client device</a>, the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api⑥">Web Authentication API</a> and algorithms
given in this specification, and handling communication between <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator④②">authenticators</a> and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④③">Relying Parties</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="credential-id">Credential ID</dfn>
    <dd data-md>
     <p>A probabilistically-unique <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#byte-sequence" id="ref-for-byte-sequence">byte sequence</a> identifying a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source⑤">public key credential source</a> and its <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion②">authentication assertions</a>.</p>
     <p>Credential IDs are generated by <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator④③">authenticators</a> in two forms:</p>
     <ol>
      <li data-md>
       <p>At least 16 bytes that include at least 100 bits of entropy, or</p>
      <li data-md>
       <p>The <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source⑥">public key credential source</a>, without its <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑧">Credential ID</a> or <a data-link-type="dfn" href="#public-key-credential-source-mutable-item" id="ref-for-public-key-credential-source-mutable-item">mutable items</a>, encrypted so only its <a data-link-type="dfn" href="#public-key-credential-source-managing-authenticator" id="ref-for-public-key-credential-source-managing-authenticator②">managing authenticator</a> can
decrypt it. This form allows the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator④④">authenticator</a> to be nearly stateless, by having the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④④">Relying Party</a> store any necessary
state.</p>
       <p class="note" role="note"><span>Note:</span> <a data-link-type="biblio" href="#biblio-fido-uaf-authnr-cmds">[FIDO-UAF-AUTHNR-CMDS]</a> includes guidance on encryption techniques under "Security Guidelines".</p>
     </ol>
     <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⑤">Relying Parties</a> do not need to distinguish these two <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑨">Credential ID</a> forms.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="credential-key-pair">Credential Key Pair</dfn>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="credential-private-key">Credential Private Key</dfn>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="credential-public-key">Credential Public Key</dfn>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="user-public-key">User Public Key</dfn>
    <dd data-md>
     <p>A <a data-link-type="dfn" href="#credential-key-pair" id="ref-for-credential-key-pair①">credential key pair</a> is a pair of asymmetric cryptographic keys generated by an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator④⑤">authenticator</a> and <a data-link-type="dfn" href="#scope" id="ref-for-scope⑤">scoped</a> to a specific <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑥">WebAuthn Relying Party</a>. It is the central part of a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential①②">public key credential</a>.</p>
     <p>A <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③">credential public key</a> is the public key portion of a <a data-link-type="dfn" href="#credential-key-pair" id="ref-for-credential-key-pair②">credential key pair</a>.
The <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key④">credential public key</a> is returned to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⑥">Relying Party</a> during a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony">registration ceremony</a>.</p>
     <p>A <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①">credential private key</a> is the private key portion of a <a data-link-type="dfn" href="#credential-key-pair" id="ref-for-credential-key-pair③">credential key pair</a>.
The <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key②">credential private key</a> is bound to a particular <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator④⑥">authenticator</a> — its <a data-link-type="dfn" href="#public-key-credential-source-managing-authenticator" id="ref-for-public-key-credential-source-managing-authenticator③">managing authenticator</a> —
and is expected to never be exposed to any other party, not even to the owner of the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator④⑦">authenticator</a>.</p>
     <p>Note that in the case of <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation②">self
attestation</a>, the <a data-link-type="dfn" href="#credential-key-pair" id="ref-for-credential-key-pair④">credential key pair</a> is also used as the <a data-link-type="dfn" href="#attestation-key-pair" id="ref-for-attestation-key-pair①">attestation key pair</a>, see <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation③">self attestation</a> for details.</p>
     <p class="note" role="note"><span>Note:</span> The <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key⑤">credential public key</a> is referred to as the <a data-link-type="dfn" href="#user-public-key" id="ref-for-user-public-key">user public key</a> in FIDO UAF <a data-link-type="biblio" href="#biblio-uafprotocol">[UAFProtocol]</a>, and in FIDO U2F <a data-link-type="biblio" href="#biblio-fido-u2f-message-formats">[FIDO-U2F-Message-Formats]</a> and some parts of this specification that relate to it.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="credential-properties">Credential Properties</dfn>
    <dd data-md>
     <p>A <a data-link-type="dfn" href="#credential-properties" id="ref-for-credential-properties">credential property</a> is some characteristic property of a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source⑦">public key credential source</a>, such as whether it is a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential③">client-side discoverable credential</a> or a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential">server-side credential</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="human-palatability">Human Palatability</dfn>
    <dd data-md>
     <p>An identifier that is <a data-link-type="dfn" href="#human-palatability" id="ref-for-human-palatability">human-palatable</a> is intended to be rememberable and reproducible by typical human
users, in contrast to identifiers that are, for example, randomly generated sequences of bits <a data-link-type="biblio" href="#biblio-edupersonobjectclassspec">[EduPersonObjectClassSpec]</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="non-discoverable-credential">Non-Discoverable Credential</dfn>
    <dd data-md>
     <p>This is a <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②">credential</a> whose <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id①⓪">credential ID</a> must be provided in <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials②">allowCredentials</a></code> when calling <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get④">navigator.credentials.get()</a></code> because it is not <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential④">client-side discoverable</a>. See also <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential①">server-side credentials</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="public-key-credential-source">Public Key Credential Source</dfn>
    <dd data-md>
     <p>A <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#credential-source" id="ref-for-credential-source">credential source</a> (<a data-link-type="biblio" href="#biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]</a>) used by an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator④⑧">authenticator</a> to generate <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion③">authentication assertions</a>. A <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source⑧">public key credential source</a> consists of a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#struct" id="ref-for-struct">struct</a> with the following <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#struct-item" id="ref-for-struct-item">items</a>:</p>
     <dl>
      <dt data-md><dfn class="dfn-paneled" data-dfn-for="public key credential source" data-dfn-type="dfn" data-noexport id="public-key-credential-source-type">type</dfn>
      <dd data-md>
       <p>whose value is of <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype">PublicKeyCredentialType</a></code>, defaulting to <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialtype-public-key" id="ref-for-dom-publickeycredentialtype-public-key">public-key</a></code>.</p>
      <dt data-md><dfn class="dfn-paneled" data-dfn-for="public key credential source" data-dfn-type="dfn" data-noexport id="public-key-credential-source-id">id</dfn>
      <dd data-md>
       <p>A <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id①①">Credential ID</a>.</p>
      <dt data-md><dfn class="dfn-paneled" data-dfn-for="public key credential source" data-dfn-type="dfn" data-noexport id="public-key-credential-source-privatekey">privateKey</dfn>
      <dd data-md>
       <p>The <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key③">credential private key</a>.</p>
      <dt data-md><dfn class="dfn-paneled" data-dfn-for="public key credential source" data-dfn-type="dfn" data-noexport id="public-key-credential-source-rpid">rpId</dfn>
      <dd data-md>
       <p>The <a data-link-type="dfn" href="#relying-party-identifier" id="ref-for-relying-party-identifier">Relying Party Identifier</a>, for the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⑦">Relying Party</a> this <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source⑨">public key credential source</a> is <a data-link-type="dfn" href="#scope" id="ref-for-scope⑥">scoped</a> to.</p>
      <dt data-md><dfn class="dfn-paneled" data-dfn-for="public key credential source" data-dfn-type="dfn" data-noexport id="public-key-credential-source-userhandle">userHandle</dfn>
      <dd data-md>
       <p>The <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle①">user handle</a> associated when this <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source①⓪">public key credential source</a> was created. This <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#struct-item" id="ref-for-struct-item①">item</a> is
nullable.</p>
      <dt data-md><dfn class="dfn-paneled" data-dfn-for="public key credential source" data-dfn-type="dfn" data-noexport id="public-key-credential-source-otherui">otherUI</dfn>
      <dd data-md>
       <p>OPTIONAL other information used by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator④⑨">authenticator</a> to inform its UI. For example, this might include the user’s <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname">displayName</a></code>. <a data-link-type="dfn" href="#public-key-credential-source-otherui" id="ref-for-public-key-credential-source-otherui">otherUI</a> is a <dfn class="dfn-paneled" data-dfn-for="public key credential source" data-dfn-type="dfn" data-noexport id="public-key-credential-source-mutable-item">mutable item</dfn> and SHOULD NOT be bound to the <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source①①">public key credential source</a> in a way that prevents <a data-link-type="dfn" href="#public-key-credential-source-otherui" id="ref-for-public-key-credential-source-otherui①">otherUI</a> from being updated.</p>
     </dl>
     <p>The <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential①">authenticatorMakeCredential</a> operation creates a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source①②">public key credential source</a> <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential③">bound</a> to a <dfn class="dfn-paneled" data-dfn-for="public key
credential source" data-dfn-type="dfn" data-noexport id="public-key-credential-source-managing-authenticator">managing authenticator</dfn> and returns the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key⑥">credential public key</a> associated with its <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key④">credential
private key</a>. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⑧">Relying Party</a> can use this <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key⑦">credential public key</a> to verify the <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion④">authentication assertions</a> created by
this <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source①③">public key credential source</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="public-key-credential">Public Key Credential</dfn>
    <dd data-md>
     <p>Generically, a <em>credential</em> is data one entity presents to another in order to <em>authenticate</em> the former to the latter <a data-link-type="biblio" href="#biblio-rfc4949">[RFC4949]</a>. The term <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential①③">public key credential</a> refers to one of: a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source①④">public key credential source</a>, the
possibly-<a data-link-type="dfn" href="#attestation" id="ref-for-attestation⑤">attested</a> <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key⑧">credential public key</a> corresponding to a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source①⑤">public key credential source</a>, or an <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion⑤">authentication assertion</a>. Which one is generally determined by context.</p>
     <div class="note" role="note">
       Note: This is a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#willful-violation" id="ref-for-willful-violation">willful violation</a> of <a data-link-type="biblio" href="#biblio-rfc4949">[RFC4949]</a>. In English, a "credential" is both a) the thing presented to prove
    a statement and b) intended to be used multiple times. It’s impossible to achieve both criteria securely with a single
    piece of data in a public key system. <a data-link-type="biblio" href="#biblio-rfc4949">[RFC4949]</a> chooses to define a credential as the thing that can be used multiple
    times (the public key), while this specification gives "credential" the English term’s flexibility. This specification
    uses more specific terms to identify the data related to an <a data-link-type="biblio" href="#biblio-rfc4949">[RFC4949]</a> credential: 
      <dl>
       <dt data-md>"Authentication information" (possibly including a private key)
       <dd data-md>
        <p><a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source①⑥">Public key credential source</a></p>
       <dt data-md>"Signed value"
       <dd data-md>
        <p><a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion⑥">Authentication assertion</a></p>
       <dt data-md><a data-link-type="biblio" href="#biblio-rfc4949">[RFC4949]</a> "credential"
       <dd data-md>
        <p><a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key⑨">Credential public key</a> or <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object②">attestation object</a></p>
      </dl>
     </div>
     <p>At <a data-link-type="dfn" href="#registration" id="ref-for-registration①⓪">registration</a> time, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑤⓪">authenticator</a> creates an asymmetric key pair, and stores its <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key⑤">private key portion</a> and information from the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⑨">Relying Party</a> into a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source①⑦">public key credential source</a>. The <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key①⓪">public key portion</a> is returned to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑤⓪">Relying Party</a>, who then stores it in conjunction with the present user’s account.
Subsequently, only that <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑤①">Relying Party</a>, as identified by its <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②">RP ID</a>, is able to employ the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential①④">public key credential</a> in <a data-link-type="dfn" href="#authentication" id="ref-for-authentication⑤">authentication ceremonies</a>, via the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get⑤">get()</a></code> method. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑤②">Relying Party</a> uses its stored
copy of the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key①①">credential public key</a> to verify the resultant <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion⑦">authentication assertion</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="rate-limiting">Rate Limiting</dfn>
    <dd data-md>
     <p>The process (also known as throttling) by which an authenticator implements controls against brute force attacks by limiting
the number of consecutive failed authentication attempts within a given period of time. If the limit is reached, the
authenticator should impose a delay that increases exponentially with each successive attempt, or disable the current
authentication modality and offer a different <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af">authentication factor</a> if available. <a data-link-type="dfn" href="#rate-limiting" id="ref-for-rate-limiting">Rate limiting</a> is often implemented as an
aspect of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③">user verification</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="registration">Registration</dfn>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="registration-ceremony">Registration Ceremony</dfn>
    <dd data-md>
     <p>The <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony⑥">ceremony</a> where a user, a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑤③">Relying Party</a>, and the user’s <a data-link-type="dfn" href="#client" id="ref-for-client①⑤">client</a> (containing at least one <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑤①">authenticator</a>) work in concert to create a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential①⑤">public key credential</a> and associate it with the user’s <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑤④">Relying Party</a> account.
Note that this includes employing a <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence②">test of user presence</a> or <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④">user verification</a>.
After a successful <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①">registration ceremony</a>, the user can be authenticated by an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony③">authentication ceremony</a>.</p>
     <p>The WebAuthn <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony②">registration ceremony</a> is defined in <a href="#sctn-registering-a-new-credential">§ 7.1 Registering a New Credential</a>,
and is initiated by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑤⑤">Relying Party</a> calling <code><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create①">navigator.credentials.create()</a></code></code> with a <code class="idl"><a data-link-type="idl" href="#dom-credentialcreationoptions-publickey" id="ref-for-dom-credentialcreationoptions-publickey">publicKey</a></code> argument.
See <a href="#sctn-api">§ 5 Web Authentication API</a> for an introductory overview and <a href="#sctn-sample-registration">§ 1.3.1 Registration</a> for implementation examples.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="relying-party">Relying Party</dfn>
    <dd data-md>
     <p>See <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑦">WebAuthn Relying Party</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="relying-party-identifier">Relying Party Identifier</dfn>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="rp-id">RP ID</dfn>
    <dd data-md>
     <p>In the context of the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api⑦">WebAuthn API</a>, a <a data-link-type="dfn" href="#relying-party-identifier" id="ref-for-relying-party-identifier①">relying party identifier</a> is a <a data-link-type="dfn" href="https://url.spec.whatwg.org/#valid-domain-string" id="ref-for-valid-domain-string">valid domain string</a> identifying the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑧">WebAuthn Relying Party</a> on whose behalf a given <a data-link-type="dfn" href="#registration" id="ref-for-registration①①">registration</a> or <a data-link-type="dfn" href="#authentication" id="ref-for-authentication⑥">authentication ceremony</a> is being performed. A <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential①⑥">public key credential</a> can only be used for <a data-link-type="dfn" href="#authentication" id="ref-for-authentication⑦">authentication</a> with the same entity (as identified by <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③">RP ID</a>) it was registered with.</p>
     <p>By default, the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④">RP ID</a> for a
WebAuthn operation is set to the caller’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin" id="ref-for-concept-settings-object-origin">origin</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain">effective domain</a>. This default MAY be
overridden by the caller, as long as the caller-specified <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤">RP ID</a> value <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to" id="ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to①">is a registrable domain suffix of or is equal
to</a> the caller’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin" id="ref-for-concept-settings-object-origin①">origin</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain①">effective domain</a>. See also <a href="#sctn-createCredential">§ 5.1.3 Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> and <a href="#sctn-getAssertion">§ 5.1.4 Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method</a>.</p>
     <div class="note" id="note-pkcredscope" role="note">
      <a class="self-link" href="#note-pkcredscope"></a> Note: An <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑥">RP ID</a> is based on a <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-host" id="ref-for-concept-url-host">host</a>'s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-domain" id="ref-for-concept-domain">domain</a> name. It does not itself include a <a data-link-type="dfn" href="https://url.spec.whatwg.org#concept-url-scheme" id="ref-for-concept-url-scheme">scheme</a> or <a data-link-type="dfn" href="https://url.spec.whatwg.org#concept-url-port" id="ref-for-concept-url-port">port</a>, as an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin③">origin</a> does. The <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑦">RP ID</a> of a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential①⑦">public key credential</a> determines its <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="scope">scope</dfn>. I.e., it <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised">determines the set of origins on which the public key credential may be exercised</dfn>, as follows: 
      <ul>
       <li data-md>
        <p>The <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑧">RP ID</a> must be equal to the <a data-link-type="dfn" href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised" id="ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised">origin</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain②">effective domain</a>, or a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to" id="ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to②">registrable domain suffix</a> of the <a data-link-type="dfn" href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised" id="ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised①">origin</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain③">effective domain</a>.</p>
       <li data-md>
        <p>The <a data-link-type="dfn" href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised" id="ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised②">origin</a>'s <a data-link-type="dfn" href="https://url.spec.whatwg.org#concept-url-scheme" id="ref-for-concept-url-scheme①">scheme</a> must be <code>https</code>.</p>
       <li data-md>
        <p>The <a data-link-type="dfn" href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised" id="ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised③">origin</a>'s <a data-link-type="dfn" href="https://url.spec.whatwg.org#concept-url-port" id="ref-for-concept-url-port①">port</a> is unrestricted.</p>
      </ul>
      <p>For example, given a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑤⑥">Relying Party</a> whose origin is <code>https://login.example.com:1337</code>, then the following <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑨">RP ID</a>s are valid: <code>login.example.com</code> (default) and <code>example.com</code>, but not <code>m.login.example.com</code> and not <code>com</code>.</p>
      <p>This is done in order to match the behavior of pervasively deployed ambient credentials (e.g., cookies, <a data-link-type="biblio" href="#biblio-rfc6265">[RFC6265]</a>).
    Please note that this is a greater relaxation of "same-origin" restrictions than what <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#dom-document-domain" id="ref-for-dom-document-domain">document.domain</a>'s setter provides.</p>
      <p>These restrictions on origin values apply to <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client⑤">WebAuthn Clients</a>.</p>
     </div>
     <p>Other specifications mimicking the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api⑧">WebAuthn API</a> to enable WebAuthn <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential①⑧">public key credentials</a> on non-Web platforms (e.g., native mobile applications) MAY define different rules for binding a caller to a <a data-link-type="dfn" href="#relying-party-identifier" id="ref-for-relying-party-identifier②">Relying Party Identifier</a>. However, the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id①⓪">RP ID</a> syntax MUST still conform to either <a data-link-type="dfn" href="https://url.spec.whatwg.org/#valid-domain-string" id="ref-for-valid-domain-string①">valid domain strings</a> or URIs <a data-link-type="biblio" href="#biblio-rfc3986">[RFC3986]</a> <a data-link-type="biblio" href="#biblio-url">[URL]</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="server-side-public-key-credential-source">Server-side Public Key Credential Source</dfn>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="server-side-credential">Server-side Credential</dfn>
    <dt data-md>[DEPRECATED] <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="non-resident-credential">Non-Resident Credential</dfn>
    <dd data-md>
     <p class="note" role="note"><span>Note:</span> Historically, <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential②">server-side credentials</a> have been known as <a data-link-type="dfn" href="#non-resident-credential" id="ref-for-non-resident-credential">non-resident credentials</a>.
For backwards compatibility purposes, the various <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api⑨">WebAuthn API</a> and <a data-link-type="dfn" href="#authenticator-model" id="ref-for-authenticator-model①">Authenticator Model</a> components
with various forms of <code>resident</code> within their names have not been changed.</p>
     <p>A <a data-link-type="dfn" href="#server-side-public-key-credential-source" id="ref-for-server-side-public-key-credential-source①">Server-side Public Key Credential Source</a>, or <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential③">Server-side Credential</a> for short,
is a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source①⑧">public key credential source</a> that is only usable in an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony④">authentication ceremony</a> when the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑤⑦">Relying Party</a> supplies its <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id①②">credential ID</a> in <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get⑥">navigator.credentials.get()</a></code>'s <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials③">allowCredentials</a></code> argument. This means that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑤⑧">Relying Party</a> must
manage the credential’s storage and discovery, as well as be able to first identify the user in order to
discover the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id①③">credential IDs</a> to supply in the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get⑦">navigator.credentials.get()</a></code> call.</p>
     <p><a data-link-type="dfn" href="#client-side" id="ref-for-client-side①">Client-side</a> storage of the <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source①⑨">public key credential source</a> is not required for a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential④">server-side credential</a>.
This is in contrast to a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential⑤">client-side discoverable credential</a>,
which instead does not require the user to first be identified in order to provide the user’s <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id①④">credential ID</a>s
to a <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get⑧">navigator.credentials.get()</a></code> call.</p>
     <p>See also: <a data-link-type="dfn" href="#server-side-credential-storage-modality" id="ref-for-server-side-credential-storage-modality">server-side credential storage modality</a> and <a data-link-type="dfn" href="#non-discoverable-credential" id="ref-for-non-discoverable-credential①">non-discoverable credential</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="test-of-user-presence">Test of User Presence</dfn>
    <dd data-md>
     <p>A <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence③">test of user presence</a> is a simple form of <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture①⓪">authorization gesture</a> and technical process where a user interacts with
an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑤②">authenticator</a> by (typically) simply touching it (other modalities may also exist), yielding a Boolean result. Note
that this does not constitute <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑤">user verification</a> because a <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence④">user presence test</a>, by definition,
is not capable of <a data-link-type="dfn" href="#biometric-recognition" id="ref-for-biometric-recognition①">biometric recognition</a>, nor does it involve the presentation of a shared secret such as a password or
PIN.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="user-consent">User Consent</dfn>
    <dd data-md>
     <p>User consent means the user agrees with what they are being asked, i.e., it encompasses reading and understanding prompts.
An <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture①①">authorization gesture</a> is a <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony⑦">ceremony</a> component often employed to indicate <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent④">user consent</a>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="user-handle">User Handle</dfn>
    <dd data-md>
     <p>The user handle is specified by a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑤⑨">Relying Party</a>, as the value of <code><code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-user" id="ref-for-dom-publickeycredentialcreationoptions-user">user</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-id" id="ref-for-dom-publickeycredentialuserentity-id">id</a></code></code>, and used to <a data-link-type="dfn" href="#authenticator-credentials-map" id="ref-for-authenticator-credentials-map">map</a> a specific <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential①⑨">public key credential</a> to a specific user account with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑥⓪">Relying Party</a>. Authenticators in turn <a data-link-type="dfn" href="#authenticator-credentials-map" id="ref-for-authenticator-credentials-map①">map</a> <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id①①">RP ID</a>s and user handle pairs
to <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source②⓪">public key credential sources</a>.</p>
     <p>A user handle is an opaque <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#byte-sequence" id="ref-for-byte-sequence①">byte sequence</a> with a maximum size of 64 bytes, and is not meant to be displayed to the user.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="user-verification">User Verification</dfn>
    <dd data-md>
     <p>The technical process by which an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑤③">authenticator</a> <em>locally authorizes</em> the invocation of the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential②">authenticatorMakeCredential</a> and <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①">authenticatorGetAssertion</a> operations. <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑥">User verification</a> MAY be instigated
through various <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture①②">authorization gesture</a> modalities; for example, through a touch plus PIN code, password entry, or <a data-link-type="dfn" href="#biometric-recognition" id="ref-for-biometric-recognition②">biometric recognition</a> (e.g., presenting a fingerprint) <a data-link-type="biblio" href="#biblio-isobiometricvocabulary">[ISOBiometricVocabulary]</a>. The intent is to
distinguish individual users.</p>
     <p>Note that <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑦">user verification</a> does not give the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑥①">Relying Party</a> a concrete identification of the user,
but when two or more ceremonies with <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑧">user verification</a> have been performed with that <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential③">credential</a>, it indicates that the same user performed all of them.
The same user might not always be the same natural person, however,
if multiple natural persons share access to the same <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑤④">authenticator</a>.</p>
     <p class="note" role="note"><span>Note:</span> Distinguishing natural persons depends in significant part upon the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform①①">client platform</a>'s
and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑤⑤">authenticator</a>'s capabilities.
For example, some devices are intended to be used by a single individual,
yet they may allow multiple natural persons to enroll fingerprints or know the same PIN
and thus access the same <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑥②">Relying Party</a> account(s) using that device.</p>
     <div class="note" role="note">
       Note: Invocation of the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential③">authenticatorMakeCredential</a> and <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion②">authenticatorGetAssertion</a> operations
    implies use of key material managed by the authenticator. 
      <p>Also, for security, <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑨">user verification</a> and use of <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key⑥">credential private keys</a> must all occur within the logical security boundary defining the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑤⑥">authenticator</a>.</p>
     </div>
     <p><a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification①⓪">User verification</a> procedures MAY implement <a data-link-type="dfn" href="#rate-limiting" id="ref-for-rate-limiting①">rate limiting</a> as a protection against brute force attacks.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="concept-user-present">User Present</dfn>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="up">UP</dfn>
    <dd data-md>
     <p>Upon successful completion of a <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence⑤">user presence test</a>, the user is said to be
"<a data-link-type="dfn" href="#concept-user-present" id="ref-for-concept-user-present">present</a>".</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="concept-user-verified">User Verified</dfn>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="uv">UV</dfn>
    <dd data-md>
     <p>Upon successful completion of a <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification①①">user verification</a> process, the user is said to be "<a data-link-type="dfn" href="#concept-user-verified" id="ref-for-concept-user-verified">verified</a>".</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="webauthn-relying-party">WebAuthn Relying Party</dfn>
    <dd data-md>
     <p>The entity whose <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="web-application">web application</dfn> utilizes the <a href="#sctn-api">Web Authentication API</a> to <a data-link-type="dfn" href="#registration" id="ref-for-registration①②">register</a> and <a data-link-type="dfn" href="#authentication" id="ref-for-authentication⑧">authenticate</a> users.</p>
     <p>A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑥③">Relying Party</a> implementation typically consists of both some client-side script
that invokes the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api①⓪">Web Authentication API</a> in the <a data-link-type="dfn" href="#client" id="ref-for-client①⑥">client</a>,
and a server-side component that executes the <a href="#sctn-rp-operations">Relying Party operations</a> and other application logic.
Communication between the two components MUST use HTTPS or equivalent transport security,
but is otherwise beyond the scope of this specification.</p>
     <p class="note" role="note"><span>Note:</span> While the term <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑥④">Relying Party</a> is also often used in other contexts (e.g., X.509 and OAuth), an entity acting as a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑥⑤">Relying Party</a> in one
    context is not necessarily a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑥⑥">Relying Party</a> in other contexts. In this specification, the term <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑨">WebAuthn Relying Party</a> is often shortened
    to be just <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑥⑦">Relying Party</a>, and explicitly refers to a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑥⑧">Relying Party</a> in the WebAuthn context. Note that in any concrete instantiation
    a WebAuthn context may be embedded in a broader overall context, e.g., one based on OAuth.</p>
   </dl>
   <h2 class="heading settled" data-level="5" id="sctn-api"><span class="secno">5. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="web-authentication-api">Web Authentication API</dfn></span><a class="self-link" href="#sctn-api"></a></h2>
   <p>This section normatively specifies the API for creating and using <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential②⓪">public key credentials</a>. The basic
idea is that the credentials belong to the user and are <a data-link-type="dfn" href="#public-key-credential-source-managing-authenticator" id="ref-for-public-key-credential-source-managing-authenticator④">managed</a> by a <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator③">WebAuthn Authenticator</a>, with which the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party①⓪">WebAuthn Relying Party</a> interacts through the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform①②">client platform</a>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑥⑨">Relying Party</a> scripts can (with the <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent⑤">user’s consent</a>) request the
browser to create a new credential for future use by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑦⓪">Relying Party</a>. See <a href="#fig-registration">Figure <span class="figure-num-following"></span></a>, below.</p>
   <figure id="fig-registration">
     <img src="images/webauthn-registration-flow-01.svg" alt="Registration Flow">
    <figcaption>Registration Flow</figcaption>
   </figure>
   <p>Scripts can also request the user’s permission to perform <a data-link-type="dfn" href="#authentication" id="ref-for-authentication⑨">authentication</a> operations with an existing credential. See <a href="#fig-authentication">Figure <span class="figure-num-following"></span></a>, below.</p>
   <figure id="fig-authentication">
     <img src="images/webauthn-authentication-flow-01.svg" alt="Authentication Flow">
    <figcaption>Authentication Flow</figcaption>
   </figure>
   <p>All such operations are performed in the authenticator and are mediated by
the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform①③">client platform</a> on the user’s behalf. At no point does the script get access to the credentials themselves; it only
gets information about the credentials in the form of objects.</p>
   <p>In addition to the above script interface, the authenticator MAY implement (or come with client software that implements) a user
interface for management. Such an interface MAY be used, for example, to reset the authenticator to a clean state or to inspect
the current state of the authenticator. In other words, such an interface is similar to the user interfaces provided by browsers
for managing user state such as history, saved passwords, and cookies. Authenticator management actions such as credential
deletion are considered to be the responsibility of such a user interface and are deliberately omitted from the API exposed to
scripts.</p>
   <p>The security properties of this API are provided by the client and the authenticator working together. The authenticator, which
holds and <a data-link-type="dfn" href="#public-key-credential-source-managing-authenticator" id="ref-for-public-key-credential-source-managing-authenticator⑤">manages</a> credentials, ensures that all operations are <a data-link-type="dfn" href="#scope" id="ref-for-scope⑦">scoped</a> to a particular <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin④">origin</a>, and cannot be replayed against
a different <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin⑤">origin</a>, by incorporating the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin⑥">origin</a> in its responses. Specifically, as defined in <a href="#sctn-authenticator-ops">§ 6.3 Authenticator Operations</a>,
the full <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin⑦">origin</a> of the requester is included, and signed over, in the <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object③">attestation object</a> produced when a new credential
is created as well as in all assertions produced by WebAuthn credentials.</p>
   <p>Additionally, to maintain user privacy and prevent malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑦①">Relying Parties</a> from probing for the presence of <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential②①">public key
credentials</a> belonging to other <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑦②">Relying Parties</a>, each <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential②②">credential</a> is also <a data-link-type="dfn" href="#scope" id="ref-for-scope⑧">scoped</a> to a <a data-link-type="dfn" href="#relying-party-identifier" id="ref-for-relying-party-identifier③">Relying Party
Identifier</a>, or <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id①②">RP ID</a>. This <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id①③">RP ID</a> is provided by the client to the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑤⑦">authenticator</a> for all operations, and the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑤⑧">authenticator</a> ensures that <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential②③">credentials</a> created by a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑦③">Relying Party</a> can only be used in operations
requested by the same <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id①④">RP ID</a>. Separating the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin⑧">origin</a> from the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id①⑤">RP ID</a> in this way allows the API to be used in cases
where a single <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑦④">Relying Party</a> maintains multiple <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin⑨">origins</a>.</p>
   <p>The client facilitates these security measures by providing the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑦⑤">Relying Party</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①⓪">origin</a> and <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id①⑥">RP ID</a> to the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑤⑨">authenticator</a> for
each operation. Since this is an integral part of the WebAuthn security model, user agents only expose this API to callers in <a data-link-type="dfn" href="https://w3c.github.io/webappsec-secure-contexts/#secure-contexts" id="ref-for-secure-contexts">secure contexts</a>.
For web contexts in particular,
this only includes those accessed via a secure transport (e.g., TLS) established without errors.</p>
   <p>The Web Authentication API is defined by the union of the Web IDL fragments presented in the following sections. A combined IDL
listing is given in the <a href="#idl-index">IDL Index</a>.</p>
   <h3 class="heading settled" data-level="5.1" id="iface-pkcredential"><span class="secno">5.1. </span><span class="content"><dfn class="dfn-paneled idl-code" data-dfn-type="interface" data-export id="publickeycredential"><code>PublicKeyCredential</code></dfn> Interface</span><a class="self-link" href="#iface-pkcredential"></a></h3>
   <p>The <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential①">PublicKeyCredential</a></code> interface inherits from <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential" id="ref-for-credential①">Credential</a></code> <a data-link-type="biblio" href="#biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]</a>, and contains the attributes
that are returned to the caller when a new credential is created, or a new assertion is requested.</p>
<pre class="idl highlight def">[<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext" id="ref-for-SecureContext"><c- g>SecureContext</c-></a>, <a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#Exposed" id="ref-for-Exposed"><c- g>Exposed</c-></a>=<c- n>Window</c->]
<c- b>interface</c-> <a class="idl-code" data-link-type="interface" href="#publickeycredential" id="ref-for-publickeycredential②"><c- g>PublicKeyCredential</c-></a> : <a data-link-type="idl-name" href="https://w3c.github.io/webappsec-credential-management/#credential" id="ref-for-credential②"><c- n>Credential</c-></a> {
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject" id="ref-for-SameObject"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer"><c- b>ArrayBuffer</c-></a>              <dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="attribute" data-export data-readonly data-type="ArrayBuffer" id="dom-publickeycredential-rawid"><code><c- g>rawId</c-></code></dfn>;
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject" id="ref-for-SameObject①"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a data-link-type="idl-name" href="#authenticatorresponse" id="ref-for-authenticatorresponse"><c- n>AuthenticatorResponse</c-></a>    <a class="idl-code" data-link-type="attribute" data-readonly data-type="AuthenticatorResponse" href="#dom-publickeycredential-response" id="ref-for-dom-publickeycredential-response"><c- g>response</c-></a>;
    <a data-link-type="idl-name" href="#dictdef-authenticationextensionsclientoutputs" id="ref-for-dictdef-authenticationextensionsclientoutputs"><c- n>AuthenticationExtensionsClientOutputs</c-></a> <dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="method" data-export data-lt="getClientExtensionResults()" id="dom-publickeycredential-getclientextensionresults"><code><c- g>getClientExtensionResults</c-></code></dfn>();
};
</pre>
   <dl>
    <dt data-md><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-id" id="ref-for-dom-credential-id">id</a></code>
    <dd data-md>
     <p>This attribute is inherited from <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential" id="ref-for-credential③">Credential</a></code>, though <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential③">PublicKeyCredential</a></code> overrides <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential" id="ref-for-credential④">Credential</a></code>'s getter,
instead returning the <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding">base64url encoding</a> of the data contained in the object’s <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-identifier-slot" id="ref-for-dom-publickeycredential-identifier-slot">[[identifier]]</a></code> <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots①">internal slot</a>.</p>
    <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-rawid" id="ref-for-dom-publickeycredential-rawid">rawId</a></code>
    <dd data-md>
     <p>This attribute returns the <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer①">ArrayBuffer</a></code> contained in the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-identifier-slot" id="ref-for-dom-publickeycredential-identifier-slot①">[[identifier]]</a></code> internal slot.</p>
    <dt data-md>
     <p><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="attribute" data-export id="dom-publickeycredential-response"><code>response</code></dfn>, <span> of type <a data-link-type="idl-name" href="#authenticatorresponse" id="ref-for-authenticatorresponse①">AuthenticatorResponse</a>, readonly</span></p>
    <dd data-md>
     <p>This attribute contains the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑥⓪">authenticator</a>'s response to the client’s request to either create a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential②④">public key
credential</a>, or generate an <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion⑧">authentication assertion</a>. If the <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential④">PublicKeyCredential</a></code> is created in response to <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②">create()</a></code>, this attribute’s value will be an <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse">AuthenticatorAttestationResponse</a></code>; otherwise,
the <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential⑤">PublicKeyCredential</a></code> was created in response to <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get⑨">get()</a></code>, and this attribute’s value
will be an <code class="idl"><a data-link-type="idl" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse①">AuthenticatorAssertionResponse</a></code>.</p>
    <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-getclientextensionresults" id="ref-for-dom-publickeycredential-getclientextensionresults">getClientExtensionResults()</a></code>
    <dd data-md>
     <p>This operation returns the value of <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-clientextensionsresults-slot" id="ref-for-dom-publickeycredential-clientextensionsresults-slot">[[clientExtensionsResults]]</a></code>, which is a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map" id="ref-for-ordered-map">map</a> containing <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier">extension identifier</a> → <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output">client extension output</a> entries produced by the extension’s <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing">client extension processing</a>.</p>
    <dt data-md><dfn class="idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="attribute" data-export id="dom-publickeycredential-type-slot"><code>[[type]]</code><a class="self-link" href="#dom-publickeycredential-type-slot"></a></dfn>
    <dd data-md>
     <p>The <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential⑥">PublicKeyCredential</a></code> <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object" id="ref-for-dfn-interface-object">interface object</a>'s <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-type-slot" id="ref-for-dom-credential-type-slot">[[type]]</a></code> <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots②">internal slot</a>'s value is the string
"<code>public-key</code>".</p>
     <p class="note" role="note"><span>Note:</span> This is reflected via the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-type" id="ref-for-dom-credential-type">type</a></code> attribute getter inherited from <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential" id="ref-for-credential⑤">Credential</a></code>.</p>
    <dt data-md><dfn class="idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="attribute" data-export id="dom-publickeycredential-discovery-slot"><code>[[discovery]]</code><a class="self-link" href="#dom-publickeycredential-discovery-slot"></a></dfn>
    <dd data-md>
     <p>The <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential⑦">PublicKeyCredential</a></code> <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object" id="ref-for-dfn-interface-object①">interface object</a>'s <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-discovery-slot" id="ref-for-dom-credential-discovery-slot">[[discovery]]</a></code> <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots③">internal slot</a>'s value is
"<code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-discovery-remote" id="ref-for-dom-credential-discovery-remote">remote</a></code>".</p>
    <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="attribute" data-export id="dom-publickeycredential-identifier-slot"><code>[[identifier]]</code></dfn>
    <dd data-md>
     <p>This <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots④">internal slot</a> contains the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id①⑤">credential ID</a>, chosen by the authenticator.
The <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id①⑥">credential ID</a> is used to look up credentials for use, and is therefore expected to be globally unique
with high probability across all credentials of the same type, across all authenticators.</p>
     <p class="note" role="note"><span>Note:</span> This API does not constrain
the format or length of this identifier, except that it MUST be sufficient for the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑥①">authenticator</a> to uniquely select a key.
For example, an authenticator without on-board storage may create identifiers containing a <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key⑦">credential private key</a> wrapped with a symmetric key that is burned into the authenticator.</p>
    <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="attribute" data-export id="dom-publickeycredential-clientextensionsresults-slot"><code>[[clientExtensionsResults]]</code></dfn>
    <dd data-md>
     <p>This <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots⑤">internal slot</a> contains the results of processing client extensions requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑦⑥">Relying Party</a> upon the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑦⑦">Relying Party</a>'s invocation of either <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create③">navigator.credentials.create()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get①⓪">navigator.credentials.get()</a></code>.</p>
   </dl>
   <p><code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential⑧">PublicKeyCredential</a></code>'s <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object" id="ref-for-dfn-interface-object②">interface object</a> inherits <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential" id="ref-for-credential⑥">Credential</a></code>'s implementation of <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#collectfromcredentialstore-origin-options-sameoriginwithancestors" id="ref-for-collectfromcredentialstore-origin-options-sameoriginwithancestors">[[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors)</a></code>, and defines its own
implementation of <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot①">[[Create]](origin, options, sameOriginWithAncestors)</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot①">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code>, and <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#store-credential-sameoriginwithancestors" id="ref-for-store-credential-sameoriginwithancestors">[[Store]](credential, sameOriginWithAncestors)</a></code>.</p>
   <h4 class="heading settled" data-level="5.1.1" id="sctn-credentialcreationoptions-extension"><span class="secno">5.1.1. </span><span class="content"><code>CredentialCreationOptions</code> Dictionary Extension</span><a class="self-link" href="#sctn-credentialcreationoptions-extension"></a></h4>
   <p>To support registration via <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create④">navigator.credentials.create()</a></code>, this document extends
the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialcreationoptions" id="ref-for-dictdef-credentialcreationoptions">CredentialCreationOptions</a></code> dictionary as follows:</p>
<pre class="idl highlight def"><c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialcreationoptions" id="ref-for-dictdef-credentialcreationoptions①"><c- g>CredentialCreationOptions</c-></a> {
    <a data-link-type="idl-name" href="#dictdef-publickeycredentialcreationoptions" id="ref-for-dictdef-publickeycredentialcreationoptions"><c- n>PublicKeyCredentialCreationOptions</c-></a>      <dfn class="dfn-paneled idl-code" data-dfn-for="CredentialCreationOptions" data-dfn-type="dict-member" data-export data-type="PublicKeyCredentialCreationOptions      " id="dom-credentialcreationoptions-publickey"><code><c- g>publicKey</c-></code></dfn>;
};
</pre>
   <h4 class="heading settled" data-level="5.1.2" id="sctn-credentialrequestoptions-extension"><span class="secno">5.1.2. </span><span class="content"><code>CredentialRequestOptions</code> Dictionary Extension</span><a class="self-link" href="#sctn-credentialrequestoptions-extension"></a></h4>
   <p>To support obtaining assertions via <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get①①">navigator.credentials.get()</a></code>, this document extends the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions">CredentialRequestOptions</a></code> dictionary as follows:</p>
<pre class="idl highlight def"><c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions①"><c- g>CredentialRequestOptions</c-></a> {
    <a data-link-type="idl-name" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions"><c- n>PublicKeyCredentialRequestOptions</c-></a>      <dfn class="dfn-paneled idl-code" data-dfn-for="CredentialRequestOptions" data-dfn-type="dict-member" data-export data-type="PublicKeyCredentialRequestOptions      " id="dom-credentialrequestoptions-publickey"><code><c- g>publicKey</c-></code></dfn>;
};
</pre>
   <h4 class="heading settled" data-level="5.1.3" id="sctn-createCredential"><span class="secno">5.1.3. </span><span class="content">Create a New Credential - PublicKeyCredential’s <code>[[Create]](origin, options, sameOriginWithAncestors)</code> Method</span><a class="self-link" href="#sctn-createCredential"></a></h4>
   <div data-link-for-hint="PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)">
     <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential⑨">PublicKeyCredential</a></code>'s <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object" id="ref-for-dfn-interface-object③">interface object</a>'s implementation of the <dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="method" data-export data-lt="[[Create]](origin, options, sameOriginWithAncestors)" id="dom-publickeycredential-create-slot"><code>[[Create]](origin,
options, sameOriginWithAncestors)</code></dfn> <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots⑥">internal method</a> <a data-link-type="biblio" href="#biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]</a> allows <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party①①">WebAuthn Relying Party</a> scripts to call <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create⑤">navigator.credentials.create()</a></code> to request the creation of a new <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source②①">public key credential source</a>, <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential④">bound</a> to an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑥②">authenticator</a>. This <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create⑥">navigator.credentials.create()</a></code> operation can be aborted by leveraging the <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#abortcontroller" id="ref-for-abortcontroller">AbortController</a></code>;
see <a href="https://dom.spec.whatwg.org/#abortcontroller-api-integration">DOM §3.3 Using AbortController and AbortSignal objects in APIs</a> for detailed instructions. 
    <p>This <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots⑦">internal method</a> accepts three arguments:</p>
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)" data-dfn-type="argument" data-export id="dom-publickeycredential-create-origin-options-sameoriginwithancestors-origin"><code>origin</code></dfn>
     <dd data-md>
      <p>This argument is the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object" id="ref-for-relevant-settings-object①">relevant settings object</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin" id="ref-for-concept-settings-object-origin②">origin</a>, as determined by the
calling <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create⑦">create()</a></code> implementation.</p>
     <dt data-md><dfn class="idl-code" data-dfn-for="PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)" data-dfn-type="argument" data-export id="dom-publickeycredential-create-origin-options-sameoriginwithancestors-options"><code>options</code><a class="self-link" href="#dom-publickeycredential-create-origin-options-sameoriginwithancestors-options"></a></dfn>
     <dd data-md>
      <p>This argument is a <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialcreationoptions" id="ref-for-dictdef-credentialcreationoptions②">CredentialCreationOptions</a></code> object whose <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-credentialcreationoptions-publickey" id="ref-for-dom-credentialcreationoptions-publickey①">publicKey</a></code></code> member contains a <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialcreationoptions" id="ref-for-dictdef-publickeycredentialcreationoptions①">PublicKeyCredentialCreationOptions</a></code> object specifying the desired attributes of the to-be-created <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential②⑤">public key credential</a>.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)" data-dfn-type="argument" data-export id="dom-publickeycredential-create-origin-options-sameoriginwithancestors-sameoriginwithancestors"><code>sameOriginWithAncestors</code></dfn>
     <dd data-md>
      <p>This argument is a Boolean value which is <code>true</code> if and only if the caller’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object" id="ref-for-environment-settings-object">environment settings object</a> is <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors" id="ref-for-same-origin-with-its-ancestors">same-origin with its ancestors</a>. It is <code>false</code> if the caller is cross-origin with any of its ancestors.</p>
      <p class="note" role="note"><span>Note:</span> Invocation of this <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots⑧">internal method</a> indicates that it was allowed by <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-permissions-policy" id="ref-for-concept-document-permissions-policy">permissions policy</a>, which is evaluated at the <a data-link-type="biblio" href="#biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]</a> level.
See <a href="#sctn-permissions-policy">§ 5.9 Permissions Policy integration</a>.</p>
    </dl>
    <p class="note" role="note"><span>Note:</span> <strong>This algorithm is synchronous:</strong> the <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-promise" id="ref-for-idl-promise①">Promise</a></code> resolution/rejection is handled by <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create⑧">navigator.credentials.create()</a></code>.</p>
    <p class="note" role="note"><span>Note:</span> All <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#BufferSource" id="ref-for-BufferSource">BufferSource</a></code> objects used in this algorithm must be snapshotted when the algorithm begins, to
avoid potential synchronization issues, such as the calling script modifying a buffer while the algorithm is still using it. The algorithm implementations should <a data-link-type="dfn" href="https://heycam.github.io/webidl#dfn-get-buffer-source-reference" id="ref-for-dfn-get-buffer-source-reference">get a copy of the bytes held
by the buffer source</a> and use that copy for relevant portions of the algorithm.</p>
    <p>When this method is invoked, the user agent MUST execute the following algorithm:</p>
    <ol>
     <li data-md>
      <p class="assertion">Assert: <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-credentialcreationoptions-publickey" id="ref-for-dom-credentialcreationoptions-publickey②">publicKey</a></code></code> is present.</p>
     <li data-md>
      <p>If <var>sameOriginWithAncestors</var> is <code>false</code>, return a "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror" id="ref-for-notallowederror">NotAllowedError</a></code>" <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException①">DOMException</a></code>.</p>
      <p class="note" role="note"><span>Note:</span> This "sameOriginWithAncestors" restriction aims to address a tracking concern raised in <a href="https://github.com/w3c/webauthn/issues/1336">Issue #1336</a>. This may be revised in future versions of this specification.</p>
     <li data-md>
      <p>Let <var>options</var> be the value of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-credentialcreationoptions-publickey" id="ref-for-dom-credentialcreationoptions-publickey③">publicKey</a></code></code>.</p>
     <li data-md>
      <p>If the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-timeout" id="ref-for-dom-publickeycredentialcreationoptions-timeout">timeout</a></code> member of <var>options</var> is present, check if its value lies within a
reasonable range as defined by the <a data-link-type="dfn" href="#client" id="ref-for-client①⑦">client</a> and if not, correct it to the closest value lying within that range. Set a timer <var>lifetimeTimer</var> to this adjusted value. If the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-timeout" id="ref-for-dom-publickeycredentialcreationoptions-timeout①">timeout</a></code> member of <var>options</var> is not
present, then set <var>lifetimeTimer</var> to a <a data-link-type="dfn" href="#client" id="ref-for-client①⑧">client</a>-specific default.</p>
      <p>Recommended ranges and defaults for the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-timeout" id="ref-for-dom-publickeycredentialcreationoptions-timeout②">timeout</a></code> member of <var>options</var> are as follows.
      If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-authenticatorselection" id="ref-for-dom-publickeycredentialcreationoptions-authenticatorselection">authenticatorSelection</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-userverification" id="ref-for-dom-authenticatorselectioncriteria-userverification">userVerification</a></code></code></p>
      <dl class="switch">
       <dt data-md>is set to <code class="idl"><a data-link-type="idl" href="#dom-userverificationrequirement-discouraged" id="ref-for-dom-userverificationrequirement-discouraged">discouraged</a></code>
       <dd data-md>
        <p>Recommended range: 30000 milliseconds to 180000 milliseconds.</p>
       <dd data-md>
        <p>Recommended default value: 120000 milliseconds (2 minutes).</p>
       <dt data-md>is set to <code class="idl"><a data-link-type="idl" href="#dom-userverificationrequirement-required" id="ref-for-dom-userverificationrequirement-required">required</a></code> or <code class="idl"><a data-link-type="idl" href="#dom-userverificationrequirement-preferred" id="ref-for-dom-userverificationrequirement-preferred">preferred</a></code>
       <dd data-md>
        <p>Recommended range: 30000 milliseconds to 600000 milliseconds.</p>
       <dd data-md>
        <p>Recommended default value: 300000 milliseconds (5 minutes).</p>
      </dl>
      <p class="note" role="note"><span>Note:</span> The user agent should take cognitive accessibility guidelines into consideration when choosing the timeout, to accommodate users with special needs.</p>
     <li data-md>
      <p>If the length of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-user" id="ref-for-dom-publickeycredentialcreationoptions-user①">user</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-id" id="ref-for-dom-publickeycredentialuserentity-id①">id</a></code></code> is not between 1 and 64 bytes (inclusive) then return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#exceptiondef-typeerror" id="ref-for-exceptiondef-typeerror">TypeError</a></code>.</p>
     <li data-md>
      <p>Let <var>callerOrigin</var> be <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-origin-options-sameoriginwithancestors-origin" id="ref-for-dom-publickeycredential-create-origin-options-sameoriginwithancestors-origin">origin</a></code>. If <var>callerOrigin</var> is an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-opaque" id="ref-for-concept-origin-opaque①">opaque origin</a>, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException②">DOMException</a></code> whose name is
"<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror" id="ref-for-notallowederror①">NotAllowedError</a></code>", and terminate this algorithm.</p>
     <li data-md>
      <p>Let <var>effectiveDomain</var> be the <var>callerOrigin</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain④">effective domain</a>.
If <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain⑤">effective domain</a> is not a <a data-link-type="dfn" href="https://url.spec.whatwg.org/#valid-domain" id="ref-for-valid-domain">valid domain</a>, then return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException③">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#securityerror" id="ref-for-securityerror">SecurityError</a></code>" and terminate this algorithm.</p>
      <p class="note" role="note"><span>Note:</span> An <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain⑥">effective domain</a> may resolve to a <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-host" id="ref-for-concept-url-host①">host</a>, which can be represented in various manners,
    such as <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-domain" id="ref-for-concept-domain①">domain</a>, <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-ipv4" id="ref-for-concept-ipv4">ipv4 address</a>, <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-ipv6" id="ref-for-concept-ipv6">ipv6 address</a>, <a data-link-type="dfn" href="https://url.spec.whatwg.org/#opaque-host" id="ref-for-opaque-host">opaque host</a>, or <a data-link-type="dfn" href="https://url.spec.whatwg.org/#empty-host" id="ref-for-empty-host">empty host</a>.
    Only the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-domain" id="ref-for-concept-domain②">domain</a> format of <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-host" id="ref-for-concept-url-host②">host</a> is allowed here. This is for simplification and also
    is in recognition of various issues with using direct IP address identification in concert
    with PKI-based security.</p>
     <li id="CreateCred-DetermineRpId">
      <a class="self-link" href="#CreateCred-DetermineRpId"></a> 
      <p>If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-rp" id="ref-for-dom-publickeycredentialcreationoptions-rp">rp</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrpentity-id" id="ref-for-dom-publickeycredentialrpentity-id">id</a></code></code></p>
      <dl class="switch">
       <dt data-md>is present
       <dd data-md>
        <p>If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-rp" id="ref-for-dom-publickeycredentialcreationoptions-rp①">rp</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrpentity-id" id="ref-for-dom-publickeycredentialrpentity-id①">id</a></code></code> <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to" id="ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to③">is not a
registrable domain suffix of and is not equal to</a> <var>effectiveDomain</var>, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException④">DOMException</a></code> whose name
is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#securityerror" id="ref-for-securityerror①">SecurityError</a></code>", and terminate this algorithm.</p>
       <dt data-md>is not present
       <dd data-md>
        <p>Set <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-rp" id="ref-for-dom-publickeycredentialcreationoptions-rp②">rp</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrpentity-id" id="ref-for-dom-publickeycredentialrpentity-id②">id</a></code></code> to <var>effectiveDomain</var>.</p>
      </dl>
      <p class="note" role="note"><span>Note:</span> <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-rp" id="ref-for-dom-publickeycredentialcreationoptions-rp③">rp</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrpentity-id" id="ref-for-dom-publickeycredentialrpentity-id③">id</a></code></code> represents the
        caller’s <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id①⑦">RP ID</a>. The <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id①⑧">RP ID</a> defaults to being the caller’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin" id="ref-for-concept-settings-object-origin③">origin</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain⑦">effective domain</a> unless the caller has explicitly set <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-rp" id="ref-for-dom-publickeycredentialcreationoptions-rp④">rp</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrpentity-id" id="ref-for-dom-publickeycredentialrpentity-id④">id</a></code></code> when calling <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create⑨">create()</a></code>. An explicitly set value may only be the effective domain itself or a registrable domain suffix of it; for example, a caller whose effective domain is <code>login.example.com</code> may set it to <code>example.com</code>, but not to an unrelated domain.</p>
     <li data-md>
      <p>Let <var>credTypesAndPubKeyAlgs</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list" id="ref-for-list">list</a> whose <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item">items</a> are pairs of <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype①">PublicKeyCredentialType</a></code> and
a <code class="idl"><a data-link-type="idl" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier">COSEAlgorithmIdentifier</a></code>.</p>
     <li data-md>
      <p>If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-pubkeycredparams" id="ref-for-dom-publickeycredentialcreationoptions-pubkeycredparams">pubKeyCredParams</a></code></code>’s <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-size" id="ref-for-list-size">size</a></p>
      <dl class="switch">
       <dt data-md>is zero
       <dd data-md>
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-append" id="ref-for-list-append">Append</a> the following pairs of <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype②">PublicKeyCredentialType</a></code> and <code class="idl"><a data-link-type="idl" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier①">COSEAlgorithmIdentifier</a></code> values to <var>credTypesAndPubKeyAlgs</var>:</p>
        <ul>
         <li data-md>
          <p><code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialtype-public-key" id="ref-for-dom-publickeycredentialtype-public-key①">public-key</a></code> and <code>-7</code> ("ES256").</p>
         <li data-md>
          <p><code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialtype-public-key" id="ref-for-dom-publickeycredentialtype-public-key②">public-key</a></code> and <code>-257</code> ("RS256").</p>
        </ul>
       <dt data-md>is non-zero
       <dd data-md>
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate">For each</a> <var>current</var> of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-pubkeycredparams" id="ref-for-dom-publickeycredentialcreationoptions-pubkeycredparams①">pubKeyCredParams</a></code></code>:</p>
        <ol>
         <li data-md>
          <p>If <code><var>current</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialparameters-type" id="ref-for-dom-publickeycredentialparameters-type">type</a></code></code> is not a <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype③">PublicKeyCredentialType</a></code> supported
by this implementation, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue">continue</a>.</p>
         <li data-md>
          <p>Let <var>alg</var> be <code><var>current</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialparameters-alg" id="ref-for-dom-publickeycredentialparameters-alg">alg</a></code></code>.</p>
         <li data-md>
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-append" id="ref-for-list-append①">Append</a> the pair of <code><var>current</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialparameters-type" id="ref-for-dom-publickeycredentialparameters-type①">type</a></code></code> and <var>alg</var> to <var>credTypesAndPubKeyAlgs</var>.</p>
        </ol>
        <p>If <var>credTypesAndPubKeyAlgs</var> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty" id="ref-for-list-is-empty②">is empty</a>, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException⑤">DOMException</a></code> whose name is
   "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notsupportederror" id="ref-for-notsupportederror">NotSupportedError</a></code>", and terminate this algorithm.</p>
      </dl>
     <li data-md>
      <p>Let <var>clientExtensions</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map" id="ref-for-ordered-map①">map</a> and let <var>authenticatorExtensions</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map" id="ref-for-ordered-map②">map</a>.</p>
     <li data-md>
      <p>If the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions">extensions</a></code> member of <var>options</var> is present, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-iterate" id="ref-for-map-iterate">for each</a> <var>extensionId</var> → <var>clientExtensionInput</var> of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions①">extensions</a></code></code>:</p>
      <ol>
       <li data-md>
        <p>If <var>extensionId</var> is not supported by this <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform①④">client platform</a> or is not a <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension">registration extension</a>, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue①">continue</a>.</p>
       <li data-md>
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-set" id="ref-for-map-set">Set</a> <var>clientExtensions</var>[<var>extensionId</var>] to <var>clientExtensionInput</var>.</p>
       <li data-md>
        <p>If <var>extensionId</var> is not an <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension">authenticator extension</a>, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue②">continue</a>.</p>
       <li data-md>
        <p>Let <var>authenticatorExtensionInput</var> be the (<a data-link-type="dfn" href="#cbor" id="ref-for-cbor②">CBOR</a>) result of running <var>extensionId</var>’s <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing①">client extension processing</a> algorithm on <var>clientExtensionInput</var>. If the algorithm returned an error, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue③">continue</a>.</p>
       <li data-md>
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-set" id="ref-for-map-set①">Set</a> <var>authenticatorExtensions</var>[<var>extensionId</var>] to the <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding①">base64url encoding</a> of <var>authenticatorExtensionInput</var>.</p>
      </ol>
     <li data-md>
      <p>Let <var>collectedClientData</var> be a new <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata">CollectedClientData</a></code> instance whose fields are:</p>
      <dl>
       <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-type" id="ref-for-dom-collectedclientdata-type">type</a></code>
       <dd data-md>
        <p>The string "webauthn.create".</p>
       <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge">challenge</a></code>
       <dd data-md>
        <p>The <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding②">base64url encoding</a> of <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-challenge" id="ref-for-dom-publickeycredentialcreationoptions-challenge">challenge</a></code>.</p>
       <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin">origin</a></code>
       <dd data-md>
        <p>The <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin" id="ref-for-ascii-serialisation-of-an-origin">serialization of</a> <var>callerOrigin</var>.</p>
       <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-crossorigin" id="ref-for-dom-collectedclientdata-crossorigin">crossOrigin</a></code>
       <dd data-md>
         <p>The logical negation of the value of the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-origin-options-sameoriginwithancestors-sameoriginwithancestors" id="ref-for-dom-publickeycredential-create-origin-options-sameoriginwithancestors-sameoriginwithancestors">sameOriginWithAncestors</a></code> argument passed to this <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots⑨">internal method</a>. Because step 2 above returns an error when <var>sameOriginWithAncestors</var> is <code>false</code>, this field is <code>false</code> whenever this step is reached.</p>
       <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-tokenbinding" id="ref-for-dom-collectedclientdata-tokenbinding">tokenBinding</a></code>
       <dd data-md>
        <p>The status of <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-1" id="ref-for-section-1">Token Binding</a> between the client and the <var>callerOrigin</var>, as well as the <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-3.2" id="ref-for-section-3.2">Token Binding ID</a> associated with <var>callerOrigin</var>, if one is available.</p>
      </dl>
     <li data-md>
      <p>Let <var>clientDataJSON</var> be the <a data-link-type="dfn" href="#collectedclientdata-json-compatible-serialization-of-client-data" id="ref-for-collectedclientdata-json-compatible-serialization-of-client-data">JSON-compatible serialization of client data</a> constructed from <var>collectedClientData</var>.</p>
     <li data-md>
      <p>Let <var>clientDataHash</var> be the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data">hash of the serialized client data</a> represented by <var>clientDataJSON</var>.</p>
     <li data-md>
      <p>If the <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialcreationoptions-signal" id="ref-for-dom-credentialcreationoptions-signal">signal</a></code></code> is present and its <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#abortsignal-aborted-flag" id="ref-for-abortsignal-aborted-flag">aborted flag</a> is set to <code>true</code>, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException⑥">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#aborterror" id="ref-for-aborterror">AbortError</a></code>"
and terminate this algorithm.</p>
     <li data-md>
      <p>Let <var>issuedRequests</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set" id="ref-for-ordered-set">ordered set</a>.</p>
     <li data-md>
      <p>Let <var>authenticators</var> represent a value which at any given instant is a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set" id="ref-for-ordered-set①">set</a> of <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform①⑤">client platform</a>-specific handles, where each <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item①">item</a> identifies an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑥③">authenticator</a> presently available on this <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform①⑥">client platform</a> at that instant.</p>
      <p class="note" role="note"><span>Note:</span> What qualifies an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑥④">authenticator</a> as "available" is intentionally unspecified; this is meant to represent how <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑥⑤">authenticators</a> can be <a href="https://en.wikipedia.org/w/index.php?title=Hot_plug">hot-plugged</a> into (e.g., via USB)
or discovered (e.g., via NFC or Bluetooth) by the <a data-link-type="dfn" href="#client" id="ref-for-client①⑨">client</a> by various mechanisms, or permanently built into the <a data-link-type="dfn" href="#client" id="ref-for-client②⓪">client</a>.</p>
     <li data-md>
      <p>Start <var>lifetimeTimer</var>.</p>
     <li data-md>
      <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-while" id="ref-for-iteration-while">While</a> <var>lifetimeTimer</var> has not expired, perform the following actions depending upon <var>lifetimeTimer</var>,
and the state and response <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate①">for each</a> <var>authenticator</var> in <var>authenticators</var>:</p>
      <dl class="switch">
       <dt data-md>If <var>lifetimeTimer</var> expires,
       <dd data-md>
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate②">For each</a> <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel">authenticatorCancel</a> operation on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove">remove</a> <var>authenticator</var> from <var>issuedRequests</var>.</p>
       <dt data-md>If the user exercises a user agent user-interface option to cancel the process,
       <dd data-md>
         <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate③">For each</a> <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel①">authenticatorCancel</a> operation on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove①">remove</a> <var>authenticator</var> from <var>issuedRequests</var>. Then return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException⑦">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror" id="ref-for-notallowederror②">NotAllowedError</a></code>" and terminate this algorithm.</p>
       <dt data-md>If the <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialcreationoptions-signal" id="ref-for-dom-credentialcreationoptions-signal①">signal</a></code></code> is present and its <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#abortsignal-aborted-flag" id="ref-for-abortsignal-aborted-flag①">aborted flag</a> is set to <code>true</code>,
       <dd data-md>
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate④">For each</a> <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel②">authenticatorCancel</a> operation on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove②">remove</a> <var>authenticator</var> from <var>issuedRequests</var>. Then return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException⑧">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#aborterror" id="ref-for-aborterror①">AbortError</a></code>" and terminate this algorithm.</p>
       <dt data-md>If an <var>authenticator</var> becomes available on this <a data-link-type="dfn" href="#client-device" id="ref-for-client-device①②">client device</a>,
       <dd data-md>
        <p class="note" role="note"><span>Note:</span> This includes the case where an <var>authenticator</var> was available upon <var>lifetimeTimer</var> initiation.</p>
        <ol>
         <li data-md>
          <p>This <var>authenticator</var> is now the <dfn class="dfn-paneled" data-dfn-for="create" data-dfn-type="dfn" data-noexport id="create-candidate-authenticator">candidate authenticator</dfn>.</p>
         <li data-md>
          <p>If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-authenticatorselection" id="ref-for-dom-publickeycredentialcreationoptions-authenticatorselection①">authenticatorSelection</a></code></code> is present:</p>
          <ol>
           <li data-md>
            <p>If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-authenticatorselection" id="ref-for-dom-publickeycredentialcreationoptions-authenticatorselection②">authenticatorSelection</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-authenticatorattachment" id="ref-for-dom-authenticatorselectioncriteria-authenticatorattachment">authenticatorAttachment</a></code></code> is
present and its value is not equal to <var>authenticator</var>’s <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality">authenticator attachment modality</a>, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue④">continue</a>.</p>
           <li data-md>
            <p>If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-authenticatorselection" id="ref-for-dom-publickeycredentialcreationoptions-authenticatorselection③">authenticatorSelection</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-residentkey" id="ref-for-dom-authenticatorselectioncriteria-residentkey">residentKey</a></code></code></p>
            <dl class="switch">
             <dt data-md>is present and set to <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-required" id="ref-for-dom-residentkeyrequirement-required">required</a></code>
             <dd data-md>
              <p>If the <var>authenticator</var> is not capable of storing a <a data-link-type="dfn" href="#client-side-discoverable-public-key-credential-source" id="ref-for-client-side-discoverable-public-key-credential-source①">client-side discoverable public key credential
  source</a>, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue⑤">continue</a>.</p>
             <dt data-md>is present and set to <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-preferred" id="ref-for-dom-residentkeyrequirement-preferred">preferred</a></code> or <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-discouraged" id="ref-for-dom-residentkeyrequirement-discouraged">discouraged</a></code>
             <dd data-md>
              <p>No effect.</p>
             <dt data-md>is not present
             <dd data-md>
               <p>If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-authenticatorselection" id="ref-for-dom-publickeycredentialcreationoptions-authenticatorselection④">authenticatorSelection</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-requireresidentkey" id="ref-for-dom-authenticatorselectioncriteria-requireresidentkey">requireResidentKey</a></code></code> is set to <code>true</code> and the <var>authenticator</var> is not capable of storing a <a data-link-type="dfn" href="#client-side-discoverable-public-key-credential-source" id="ref-for-client-side-discoverable-public-key-credential-source②">client-side discoverable public
  key credential source</a>, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue⑥">continue</a>.</p>
            </dl>
           <li data-md>
            <p>If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-authenticatorselection" id="ref-for-dom-publickeycredentialcreationoptions-authenticatorselection⑤">authenticatorSelection</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-userverification" id="ref-for-dom-authenticatorselectioncriteria-userverification①">userVerification</a></code></code> is
set to <code class="idl"><a data-link-type="idl" href="#dom-userverificationrequirement-required" id="ref-for-dom-userverificationrequirement-required①">required</a></code> and the <var>authenticator</var> is not capable of performing <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification①②">user
verification</a>, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue⑦">continue</a>.</p>
          </ol>
         <li data-md>
          <p>Let <var>requireResidentKey</var> be the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="effective-resident-key-requirement-for-credential-creation">effective resident key requirement for credential creation</dfn>, a Boolean value, as follows:</p>
          <p>If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-authenticatorselection" id="ref-for-dom-publickeycredentialcreationoptions-authenticatorselection⑥">authenticatorSelection</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-residentkey" id="ref-for-dom-authenticatorselectioncriteria-residentkey①">residentKey</a></code></code></p>
          <dl class="switch">
           <dt data-md>is present and set to <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-required" id="ref-for-dom-residentkeyrequirement-required①">required</a></code>
           <dd data-md>
            <p>Let <var>requireResidentKey</var> be <code>true</code>.</p>
           <dt data-md>is present and set to <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-preferred" id="ref-for-dom-residentkeyrequirement-preferred①">preferred</a></code>
           <dd data-md>
            <p>If the <var>authenticator</var></p>
            <dl class="switch">
             <dt data-md>is capable of <a data-link-type="dfn" href="#client-side-credential-storage-modality" id="ref-for-client-side-credential-storage-modality①">client-side credential storage modality</a>
             <dd data-md>
              <p>Let <var>requireResidentKey</var> be <code>true</code>.</p>
             <dt data-md>is not capable of <a data-link-type="dfn" href="#client-side-credential-storage-modality" id="ref-for-client-side-credential-storage-modality②">client-side credential storage modality</a>, or if the <a data-link-type="dfn" href="#client" id="ref-for-client②①">client</a> cannot determine authenticator capability,
             <dd data-md>
              <p>Let <var>requireResidentKey</var> be <code>false</code>.</p>
            </dl>
           <dt data-md>is present and set to <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-discouraged" id="ref-for-dom-residentkeyrequirement-discouraged①">discouraged</a></code>
           <dd data-md>
            <p>Let <var>requireResidentKey</var> be <code>false</code>.</p>
           <dt data-md>is not present
           <dd data-md>
            <p>Let <var>requireResidentKey</var> be the value of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-authenticatorselection" id="ref-for-dom-publickeycredentialcreationoptions-authenticatorselection⑦">authenticatorSelection</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-requireresidentkey" id="ref-for-dom-authenticatorselectioncriteria-requireresidentkey①">requireResidentKey</a></code></code>.</p>
          </dl>
         <li data-md>
          <p>Let <var>userVerification</var> be the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="effective-user-verification-requirement-for-credential-creation">effective user verification requirement for credential creation</dfn>, a Boolean value,
as follows. If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-authenticatorselection" id="ref-for-dom-publickeycredentialcreationoptions-authenticatorselection⑧">authenticatorSelection</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-userverification" id="ref-for-dom-authenticatorselectioncriteria-userverification②">userVerification</a></code></code></p>
          <dl class="switch">
           <dt data-md>is set to <code class="idl"><a data-link-type="idl" href="#dom-userverificationrequirement-required" id="ref-for-dom-userverificationrequirement-required②">required</a></code>
           <dd data-md>
            <p>Let <var>userVerification</var> be <code>true</code>.</p>
           <dt data-md>is set to <code class="idl"><a data-link-type="idl" href="#dom-userverificationrequirement-preferred" id="ref-for-dom-userverificationrequirement-preferred①">preferred</a></code>
           <dd data-md>
            <p>If the <var>authenticator</var></p>
            <dl class="switch">
             <dt data-md>is capable of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification①③">user verification</a>
             <dd data-md>
              <p>Let <var>userVerification</var> be <code>true</code>.</p>
             <dt data-md>is not capable of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification①④">user verification</a>
             <dd data-md>
              <p>Let <var>userVerification</var> be <code>false</code>.</p>
            </dl>
           <dt data-md>is set to <code class="idl"><a data-link-type="idl" href="#dom-userverificationrequirement-discouraged" id="ref-for-dom-userverificationrequirement-discouraged①">discouraged</a></code>
           <dd data-md>
            <p>Let <var>userVerification</var> be <code>false</code>.</p>
          </dl>
         <li data-md>
          <p>Let <var>enterpriseAttestationPossible</var> be a Boolean value, as follows. If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-attestation" id="ref-for-dom-publickeycredentialcreationoptions-attestation">attestation</a></code></code></p>
          <dl class="switch">
           <dt data-md>is set to <code class="idl"><a data-link-type="idl" href="#dom-attestationconveyancepreference-enterprise" id="ref-for-dom-attestationconveyancepreference-enterprise">enterprise</a></code>
           <dd data-md>
            <p>Let <var>enterpriseAttestationPossible</var> be <code>true</code> if the user agent wishes to support enterprise attestation for <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-rp" id="ref-for-dom-publickeycredentialcreationoptions-rp⑤">rp</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrpentity-id" id="ref-for-dom-publickeycredentialrpentity-id⑤">id</a></code></code> (see <a href="#CreateCred-DetermineRpId">Step 8</a>, above). Otherwise <code>false</code>.</p>
           <dt data-md>otherwise
           <dd data-md>
            <p>Let <var>enterpriseAttestationPossible</var> be <code>false</code>.</p>
          </dl>
         <li data-md>
          <p>Let <var>excludeCredentialDescriptorList</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list" id="ref-for-list①">list</a>.</p>
         <li data-md>
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate⑤">For each</a> credential descriptor <var>C</var> in <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials">excludeCredentials</a></code></code>:</p>
          <ol>
           <li data-md>
            <p>If <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports①">transports</a></code></code> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty" id="ref-for-list-is-empty③">is not empty</a>, and <var>authenticator</var> is connected over a transport not
mentioned in <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports②">transports</a></code></code>, the client MAY <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue⑧">continue</a>.</p>
            <p class="note" role="note"><span>Note:</span> If the client chooses to <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue⑨">continue</a>, this could result in
inadvertently registering multiple credentials <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential⑤">bound to</a> the same <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑥⑥">authenticator</a> if the transport hints in <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports③">transports</a></code></code> are not accurate.
For example, stored transport hints could become inaccurate
as a result of software upgrades adding new connectivity options.</p>
           <li data-md>
            <p>Otherwise, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-append" id="ref-for-list-append②">Append</a> <var>C</var> to <var>excludeCredentialDescriptorList</var>.</p>
           <li id="CreateCred-InvokeAuthnrMakeCred">
            <a class="self-link" href="#CreateCred-InvokeAuthnrMakeCred"></a> 
            <p>Invoke the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential④">authenticatorMakeCredential</a> operation on <var>authenticator</var> with <var>clientDataHash</var>, <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-rp" id="ref-for-dom-publickeycredentialcreationoptions-rp⑥">rp</a></code></code>, <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-user" id="ref-for-dom-publickeycredentialcreationoptions-user②">user</a></code></code>, <var>requireResidentKey</var>, <var>userVerification</var>, <var>credTypesAndPubKeyAlgs</var>, <var>excludeCredentialDescriptorList</var>, <var>enterpriseAttestationPossible</var>,
        and <var>authenticatorExtensions</var> as parameters.</p>
          </ol>
         <li data-md>
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#set-append" id="ref-for-set-append">Append</a> <var>authenticator</var> to <var>issuedRequests</var>.</p>
        </ol>
       <dt data-md>If an <var>authenticator</var> ceases to be available on this <a data-link-type="dfn" href="#client-device" id="ref-for-client-device①③">client device</a>,
       <dd data-md>
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove③">Remove</a> <var>authenticator</var> from <var>issuedRequests</var>.</p>
       <dt data-md>If any <var>authenticator</var> returns a status indicating that the user cancelled the operation,
       <dd data-md>
        <ol>
         <li data-md>
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove④">Remove</a> <var>authenticator</var> from <var>issuedRequests</var>.</p>
         <li data-md>
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate⑥">For each</a> remaining <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel③">authenticatorCancel</a> operation on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove⑤">remove</a> it from <var>issuedRequests</var>.</p>
          <p class="note" role="note"><span>Note:</span> <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑥⑦">Authenticators</a> may return an indication of "the user cancelled the entire operation".
How a user agent manifests this state to users is unspecified.</p>
        </ol>
       <dt data-md>If any <var>authenticator</var> returns an error status equivalent to "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#invalidstateerror" id="ref-for-invalidstateerror">InvalidStateError</a></code>",
       <dd data-md>
        <ol>
         <li data-md>
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove⑥">Remove</a> <var>authenticator</var> from <var>issuedRequests</var>.</p>
         <li data-md>
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate⑦">For each</a> remaining <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel④">authenticatorCancel</a> operation on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove⑦">remove</a> it from <var>issuedRequests</var>.</p>
         <li data-md>
          <p>Return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException⑨">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#invalidstateerror" id="ref-for-invalidstateerror①">InvalidStateError</a></code>" and terminate this algorithm.</p>
        </ol>
        <p class="note" role="note"><span>Note:</span> This error status is handled separately because the <var>authenticator</var> returns it only if <var>excludeCredentialDescriptorList</var> identifies a credential <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential⑥">bound</a> to the <var>authenticator</var> and the user has <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent⑥">consented</a> to the operation. Given this explicit consent, it is acceptable for this case to be
distinguishable to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑦⑧">Relying Party</a>.</p>
       <dt data-md>If any <var>authenticator</var> returns an error status not equivalent to "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#invalidstateerror" id="ref-for-invalidstateerror②">InvalidStateError</a></code>",
       <dd data-md>
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove⑧">Remove</a> <var>authenticator</var> from <var>issuedRequests</var>.</p>
         <p class="note" role="note"><span>Note:</span> This case does not imply <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent⑦">user consent</a> for the operation, so details about the error are hidden from the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑦⑨">Relying Party</a> in order to prevent leakage of potentially identifying information. See <a href="#sctn-make-credential-privacy">§ 14.5.1 Registration Ceremony Privacy</a> for
details.</p>
       <dt data-md>If any <var>authenticator</var> indicates success,
       <dd data-md>
        <ol>
         <li data-md>
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove⑨">Remove</a> <var>authenticator</var> from <var>issuedRequests</var>. This authenticator is now the <dfn class="dfn-paneled" data-dfn-for="create" data-dfn-type="dfn" data-noexport id="create-selected-authenticator">selected authenticator</dfn>.</p>
         <li data-md>
          <p>Let <var>credentialCreationData</var> be a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#struct" id="ref-for-struct①">struct</a> whose <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#struct-item" id="ref-for-struct-item②">items</a> are:</p>
          <dl>
           <dt data-md><code><dfn class="dfn-paneled" data-dfn-for="credentialCreationData" data-dfn-type="dfn" data-noexport id="credentialcreationdata-attestationobjectresult">attestationObjectResult</dfn></code>
           <dd data-md>
            <p>whose value is the bytes returned from the successful <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential⑤">authenticatorMakeCredential</a> operation.</p>
             <p class="note" role="note"><span>Note:</span> This value is <code>attObj</code>, as defined in <a href="#sctn-generating-an-attestation-object">§ 6.5.4 Generating an Attestation Object</a>.</p>
           <dt data-md><code><dfn class="dfn-paneled" data-dfn-for="credentialCreationData" data-dfn-type="dfn" data-noexport id="credentialcreationdata-clientdatajsonresult">clientDataJSONResult</dfn></code>
           <dd data-md>
            <p>whose value is the bytes of <var>clientDataJSON</var>.</p>
           <dt data-md><code><dfn class="dfn-paneled" data-dfn-for="credentialCreationData" data-dfn-type="dfn" data-noexport id="credentialcreationdata-attestationconveyancepreferenceoption">attestationConveyancePreferenceOption</dfn></code>
           <dd data-md>
            <p>whose value is the value of <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-attestation" id="ref-for-dom-publickeycredentialcreationoptions-attestation①">attestation</a></code>.</p>
           <dt data-md><code><dfn class="dfn-paneled" data-dfn-for="credentialCreationData" data-dfn-type="dfn" data-noexport id="credentialcreationdata-clientextensionresults">clientExtensionResults</dfn></code>
           <dd data-md>
            <p>whose value is an <code class="idl"><a data-link-type="idl" href="#dictdef-authenticationextensionsclientoutputs" id="ref-for-dictdef-authenticationextensionsclientoutputs①">AuthenticationExtensionsClientOutputs</a></code> object containing <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①">extension identifier</a> → <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①">client extension output</a> entries. The entries are created by running each extension’s <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing②">client extension processing</a> algorithm to create the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output②">client extension outputs</a>, for each <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension">client extension</a> in <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions②">extensions</a></code></code>.</p>
          </dl>
         <li data-md>
          <p>Let <var>constructCredentialAlg</var> be an algorithm that takes a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global" id="ref-for-concept-settings-object-global">global object</a> <var>global</var>, and whose steps are:</p>
          <ol>
           <li data-md>
            <p>If <code><var>credentialCreationData</var>.<a data-link-type="dfn" href="#credentialcreationdata-attestationconveyancepreferenceoption" id="ref-for-credentialcreationdata-attestationconveyancepreferenceoption">attestationConveyancePreferenceOption</a></code>’s value is</p>
            <dl class="switch">
             <dt data-md>"none"
             <dd data-md>
              <p>Replace potentially uniquely identifying information with non-identifying versions of the
same:</p>
              <ol>
               <li data-md>
                <p>If the <a data-link-type="dfn" href="#aaguid" id="ref-for-aaguid①">AAGUID</a> in the <a data-link-type="dfn" href="#attested-credential-data" id="ref-for-attested-credential-data">attested credential data</a> is 16 zero bytes, <code><var>credentialCreationData</var>.<a data-link-type="dfn" href="#credentialcreationdata-attestationobjectresult" id="ref-for-credentialcreationdata-attestationobjectresult">attestationObjectResult</a>.fmt</code> is "packed", and "x5c" is absent from <code><var>credentialCreationData</var>.<a data-link-type="dfn" href="#credentialcreationdata-attestationobjectresult" id="ref-for-credentialcreationdata-attestationobjectresult①">attestationObjectResult</a></code>, then <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation④">self attestation</a> is being used and no further action is needed.</p>
               <li data-md>
                <p>Otherwise</p>
                <ol>
                 <li data-md>
                  <p>Replace the <a data-link-type="dfn" href="#aaguid" id="ref-for-aaguid②">AAGUID</a> in the <a data-link-type="dfn" href="#attested-credential-data" id="ref-for-attested-credential-data①">attested credential data</a> with 16 zero bytes.</p>
                 <li data-md>
                  <p>Set the value of <code><var>credentialCreationData</var>.<a data-link-type="dfn" href="#credentialcreationdata-attestationobjectresult" id="ref-for-credentialcreationdata-attestationobjectresult②">attestationObjectResult</a>.fmt</code> to "none", and set the value of <code><var>credentialCreationData</var>.<a data-link-type="dfn" href="#credentialcreationdata-attestationobjectresult" id="ref-for-credentialcreationdata-attestationobjectresult③">attestationObjectResult</a>.attStmt</code> to be an empty <a data-link-type="dfn" href="#cbor" id="ref-for-cbor③">CBOR</a> map. (See <a href="#sctn-none-attestation">§ 8.7 None Attestation Statement Format</a> and <a href="#sctn-generating-an-attestation-object">§ 6.5.4 Generating an Attestation Object</a>).</p>
                </ol>
              </ol>
             <dt data-md>"indirect"
             <dd data-md>
              <p>The client MAY replace the <a data-link-type="dfn" href="#aaguid" id="ref-for-aaguid③">AAGUID</a> and <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②">attestation statement</a> with a more privacy-friendly
and/or more easily verifiable version of the same data (for example, by employing an <a data-link-type="dfn" href="#anonymization-ca" id="ref-for-anonymization-ca">Anonymization CA</a>).</p>
             <dt data-md>"direct" or "enterprise"
             <dd data-md>
               <p>Convey the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑥⑧">authenticator</a>’s <a data-link-type="dfn" href="#aaguid" id="ref-for-aaguid④">AAGUID</a> and <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③">attestation statement</a>, unaltered, to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑧⓪">Relying Party</a>.</p>
            </dl>
           <li data-md>
            <p>Let <var>attestationObject</var> be a new <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer②">ArrayBuffer</a></code>, created using <var>global</var>’s <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor" id="ref-for-sec-arraybuffer-constructor①">%ArrayBuffer%</a>, containing the
bytes of <code><var>credentialCreationData</var>.<a data-link-type="dfn" href="#credentialcreationdata-attestationobjectresult" id="ref-for-credentialcreationdata-attestationobjectresult④">attestationObjectResult</a></code>’s value.</p>
           <li data-md>
            <p>Let <var>id</var> be <code><var>attestationObject</var>.authData.<a data-link-type="dfn" href="#attestedcredentialdata" id="ref-for-attestedcredentialdata">attestedCredentialData</a>.<a data-link-type="dfn" href="#credentialid" id="ref-for-credentialid">credentialId</a></code>.</p>
           <li data-md>
            <p>Let <var>pubKeyCred</var> be a new <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential①⓪">PublicKeyCredential</a></code> object associated with <var>global</var> whose fields are:</p>
            <dl>
             <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-identifier-slot" id="ref-for-dom-publickeycredential-identifier-slot②">[[identifier]]</a></code>
             <dd data-md>
              <p><var>id</var></p>
             <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-response" id="ref-for-dom-publickeycredential-response①">response</a></code>
             <dd data-md>
              <p>A new <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse①">AuthenticatorAttestationResponse</a></code> object associated with <var>global</var> whose fields are:</p>
              <dl>
               <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson">clientDataJSON</a></code>
               <dd data-md>
                <p>A new <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer③">ArrayBuffer</a></code>, created using <var>global</var>’s <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor" id="ref-for-sec-arraybuffer-constructor②">%ArrayBuffer%</a>, containing the bytes of <code><var>credentialCreationData</var>.<a data-link-type="dfn" href="#credentialcreationdata-clientdatajsonresult" id="ref-for-credentialcreationdata-clientdatajsonresult">clientDataJSONResult</a></code>.</p>
               <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-attestationobject" id="ref-for-dom-authenticatorattestationresponse-attestationobject">attestationObject</a></code>
               <dd data-md>
                <p><var>attestationObject</var></p>
               <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-transports-slot" id="ref-for-dom-authenticatorattestationresponse-transports-slot">[[transports]]</a></code>
               <dd data-md>
                <p>A sequence of zero or more unique <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①">DOMString</a></code>s, in lexicographical order, that the <var>authenticator</var> is believed to support. The values SHOULD be members of <code class="idl"><a data-link-type="idl" href="#enumdef-authenticatortransport" id="ref-for-enumdef-authenticatortransport">AuthenticatorTransport</a></code>, but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform①⑦">client platforms</a> MUST ignore unknown values.</p>
                 <p>If a user agent does not wish to divulge this information, it MAY substitute an arbitrary sequence designed to preserve privacy. This sequence MUST still be valid, i.e. lexicographically sorted and free of duplicates. For example, it may use the empty sequence. Either way, in this case the user agent takes the risk that <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑧①">Relying Party</a> behavior may be suboptimal.</p>
                <p>If the user agent does not have any transport information, it SHOULD set this field to the empty sequence.</p>
                <p class="note" role="note"><span>Note:</span> How user agents discover transports supported by a given <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑥⑨">authenticator</a> is outside the scope of this specification, but may include information from an <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate②">attestation certificate</a> (for example <a data-link-type="biblio" href="#biblio-fido-transports-ext">[FIDO-Transports-Ext]</a>), metadata communicated in an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑦⓪">authenticator</a> protocol such as CTAP2, or special-case knowledge about a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators⑨">platform authenticator</a>.</p>
              </dl>
             <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-clientextensionsresults-slot" id="ref-for-dom-publickeycredential-clientextensionsresults-slot①">[[clientExtensionsResults]]</a></code>
             <dd data-md>
              <p>A new <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer④">ArrayBuffer</a></code>, created using <var>global</var>’s <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor" id="ref-for-sec-arraybuffer-constructor③">%ArrayBuffer%</a>, containing the bytes of <code><var>credentialCreationData</var>.<a data-link-type="dfn" href="#credentialcreationdata-clientextensionresults" id="ref-for-credentialcreationdata-clientextensionresults">clientExtensionResults</a></code>.</p>
            </dl>
           <li data-md>
            <p>Return <var>pubKeyCred</var>.</p>
          </ol>
         <li data-md>
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate⑧">For each</a> remaining <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel⑤">authenticatorCancel</a> operation on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove①⓪">remove</a> it from <var>issuedRequests</var>.</p>
         <li data-md>
          <p>Return <var>constructCredentialAlg</var> and terminate this algorithm.</p>
        </ol>
      </dl>
     <li data-md>
      <p>Return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException①⓪">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror" id="ref-for-notallowederror③">NotAllowedError</a></code>". In order to prevent an information leak that could identify the
user without <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent⑧">consent</a>, this step MUST NOT be executed before <var>lifetimeTimer</var> has expired. See <a href="#sctn-make-credential-privacy">§ 14.5.1 Registration Ceremony Privacy</a> for details.</p>
    </ol>
    <p>During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator.</p>
   </div>
   <h4 class="heading settled" data-level="5.1.4" id="sctn-getAssertion"><span class="secno">5.1.4. </span><span class="content">Use an Existing Credential to Make an Assertion - PublicKeyCredential’s <code>[[Get]](options)</code> Method</span><a class="self-link" href="#sctn-getAssertion"></a></h4>
   <p><a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party①②">WebAuthn Relying Parties</a> call <code><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get①②">navigator.credentials.get({publicKey:..., ...})</a></code> to
discover and use an existing <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential②⑥">public key credential</a>, with the <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent⑨">user’s consent</a>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑧②">Relying Party</a> script optionally specifies some criteria
to indicate what <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#credential-source" id="ref-for-credential-source①">credential sources</a> are acceptable to it. The <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform①⑧">client platform</a> locates <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#credential-source" id="ref-for-credential-source②">credential sources</a> matching the specified criteria, and guides the user to pick one that the script will be allowed to use. The user may choose to
decline the entire interaction even if a <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#credential-source" id="ref-for-credential-source③">credential source</a> is present, for example to maintain privacy. If the user picks a <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#credential-source" id="ref-for-credential-source④">credential source</a>, the user agent then uses <a href="#sctn-op-get-assertion">§ 6.3.3 The authenticatorGetAssertion Operation</a> to sign a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑧③">Relying Party</a>-provided challenge and other collected data into an assertion, which is used as a <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential④">credential</a>.</p>
   <p>The <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get①③">get()</a></code> implementation <a data-link-type="biblio" href="#biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]</a> calls <code>PublicKeyCredential.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-collectfromcredentialstore-slot" id="ref-for-dom-publickeycredential-collectfromcredentialstore-slot">[[CollectFromCredentialStore]]()</a></code></code> to collect any <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential⑤">credentials</a> that
should be available without <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#user-mediated" id="ref-for-user-mediated">user mediation</a> (roughly, this specification’s <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture①③">authorization gesture</a>), and if it does not find
exactly one of those, it then calls <code>PublicKeyCredential.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot②">[[DiscoverFromExternalSource]]()</a></code></code> to have
the user select a <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#credential-source" id="ref-for-credential-source⑤">credential source</a>.</p>
   <p>Since this specification requires an <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture①④">authorization gesture</a> to create any <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential⑥">credentials</a>, the <code>PublicKeyCredential.<dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="method" data-export id="dom-publickeycredential-collectfromcredentialstore-slot"><code>[[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors)</code></dfn></code> <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots①⓪">internal method</a> inherits the default behavior of <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#collectfromcredentialstore-origin-options-sameoriginwithancestors" id="ref-for-collectfromcredentialstore-origin-options-sameoriginwithancestors①">Credential.[[CollectFromCredentialStore]]()</a></code>, of returning an empty set.</p>
   <p>This <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get①④">navigator.credentials.get()</a></code> operation can be aborted by leveraging the <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#abortcontroller" id="ref-for-abortcontroller①">AbortController</a></code>;
see <a href="https://dom.spec.whatwg.org/#abortcontroller-api-integration">DOM §3.3 Using AbortController and AbortSignal objects in APIs</a> for detailed instructions.</p>
   <h5 class="heading settled" data-level="5.1.4.1" id="sctn-discover-from-external-source"><span class="secno">5.1.4.1. </span><span class="content">PublicKeyCredential’s <code><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="method" data-export id="dom-publickeycredential-discoverfromexternalsource-slot"><code>[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</code></dfn></code> Method</span><a class="self-link" href="#sctn-discover-from-external-source"></a></h5>
   <div data-link-for-hint="PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)">
    <p>This <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots①①">internal method</a> accepts three arguments:</p>
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)" data-dfn-type="argument" data-export id="dom-publickeycredential-discoverfromexternalsource-origin-options-sameoriginwithancestors-origin"><code>origin</code></dfn>
     <dd data-md>
      <p>This argument is the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object" id="ref-for-relevant-settings-object②">relevant settings object</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin" id="ref-for-concept-settings-object-origin④">origin</a>, as determined by the
calling <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get①⑤">get()</a></code> implementation, i.e., <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credentialscontainer" id="ref-for-credentialscontainer">CredentialsContainer</a></code>'s <a data-link-type="abstract-op" href="https://w3c.github.io/webappsec-credential-management/#abstract-opdef-request-a-credential" id="ref-for-abstract-opdef-request-a-credential">Request a <code>Credential</code></a> abstract operation.</p>
     <dt data-md><dfn class="idl-code" data-dfn-for="PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)" data-dfn-type="argument" data-export id="dom-publickeycredential-discoverfromexternalsource-origin-options-sameoriginwithancestors-options"><code>options</code><a class="self-link" href="#dom-publickeycredential-discoverfromexternalsource-origin-options-sameoriginwithancestors-options"></a></dfn>
     <dd data-md>
      <p>This argument is a <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions②">CredentialRequestOptions</a></code> object whose <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-credentialrequestoptions-publickey" id="ref-for-dom-credentialrequestoptions-publickey①">publicKey</a></code></code> member contains a <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions①">PublicKeyCredentialRequestOptions</a></code> object specifying the desired attributes of the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential②⑦">public key credential</a> to discover.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)" data-dfn-type="argument" data-export id="dom-publickeycredential-discoverfromexternalsource-origin-options-sameoriginwithancestors-sameoriginwithancestors"><code>sameOriginWithAncestors</code></dfn>
     <dd data-md>
       <p>This argument is a Boolean value which is <code>true</code> if and only if the caller’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object" id="ref-for-environment-settings-object①">environment settings object</a> is <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors" id="ref-for-same-origin-with-its-ancestors①">same-origin with its ancestors</a>. It is <code>false</code> if the caller is cross-origin.</p>
      <p class="note" role="note"><span>Note:</span> Invocation of this <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots①②">internal method</a> indicates that it was allowed by <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-permissions-policy" id="ref-for-concept-document-permissions-policy①">permissions policy</a>, which is evaluated at the <a data-link-type="biblio" href="#biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]</a> level.
See <a href="#sctn-permissions-policy">§ 5.9 Permissions Policy integration</a>.</p>
    </dl>
    <p class="note" role="note"><span>Note:</span> <strong>This algorithm is synchronous:</strong> the <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-promise" id="ref-for-idl-promise②">Promise</a></code> resolution/rejection is handled by <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get①⑥">navigator.credentials.get()</a></code>.</p>
    <p class="note" role="note"><span>Note:</span> All <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#BufferSource" id="ref-for-BufferSource①">BufferSource</a></code> objects used in this algorithm must be snapshotted when the algorithm begins, to
avoid potential synchronization issues. The algorithm implementations should <a data-link-type="dfn" href="https://heycam.github.io/webidl#dfn-get-buffer-source-reference" id="ref-for-dfn-get-buffer-source-reference①">get a copy of the bytes held
by the buffer source</a> and use that copy for relevant portions of the algorithm.</p>
    <p>When this method is invoked, the user agent MUST execute the following algorithm:</p>
    <ol>
     <li data-md>
      <p class="assertion">Assert: <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-credentialrequestoptions-publickey" id="ref-for-dom-credentialrequestoptions-publickey②">publicKey</a></code></code> is present.</p>
     <li data-md>
      <p>Let <var>options</var> be the value of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-credentialrequestoptions-publickey" id="ref-for-dom-credentialrequestoptions-publickey③">publicKey</a></code></code>.</p>
     <li data-md>
      <p>If the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-timeout" id="ref-for-dom-publickeycredentialrequestoptions-timeout">timeout</a></code> member of <var>options</var> is present, check if its value lies
within a reasonable range as defined by the <a data-link-type="dfn" href="#client" id="ref-for-client②②">client</a> and if not, correct it to the closest value lying within that range.
Set a timer <var>lifetimeTimer</var> to this adjusted value. If the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-timeout" id="ref-for-dom-publickeycredentialrequestoptions-timeout①">timeout</a></code> member of <var>options</var> is not present, then set <var>lifetimeTimer</var> to a <a data-link-type="dfn" href="#client" id="ref-for-client②③">client</a>-specific default.</p>
      <p>Recommended ranges and defaults for the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-timeout" id="ref-for-dom-publickeycredentialrequestoptions-timeout②">timeout</a></code> member of <var>options</var> are as follows.
      If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-userverification" id="ref-for-dom-publickeycredentialrequestoptions-userverification">userVerification</a></code></code></p>
      <dl class="switch">
       <dt data-md>is set to <code class="idl"><a data-link-type="idl" href="#dom-userverificationrequirement-discouraged" id="ref-for-dom-userverificationrequirement-discouraged②">discouraged</a></code>
       <dd data-md>
        <p>Recommended range: 30000 milliseconds to 180000 milliseconds.</p>
       <dd data-md>
        <p>Recommended default value: 120000 milliseconds (2 minutes).</p>
       <dt data-md>is set to <code class="idl"><a data-link-type="idl" href="#dom-userverificationrequirement-required" id="ref-for-dom-userverificationrequirement-required③">required</a></code> or <code class="idl"><a data-link-type="idl" href="#dom-userverificationrequirement-preferred" id="ref-for-dom-userverificationrequirement-preferred②">preferred</a></code>
       <dd data-md>
        <p>Recommended range: 30000 milliseconds to 600000 milliseconds.</p>
       <dd data-md>
        <p>Recommended default value: 300000 milliseconds (5 minutes).</p>
      </dl>
       <p class="note" role="note"><span>Note:</span> The user agent should take cognitive guidelines into consideration regarding timeouts for users with special needs.</p>
     <li data-md>
      <p>Let <var>callerOrigin</var> be <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-origin-options-sameoriginwithancestors-origin" id="ref-for-dom-publickeycredential-discoverfromexternalsource-origin-options-sameoriginwithancestors-origin">origin</a></code>. If <var>callerOrigin</var> is
an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-opaque" id="ref-for-concept-origin-opaque②">opaque origin</a>, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException①①">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror" id="ref-for-notallowederror④">NotAllowedError</a></code>", and terminate this algorithm.</p>
     <li data-md>
      <p>Let <var>effectiveDomain</var> be the <var>callerOrigin</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain⑧">effective domain</a>.
If <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain⑨">effective domain</a> is not a <a data-link-type="dfn" href="https://url.spec.whatwg.org/#valid-domain" id="ref-for-valid-domain①">valid domain</a>, then return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException①②">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#securityerror" id="ref-for-securityerror②">SecurityError</a></code>" and terminate this algorithm.</p>
      <p class="note" role="note"><span>Note:</span> An <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain①⓪">effective domain</a> may resolve to a <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-host" id="ref-for-concept-url-host③">host</a>, which can be represented in various manners,
    such as <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-domain" id="ref-for-concept-domain③">domain</a>, <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-ipv4" id="ref-for-concept-ipv4①">ipv4 address</a>, <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-ipv6" id="ref-for-concept-ipv6①">ipv6 address</a>, <a data-link-type="dfn" href="https://url.spec.whatwg.org/#opaque-host" id="ref-for-opaque-host①">opaque host</a>, or <a data-link-type="dfn" href="https://url.spec.whatwg.org/#empty-host" id="ref-for-empty-host①">empty host</a>.
    Only the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-domain" id="ref-for-concept-domain④">domain</a> format of <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-host" id="ref-for-concept-url-host④">host</a> is allowed here. This is for simplification and also is
    in recognition of various issues with using direct IP address identification in concert with
    PKI-based security.</p>
     <li id="GetAssn-DetermineRpId">
      <a class="self-link" href="#GetAssn-DetermineRpId"></a> If <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-rpid" id="ref-for-dom-publickeycredentialrequestoptions-rpid">rpId</a></code> is not present, then set <var>rpId</var> to <var>effectiveDomain</var>. 
      <p>Otherwise:</p>
      <ol>
       <li data-md>
        <p>If <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-rpid" id="ref-for-dom-publickeycredentialrequestoptions-rpid①">rpId</a></code> <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to" id="ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to④">is not a registrable domain suffix of and is not
equal to</a> <var>effectiveDomain</var>, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException①③">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#securityerror" id="ref-for-securityerror③">SecurityError</a></code>", and terminate
this algorithm.</p>
       <li data-md>
        <p>Set <var>rpId</var> to <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-rpid" id="ref-for-dom-publickeycredentialrequestoptions-rpid②">rpId</a></code>.</p>
        <p class="note" role="note"><span>Note:</span> <var>rpId</var> represents the caller’s <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id①⑨">RP ID</a>. The <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⓪">RP ID</a> defaults to being the caller’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin" id="ref-for-concept-settings-object-origin⑤">origin</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain①①">effective domain</a> unless the caller has explicitly set <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-rpid" id="ref-for-dom-publickeycredentialrequestoptions-rpid③">rpId</a></code> when calling <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get①⑦">get()</a></code>.</p>
      </ol>
     <li data-md>
      <p>Let <var>clientExtensions</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map" id="ref-for-ordered-map③">map</a> and let <var>authenticatorExtensions</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map" id="ref-for-ordered-map④">map</a>.</p>
     <li data-md>
      <p>If the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions">extensions</a></code> member of <var>options</var> is present, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-iterate" id="ref-for-map-iterate①">for each</a> <var>extensionId</var> → <var>clientExtensionInput</var> of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions①">extensions</a></code></code>:</p>
      <ol>
       <li data-md>
        <p>If <var>extensionId</var> is not supported by this <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform①⑨">client platform</a> or is not an <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension">authentication extension</a>, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue①⓪">continue</a>.</p>
       <li data-md>
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-set" id="ref-for-map-set②">Set</a> <var>clientExtensions</var>[<var>extensionId</var>] to <var>clientExtensionInput</var>.</p>
       <li data-md>
        <p>If <var>extensionId</var> is not an <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension①">authenticator extension</a>, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue①①">continue</a>.</p>
       <li data-md>
        <p>Let <var>authenticatorExtensionInput</var> be the (<a data-link-type="dfn" href="#cbor" id="ref-for-cbor④">CBOR</a>) result of running <var>extensionId</var>’s <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing③">client extension processing</a> algorithm on <var>clientExtensionInput</var>. If the algorithm returned an error, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue①②">continue</a>.</p>
       <li data-md>
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-set" id="ref-for-map-set③">Set</a> <var>authenticatorExtensions</var>[<var>extensionId</var>] to the <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding③">base64url encoding</a> of <var>authenticatorExtensionInput</var>.</p>
      </ol>
     <li data-md>
      <p>Let <var>collectedClientData</var> be a new <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata①">CollectedClientData</a></code> instance whose fields are:</p>
      <dl>
       <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-type" id="ref-for-dom-collectedclientdata-type①">type</a></code>
       <dd data-md>
        <p>The string "webauthn.get".</p>
       <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge①">challenge</a></code>
       <dd data-md>
        <p>The <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding④">base64url encoding</a> of <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-challenge" id="ref-for-dom-publickeycredentialrequestoptions-challenge">challenge</a></code></p>
       <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin①">origin</a></code>
       <dd data-md>
        <p>The <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin" id="ref-for-ascii-serialisation-of-an-origin①">serialization of</a> <var>callerOrigin</var>.</p>
       <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-crossorigin" id="ref-for-dom-collectedclientdata-crossorigin①">crossOrigin</a></code>
       <dd data-md>
        <p>The inverse of the value of the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-origin-options-sameoriginwithancestors-sameoriginwithancestors" id="ref-for-dom-publickeycredential-discoverfromexternalsource-origin-options-sameoriginwithancestors-sameoriginwithancestors">sameOriginWithAncestors</a></code> argument passed to this <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots①③">internal method</a>.</p>
       <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-tokenbinding" id="ref-for-dom-collectedclientdata-tokenbinding①">tokenBinding</a></code>
       <dd data-md>
        <p>The status of <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-1" id="ref-for-section-1①">Token Binding</a> between the client and the <var>callerOrigin</var>, as well as the <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-3.2" id="ref-for-section-3.2①">Token Binding ID</a> associated with <var>callerOrigin</var>, if one is available.</p>
      </dl>
     <li data-md>
      <p>Let <var>clientDataJSON</var> be the <a data-link-type="dfn" href="#collectedclientdata-json-compatible-serialization-of-client-data" id="ref-for-collectedclientdata-json-compatible-serialization-of-client-data①">JSON-compatible serialization of client data</a> constructed from <var>collectedClientData</var>.</p>
     <li data-md>
      <p>Let <var>clientDataHash</var> be the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data①">hash of the serialized client data</a> represented by <var>clientDataJSON</var>.</p>
     <li data-md>
      <p>If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialrequestoptions-signal" id="ref-for-dom-credentialrequestoptions-signal">signal</a></code></code> is present and its <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#abortsignal-aborted-flag" id="ref-for-abortsignal-aborted-flag②">aborted flag</a> is set to <code>true</code>, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException①④">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#aborterror" id="ref-for-aborterror②">AbortError</a></code>"
and terminate this algorithm.</p>
     <li data-md>
      <p>Let <var>issuedRequests</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set" id="ref-for-ordered-set②">ordered set</a>.</p>
     <li data-md>
      <p>Let <var>savedCredentialIds</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map" id="ref-for-ordered-map⑤">map</a>.</p>
     <li data-md>
      <p>Let <var>authenticators</var> represent a value which at any given instant is a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set" id="ref-for-ordered-set③">set</a> of <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform②⓪">client platform</a>-specific handles, where each <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item②">item</a> identifies an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑦①">authenticator</a> presently available on this <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform②①">client platform</a> at that instant.</p>
      <p class="note" role="note"><span>Note:</span> What qualifies an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑦②">authenticator</a> as "available" is intentionally unspecified; this is meant to represent how <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑦③">authenticators</a> can be <a href="https://en.wikipedia.org/w/index.php?title=Hot_plug">hot-plugged</a> into (e.g., via USB)
or discovered (e.g., via NFC or Bluetooth) by the <a data-link-type="dfn" href="#client" id="ref-for-client②④">client</a> by various mechanisms, or permanently built into the <a data-link-type="dfn" href="#client" id="ref-for-client②⑤">client</a>.</p>
     <li data-md>
      <p>Start <var>lifetimeTimer</var>.</p>
     <li data-md>
      <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-while" id="ref-for-iteration-while①">While</a> <var>lifetimeTimer</var> has not expired, perform the following actions depending upon <var>lifetimeTimer</var>,
and the state and response <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate⑨">for each</a> <var>authenticator</var> in <var>authenticators</var>:</p>
      <dl class="switch">
       <dt data-md>If <var>lifetimeTimer</var> expires,
       <dd data-md>
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate①⓪">For each</a> <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel⑥">authenticatorCancel</a> operation on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove①①">remove</a> <var>authenticator</var> from <var>issuedRequests</var>.</p>
       <dt data-md>If the user exercises a user agent user-interface option to cancel the process,
       <dd data-md>
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate①①">For each</a> <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel⑦">authenticatorCancel</a> operation on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove①②">remove</a> <var>authenticator</var> from <var>issuedRequests</var>. Return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException①⑤">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror" id="ref-for-notallowederror⑤">NotAllowedError</a></code>".</p>
       <dt data-md>If the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialrequestoptions-signal" id="ref-for-dom-credentialrequestoptions-signal①">signal</a></code> member is present and the <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#abortsignal-aborted-flag" id="ref-for-abortsignal-aborted-flag③">aborted flag</a> is set to <code>true</code>,
       <dd data-md>
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate①②">For each</a> <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel⑧">authenticatorCancel</a> operation on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove①③">remove</a> <var>authenticator</var> from <var>issuedRequests</var>. Then
return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException①⑥">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#aborterror" id="ref-for-aborterror③">AbortError</a></code>" and terminate this algorithm.</p>
       <dt data-md>If <var>issuedRequests</var> is empty, <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials④">allowCredentials</a></code></code> is not empty, and no <var>authenticator</var> will become available for any <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential②⑧">public key credentials</a> therein,
       <dd data-md>
        <p>Indicate to the user that no eligible credential could be found. When the user acknowledges the dialog, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException①⑦">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror" id="ref-for-notallowederror⑥">NotAllowedError</a></code>".</p>
        <p class="note" role="note"><span>Note:</span> One way a <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform②②">client platform</a> can determine that no <var>authenticator</var> will become available is by examining the <code><code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports④">transports</a></code></code> members of the present <code><code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor">PublicKeyCredentialDescriptor</a></code></code> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item③">items</a> of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials⑤">allowCredentials</a></code></code>, if any. For example, if all <code><code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor①">PublicKeyCredentialDescriptor</a></code></code> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item④">items</a> list only <code><code class="idl"><a data-link-type="idl" href="#dom-authenticatortransport-internal" id="ref-for-dom-authenticatortransport-internal">internal</a></code></code>, but all <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①⓪">platform</a> <var>authenticator</var>s have been tried, then there is no possibility of satisfying the request. 
Alternatively, all <code><code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor②">PublicKeyCredentialDescriptor</a></code></code> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item⑤">items</a> may list <code><code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports⑤">transports</a></code></code> that the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform②③">client platform</a> does not support.</p>
       <dt data-md>If an <var>authenticator</var> becomes available on this <a data-link-type="dfn" href="#client-device" id="ref-for-client-device①④">client device</a>,
       <dd data-md>
        <p class="note" role="note"><span>Note:</span> This includes the case where an <var>authenticator</var> was available upon <var>lifetimeTimer</var> initiation.</p>
        <ol>
         <li data-md>
          <p>If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-userverification" id="ref-for-dom-publickeycredentialrequestoptions-userverification①">userVerification</a></code></code> is set to <code class="idl"><a data-link-type="idl" href="#dom-userverificationrequirement-required" id="ref-for-dom-userverificationrequirement-required④">required</a></code> and the <var>authenticator</var> is not capable of performing <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification①⑤">user verification</a>, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue①③">continue</a>.</p>
         <li data-md>
          <p>Let <var>userVerification</var> be the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="effective-user-verification-requirement-for-assertion">effective user verification requirement for assertion</dfn>, a Boolean value, as
follows. If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-userverification" id="ref-for-dom-publickeycredentialrequestoptions-userverification②">userVerification</a></code></code></p>
          <dl class="switch">
           <dt data-md>is set to <code class="idl"><a data-link-type="idl" href="#dom-userverificationrequirement-required" id="ref-for-dom-userverificationrequirement-required⑤">required</a></code>
           <dd data-md>
            <p>Let <var>userVerification</var> be <code>true</code>.</p>
           <dt data-md>is set to <code class="idl"><a data-link-type="idl" href="#dom-userverificationrequirement-preferred" id="ref-for-dom-userverificationrequirement-preferred③">preferred</a></code>
           <dd data-md>
            <p>If the <var>authenticator</var></p>
            <dl class="switch">
             <dt data-md>is capable of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification①⑥">user verification</a>
             <dd data-md>
              <p>Let <var>userVerification</var> be <code>true</code>.</p>
             <dt data-md>is not capable of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification①⑦">user verification</a>
             <dd data-md>
              <p>Let <var>userVerification</var> be <code>false</code>.</p>
            </dl>
           <dt data-md>is set to <code class="idl"><a data-link-type="idl" href="#dom-userverificationrequirement-discouraged" id="ref-for-dom-userverificationrequirement-discouraged③">discouraged</a></code>
           <dd data-md>
            <p>Let <var>userVerification</var> be <code>false</code>.</p>
          </dl>
         <li data-md>
          <p><span id="allowCredentialDescriptorListCreation"></span> If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials⑥">allowCredentials</a></code></code></p>
          <dl class="switch">
           <dt data-md><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty" id="ref-for-list-is-empty④">is not empty</a>
           <dd data-md>
            <ol>
             <li data-md>
              <p>Let <var>allowCredentialDescriptorList</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list" id="ref-for-list②">list</a>.</p>
             <li data-md>
              <p>Execute a <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform②④">client platform</a>-specific procedure to determine which, if any, <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential②⑨">public key credentials</a> described by <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials⑦">allowCredentials</a></code></code> are <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential⑦">bound</a> to this <var>authenticator</var>, by matching with <var>rpId</var>, <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials⑧">allowCredentials</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-id" id="ref-for-dom-publickeycredentialdescriptor-id">id</a></code></code>,
and <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials⑨">allowCredentials</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-type" id="ref-for-dom-publickeycredentialdescriptor-type">type</a></code></code>.
Set <var>allowCredentialDescriptorList</var> to this filtered list.</p>
             <li data-md>
              <p>If <var>allowCredentialDescriptorList</var> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty" id="ref-for-list-is-empty⑤">is empty</a>, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue①④">continue</a>.</p>
             <li data-md>
              <p>Let <var>distinctTransports</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set" id="ref-for-ordered-set④">ordered set</a>.</p>
             <li data-md>
              <p>If <var>allowCredentialDescriptorList</var> has exactly one value, set <code><var>savedCredentialIds</var>[<var>authenticator</var>]</code> to <code><var>allowCredentialDescriptorList</var>[0].id</code>’s
value (see <a href="#authenticatorGetAssertion-return-values">the return values</a> in <a href="#sctn-op-get-assertion">§ 6.3.3 The authenticatorGetAssertion Operation</a> for more information).</p>
             <li data-md>
              <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate①③">For each</a> credential descriptor <var>C</var> in <var>allowCredentialDescriptorList</var>, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#set-append" id="ref-for-set-append①">append</a> each value, if any, of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports⑥">transports</a></code></code> to <var>distinctTransports</var>.</p>
              <p class="note" role="note"><span>Note:</span> This will aggregate only distinct values of <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports⑦">transports</a></code> (for this <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑦④">authenticator</a>) in <var>distinctTransports</var> due to the properties of <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set" id="ref-for-ordered-set⑤">ordered sets</a>.</p>
             <li data-md>
              <p>If <var>distinctTransports</var></p>
              <dl class="switch">
               <dt data-md><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty" id="ref-for-list-is-empty⑥">is not empty</a>
               <dd data-md>
                <p>The client selects one <var>transport</var> value from <var>distinctTransports</var>, possibly incorporating local
configuration knowledge of the appropriate transport to use with <var>authenticator</var> in making its
selection.</p>
                <p>Then, using <var>transport</var>, invoke the <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion③">authenticatorGetAssertion</a> operation on <var>authenticator</var>, with <var>rpId</var>, <var>clientDataHash</var>, <var>allowCredentialDescriptorList</var>, <var>userVerification</var>, and <var>authenticatorExtensions</var> as parameters.</p>
               <dt data-md><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty" id="ref-for-list-is-empty⑦">is empty</a>
               <dd data-md>
                <p>Using local configuration knowledge of the appropriate transport to use with <var>authenticator</var>,
invoke the <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion④">authenticatorGetAssertion</a> operation on <var>authenticator</var> with <var>rpId</var>, <var>clientDataHash</var>, <var>allowCredentialDescriptorList</var>, <var>userVerification</var>, and <var>authenticatorExtensions</var> as parameters.</p>
              </dl>
            </ol>
           <dt data-md><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty" id="ref-for-list-is-empty⑧">is empty</a>
           <dd data-md>
            <p>Using local configuration knowledge of the appropriate transport to use with <var>authenticator</var>, invoke the <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion⑤">authenticatorGetAssertion</a> operation on <var>authenticator</var> with <var>rpId</var>, <var>clientDataHash</var>, <var>userVerification</var>, and <var>authenticatorExtensions</var> as parameters.</p>
            <p class="note" role="note"><span>Note:</span> In this case, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑧④">Relying Party</a> did not supply a list of acceptable credential descriptors. Thus, the
    authenticator is being asked to exercise any credential it may possess that is <a data-link-type="dfn" href="#scope" id="ref-for-scope⑨">scoped</a> to
    the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑧⑤">Relying Party</a>, as identified by <var>rpId</var>.</p>
          </dl>
         <li data-md>
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#set-append" id="ref-for-set-append②">Append</a> <var>authenticator</var> to <var>issuedRequests</var>.</p>
        </ol>
       <dt data-md>If an <var>authenticator</var> ceases to be available on this <a data-link-type="dfn" href="#client-device" id="ref-for-client-device①⑤">client device</a>,
       <dd data-md>
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove①④">Remove</a> <var>authenticator</var> from <var>issuedRequests</var>.</p>
       <dt data-md>If any <var>authenticator</var> returns a status indicating that the user cancelled the operation,
       <dd data-md>
        <ol>
         <li data-md>
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove①⑤">Remove</a> <var>authenticator</var> from <var>issuedRequests</var>.</p>
         <li data-md>
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate①④">For each</a> remaining <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel⑨">authenticatorCancel</a> operation
on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove①⑥">remove</a> it from <var>issuedRequests</var>.</p>
          <p class="note" role="note"><span>Note:</span> <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑦⑤">Authenticators</a> may return an indication of "the user cancelled the entire operation".
How a user agent manifests this state to users is unspecified.</p>
        </ol>
       <dt data-md>If any <var>authenticator</var> returns an error status,
       <dd data-md>
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove①⑦">Remove</a> <var>authenticator</var> from <var>issuedRequests</var>.</p>
       <dt data-md>If any <var>authenticator</var> indicates success,
       <dd data-md>
        <ol>
         <li data-md>
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove①⑧">Remove</a> <var>authenticator</var> from <var>issuedRequests</var>.</p>
         <li data-md>
          <p><span id="assertionCreationDataCreation"></span> Let <var>assertionCreationData</var> be a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#struct" id="ref-for-struct②">struct</a> whose <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#struct-item" id="ref-for-struct-item③">items</a> are:</p>
          <dl>
           <dt data-md><code><dfn class="dfn-paneled" data-dfn-for="assertionCreationData" data-dfn-type="dfn" data-noexport id="assertioncreationdata-credentialidresult">credentialIdResult</dfn></code>
           <dd data-md>
            <p>If <code><var>savedCredentialIds</var>[<var>authenticator</var>]</code> exists, set the value of <a data-link-type="dfn" href="#assertioncreationdata-credentialidresult" id="ref-for-assertioncreationdata-credentialidresult">credentialIdResult</a> to be
the bytes of <code><var>savedCredentialIds</var>[<var>authenticator</var>]</code>. Otherwise, set the value of <a data-link-type="dfn" href="#assertioncreationdata-credentialidresult" id="ref-for-assertioncreationdata-credentialidresult①">credentialIdResult</a> to be the bytes of the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id①⑦">credential ID</a> returned from the successful <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion⑥">authenticatorGetAssertion</a> operation, as defined in <a href="#sctn-op-get-assertion">§ 6.3.3 The authenticatorGetAssertion Operation</a>.</p>
           <dt data-md><code><dfn class="dfn-paneled" data-dfn-for="assertionCreationData" data-dfn-type="dfn" data-noexport id="assertioncreationdata-clientdatajsonresult">clientDataJSONResult</dfn></code>
           <dd data-md>
            <p>whose value is the bytes of <var>clientDataJSON</var>.</p>
           <dt data-md><code><dfn class="dfn-paneled" data-dfn-for="assertionCreationData" data-dfn-type="dfn" data-noexport id="assertioncreationdata-authenticatordataresult">authenticatorDataResult</dfn></code>
           <dd data-md>
            <p>whose value is the bytes of the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①">authenticator data</a> returned by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑦⑥">authenticator</a>.</p>
           <dt data-md><code><dfn class="dfn-paneled" data-dfn-for="assertionCreationData" data-dfn-type="dfn" data-noexport id="assertioncreationdata-signatureresult">signatureResult</dfn></code>
           <dd data-md>
            <p>whose value is the bytes of the signature value returned by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑦⑦">authenticator</a>.</p>
           <dt data-md><code><dfn class="dfn-paneled" data-dfn-for="assertionCreationData" data-dfn-type="dfn" data-noexport id="assertioncreationdata-userhandleresult">userHandleResult</dfn></code>
           <dd data-md>
            <p>If the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑦⑧">authenticator</a> returned a <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle②">user handle</a>, set the value of <a data-link-type="dfn" href="#assertioncreationdata-userhandleresult" id="ref-for-assertioncreationdata-userhandleresult">userHandleResult</a> to be the bytes of
the returned <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle③">user handle</a>. Otherwise, set the value of <a data-link-type="dfn" href="#assertioncreationdata-userhandleresult" id="ref-for-assertioncreationdata-userhandleresult①">userHandleResult</a> to null.</p>
           <dt data-md><code><dfn class="dfn-paneled" data-dfn-for="assertionCreationData" data-dfn-type="dfn" data-noexport id="assertioncreationdata-clientextensionresults">clientExtensionResults</dfn></code>
           <dd data-md>
            <p>whose value is an <code class="idl"><a data-link-type="idl" href="#dictdef-authenticationextensionsclientoutputs" id="ref-for-dictdef-authenticationextensionsclientoutputs②">AuthenticationExtensionsClientOutputs</a></code> object containing <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier②">extension identifier</a> → <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output③">client extension output</a> entries. The entries are created by running each extension’s <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing④">client extension processing</a> algorithm to create the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output④">client extension outputs</a>, for each <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension①">client extension</a> in <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions②">extensions</a></code></code>.</p>
          </dl>
         <li data-md>
          <p>Let <var>constructAssertionAlg</var> be an algorithm that takes a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global" id="ref-for-concept-settings-object-global①">global object</a> <var>global</var>, and whose steps are:</p>
          <ol>
           <li data-md>
            <p>Let <var>pubKeyCred</var> be a new <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential①①">PublicKeyCredential</a></code> object associated with <var>global</var> whose fields are:</p>
            <dl>
             <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-identifier-slot" id="ref-for-dom-publickeycredential-identifier-slot③">[[identifier]]</a></code>
             <dd data-md>
              <p>A new <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer⑤">ArrayBuffer</a></code>, created using <var>global</var>’s <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor" id="ref-for-sec-arraybuffer-constructor④">%ArrayBuffer%</a>, containing the bytes of <code><var>assertionCreationData</var>.<a data-link-type="dfn" href="#assertioncreationdata-credentialidresult" id="ref-for-assertioncreationdata-credentialidresult②">credentialIdResult</a></code>.</p>
             <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-response" id="ref-for-dom-publickeycredential-response②">response</a></code>
             <dd data-md>
              <p>A new <code class="idl"><a data-link-type="idl" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse②">AuthenticatorAssertionResponse</a></code> object associated with <var>global</var> whose fields are:</p>
              <dl>
               <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson①">clientDataJSON</a></code>
               <dd data-md>
                <p>A new <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer⑥">ArrayBuffer</a></code>, created using <var>global</var>’s <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor" id="ref-for-sec-arraybuffer-constructor⑤">%ArrayBuffer%</a>, containing the bytes of <code><var>assertionCreationData</var>.<a data-link-type="dfn" href="#assertioncreationdata-clientdatajsonresult" id="ref-for-assertioncreationdata-clientdatajsonresult">clientDataJSONResult</a></code>.</p>
               <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-authenticatorassertionresponse-authenticatordata" id="ref-for-dom-authenticatorassertionresponse-authenticatordata">authenticatorData</a></code>
               <dd data-md>
                <p>A new <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer⑦">ArrayBuffer</a></code>, created using <var>global</var>’s <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor" id="ref-for-sec-arraybuffer-constructor⑥">%ArrayBuffer%</a>, containing the bytes of <code><var>assertionCreationData</var>.<a data-link-type="dfn" href="#assertioncreationdata-authenticatordataresult" id="ref-for-assertioncreationdata-authenticatordataresult">authenticatorDataResult</a></code>.</p>
               <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-authenticatorassertionresponse-signature" id="ref-for-dom-authenticatorassertionresponse-signature">signature</a></code>
               <dd data-md>
                <p>A new <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer⑧">ArrayBuffer</a></code>, created using <var>global</var>’s <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor" id="ref-for-sec-arraybuffer-constructor⑦">%ArrayBuffer%</a>, containing the bytes of <code><var>assertionCreationData</var>.<a data-link-type="dfn" href="#assertioncreationdata-signatureresult" id="ref-for-assertioncreationdata-signatureresult">signatureResult</a></code>.</p>
               <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-authenticatorassertionresponse-userhandle" id="ref-for-dom-authenticatorassertionresponse-userhandle①">userHandle</a></code>
               <dd data-md>
                <p>If <code><var>assertionCreationData</var>.<a data-link-type="dfn" href="#assertioncreationdata-userhandleresult" id="ref-for-assertioncreationdata-userhandleresult②">userHandleResult</a></code> is null, set this
field to null. Otherwise, set this field to a new <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer⑨">ArrayBuffer</a></code>, created using <var>global</var>’s <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor" id="ref-for-sec-arraybuffer-constructor⑧">%ArrayBuffer%</a>, containing the bytes of <code><var>assertionCreationData</var>.<a data-link-type="dfn" href="#assertioncreationdata-userhandleresult" id="ref-for-assertioncreationdata-userhandleresult③">userHandleResult</a></code>.</p>
              </dl>
             <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-clientextensionsresults-slot" id="ref-for-dom-publickeycredential-clientextensionsresults-slot②">[[clientExtensionsResults]]</a></code>
             <dd data-md>
              <p>A new <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer①⓪">ArrayBuffer</a></code>, created using <var>global</var>’s <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor" id="ref-for-sec-arraybuffer-constructor⑨">%ArrayBuffer%</a>, containing the bytes of <code><var>assertionCreationData</var>.<a data-link-type="dfn" href="#assertioncreationdata-clientextensionresults" id="ref-for-assertioncreationdata-clientextensionresults">clientExtensionResults</a></code>.</p>
            </dl>
           <li data-md>
            <p>Return <var>pubKeyCred</var>.</p>
          </ol>
         <li data-md>
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate①⑤">For each</a> remaining <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel①⓪">authenticatorCancel</a> operation
on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove①⑨">remove</a> it from <var>issuedRequests</var>.</p>
         <li data-md>
          <p>Return <var>constructAssertionAlg</var> and terminate this algorithm.</p>
        </ol>
      </dl>
     <li data-md>
      <p>Return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException①⑧">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror" id="ref-for-notallowederror⑦">NotAllowedError</a></code>". In order to prevent an information leak that could identify the
user without <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent①⓪">consent</a> (e.g., letting the caller infer from the timing of the error whether any credential matching the request exists on the user’s authenticators), this step MUST NOT be executed before <var>lifetimeTimer</var> has expired. See <a href="#sctn-assertion-privacy">§ 14.5.2 Authentication Ceremony Privacy</a> for details.</p>
    </ol>
    <p>During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator with which to complete the operation.</p>
   </div>
   <h4 class="heading settled" data-level="5.1.5" id="sctn-storeCredential"><span class="secno">5.1.5. </span><span class="content">Store an Existing Credential - PublicKeyCredential’s <code>[[Store]](credential, sameOriginWithAncestors)</code> Method</span><a class="self-link" href="#sctn-storeCredential"></a></h4>
   <div data-link-for-hint="PublicKeyCredential/[[Store]](credential, sameOriginWithAncestors)">
    <p>The <dfn class="idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="method" data-export id="dom-publickeycredential-store-slot"><code>[[Store]](credential, sameOriginWithAncestors)</code><a class="self-link" href="#dom-publickeycredential-store-slot"></a></dfn> method is not supported
for Web Authentication’s <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential①②">PublicKeyCredential</a></code> type, so it always returns an error.</p>
    <p class="note" role="note"><span>Note:</span> This algorithm is synchronous; the <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-promise" id="ref-for-idl-promise③">Promise</a></code> resolution/rejection is handled by <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-store" id="ref-for-dom-credentialscontainer-store">navigator.credentials.store()</a></code>.</p>
    <p>This <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots①④">internal method</a> accepts two arguments:</p>
    <dl>
     <dt data-md><dfn class="idl-code" data-dfn-for="PublicKeyCredential/[[Store]](credential, sameOriginWithAncestors)" data-dfn-type="argument" data-export id="dom-publickeycredential-store-credential-sameoriginwithancestors-credential"><code>credential</code><a class="self-link" href="#dom-publickeycredential-store-credential-sameoriginwithancestors-credential"></a></dfn>
     <dd data-md>
      <p>This argument is a <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential①③">PublicKeyCredential</a></code> object.</p>
     <dt data-md><dfn class="idl-code" data-dfn-for="PublicKeyCredential/[[Store]](credential, sameOriginWithAncestors)" data-dfn-type="argument" data-export id="dom-publickeycredential-store-credential-sameoriginwithancestors-sameoriginwithancestors"><code>sameOriginWithAncestors</code><a class="self-link" href="#dom-publickeycredential-store-credential-sameoriginwithancestors-sameoriginwithancestors"></a></dfn>
     <dd data-md>
      <p>This argument is a Boolean value which is <code>true</code> if and only if the caller’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object" id="ref-for-environment-settings-object②">environment settings object</a> is <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors" id="ref-for-same-origin-with-its-ancestors②">same-origin with its ancestors</a>.</p>
    </dl>
    <p>When this method is invoked, the user agent MUST execute the following algorithm:</p>
    <ol>
     <li data-md>
      <p>Return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException①⑨">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notsupportederror" id="ref-for-notsupportederror①">NotSupportedError</a></code>", and terminate this algorithm.</p>
    </ol>
   </div>
   <h4 class="heading settled" data-level="5.1.6" id="sctn-preventSilentAccessCredential"><span class="secno">5.1.6. </span><span class="content">Preventing Silent Access to an Existing Credential - PublicKeyCredential’s <code>[[preventSilentAccess]](credential, sameOriginWithAncestors)</code> Method</span><a class="self-link" href="#sctn-preventSilentAccessCredential"></a></h4>
   <div data-link-for-hint="PublicKeyCredential/[[preventSilentAccess]](credential, sameOriginWithAncestors)">
     <p>Calling the <dfn class="idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="method" data-export id="dom-publickeycredential-preventsilentaccess-slot"><code>[[preventSilentAccess]](credential, sameOriginWithAncestors)</code><a class="self-link" href="#dom-publickeycredential-preventsilentaccess-slot"></a></dfn> method
will have no effect on authenticators that already require an <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture①⑤">authorization gesture</a>,
but invoking it may exclude authenticators that can otherwise operate without user intervention, since silent (gesture-free) access is precisely what this method prevents.</p>
    <p>This <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots①⑤">internal method</a> accepts no arguments.</p>
   </div>
   <h4 class="heading settled" data-level="5.1.7" id="sctn-isUserVerifyingPlatformAuthenticatorAvailable"><span class="secno">5.1.7. </span><span class="content">Availability of <a data-link-type="dfn" href="#user-verifying-platform-authenticator" id="ref-for-user-verifying-platform-authenticator②">User-Verifying Platform Authenticator</a> - PublicKeyCredential’s <code>isUserVerifyingPlatformAuthenticatorAvailable()</code> Method</span><a class="self-link" href="#sctn-isUserVerifyingPlatformAuthenticatorAvailable"></a></h4>
   <div data-link-for-hint="WebAuthentication/isUserVerifyingPlatformAuthenticatorAvailable">
    <p><a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party①③">WebAuthn Relying Parties</a> use this method to determine whether they can create a new credential using a <a data-link-type="dfn" href="#user-verifying-platform-authenticator" id="ref-for-user-verifying-platform-authenticator③">user-verifying platform authenticator</a>.
Upon invocation, the <a data-link-type="dfn" href="#client" id="ref-for-client②⑥">client</a> employs a <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform②⑤">client platform</a>-specific procedure to discover available <a data-link-type="dfn" href="#user-verifying-platform-authenticator" id="ref-for-user-verifying-platform-authenticator④">user-verifying platform authenticators</a>.
If any are discovered, the promise is resolved with the value of <code>true</code>.
Otherwise, the promise is resolved with the value of <code>false</code>.
Based on the result, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑧⑥">Relying Party</a> can take further actions to guide the user to create a credential.</p>
     <p>This method takes no arguments and returns a <code class="idl">Promise</code> that resolves to a Boolean value.</p>
<pre class="idl highlight def"><c- b>partial</c-> <c- b>interface</c-> <a class="idl-code" data-link-type="interface" href="#publickeycredential" id="ref-for-publickeycredential①④"><c- g>PublicKeyCredential</c-></a> {
    <c- b>static</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-promise" id="ref-for-idl-promise④"><c- b>Promise</c-></a>&lt;<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean"><c- b>boolean</c-></a>> <dfn class="idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="method" data-export data-lt="isUserVerifyingPlatformAuthenticatorAvailable()" id="dom-publickeycredential-isuserverifyingplatformauthenticatoravailable"><code><c- g>isUserVerifyingPlatformAuthenticatorAvailable</c-></code><a class="self-link" href="#dom-publickeycredential-isuserverifyingplatformauthenticatoravailable"></a></dfn>();
};
</pre>
    <p class="note" role="note"><span>Note:</span> Invoking this method from a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context①">browsing context</a> where the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api①①">Web Authentication API</a> is "disabled" according to the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#allowed-to-use" id="ref-for-allowed-to-use">allowed to use</a> algorithm—i.e., by a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-permissions-policy" id="ref-for-concept-document-permissions-policy②">permissions policy</a>—will result in the promise being rejected with a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException②⓪">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror" id="ref-for-notallowederror⑧">NotAllowedError</a></code>". See also <a href="#sctn-permissions-policy">§ 5.9 Permissions Policy integration</a>.</p>
   </div>
   <h3 class="heading settled" data-level="5.2" id="iface-authenticatorresponse"><span class="secno">5.2. </span><span class="content">Authenticator Responses (interface <dfn class="dfn-paneled idl-code" data-dfn-type="interface" data-export id="authenticatorresponse"><code>AuthenticatorResponse</code></dfn>)</span><a class="self-link" href="#iface-authenticatorresponse"></a></h3>
   <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑦⑨">Authenticators</a> respond to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑧⑦">Relying Party</a> requests by returning an object derived from the <code class="idl"><a data-link-type="idl" href="#authenticatorresponse" id="ref-for-authenticatorresponse②">AuthenticatorResponse</a></code> interface:</p>
<pre class="idl highlight def">[<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext" id="ref-for-SecureContext①"><c- g>SecureContext</c-></a>, <a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#Exposed" id="ref-for-Exposed①"><c- g>Exposed</c-></a>=<c- n>Window</c->]
<c- b>interface</c-> <a class="idl-code" data-link-type="interface" href="#authenticatorresponse" id="ref-for-authenticatorresponse③"><c- g>AuthenticatorResponse</c-></a> {
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject" id="ref-for-SameObject②"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer①①"><c- b>ArrayBuffer</c-></a>      <a class="idl-code" data-link-type="attribute" data-readonly data-type="ArrayBuffer" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson②"><c- g>clientDataJSON</c-></a>;
};
</pre>
   <div>
    <dl>
     <dt data-md>
      <p><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorResponse" data-dfn-type="attribute" data-export id="dom-authenticatorresponse-clientdatajson"><code>clientDataJSON</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer①②">ArrayBuffer</a>, readonly</span></p>
     <dd data-md>
      <p>This attribute contains a <a href="#clientdatajson-serialization">JSON-compatible serialization</a> of the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data">client data</a>, the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data②">hash of which</a> is passed to the
authenticator by the client in its call to either <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create①⓪">create()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get①⑧">get()</a></code> (i.e., the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data①">client data</a> itself is not sent to the authenticator).</p>
    </dl>
   </div>
   <h4 class="heading settled" data-level="5.2.1" id="iface-authenticatorattestationresponse"><span class="secno">5.2.1. </span><span class="content">Information About Public Key Credential (interface <dfn class="dfn-paneled idl-code" data-dfn-type="interface" data-export id="authenticatorattestationresponse"><code>AuthenticatorAttestationResponse</code></dfn>)</span><a class="self-link" href="#iface-authenticatorattestationresponse"></a></h4>
   <p>The <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse②">AuthenticatorAttestationResponse</a></code> interface represents the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑧⓪">authenticator</a>'s response to a client’s request
for the creation of a new <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential③⓪">public key credential</a>. It contains information about the new credential that can be used to
identify it for later use, and metadata that can be used by the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party①④">WebAuthn Relying Party</a> to assess the characteristics of the credential
during registration.</p>
<pre class="idl highlight def">[<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext" id="ref-for-SecureContext②"><c- g>SecureContext</c-></a>, <a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#Exposed" id="ref-for-Exposed②"><c- g>Exposed</c-></a>=<c- n>Window</c->]
<c- b>interface</c-> <a class="idl-code" data-link-type="interface" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse③"><c- g>AuthenticatorAttestationResponse</c-></a> : <a data-link-type="idl-name" href="#authenticatorresponse" id="ref-for-authenticatorresponse④"><c- n>AuthenticatorResponse</c-></a> {
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject" id="ref-for-SameObject③"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer①③"><c- b>ArrayBuffer</c-></a>      <a class="idl-code" data-link-type="attribute" data-readonly data-type="ArrayBuffer" href="#dom-authenticatorattestationresponse-attestationobject" id="ref-for-dom-authenticatorattestationresponse-attestationobject①"><c- g>attestationObject</c-></a>;
    <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence" id="ref-for-idl-sequence"><c- b>sequence</c-></a>&lt;<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString②"><c- b>DOMString</c-></a>>                              <dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorAttestationResponse" data-dfn-type="method" data-export data-lt="getTransports()" id="dom-authenticatorattestationresponse-gettransports"><code><c- g>getTransports</c-></code></dfn>();
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer①④"><c- b>ArrayBuffer</c-></a>                                      <dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorAttestationResponse" data-dfn-type="method" data-export data-lt="getAuthenticatorData()" id="dom-authenticatorattestationresponse-getauthenticatordata"><code><c- g>getAuthenticatorData</c-></code></dfn>();
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer①⑤"><c- b>ArrayBuffer</c-></a>?                                     <dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorAttestationResponse" data-dfn-type="method" data-export data-lt="getPublicKey()" id="dom-authenticatorattestationresponse-getpublickey"><code><c- g>getPublicKey</c-></code></dfn>();
    <a data-link-type="idl-name" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier②"><c- n>COSEAlgorithmIdentifier</c-></a>                          <dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorAttestationResponse" data-dfn-type="method" data-export data-lt="getPublicKeyAlgorithm()" id="dom-authenticatorattestationresponse-getpublickeyalgorithm"><code><c- g>getPublicKeyAlgorithm</c-></code></dfn>();
};
</pre>
   <div>
    <dl>
     <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson③">clientDataJSON</a></code>
     <dd data-md>
      <p>This attribute, inherited from <code class="idl"><a data-link-type="idl" href="#authenticatorresponse" id="ref-for-authenticatorresponse⑤">AuthenticatorResponse</a></code>, contains the <a data-link-type="dfn" href="#collectedclientdata-json-compatible-serialization-of-client-data" id="ref-for-collectedclientdata-json-compatible-serialization-of-client-data②">JSON-compatible serialization of client data</a> (see <a href="#sctn-attestation">§ 6.5 Attestation</a>) passed to the authenticator by the client in order to generate this credential. The
exact JSON serialization MUST be preserved, as the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data③">hash of the serialized client data</a> has been computed
over it.</p>
     <dt data-md>
      <p><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorAttestationResponse" data-dfn-type="attribute" data-export id="dom-authenticatorattestationresponse-attestationobject"><code>attestationObject</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer①⑥">ArrayBuffer</a>, readonly</span></p>
     <dd data-md>
      <p>This attribute contains an <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object④">attestation object</a>, which is opaque to, and cryptographically protected against
tampering by, the client. The <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object⑤">attestation object</a> contains both <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②">authenticator data</a> and an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement④">attestation
statement</a>. The former contains the AAGUID, a unique <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id①⑧">credential ID</a>, and the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key①②">credential public key</a>. The
contents of the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement⑤">attestation statement</a> are determined by the <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format">attestation statement format</a> used by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑧①">authenticator</a>. It also contains any additional information that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑧⑧">Relying Party</a>'s server requires to validate the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement⑥">attestation statement</a>, as well as to decode and validate the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③">authenticator data</a> along with the <a data-link-type="dfn" href="#collectedclientdata-json-compatible-serialization-of-client-data" id="ref-for-collectedclientdata-json-compatible-serialization-of-client-data③">JSON-compatible serialization of client data</a>. For more details, see <a href="#sctn-attestation">§ 6.5 Attestation</a>, <a href="#sctn-generating-an-attestation-object">§ 6.5.4 Generating an Attestation Object</a>,
and <a href="#fig-attStructs">Figure 6</a>.</p>
     <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-gettransports" id="ref-for-dom-authenticatorattestationresponse-gettransports">getTransports()</a></code>
     <dd data-md>
      <p>This operation returns the value of <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-transports-slot" id="ref-for-dom-authenticatorattestationresponse-transports-slot①">[[transports]]</a></code>.</p>
     <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-getauthenticatordata" id="ref-for-dom-authenticatorattestationresponse-getauthenticatordata">getAuthenticatorData()</a></code>
     <dd data-md>
      <p>This operation returns the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data④">authenticator data</a> contained within <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-attestationobject" id="ref-for-dom-authenticatorattestationresponse-attestationobject②">attestationObject</a></code>. See <a href="#sctn-public-key-easy">§ 5.2.1.1 Easily accessing credential data</a>.</p>
     <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-getpublickey" id="ref-for-dom-authenticatorattestationresponse-getpublickey">getPublicKey()</a></code>
     <dd data-md>
      <p>This operation returns the DER <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc5280#section-4.1.2.7" id="ref-for-section-4.1.2.7">SubjectPublicKeyInfo</a> of the new credential, or null if this is not available. See <a href="#sctn-public-key-easy">§ 5.2.1.1 Easily accessing credential data</a>.</p>
     <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-getpublickeyalgorithm" id="ref-for-dom-authenticatorattestationresponse-getpublickeyalgorithm">getPublicKeyAlgorithm()</a></code>
     <dd data-md>
      <p>This operation returns the <code class="idl"><a data-link-type="idl" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier③">COSEAlgorithmIdentifier</a></code> of the new credential. See <a href="#sctn-public-key-easy">§ 5.2.1.1 Easily accessing credential data</a>.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorAttestationResponse" data-dfn-type="attribute" data-export id="dom-authenticatorattestationresponse-transports-slot"><code>[[transports]]</code></dfn>
     <dd data-md>
      <p>This <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots①⑥">internal slot</a> contains a sequence of zero or more unique <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString③">DOMString</a></code>s in lexicographical order. These values are the transports that the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑧②">authenticator</a> is believed to support, or an empty sequence if the information is unavailable. The values SHOULD be members of <code class="idl"><a data-link-type="idl" href="#enumdef-authenticatortransport" id="ref-for-enumdef-authenticatortransport①">AuthenticatorTransport</a></code> but <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑧⑨">Relying Parties</a> MUST ignore unknown values.</p>
    </dl>
   </div>
   <h5 class="heading settled" data-level="5.2.1.1" id="sctn-public-key-easy"><span class="secno">5.2.1.1. </span><span class="content">Easily accessing credential data</span><a class="self-link" href="#sctn-public-key-easy"></a></h5>
   <p>Every user of the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot②">[[Create]](origin, options, sameOriginWithAncestors)</a></code> method will need to parse and store the returned <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key①③">credential public key</a> in order to verify future <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion⑨">authentication assertions</a>. However, the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key①④">credential public key</a> is in <a data-link-type="biblio" href="#biblio-rfc8152">[RFC8152]</a> (COSE) format, inside the <a data-link-type="dfn" href="#credentialpublickey" id="ref-for-credentialpublickey">credentialPublicKey</a> member of the <a data-link-type="dfn" href="#attestedcredentialdata" id="ref-for-attestedcredentialdata①">attestedCredentialData</a>, inside the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data⑤">authenticator data</a>, inside the <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object⑥">attestation object</a> conveyed by <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse④">AuthenticatorAttestationResponse</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-attestationobject" id="ref-for-dom-authenticatorattestationresponse-attestationobject③">attestationObject</a></code>. 
<a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑨⓪">Relying Parties</a> wishing to use <a data-link-type="dfn" href="#attestation" id="ref-for-attestation⑥">attestation</a> are obliged to do the work of parsing the <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-attestationobject" id="ref-for-dom-authenticatorattestationresponse-attestationobject④">attestationObject</a></code> and obtaining the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key①⑤">credential public key</a> because that public key copy is the one the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑧③">authenticator</a> <a href="#signing-procedure" id="ref-for-signing-procedure">signed</a>. However, many valid WebAuthn use cases do not require <a data-link-type="dfn" href="#attestation" id="ref-for-attestation⑦">attestation</a>. For those uses, user agents can do the work of parsing, expose the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data⑥">authenticator data</a> directly, and translate the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key①⑥">credential public key</a> into a more convenient format.</p>
   <p>The <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-getpublickey" id="ref-for-dom-authenticatorattestationresponse-getpublickey①">getPublicKey()</a></code> operation thus returns the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key①⑦">credential public key</a> as a <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc5280#section-4.1.2.7" id="ref-for-section-4.1.2.7①">SubjectPublicKeyInfo</a>. This <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer①⑦">ArrayBuffer</a></code> can, for example, be passed to Java’s <code>java.security.spec.X509EncodedKeySpec</code>, .NET’s <code>System.Security.Cryptography.ECDsa.ImportSubjectPublicKeyInfo</code>, or Go’s <code>crypto/x509.ParsePKIXPublicKey</code>.</p>
   <p>Use of <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-getpublickey" id="ref-for-dom-authenticatorattestationresponse-getpublickey②">getPublicKey()</a></code> does impose some limitations: by using <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-pubkeycredparams" id="ref-for-dom-publickeycredentialcreationoptions-pubkeycredparams②">pubKeyCredParams</a></code>, a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑨①">Relying Party</a> can negotiate with the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑧④">authenticator</a> to use public key algorithms that the user agent may not understand. However, if the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑨②">Relying Party</a> does so, the user agent will not be able to translate the resulting <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key①⑧">credential public key</a> into <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc5280#section-4.1.2.7" id="ref-for-section-4.1.2.7②">SubjectPublicKeyInfo</a> format and the return value of <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-getpublickey" id="ref-for-dom-authenticatorattestationresponse-getpublickey③">getPublicKey()</a></code> will be null.</p>
   <p>User agents MUST be able to return a non-null value for <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-getpublickey" id="ref-for-dom-authenticatorattestationresponse-getpublickey④">getPublicKey()</a></code> when the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key①⑨">credential public key</a> has a <code class="idl"><a data-link-type="idl" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier④">COSEAlgorithmIdentifier</a></code> value of:</p>
   <ul>
    <li data-md>
     <p>-7 (ES256), where <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8152#section-7.1" id="ref-for-section-7.1">kty</a> is 2 (with uncompressed points) and <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8152#section-13.1.1" id="ref-for-section-13.1.1">crv</a> is 1 (P-256).</p>
    <li data-md>
     <p>-257 (RS256).</p>
    <li data-md>
     <p>-8 (EdDSA), where <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8152#section-13.1.1" id="ref-for-section-13.1.1①">crv</a> is 6 (Ed25519).</p>
   </ul>
   <p>A <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc5280#section-4.1.2.7" id="ref-for-section-4.1.2.7③">SubjectPublicKeyInfo</a> does not include information about the signing algorithm (for example, which hash function to use) that is included in the COSE public key. To provide this, <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-getpublickeyalgorithm" id="ref-for-dom-authenticatorattestationresponse-getpublickeyalgorithm①">getPublicKeyAlgorithm()</a></code> returns the <code class="idl"><a data-link-type="idl" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier⑤">COSEAlgorithmIdentifier</a></code> for the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key②⓪">credential public key</a>.</p>
   <p>To remove the need to parse CBOR at all in many cases, <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-getauthenticatordata" id="ref-for-dom-authenticatorattestationresponse-getauthenticatordata①">getAuthenticatorData()</a></code> returns the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data⑦">authenticator data</a> from <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-attestationobject" id="ref-for-dom-authenticatorattestationresponse-attestationobject⑤">attestationObject</a></code>. The <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data⑧">authenticator data</a> contains other fields that are encoded in a binary format. However, helper functions are not provided to access them because <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑨③">Relying Parties</a> already need to extract those fields when <a href="#sctn-getAssertion">getting an assertion</a>. In contrast to <a href="#sctn-createCredential">credential creation</a>, where signature verification is <a href="#enumdef-attestationconveyancepreference" id="ref-for-enumdef-attestationconveyancepreference">optional</a>, <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑨④">Relying Parties</a> should always be verifying signatures from an assertion and thus must extract fields from the signed <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data⑨">authenticator data</a>. The same functions used there will also serve during credential creation.</p>
   <p class="note" role="note"><span>Note:</span> <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-getpublickey" id="ref-for-dom-authenticatorattestationresponse-getpublickey⑤">getPublicKey()</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-getauthenticatordata" id="ref-for-dom-authenticatorattestationresponse-getauthenticatordata②">getAuthenticatorData()</a></code> were only added in level two of this spec. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑨⑤">Relying Parties</a> SHOULD use feature detection before using these functions, for example by testing the value of <code>'getPublicKey' in AuthenticatorAttestationResponse.prototype</code>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑨⑥">Relying Parties</a> that require these functions to exist may not interoperate with older user agents.</p>
   <h4 class="heading settled" data-level="5.2.2" id="iface-authenticatorassertionresponse"><span class="secno">5.2.2. </span><span class="content">Web Authentication Assertion (interface <dfn class="dfn-paneled idl-code" data-dfn-type="interface" data-export id="authenticatorassertionresponse"><code>AuthenticatorAssertionResponse</code></dfn>)</span><a class="self-link" href="#iface-authenticatorassertionresponse"></a></h4>
   <p>The <code class="idl"><a data-link-type="idl" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse③">AuthenticatorAssertionResponse</a></code> interface represents an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑧⑤">authenticator</a>'s response to a client’s request for
generation of a new <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion①⓪">authentication assertion</a> given the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party①⑤">WebAuthn Relying Party</a>'s challenge and OPTIONAL list of credentials it is
aware of. This response contains a cryptographic signature proving possession of the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key⑧">credential private key</a>, and
optionally evidence of <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent①①">user consent</a> to a specific transaction.</p>
<pre class="idl highlight def">[<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext" id="ref-for-SecureContext③"><c- g>SecureContext</c-></a>, <a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#Exposed" id="ref-for-Exposed③"><c- g>Exposed</c-></a>=<c- n>Window</c->]
<c- b>interface</c-> <a class="idl-code" data-link-type="interface" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse④"><c- g>AuthenticatorAssertionResponse</c-></a> : <a data-link-type="idl-name" href="#authenticatorresponse" id="ref-for-authenticatorresponse⑥"><c- n>AuthenticatorResponse</c-></a> {
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject" id="ref-for-SameObject④"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer①⑧"><c- b>ArrayBuffer</c-></a>      <a class="idl-code" data-link-type="attribute" data-readonly data-type="ArrayBuffer" href="#dom-authenticatorassertionresponse-authenticatordata" id="ref-for-dom-authenticatorassertionresponse-authenticatordata①"><c- g>authenticatorData</c-></a>;
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject" id="ref-for-SameObject⑤"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer①⑨"><c- b>ArrayBuffer</c-></a>      <a class="idl-code" data-link-type="attribute" data-readonly data-type="ArrayBuffer" href="#dom-authenticatorassertionresponse-signature" id="ref-for-dom-authenticatorassertionresponse-signature①"><c- g>signature</c-></a>;
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject" id="ref-for-SameObject⑥"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer②⓪"><c- b>ArrayBuffer</c-></a>?     <a class="idl-code" data-link-type="attribute" data-readonly data-type="ArrayBuffer?" href="#dom-authenticatorassertionresponse-userhandle" id="ref-for-dom-authenticatorassertionresponse-userhandle②"><c- g>userHandle</c-></a>;
};
</pre>
   <div>
    <dl>
     <dt data-md><code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson④">clientDataJSON</a></code>
     <dd data-md>
      <p>This attribute, inherited from <code class="idl"><a data-link-type="idl" href="#authenticatorresponse" id="ref-for-authenticatorresponse⑦">AuthenticatorResponse</a></code>, contains the <a data-link-type="dfn" href="#collectedclientdata-json-compatible-serialization-of-client-data" id="ref-for-collectedclientdata-json-compatible-serialization-of-client-data④">JSON-compatible serialization of client data</a> (see <a href="#dictionary-client-data">§ 5.8.1 Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)</a>) passed to the authenticator by the client in order to generate this assertion. The
exact JSON serialization MUST be preserved, as the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data④">hash of the serialized client data</a> has been computed
over it.</p>
     <dt data-md>
      <p><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorAssertionResponse" data-dfn-type="attribute" data-export id="dom-authenticatorassertionresponse-authenticatordata"><code>authenticatorData</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer②①">ArrayBuffer</a>, readonly</span></p>
     <dd data-md>
      <p>This attribute contains the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①⓪">authenticator data</a> returned by the authenticator. See <a href="#sctn-authenticator-data">§ 6.1 Authenticator Data</a>.</p>
     <dt data-md>
      <p><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorAssertionResponse" data-dfn-type="attribute" data-export id="dom-authenticatorassertionresponse-signature"><code>signature</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer②②">ArrayBuffer</a>, readonly</span></p>
     <dd data-md>
      <p>This attribute contains the raw signature returned from the authenticator, computed over the <a data-link-type="dfn" href="#authenticator-data">authenticator data</a> and the hash of the serialized client data. See <a href="#sctn-op-get-assertion">§ 6.3.3 The authenticatorGetAssertion Operation</a>.</p>
     <dt data-md>
      <p><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorAssertionResponse" data-dfn-type="attribute" data-export id="dom-authenticatorassertionresponse-userhandle"><code>userHandle</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer②③">ArrayBuffer</a>, readonly, nullable</span></p>
     <dd data-md>
      <p>This attribute contains the <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle④">user handle</a> returned from the authenticator, or null if the authenticator did not return a <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle⑤">user handle</a>. See <a href="#sctn-op-get-assertion">§ 6.3.3 The authenticatorGetAssertion Operation</a>.</p>
    </dl>
   </div>
   <h3 class="heading settled" data-level="5.3" id="dictionary-credential-params"><span class="secno">5.3. </span><span class="content">Parameters for Credential Generation (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-publickeycredentialparameters"><code>PublicKeyCredentialParameters</code></dfn>)</span><a class="self-link" href="#dictionary-credential-params"></a></h3>
<pre class="idl highlight def"><c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialparameters" id="ref-for-dictdef-publickeycredentialparameters"><c- g>PublicKeyCredentialParameters</c-></a> {
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString④"><c- b>DOMString</c-></a>                    <a class="idl-code" data-link-type="dict-member" data-type="DOMString                    " href="#dom-publickeycredentialparameters-type" id="ref-for-dom-publickeycredentialparameters-type②"><c- g>type</c-></a>;
    <c- b>required</c-> <a data-link-type="idl-name" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier⑥"><c- n>COSEAlgorithmIdentifier</c-></a>      <a class="idl-code" data-link-type="dict-member" data-type="COSEAlgorithmIdentifier      " href="#dom-publickeycredentialparameters-alg" id="ref-for-dom-publickeycredentialparameters-alg①"><c- g>alg</c-></a>;
};
</pre>
   <div>
     This dictionary is used to supply additional parameters when creating a new credential. 
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialParameters" data-dfn-type="dict-member" data-export id="dom-publickeycredentialparameters-type"><code>type</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑤">DOMString</a></span>
     <dd data-md>
      <p>This member specifies the type of credential to be created. The value SHOULD be a member of <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype④">PublicKeyCredentialType</a></code> but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform②⑥">client platforms</a> MUST ignore unknown values, ignoring any <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialparameters" id="ref-for-dictdef-publickeycredentialparameters①">PublicKeyCredentialParameters</a></code> with an unknown <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialparameters-type" id="ref-for-dom-publickeycredentialparameters-type③">type</a></code>.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialParameters" data-dfn-type="dict-member" data-export id="dom-publickeycredentialparameters-alg"><code>alg</code></dfn>, <span> of type <a data-link-type="idl-name" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier⑦">COSEAlgorithmIdentifier</a></span>
     <dd data-md>
      <p>This member specifies the cryptographic signature algorithm with which the newly generated credential will be used, and
thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.</p>
    </dl>
    <p class="note" role="note"><span>Note:</span> we use "alg" as the latter member name, rather than spelling out "algorithm", because it will be serialized into
        a message to the authenticator, which may be sent over a low-bandwidth link.</p>
   </div>
   <h3 class="heading settled" data-level="5.4" id="dictionary-makecredentialoptions"><span class="secno">5.4. </span><span class="content">Options for Credential Creation (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-publickeycredentialcreationoptions"><code>PublicKeyCredentialCreationOptions</code></dfn>)</span><a class="self-link" href="#dictionary-makecredentialoptions"></a></h3>
<pre class="idl highlight def"><c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialcreationoptions" id="ref-for-dictdef-publickeycredentialcreationoptions②"><c- g>PublicKeyCredentialCreationOptions</c-></a> {
    <c- b>required</c-> <a data-link-type="idl-name" href="#dictdef-publickeycredentialrpentity" id="ref-for-dictdef-publickeycredentialrpentity"><c- n>PublicKeyCredentialRpEntity</c-></a>         <a class="idl-code" data-link-type="dict-member" data-type="PublicKeyCredentialRpEntity         " href="#dom-publickeycredentialcreationoptions-rp" id="ref-for-dom-publickeycredentialcreationoptions-rp⑦"><c- g>rp</c-></a>;
    <c- b>required</c-> <a data-link-type="idl-name" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity"><c- n>PublicKeyCredentialUserEntity</c-></a>       <a class="idl-code" data-link-type="dict-member" data-type="PublicKeyCredentialUserEntity       " href="#dom-publickeycredentialcreationoptions-user" id="ref-for-dom-publickeycredentialcreationoptions-user③"><c- g>user</c-></a>;

    <c- b>required</c-> <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource" id="ref-for-BufferSource②"><c- n>BufferSource</c-></a>                             <a class="idl-code" data-link-type="dict-member" data-type="BufferSource                             " href="#dom-publickeycredentialcreationoptions-challenge" id="ref-for-dom-publickeycredentialcreationoptions-challenge①"><c- g>challenge</c-></a>;
    <c- b>required</c-> <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence" id="ref-for-idl-sequence①"><c- b>sequence</c-></a>&lt;<a data-link-type="idl-name" href="#dictdef-publickeycredentialparameters" id="ref-for-dictdef-publickeycredentialparameters②"><c- n>PublicKeyCredentialParameters</c-></a>>  <a class="idl-code" data-link-type="dict-member" data-type="sequence<PublicKeyCredentialParameters>  " href="#dom-publickeycredentialcreationoptions-pubkeycredparams" id="ref-for-dom-publickeycredentialcreationoptions-pubkeycredparams③"><c- g>pubKeyCredParams</c-></a>;

    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-unsigned-long" id="ref-for-idl-unsigned-long"><c- b>unsigned</c-> <c- b>long</c-></a>                                <a class="idl-code" data-link-type="dict-member" data-type="unsigned long                                " href="#dom-publickeycredentialcreationoptions-timeout" id="ref-for-dom-publickeycredentialcreationoptions-timeout③"><c- g>timeout</c-></a>;
    <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence" id="ref-for-idl-sequence②"><c- b>sequence</c-></a>&lt;<a data-link-type="idl-name" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor③"><c- n>PublicKeyCredentialDescriptor</c-></a>>      <a class="idl-code" data-default="[]" data-link-type="dict-member" data-type="sequence<PublicKeyCredentialDescriptor>      " href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials①"><c- g>excludeCredentials</c-></a> = [];
    <a data-link-type="idl-name" href="#dictdef-authenticatorselectioncriteria" id="ref-for-dictdef-authenticatorselectioncriteria"><c- n>AuthenticatorSelectionCriteria</c-></a>               <a class="idl-code" data-link-type="dict-member" data-type="AuthenticatorSelectionCriteria               " href="#dom-publickeycredentialcreationoptions-authenticatorselection" id="ref-for-dom-publickeycredentialcreationoptions-authenticatorselection⑨"><c- g>authenticatorSelection</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑥"><c- b>DOMString</c-></a>                                    <a class="idl-code" data-default="&quot;none&quot;" data-link-type="dict-member" data-type="DOMString                                    " href="#dom-publickeycredentialcreationoptions-attestation" id="ref-for-dom-publickeycredentialcreationoptions-attestation②"><c- g>attestation</c-></a> = "none";
    <a data-link-type="idl-name" href="#dictdef-authenticationextensionsclientinputs" id="ref-for-dictdef-authenticationextensionsclientinputs"><c- n>AuthenticationExtensionsClientInputs</c-></a>         <a class="idl-code" data-link-type="dict-member" data-type="AuthenticationExtensionsClientInputs         " href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions③"><c- g>extensions</c-></a>;
};
</pre>
   <div>
    <dl>
     <dt data-md>
      <p><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialCreationOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialcreationoptions-rp"><code>rp</code></dfn>, <span> of type <a data-link-type="idl-name" href="#dictdef-publickeycredentialrpentity" id="ref-for-dictdef-publickeycredentialrpentity①">PublicKeyCredentialRpEntity</a></span></p>
     <dd data-md>
      <p>This member contains data about the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑨⑦">Relying Party</a> responsible for the request.</p>
      <p>Its value’s <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name">name</a></code> member is REQUIRED. See <a href="#dictionary-pkcredentialentity">§ 5.4.1 Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a> for further
details.</p>
      <p>Its value’s <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrpentity-id" id="ref-for-dom-publickeycredentialrpentity-id⑥">id</a></code> member specifies the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②①">RP ID</a> the credential
should be <a data-link-type="dfn" href="#scope" id="ref-for-scope①⓪">scoped</a> to. If omitted, its value will be the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credentialscontainer" id="ref-for-credentialscontainer①">CredentialsContainer</a></code> object’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object" id="ref-for-relevant-settings-object③">relevant
settings object</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin" id="ref-for-concept-settings-object-origin⑥">origin</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain①②">effective domain</a>. See <a href="#dictionary-rp-credential-params">§ 5.4.2 Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity)</a> for further details.</p>
     <dt data-md>
      <p><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialCreationOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialcreationoptions-user"><code>user</code></dfn>, <span> of type <a data-link-type="idl-name" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity①">PublicKeyCredentialUserEntity</a></span></p>
     <dd data-md>
      <p>This member contains data about the user account for which the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑨⑧">Relying Party</a> is requesting attestation.</p>
      <p>Its value’s <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name①">name</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname①">displayName</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-id" id="ref-for-dom-publickeycredentialuserentity-id②">id</a></code> members are REQUIRED. See <a href="#dictionary-pkcredentialentity">§ 5.4.1 Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a> and <a href="#dictionary-user-credential-params">§ 5.4.3 User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a> for further details.</p>
     <dt data-md>
      <p><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialCreationOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialcreationoptions-challenge"><code>challenge</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource" id="ref-for-BufferSource③">BufferSource</a></span></p>
     <dd data-md>
      <p>This member contains a challenge intended to be used for generating the newly created credential’s <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object⑦">attestation
object</a>. The Relying Party generates this value; the authenticator signs it together with the other client data, and the Relying Party verifies it when the response is returned. See the <a href="#sctn-cryptographic-challenges">§ 13.4.3 Cryptographic Challenges</a> security consideration.</p>
     <dt data-md>
      <p><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialCreationOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialcreationoptions-pubkeycredparams"><code>pubKeyCredParams</code></dfn>, <span> of type sequence&lt;<a data-link-type="idl-name" href="#dictdef-publickeycredentialparameters" id="ref-for-dictdef-publickeycredentialparameters③">PublicKeyCredentialParameters</a>></span></p>
     <dd data-md>
      <p>This member contains information about the desired properties of the credential to be created. The sequence is ordered
from most preferred to least preferred. The <a data-link-type="dfn" href="#client" id="ref-for-client②⑦">client</a> makes a best effort to create the most preferred credential that it
can.</p>
     <dt data-md>
      <p><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialCreationOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialcreationoptions-timeout"><code>timeout</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-unsigned-long" id="ref-for-idl-unsigned-long①">unsigned long</a></span></p>
     <dd data-md>
      <p>This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. This is
treated as a hint, and MAY be overridden by the <a data-link-type="dfn" href="#client" id="ref-for-client②⑧">client</a>.</p>
     <dt data-md>
      <p><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialCreationOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialcreationoptions-excludecredentials"><code>excludeCredentials</code></dfn>, <span> of type sequence&lt;<a data-link-type="idl-name" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor④">PublicKeyCredentialDescriptor</a>>, defaulting to <code>[]</code></span></p>
     <dd data-md>
      <p>This member is intended for use by <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party⑨⑨">Relying Parties</a> that wish to limit the creation of multiple credentials for the same
account on a single authenticator. The <a data-link-type="dfn" href="#client" id="ref-for-client②⑨">client</a> is requested to return an error if the new credential would be created
on an authenticator that also contains one of the credentials enumerated in this parameter.</p>
     <dt data-md>
      <p><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialCreationOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialcreationoptions-authenticatorselection"><code>authenticatorSelection</code></dfn>, <span> of type <a data-link-type="idl-name" href="#dictdef-authenticatorselectioncriteria" id="ref-for-dictdef-authenticatorselectioncriteria①">AuthenticatorSelectionCriteria</a></span></p>
     <dd data-md>
      <p>This member is intended for use by <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⓪⓪">Relying Parties</a> that wish to select the appropriate authenticators to participate in
the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create①①">create()</a></code> operation.</p>
     <dt data-md>
      <p><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialCreationOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialcreationoptions-attestation"><code>attestation</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑦">DOMString</a>, defaulting to <code>"none"</code></span></p>
     <dd data-md>
      <p>This member is intended for use by <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⓪①">Relying Parties</a> that wish to express their preference for <a data-link-type="dfn" href="#attestation-conveyance" id="ref-for-attestation-conveyance①">attestation conveyance</a>.
Its values SHOULD be members of <code class="idl"><a data-link-type="idl" href="#enumdef-attestationconveyancepreference" id="ref-for-enumdef-attestationconveyancepreference④">AttestationConveyancePreference</a></code>. <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform②⑦">Client platforms</a> MUST ignore unknown values, treating an unknown value as if the <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-exists" id="ref-for-map-exists">member does not exist</a>.
Its default value is "none".</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialCreationOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialcreationoptions-extensions"><code>extensions</code></dfn>, <span> of type <a data-link-type="idl-name" href="#dictdef-authenticationextensionsclientinputs" id="ref-for-dictdef-authenticationextensionsclientinputs①">AuthenticationExtensionsClientInputs</a></span>
     <dd data-md>
      <p>This member contains additional parameters requesting additional processing by the client and authenticator. For
example, the caller may request that only authenticators with certain capabilities be used to create the credential, or
that particular information be returned in the <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object⑧">attestation object</a>. Some extensions are defined in <a href="#sctn-extensions">§ 9 WebAuthn Extensions</a>;
consult the IANA "WebAuthn Extension Identifiers" registry <a data-link-type="biblio" href="#biblio-iana-webauthn-registries">[IANA-WebAuthn-Registries]</a> established by <a data-link-type="biblio" href="#biblio-rfc8809">[RFC8809]</a> for an up-to-date list
of registered <a data-link-type="dfn" href="#webauthn-extensions" id="ref-for-webauthn-extensions">WebAuthn Extensions</a>.</p>
    </dl>
   </div>
   <h4 class="heading settled" data-level="5.4.1" id="dictionary-pkcredentialentity"><span class="secno">5.4.1. </span><span class="content">Public Key Entity Description (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-publickeycredentialentity"><code>PublicKeyCredentialEntity</code></dfn>)</span><a class="self-link" href="#dictionary-pkcredentialentity"></a></h4>
   <p>The <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialentity" id="ref-for-dictdef-publickeycredentialentity">PublicKeyCredentialEntity</a></code> dictionary describes a user account, or a <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party①⑥">WebAuthn Relying Party</a>, which a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential③①">public key credential</a> is
associated with or <a data-link-type="dfn" href="#scope" id="ref-for-scope①①">scoped</a> to, respectively.</p>
<pre class="idl highlight def"><c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialentity" id="ref-for-dictdef-publickeycredentialentity①"><c- g>PublicKeyCredentialEntity</c-></a> {
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑧"><c- b>DOMString</c-></a>    <a class="idl-code" data-link-type="dict-member" data-type="DOMString    " href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name②"><c- g>name</c-></a>;
};
</pre>
   <div>
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialEntity" data-dfn-type="dict-member" data-export id="dom-publickeycredentialentity-name"><code>name</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑨">DOMString</a></span>
     <dd data-md>
      <p>A <a data-link-type="dfn" href="#human-palatability" id="ref-for-human-palatability①">human-palatable</a> name for the entity. Its function depends on what the <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialentity" id="ref-for-dictdef-publickeycredentialentity②">PublicKeyCredentialEntity</a></code> represents:</p>
      <ul>
       <li data-md>
        <p>When inherited by <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrpentity" id="ref-for-dictdef-publickeycredentialrpentity②">PublicKeyCredentialRpEntity</a></code> it is a <a data-link-type="dfn" href="#human-palatability" id="ref-for-human-palatability②">human-palatable</a> identifier for the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⓪②">Relying Party</a>, intended only
for display. For example, "ACME Corporation", "Wonderful Widgets, Inc." or "ОАО Примертех".</p>
        <ul>
         <li data-md>
          <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⓪③">Relying Parties</a> SHOULD perform enforcement, as prescribed in Section 2.3 of <a data-link-type="biblio" href="#biblio-rfc8266">[RFC8266]</a> for the Nickname Profile of the PRECIS FreeformClass <a data-link-type="biblio" href="#biblio-rfc8264">[RFC8264]</a>,
when setting <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name③">name</a></code>'s value, or displaying the value to the user.</p>
         <li data-md>
          <p>This string MAY contain language and direction metadata. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⓪④">Relying Parties</a> SHOULD consider providing this information. See <a href="#sctn-strings-langdir">§ 6.4.2 Language and Direction Encoding</a> about how this metadata is encoded.</p>
         <li data-md>
          <p><a data-link-type="dfn" href="#client" id="ref-for-client③⓪">Clients</a> SHOULD perform enforcement, as prescribed in Section 2.3 of <a data-link-type="biblio" href="#biblio-rfc8266">[RFC8266]</a> for the Nickname Profile of the PRECIS FreeformClass <a data-link-type="biblio" href="#biblio-rfc8264">[RFC8264]</a>,
on <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name④">name</a></code>'s value prior to displaying the value to the user or
including the value as a parameter of the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential⑥">authenticatorMakeCredential</a> operation.</p>
        </ul>
       <li data-md>
        <p>When inherited by <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity②">PublicKeyCredentialUserEntity</a></code>, it is a <a data-link-type="dfn" href="#human-palatability" id="ref-for-human-palatability③">human-palatable</a> identifier for a
user account. It is intended only for display, i.e., to help the user distinguish between user
accounts with similar <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname②">displayName</a></code>s. For example, "alexm", "alex.mueller@example.com"
or "+14255551234".</p>
        <ul>
         <li data-md>
          <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⓪⑤">Relying Party</a> MAY let the user choose this value. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⓪⑥">Relying Party</a> SHOULD perform enforcement,
as prescribed in Section 3.4.3 of <a data-link-type="biblio" href="#biblio-rfc8265">[RFC8265]</a> for the UsernameCasePreserved Profile of the PRECIS
IdentifierClass <a data-link-type="biblio" href="#biblio-rfc8264">[RFC8264]</a>, when setting <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name⑤">name</a></code>'s value, or displaying the value
to the user.</p>
         <li data-md>
          <p>This string MAY contain language and direction metadata. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⓪⑦">Relying Parties</a> SHOULD consider providing this information. See <a href="#sctn-strings-langdir">§ 6.4.2 Language and Direction Encoding</a> about how this metadata is encoded.</p>
         <li data-md>
          <p><a data-link-type="dfn" href="#client" id="ref-for-client③①">Clients</a> SHOULD perform enforcement, as prescribed in Section 3.4.3 of <a data-link-type="biblio" href="#biblio-rfc8265">[RFC8265]</a> for the UsernameCasePreserved Profile of the PRECIS IdentifierClass <a data-link-type="biblio" href="#biblio-rfc8264">[RFC8264]</a>,
on <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name⑥">name</a></code>'s value prior to displaying the value to the user or
including the value as a parameter of the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential⑦">authenticatorMakeCredential</a> operation.</p>
        </ul>
      </ul>
      <p>When <a data-link-type="dfn" href="#client" id="ref-for-client③②">clients</a>, <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform②⑧">client platforms</a>, or <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑧⑥">authenticators</a> display a <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name⑦">name</a></code>'s value, they should always use UI elements to provide a clear boundary around the displayed value, and not allow overflow into other elements <a data-link-type="biblio" href="#biblio-css-overflow-3">[css-overflow-3]</a>.</p>
      <p>Authenticators MAY truncate a <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name⑧">name</a></code> member’s value so that it fits within 64 bytes, if the authenticator stores the value. See <a href="#sctn-strings-truncation">§ 6.4.1 String Truncation</a> about truncation and other considerations.</p>
    </dl>
   </div>
   <h4 class="heading settled" data-level="5.4.2" id="dictionary-rp-credential-params"><span class="secno">5.4.2. </span><span class="content">Relying Party Parameters for Credential Generation (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-publickeycredentialrpentity"><code>PublicKeyCredentialRpEntity</code></dfn>)</span><a class="self-link" href="#dictionary-rp-credential-params"></a></h4>
   <p>The <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrpentity" id="ref-for-dictdef-publickeycredentialrpentity③">PublicKeyCredentialRpEntity</a></code> dictionary is used to supply additional <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⓪⑧">Relying Party</a> attributes when creating a new credential.</p>
<pre class="idl highlight def"><c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialrpentity" id="ref-for-dictdef-publickeycredentialrpentity④"><c- g>PublicKeyCredentialRpEntity</c-></a> : <a data-link-type="idl-name" href="#dictdef-publickeycredentialentity" id="ref-for-dictdef-publickeycredentialentity③"><c- n>PublicKeyCredentialEntity</c-></a> {
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⓪"><c- b>DOMString</c-></a>      <a class="idl-code" data-link-type="dict-member" data-type="DOMString      " href="#dom-publickeycredentialrpentity-id" id="ref-for-dom-publickeycredentialrpentity-id⑦"><c- g>id</c-></a>;
};
</pre>
   <div>
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRpEntity" data-dfn-type="dict-member" data-export id="dom-publickeycredentialrpentity-id"><code>id</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①①">DOMString</a></span>
     <dd data-md>
      <p>A unique identifier for the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⓪⑨">Relying Party</a> entity, which sets the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②②">RP ID</a>.</p>
    </dl>
   </div>
   <h4 class="heading settled" data-level="5.4.3" id="dictionary-user-credential-params"><span class="secno">5.4.3. </span><span class="content">User Account Parameters for Credential Generation (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-publickeycredentialuserentity"><code>PublicKeyCredentialUserEntity</code></dfn>)</span><a class="self-link" href="#dictionary-user-credential-params"></a></h4>
   <p>The <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity③">PublicKeyCredentialUserEntity</a></code> dictionary is used to supply additional user account attributes when creating a new
credential.</p>
<pre class="idl highlight def"><c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity④"><c- g>PublicKeyCredentialUserEntity</c-></a> : <a data-link-type="idl-name" href="#dictdef-publickeycredentialentity" id="ref-for-dictdef-publickeycredentialentity④"><c- n>PublicKeyCredentialEntity</c-></a> {
    <c- b>required</c-> <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource" id="ref-for-BufferSource④"><c- n>BufferSource</c-></a>   <a class="idl-code" data-link-type="dict-member" data-type="BufferSource   " href="#dom-publickeycredentialuserentity-id" id="ref-for-dom-publickeycredentialuserentity-id③"><c- g>id</c-></a>;
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①②"><c- b>DOMString</c-></a>      <a class="idl-code" data-link-type="dict-member" data-type="DOMString      " href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname③"><c- g>displayName</c-></a>;
};
</pre>
   <div>
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialUserEntity" data-dfn-type="dict-member" data-export id="dom-publickeycredentialuserentity-id"><code>id</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource" id="ref-for-BufferSource⑤">BufferSource</a></span>
     <dd data-md>
      <p>The <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle⑥">user handle</a> of the user account entity.
A <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle⑦">user handle</a> is an opaque <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#byte-sequence" id="ref-for-byte-sequence②">byte sequence</a> with a maximum size of 64 bytes,
and is not meant to be displayed to the user.</p>
      <p>To ensure secure operation, authentication and authorization
decisions MUST be made on the basis of this <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-id" id="ref-for-dom-publickeycredentialuserentity-id④">id</a></code> member, not on the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname④">displayName</a></code> or <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name⑨">name</a></code> members, which are intended only for display. See Section 6.1 of <a data-link-type="biblio" href="#biblio-rfc8266">[RFC8266]</a>.</p>
      <p>The <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle⑧">user handle</a> MUST NOT contain personally identifying information about the user, such as a username or e-mail address;
see <a href="#sctn-user-handle-privacy">§ 14.6.1 User Handle Contents</a> for details. The <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle⑨">user handle</a> MUST NOT be empty, though it MAY be null.</p>
      <p class="note" role="note"><span>Note:</span> the <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle①⓪">user handle</a> <i>ought not</i> be a constant value across different accounts, even for <a data-link-type="dfn" href="#non-discoverable-credential" id="ref-for-non-discoverable-credential②">non-discoverable credentials</a>, because some authenticators always create <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential②">discoverable credentials</a>. Thus a constant <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle①①">user handle</a> would prevent a user from using such an authenticator with more than one account at the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①①⓪">Relying Party</a>.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialUserEntity" data-dfn-type="dict-member" data-export id="dom-publickeycredentialuserentity-displayname"><code>displayName</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①③">DOMString</a></span>
     <dd data-md>
      <p>A <a data-link-type="dfn" href="#human-palatability" id="ref-for-human-palatability④">human-palatable</a> name for the user account, intended only for display. For example, "Alex Müller" or "田中倫". The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①①①">Relying Party</a> SHOULD let the user choose this, and SHOULD NOT restrict the choice more than necessary.</p>
      <ul>
       <li data-md>
        <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①①②">Relying Parties</a> SHOULD perform enforcement, as prescribed in Section 2.3 of <a data-link-type="biblio" href="#biblio-rfc8266">[RFC8266]</a> for the Nickname Profile of the PRECIS FreeformClass <a data-link-type="biblio" href="#biblio-rfc8264">[RFC8264]</a>,
when setting <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname⑤">displayName</a></code>'s value, or displaying the value to the user.</p>
       <li data-md>
        <p>This string MAY contain language and direction metadata. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①①③">Relying Parties</a> SHOULD consider providing this information. See <a href="#sctn-strings-langdir">§ 6.4.2 Language and Direction Encoding</a> about how this metadata is encoded.</p>
       <li data-md>
        <p><a data-link-type="dfn" href="#client" id="ref-for-client③③">Clients</a> SHOULD perform enforcement, as prescribed in Section 2.3 of <a data-link-type="biblio" href="#biblio-rfc8266">[RFC8266]</a> for the Nickname Profile of the PRECIS FreeformClass <a data-link-type="biblio" href="#biblio-rfc8264">[RFC8264]</a>,
on <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname⑥">displayName</a></code>'s value prior to displaying the value to the user or
including the value as a parameter of the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential⑧">authenticatorMakeCredential</a> operation.</p>
      </ul>
      <p>When <a data-link-type="dfn" href="#client" id="ref-for-client③④">clients</a>, <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform②⑨">client platforms</a>, or <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑧⑦">authenticators</a> display a <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname⑦">displayName</a></code>'s value, they should always use UI elements to provide a clear boundary around the displayed value, and not allow overflow into other elements <a data-link-type="biblio" href="#biblio-css-overflow-3">[css-overflow-3]</a>.</p>
      <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑧⑧">Authenticators</a> MUST accept and store at least 64 bytes of a <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname⑧">displayName</a></code> member’s value. Authenticators MAY truncate a <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname⑨">displayName</a></code> member’s value so that it fits within 64 bytes. See <a href="#sctn-strings-truncation">§ 6.4.1 String Truncation</a> about truncation and other considerations.</p>
    </dl>
   </div>
   <h4 class="heading settled" data-level="5.4.4" id="dictionary-authenticatorSelection"><span class="secno">5.4.4. </span><span class="content">Authenticator Selection Criteria (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-authenticatorselectioncriteria"><code>AuthenticatorSelectionCriteria</code></dfn>)</span><a class="self-link" href="#dictionary-authenticatorSelection"></a></h4>
   <p><a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party①⑦">WebAuthn Relying Parties</a> may use the <code class="idl"><a data-link-type="idl" href="#dictdef-authenticatorselectioncriteria" id="ref-for-dictdef-authenticatorselectioncriteria②">AuthenticatorSelectionCriteria</a></code> dictionary to specify their requirements regarding authenticator
attributes.</p>
<pre class="idl highlight def"><c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticatorselectioncriteria" id="ref-for-dictdef-authenticatorselectioncriteria③"><c- g>AuthenticatorSelectionCriteria</c-></a> {
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①④"><c- b>DOMString</c-></a>                    <a class="idl-code" data-link-type="dict-member" data-type="DOMString                    " href="#dom-authenticatorselectioncriteria-authenticatorattachment" id="ref-for-dom-authenticatorselectioncriteria-authenticatorattachment①"><c- g>authenticatorAttachment</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⑤"><c- b>DOMString</c-></a>                    <a class="idl-code" data-link-type="dict-member" data-type="DOMString                    " href="#dom-authenticatorselectioncriteria-residentkey" id="ref-for-dom-authenticatorselectioncriteria-residentkey②"><c- g>residentKey</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean①"><c- b>boolean</c-></a>                      <a class="idl-code" data-default="false" data-link-type="dict-member" data-type="boolean                      " href="#dom-authenticatorselectioncriteria-requireresidentkey" id="ref-for-dom-authenticatorselectioncriteria-requireresidentkey②"><c- g>requireResidentKey</c-></a> = <c- b>false</c->;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⑥"><c- b>DOMString</c-></a>                    <a class="idl-code" data-default="&quot;preferred&quot;" data-link-type="dict-member" data-type="DOMString                    " href="#dom-authenticatorselectioncriteria-userverification" id="ref-for-dom-authenticatorselectioncriteria-userverification③"><c- g>userVerification</c-></a> = "preferred";
};
</pre>
   <div>
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorSelectionCriteria" data-dfn-type="dict-member" data-export id="dom-authenticatorselectioncriteria-authenticatorattachment"><code>authenticatorAttachment</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⑦">DOMString</a></span>
     <dd data-md>
      <p>If this member is present, eligible authenticators are filtered to only those with the
specified attachment modality (see <a href="#enum-attachment">§ 5.4.5 Authenticator Attachment Enumeration (enum AuthenticatorAttachment)</a>). The value SHOULD be a member of <code class="idl"><a data-link-type="idl" href="#enumdef-authenticatorattachment" id="ref-for-enumdef-authenticatorattachment">AuthenticatorAttachment</a></code> but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③⓪">client platforms</a> MUST ignore unknown values, treating an unknown value as if the <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-exists" id="ref-for-map-exists①">member does not exist</a>.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorSelectionCriteria" data-dfn-type="dict-member" data-export id="dom-authenticatorselectioncriteria-residentkey"><code>residentKey</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⑧">DOMString</a></span>
     <dd data-md>
      <p>Specifies the extent to which the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①①④">Relying Party</a> desires to create a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential⑥">client-side discoverable credential</a>. For historical reasons the naming retains the deprecated “resident” terminology. The value SHOULD be a member of <code class="idl"><a data-link-type="idl" href="#enumdef-residentkeyrequirement" id="ref-for-enumdef-residentkeyrequirement">ResidentKeyRequirement</a></code> but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③①">client platforms</a> MUST ignore unknown values, treating an unknown value as if the <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-exists" id="ref-for-map-exists②">member does not exist</a>. If no value is given then the effective value is <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-required" id="ref-for-dom-residentkeyrequirement-required②">required</a></code> if <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-requireresidentkey" id="ref-for-dom-authenticatorselectioncriteria-requireresidentkey③">requireResidentKey</a></code> is <code>true</code> or <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-discouraged" id="ref-for-dom-residentkeyrequirement-discouraged②">discouraged</a></code> if it is <code>false</code> or absent.</p>
      <p>See <code class="idl"><a data-link-type="idl" href="#enumdef-residentkeyrequirement" id="ref-for-enumdef-residentkeyrequirement①">ResidentKeyRequirement</a></code> for the description of <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-residentkey" id="ref-for-dom-authenticatorselectioncriteria-residentkey③">residentKey</a></code>'s values and semantics.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorSelectionCriteria" data-dfn-type="dict-member" data-export id="dom-authenticatorselectioncriteria-requireresidentkey"><code>requireResidentKey</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean②">boolean</a>, defaulting to <code>false</code></span>
     <dd data-md>
      <p>This member is retained for backwards compatibility with WebAuthn Level 1 and, for historical reasons, its naming retains the deprecated “resident” terminology for <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential③">discoverable credentials</a>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①①⑤">Relying Parties</a> SHOULD set it to <code>true</code> if, and only if, <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-residentkey" id="ref-for-dom-authenticatorselectioncriteria-residentkey④">residentKey</a></code> is set to <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-required" id="ref-for-dom-residentkeyrequirement-required③">required</a></code>.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorSelectionCriteria" data-dfn-type="dict-member" data-export id="dom-authenticatorselectioncriteria-userverification"><code>userVerification</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⑨">DOMString</a>, defaulting to <code>"preferred"</code></span>
     <dd data-md>
      <p>This member describes the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①①⑥">Relying Party</a>'s requirements regarding <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification①⑧">user verification</a> for the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create①②">create()</a></code> operation. Eligible authenticators are filtered to only those capable of satisfying this
requirement. The value SHOULD be a member of <code class="idl"><a data-link-type="idl" href="#enumdef-userverificationrequirement" id="ref-for-enumdef-userverificationrequirement">UserVerificationRequirement</a></code> but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③②">client platforms</a> MUST ignore unknown values, treating an unknown value as if the <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-exists" id="ref-for-map-exists③">member does not exist</a>.</p>
    </dl>
   </div>
   <h4 class="heading settled" data-level="5.4.5" id="enum-attachment"><span class="secno">5.4.5. </span><span class="content">Authenticator Attachment Enumeration (enum <dfn class="dfn-paneled idl-code" data-dfn-type="enum" data-export id="enumdef-authenticatorattachment"><code>AuthenticatorAttachment</code></dfn>)</span><a class="self-link" href="#enum-attachment"></a></h4>
   <p>This enumeration’s values describe <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑧⑨">authenticators</a>' <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality①">attachment modalities</a>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①①⑦">Relying Parties</a> use this to express a preferred <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality②">authenticator attachment modality</a> when calling <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create①③">navigator.credentials.create()</a></code> to <a href="#sctn-createCredential">create a credential</a>.</p>
<pre class="idl highlight def"><c- b>enum</c-> <a class="idl-code" data-link-type="enum" href="#enumdef-authenticatorattachment" id="ref-for-enumdef-authenticatorattachment①"><c- g>AuthenticatorAttachment</c-></a> {
    <a class="idl-code" data-link-type="enum-value" href="#dom-authenticatorattachment-platform" id="ref-for-dom-authenticatorattachment-platform"><c- s>"platform"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-authenticatorattachment-cross-platform" id="ref-for-dom-authenticatorattachment-cross-platform"><c- s>"cross-platform"</c-></a>
};
</pre>
   <p class="note" role="note"><span>Note:</span> The <code class="idl"><a data-link-type="idl" href="#enumdef-authenticatorattachment" id="ref-for-enumdef-authenticatorattachment②">AuthenticatorAttachment</a></code> enumeration is deliberately not referenced, see <a href="#sct-domstring-backwards-compatibility">§ 2.1.1 Enumerations as DOMString types</a>.</p>
   <div>
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorAttachment" data-dfn-type="enum-value" data-export data-lt="&quot;platform&quot;|platform" id="dom-authenticatorattachment-platform"><code>platform</code></dfn>
     <dd data-md>
      <p>This value indicates <a data-link-type="dfn" href="#platform-attachment" id="ref-for-platform-attachment">platform attachment</a>.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorAttachment" data-dfn-type="enum-value" data-export data-lt="&quot;cross-platform&quot;|cross-platform" id="dom-authenticatorattachment-cross-platform"><code>cross-platform</code></dfn>
     <dd data-md>
      <p>This value indicates <a data-link-type="dfn" href="#cross-platform-attachment" id="ref-for-cross-platform-attachment">cross-platform attachment</a>.</p>
    </dl>
   </div>
   <p class="note" role="note"><span>Note:</span> An <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality③">authenticator attachment modality</a> selection option is available only in the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot③">[[Create]](origin, options,
sameOriginWithAncestors)</a></code> operation. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①①⑧">Relying Party</a> may use it to, for example, ensure the user has a <a data-link-type="dfn" href="#roaming-credential" id="ref-for-roaming-credential">roaming credential</a> for
authenticating on another <a data-link-type="dfn" href="#client-device" id="ref-for-client-device①⑥">client device</a>; or to specifically register a <a data-link-type="dfn" href="#platform-credential" id="ref-for-platform-credential">platform credential</a> for easier reauthentication using a
particular <a data-link-type="dfn" href="#client-device" id="ref-for-client-device①⑦">client device</a>. The <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot③">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code> operation has no <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality④">authenticator attachment modality</a> selection option, so the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①①⑨">Relying Party</a> SHOULD accept any of the user’s registered <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential③②">credentials</a>. The <a data-link-type="dfn" href="#client" id="ref-for-client③⑤">client</a> and user will then use whichever is available and convenient at the time.</p>
   <h4 class="heading settled" data-level="5.4.6" id="enum-residentKeyRequirement"><span class="secno">5.4.6. </span><span class="content">Resident Key Requirement Enumeration (enum <dfn class="dfn-paneled idl-code" data-dfn-type="enum" data-export id="enumdef-residentkeyrequirement"><code>ResidentKeyRequirement</code></dfn>)</span><a class="self-link" href="#enum-residentKeyRequirement"></a></h4>
<pre class="idl highlight def"><c- b>enum</c-> <a class="idl-code" data-link-type="enum" href="#enumdef-residentkeyrequirement" id="ref-for-enumdef-residentkeyrequirement②"><c- g>ResidentKeyRequirement</c-></a> {
    <a class="idl-code" data-link-type="enum-value" href="#dom-residentkeyrequirement-discouraged" id="ref-for-dom-residentkeyrequirement-discouraged③"><c- s>"discouraged"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-residentkeyrequirement-preferred" id="ref-for-dom-residentkeyrequirement-preferred②"><c- s>"preferred"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-residentkeyrequirement-required" id="ref-for-dom-residentkeyrequirement-required④"><c- s>"required"</c-></a>
};
</pre>
   <p class="note" role="note"><span>Note:</span> The <code class="idl"><a data-link-type="idl" href="#enumdef-residentkeyrequirement" id="ref-for-enumdef-residentkeyrequirement③">ResidentKeyRequirement</a></code> enumeration is deliberately not referenced, see <a href="#sct-domstring-backwards-compatibility">§ 2.1.1 Enumerations as DOMString types</a>.</p>
   <p>This enumeration’s values describe the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①②⓪">Relying Party</a>'s requirements for <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential⑦">client-side discoverable credentials</a> (formerly known as <a data-link-type="dfn" href="#resident-credential" id="ref-for-resident-credential①">resident credentials</a> or <a data-link-type="dfn" href="#resident-key" id="ref-for-resident-key②">resident keys</a>):</p>
   <div>
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="ResidentKeyRequirement" data-dfn-type="enum-value" data-export data-lt="&quot;discouraged&quot;|discouraged" id="dom-residentkeyrequirement-discouraged"><code>discouraged</code></dfn>
     <dd data-md>
      <p>This value indicates the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①②①">Relying Party</a> prefers creating a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential⑤">server-side credential</a>, but will accept a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential⑧">client-side discoverable credential</a>.</p>
      <p class="note" role="note"><span>Note:</span> A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①②②">Relying Party</a> cannot require that a created credential is a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential⑥">server-side credential</a>, and the <a data-link-type="dfn" href="#credprops" id="ref-for-credprops①">Credential Properties Extension</a> may not return a value for the <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk">rk</a></code> property. Because of this, the Relying Party may not know whether a credential is a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential⑦">server-side credential</a> or not, and thus may not know whether creating a second credential with the same <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle①②">user handle</a> will evict the first.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="ResidentKeyRequirement" data-dfn-type="enum-value" data-export data-lt="&quot;preferred&quot;|preferred" id="dom-residentkeyrequirement-preferred"><code>preferred</code></dfn>
     <dd data-md>
      <p>This value indicates the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①②③">Relying Party</a> strongly prefers creating a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential⑨">client-side discoverable credential</a>, but will accept a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential⑧">server-side credential</a>. For example, user agents SHOULD guide the user through setting up <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification①⑨">user verification</a> if needed to create a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①⓪">client-side discoverable credential</a> in this case. This takes precedence over the setting of <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-userverification" id="ref-for-dom-authenticatorselectioncriteria-userverification④">userVerification</a></code>.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="ResidentKeyRequirement" data-dfn-type="enum-value" data-export data-lt="&quot;required&quot;|required" id="dom-residentkeyrequirement-required"><code>required</code></dfn>
     <dd data-md>
      <p>This value indicates the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①②④">Relying Party</a> requires a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①①">client-side discoverable credential</a>, and is prepared to receive an error
if a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①②">client-side discoverable credential</a> cannot be created.</p>
    </dl>
   </div>
   <p class="note" role="note"><span>Note:</span> <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①②⑤">Relying Parties</a> can seek information on whether or not the authenticator created a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①③">client-side discoverable credential</a> by inspecting the <a data-link-type="dfn" href="#credprops" id="ref-for-credprops②">Credential Properties Extension</a>'s return value in light of
the value provided for <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-authenticatorselection" id="ref-for-dom-publickeycredentialcreationoptions-authenticatorselection①⓪">authenticatorSelection</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-residentkey" id="ref-for-dom-authenticatorselectioncriteria-residentkey⑤">residentKey</a></code></code>.
This is useful when values of <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-discouraged" id="ref-for-dom-residentkeyrequirement-discouraged④">discouraged</a></code> or <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-preferred" id="ref-for-dom-residentkeyrequirement-preferred③">preferred</a></code> are used for <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-authenticatorselection" id="ref-for-dom-publickeycredentialcreationoptions-authenticatorselection①①">authenticatorSelection</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-residentkey" id="ref-for-dom-authenticatorselectioncriteria-residentkey⑥">residentKey</a></code></code>, because in those cases it is possible for an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑨⓪">authenticator</a> to create <em>either</em> a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①④">client-side discoverable credential</a> or a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential⑨">server-side credential</a>.</p>
   <h4 class="heading settled" data-level="5.4.7" id="enum-attestation-convey"><span class="secno">5.4.7. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-conveyance">Attestation Conveyance</dfn> Preference Enumeration (enum <dfn class="dfn-paneled idl-code" data-dfn-type="enum" data-export id="enumdef-attestationconveyancepreference"><code>AttestationConveyancePreference</code></dfn>)</span><a class="self-link" href="#enum-attestation-convey"></a></h4>
   <p><a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party①⑧">WebAuthn Relying Parties</a> may use <code class="idl"><a data-link-type="idl" href="#enumdef-attestationconveyancepreference" id="ref-for-enumdef-attestationconveyancepreference①">AttestationConveyancePreference</a></code> to specify their preference regarding <a data-link-type="dfn" href="#attestation-conveyance" id="ref-for-attestation-conveyance②">attestation conveyance</a> during credential generation.</p>
<pre class="idl highlight def"><c- b>enum</c-> <a class="idl-code" data-link-type="enum" href="#enumdef-attestationconveyancepreference" id="ref-for-enumdef-attestationconveyancepreference②"><c- g>AttestationConveyancePreference</c-></a> {
    <a class="idl-code" data-link-type="enum-value" href="#dom-attestationconveyancepreference-none" id="ref-for-dom-attestationconveyancepreference-none"><c- s>"none"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-attestationconveyancepreference-indirect" id="ref-for-dom-attestationconveyancepreference-indirect"><c- s>"indirect"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-attestationconveyancepreference-direct" id="ref-for-dom-attestationconveyancepreference-direct"><c- s>"direct"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-attestationconveyancepreference-enterprise" id="ref-for-dom-attestationconveyancepreference-enterprise①"><c- s>"enterprise"</c-></a>
};
</pre>
   <p class="note" role="note"><span>Note:</span> The <code class="idl"><a data-link-type="idl" href="#enumdef-attestationconveyancepreference" id="ref-for-enumdef-attestationconveyancepreference③">AttestationConveyancePreference</a></code> enumeration is deliberately not referenced, see <a href="#sct-domstring-backwards-compatibility">§ 2.1.1 Enumerations as DOMString types</a>.</p>
   <div>
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AttestationConveyancePreference" data-dfn-type="enum-value" data-export data-lt="&quot;none&quot;|none" id="dom-attestationconveyancepreference-none"><code>none</code></dfn>
     <dd data-md>
      <p>This value indicates that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①②⑥">Relying Party</a> is not interested in <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑨①">authenticator</a> <a data-link-type="dfn" href="#attestation" id="ref-for-attestation⑧">attestation</a>. A Relying Party may choose this, for example, in order to
potentially avoid having to obtain <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent①②">user consent</a> to relay identifying information to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①②⑦">Relying Party</a>, or to save a
roundtrip to an <a data-link-type="dfn" href="#attestation-ca" id="ref-for-attestation-ca">Attestation CA</a> or <a data-link-type="dfn" href="#anonymization-ca" id="ref-for-anonymization-ca①">Anonymization CA</a>.</p>
      <p>This is the default value.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AttestationConveyancePreference" data-dfn-type="enum-value" data-export data-lt="&quot;indirect&quot;|indirect" id="dom-attestationconveyancepreference-indirect"><code>indirect</code></dfn>
     <dd data-md>
      <p>This value indicates that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①②⑧">Relying Party</a> prefers an <a data-link-type="dfn" href="#attestation" id="ref-for-attestation⑨">attestation</a> conveyance yielding verifiable <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement⑦">attestation
statements</a>, but allows the client to decide how to obtain such <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement⑧">attestation statements</a>.  The client MAY replace the
authenticator-generated <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement⑨">attestation statements</a> with <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⓪">attestation statements</a> generated by an <a data-link-type="dfn" href="#anonymization-ca" id="ref-for-anonymization-ca②">Anonymization CA</a>,
in order to protect the user’s privacy, or to assist <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①②⑨">Relying Parties</a> with attestation verification in a heterogeneous ecosystem.</p>
      <p class="note" role="note"><span>Note:</span> There is no guarantee that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⓪">Relying Party</a> will obtain a verifiable <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①①">attestation statement</a> in this case,
for example when the authenticator employs <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation⑤">self attestation</a>.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AttestationConveyancePreference" data-dfn-type="enum-value" data-export data-lt="&quot;direct&quot;|direct" id="dom-attestationconveyancepreference-direct"><code>direct</code></dfn>
     <dd data-md>
      <p>This value indicates that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③①">Relying Party</a> wants to receive the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①②">attestation statement</a> as generated by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑨②">authenticator</a>.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AttestationConveyancePreference" data-dfn-type="enum-value" data-export data-lt="&quot;enterprise&quot;|enterprise" id="dom-attestationconveyancepreference-enterprise"><code>enterprise</code></dfn>
     <dd data-md>
      <p>This value indicates that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③②">Relying Party</a> wants to receive an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①③">attestation statement</a> that may include uniquely identifying information. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators. User agents MUST NOT provide such an attestation unless the user agent or authenticator configuration permits it for the requested <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②③">RP ID</a>.</p>
      <p>If permitted, the user agent SHOULD signal to the authenticator (at <a href="#CreateCred-InvokeAuthnrMakeCred">invocation time</a>) that enterprise attestation is requested, and convey the resulting <a data-link-type="dfn" href="#aaguid" id="ref-for-aaguid⑤">AAGUID</a> and <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①④">attestation statement</a>, unaltered, to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③③">Relying Party</a>.</p>
    </dl>
   </div>
   <h3 class="heading settled" data-level="5.5" id="dictionary-assertion-options"><span class="secno">5.5. </span><span class="content">Options for Assertion Generation (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-publickeycredentialrequestoptions"><code>PublicKeyCredentialRequestOptions</code></dfn>)</span><a class="self-link" href="#dictionary-assertion-options"></a></h3>
   <p>The <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions②">PublicKeyCredentialRequestOptions</a></code> dictionary supplies <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get①⑨">get()</a></code> with the data it needs to generate
an assertion. Its <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-challenge" id="ref-for-dom-publickeycredentialrequestoptions-challenge①">challenge</a></code> member MUST be present, while its other members are OPTIONAL.</p>
<pre class="idl highlight def"><c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions③"><c- g>PublicKeyCredentialRequestOptions</c-></a> {
    <c- b>required</c-> <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource" id="ref-for-BufferSource⑥"><c- n>BufferSource</c-></a>                <a class="idl-code" data-link-type="dict-member" data-type="BufferSource                " href="#dom-publickeycredentialrequestoptions-challenge" id="ref-for-dom-publickeycredentialrequestoptions-challenge②"><c- g>challenge</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-unsigned-long" id="ref-for-idl-unsigned-long②"><c- b>unsigned</c-> <c- b>long</c-></a>                        <a class="idl-code" data-link-type="dict-member" data-type="unsigned long                        " href="#dom-publickeycredentialrequestoptions-timeout" id="ref-for-dom-publickeycredentialrequestoptions-timeout③"><c- g>timeout</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-USVString" id="ref-for-idl-USVString"><c- b>USVString</c-></a>                            <a class="idl-code" data-link-type="dict-member" data-type="USVString                            " href="#dom-publickeycredentialrequestoptions-rpid" id="ref-for-dom-publickeycredentialrequestoptions-rpid④"><c- g>rpId</c-></a>;
    <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence" id="ref-for-idl-sequence③"><c- b>sequence</c-></a>&lt;<a data-link-type="idl-name" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor⑤"><c- n>PublicKeyCredentialDescriptor</c-></a>> <a class="idl-code" data-default="[]" data-link-type="dict-member" data-type="sequence<PublicKeyCredentialDescriptor> " href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials①⓪"><c- g>allowCredentials</c-></a> = [];
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString②⓪"><c- b>DOMString</c-></a>                            <a class="idl-code" data-default="&quot;preferred&quot;" data-link-type="dict-member" data-type="DOMString                            " href="#dom-publickeycredentialrequestoptions-userverification" id="ref-for-dom-publickeycredentialrequestoptions-userverification③"><c- g>userVerification</c-></a> = "preferred";
    <a data-link-type="idl-name" href="#dictdef-authenticationextensionsclientinputs" id="ref-for-dictdef-authenticationextensionsclientinputs②"><c- n>AuthenticationExtensionsClientInputs</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="AuthenticationExtensionsClientInputs " href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions③"><c- g>extensions</c-></a>;
};
</pre>
   <dl>
    <dt data-md>
     <p><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialrequestoptions-challenge"><code>challenge</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource" id="ref-for-BufferSource⑦">BufferSource</a></span></p>
    <dd data-md>
     <p>This member represents a challenge that the selected <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑨③">authenticator</a> signs, along with other data, when producing an <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion①①">authentication assertion</a>. See the <a href="#sctn-cryptographic-challenges">§ 13.4.3 Cryptographic Challenges</a> security consideration.</p>
    <dt data-md>
     <p><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialrequestoptions-timeout"><code>timeout</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-unsigned-long" id="ref-for-idl-unsigned-long③">unsigned long</a></span></p>
    <dd data-md>
     <p>This OPTIONAL member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete.
The value is treated as a hint, and MAY be overridden by the <a data-link-type="dfn" href="#client" id="ref-for-client③⑥">client</a>.</p>
    <dt data-md>
     <p><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialrequestoptions-rpid"><code>rpId</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-USVString" id="ref-for-idl-USVString①">USVString</a></span></p>
    <dd data-md>
     <p>This OPTIONAL member specifies the <a data-link-type="dfn" href="#relying-party-identifier" id="ref-for-relying-party-identifier④">relying party identifier</a> claimed by the caller. If omitted, its value will
be the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credentialscontainer" id="ref-for-credentialscontainer②">CredentialsContainer</a></code> object’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object" id="ref-for-relevant-settings-object④">relevant settings object</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin" id="ref-for-concept-settings-object-origin⑦">origin</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain①③">effective domain</a>. An explicitly supplied value is accepted by the <a data-link-type="dfn" href="#client" id="ref-for-client③⑥-rpid">client</a> only if it equals that effective domain or is a registrable domain suffix of it (for example, <code>example.com</code> is acceptable from <code>foo.example.com</code>, but <code>bar.org</code> or <code>baz.example.com</code> is not). The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-rpid">Relying Party</a> should still confirm that the RP ID hash carried in the returned <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-rpid">authenticator data</a> matches the RP ID it expects, rather than trusting the request parameter alone.</p>
    <dt data-md>
     <p><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialrequestoptions-allowcredentials"><code>allowCredentials</code></dfn>, <span> of type sequence&lt;<a data-link-type="idl-name" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor⑥">PublicKeyCredentialDescriptor</a>>, defaulting to <code>[]</code></span></p>
    <dd data-md>
     <p>This OPTIONAL member contains a list of <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor⑦">PublicKeyCredentialDescriptor</a></code> objects representing <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential③③">public key credentials</a> acceptable to the caller, in descending order of the caller’s preference (the first item in the list is the most
preferred credential, and so on down the list). When the list is empty (the default), the caller names no specific credential and the client and authenticator must locate a credential for the <a data-link-type="dfn" href="#relying-party-identifier" id="ref-for-relying-party-identifier-allow">relying party identifier</a> on their own.</p>
    <dt data-md>
     <p><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialrequestoptions-userverification"><code>userVerification</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString②①">DOMString</a>, defaulting to <code>"preferred"</code></span></p>
    <dd data-md>
     <p>This OPTIONAL member describes the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③④">Relying Party</a>'s requirements regarding <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②⓪">user verification</a> for the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②⓪">get()</a></code> operation. The value SHOULD be a member of <code class="idl"><a data-link-type="idl" href="#enumdef-userverificationrequirement" id="ref-for-enumdef-userverificationrequirement①">UserVerificationRequirement</a></code> but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③③">client platforms</a> MUST ignore unknown values, treating an unknown value as if the <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-exists" id="ref-for-map-exists④">member does not exist</a>. Eligible authenticators are filtered to only those capable of satisfying this requirement. This member expresses a requirement to the client; a Relying Party that mandates user verification must still check the user-verified flag in the returned <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-uv">authenticator data</a> rather than relying on the request parameter alone.</p>
    <dt data-md>
     <p><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialrequestoptions-extensions"><code>extensions</code></dfn>, <span> of type <a data-link-type="idl-name" href="#dictdef-authenticationextensionsclientinputs" id="ref-for-dictdef-authenticationextensionsclientinputs③">AuthenticationExtensionsClientInputs</a></span></p>
    <dd data-md>
     <p>This OPTIONAL member contains additional parameters requesting additional processing by the client and authenticator.
For example, if transaction confirmation is sought from the user, then the prompt string might be included as an
extension.</p>
   </dl>
   <h3 class="heading settled" data-level="5.6" id="sctn-abortoperation"><span class="secno">5.6. </span><span class="content">Abort Operations with <code>AbortSignal</code></span><a class="self-link" href="#sctn-abortoperation"></a></h3>
   <p>Developers are encouraged to leverage the <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#abortcontroller" id="ref-for-abortcontroller②">AbortController</a></code> to manage the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot④">[[Create]](origin, options, sameOriginWithAncestors)</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot④">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code> operations.
See <a href="https://dom.spec.whatwg.org/#abortcontroller-api-integration">DOM §3.3 Using AbortController and AbortSignal objects in APIs</a> section for detailed instructions.</p>
   <p class="note" role="note"><span>Note:</span> <a href="https://dom.spec.whatwg.org/#abortcontroller-api-integration">DOM §3.3 Using AbortController and AbortSignal objects in APIs</a> section specifies that web platform APIs integrating with the <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#abortcontroller" id="ref-for-abortcontroller③">AbortController</a></code> must reject the promise immediately once the <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#abortsignal-aborted-flag" id="ref-for-abortsignal-aborted-flag④">aborted flag</a> is set.
    Given the complex inheritance and parallelization structure of the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot⑤">[[Create]](origin, options, sameOriginWithAncestors)</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot⑤">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code> methods, the algorithms for the two APIs fulfill this
    requirement by checking the <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#abortsignal-aborted-flag" id="ref-for-abortsignal-aborted-flag⑤">aborted flag</a> in three places. In the case of <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot⑥">[[Create]](origin, options, sameOriginWithAncestors)</a></code>, the aborted flag is checked first in <a href="https://www.w3.org/TR/credential-management-1/#algorithm-create">Credential Management 1 §2.5.4 Create a Credential</a> immediately before calling <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#create-origin-options-sameoriginwithancestors" id="ref-for-create-origin-options-sameoriginwithancestors">[[Create]](origin, options, sameOriginWithAncestors)</a></code>,
    then in <a href="#sctn-createCredential">§ 5.1.3 Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> right before <a data-link-type="dfn" href="#authenticator-session" id="ref-for-authenticator-session">authenticator sessions</a> start, and finally
    during <a data-link-type="dfn" href="#authenticator-session" id="ref-for-authenticator-session①">authenticator sessions</a>. The same goes for <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot⑥">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code>.</p>
   <p>The <a data-link-type="dfn" href="https://www.w3.org/TR/page-visibility/#visibility-states" id="ref-for-visibility-states">visibility</a> and <a data-link-type="dfn" href="https://html.spec.whatwg.org/#focus" id="ref-for-focus">focus</a> state of the <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-window" id="ref-for-concept-request-window">Window</a> object determines whether the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot⑦">[[Create]](origin, options, sameOriginWithAncestors)</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot⑦">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code> operations
should continue. When the <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-window" id="ref-for-concept-request-window①">Window</a> object associated with the <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-document" id="ref-for-concept-document">Document</a> loses focus, <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot⑧">[[Create]](origin, options, sameOriginWithAncestors)</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot⑧">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code> operations
SHOULD be aborted.</p>
   <p class="issue" id="issue-c0359d2a"><a class="self-link" href="#issue-c0359d2a"></a> The WHATWG HTML WG is discussing whether to provide a hook when a browsing context gains or
    loses focus. If a hook is provided, the above paragraph will be updated to include the hook.
    See <a href="https://github.com/whatwg/html/issues/2711">WHATWG HTML WG Issue #2711</a> for more details.</p>
   <h3 class="heading settled" data-level="5.7" id="sctn-extensions-inputs-outputs"><span class="secno">5.7. </span><span class="content">WebAuthn Extensions Inputs and Outputs</span><a class="self-link" href="#sctn-extensions-inputs-outputs"></a></h3>
   <p>The subsections below define the data types used for conveying <a data-link-type="dfn" href="#webauthn-extensions" id="ref-for-webauthn-extensions①">WebAuthn extension</a> inputs and outputs.</p>
   <p class="note" role="note"><span>Note:</span> <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output">Authenticator extension outputs</a> are conveyed as a part of <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①①">Authenticator data</a> (see <a href="#table-authData">Table 1</a>).</p>
   <p class="note" role="note"><span>Note:</span> The types defined below — <code class="idl"><a data-link-type="idl" href="#dictdef-authenticationextensionsclientinputs" id="ref-for-dictdef-authenticationextensionsclientinputs④">AuthenticationExtensionsClientInputs</a></code> and <code class="idl"><a data-link-type="idl" href="#dictdef-authenticationextensionsclientoutputs" id="ref-for-dictdef-authenticationextensionsclientoutputs③">AuthenticationExtensionsClientOutputs</a></code> — are applicable to both <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①">registration extensions</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①">authentication extensions</a>. The "Authentication..." portion of their names should be regarded as meaning "WebAuthentication..."</p>
   <h4 class="heading settled" data-level="5.7.1" id="iface-authentication-extensions-client-inputs"><span class="secno">5.7.1. </span><span class="content">Authentication Extensions Client Inputs (dictionary <code class="idl"><a data-link-type="idl" href="#dictdef-authenticationextensionsclientinputs" id="ref-for-dictdef-authenticationextensionsclientinputs⑤">AuthenticationExtensionsClientInputs</a></code>)</span><a class="self-link" href="#iface-authentication-extensions-client-inputs"></a></h4>
<pre class="idl highlight def"><c- b>dictionary</c-> <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-authenticationextensionsclientinputs"><code><c- g>AuthenticationExtensionsClientInputs</c-></code></dfn> {
};
</pre>
   <p>This is a dictionary containing the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input">client extension input</a> values for zero or more <a data-link-type="dfn" href="#webauthn-extensions" id="ref-for-webauthn-extensions②">WebAuthn Extensions</a>.</p>
   <h4 class="heading settled" data-level="5.7.2" id="iface-authentication-extensions-client-outputs"><span class="secno">5.7.2. </span><span class="content">Authentication Extensions Client Outputs (dictionary <code class="idl"><a data-link-type="idl" href="#dictdef-authenticationextensionsclientoutputs" id="ref-for-dictdef-authenticationextensionsclientoutputs④">AuthenticationExtensionsClientOutputs</a></code>)</span><a class="self-link" href="#iface-authentication-extensions-client-outputs"></a></h4>
<pre class="idl highlight def"><c- b>dictionary</c-> <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-authenticationextensionsclientoutputs"><code><c- g>AuthenticationExtensionsClientOutputs</c-></code></dfn> {
};
</pre>
   <p>This is a dictionary containing the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output⑤">client extension output</a> values for zero or more <a data-link-type="dfn" href="#webauthn-extensions" id="ref-for-webauthn-extensions③">WebAuthn Extensions</a>.</p>
   <h4 class="heading settled" data-level="5.7.3" id="iface-authentication-extensions-authenticator-inputs"><span class="secno">5.7.3. </span><span class="content">Authentication Extensions Authenticator Inputs (CDDL type <code>AuthenticationExtensionsAuthenticatorInputs</code>)</span><a class="self-link" href="#iface-authentication-extensions-authenticator-inputs"></a></h4>
<pre>AuthenticationExtensionsAuthenticatorInputs = {
  * $$extensionInput .within ( tstr => any )
}
</pre>
   <p>The <a data-link-type="dfn" href="#cddl" id="ref-for-cddl">CDDL</a> type <code>AuthenticationExtensionsAuthenticatorInputs</code> defines a <a data-link-type="dfn" href="#cbor" id="ref-for-cbor⑤">CBOR</a> map
containing the <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input">authenticator extension input</a> values for zero or more <a data-link-type="dfn" href="#webauthn-extensions" id="ref-for-webauthn-extensions④">WebAuthn Extensions</a>.
Extensions can add members as described in <a href="#sctn-extension-request-parameters">§ 9.3 Extending Request Parameters</a>.</p>
   <p>This type is not exposed to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⑤">Relying Party</a>, but is used by the <a data-link-type="dfn" href="#client" id="ref-for-client③⑦">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑨④">authenticator</a>.</p>
   <h4 class="heading settled" data-level="5.7.4" id="iface-authentication-extensions-authenticator-outputs"><span class="secno">5.7.4. </span><span class="content">Authentication Extensions Authenticator Outputs (CDDL type <code>AuthenticationExtensionsAuthenticatorOutputs</code>)</span><a class="self-link" href="#iface-authentication-extensions-authenticator-outputs"></a></h4>
<pre>AuthenticationExtensionsAuthenticatorOutputs = {
  * $$extensionOutput .within ( tstr => any )
}
</pre>
   <p>The <a data-link-type="dfn" href="#cddl" id="ref-for-cddl①">CDDL</a> type <code>AuthenticationExtensionsAuthenticatorOutputs</code> defines a <a data-link-type="dfn" href="#cbor" id="ref-for-cbor⑥">CBOR</a> map
containing the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output①">authenticator extension output</a> values for zero or more <a data-link-type="dfn" href="#webauthn-extensions" id="ref-for-webauthn-extensions⑤">WebAuthn Extensions</a>.
Extensions can add members as described in <a href="#sctn-extension-request-parameters">§ 9.3 Extending Request Parameters</a>.</p>
   <h3 class="heading settled" data-level="5.8" id="sctn-supporting-data-structures"><span class="secno">5.8. </span><span class="content">Supporting Data Structures</span><a class="self-link" href="#sctn-supporting-data-structures"></a></h3>
   <p>The <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential③④">public key credential</a> type uses certain data structures that are specified in supporting specifications. These are as
follows.</p>
   <h4 class="heading settled" data-level="5.8.1" id="dictionary-client-data"><span class="secno">5.8.1. </span><span class="content">Client Data Used in <a data-link-type="dfn" href="#webauthn-signature" id="ref-for-webauthn-signature">WebAuthn Signatures</a> (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-collectedclientdata"><code>CollectedClientData</code></dfn>)</span><a class="self-link" href="#dictionary-client-data"></a></h4>
   <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client-data">client data</dfn> represents the contextual bindings of both the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party①⑨">WebAuthn Relying Party</a> and the <a data-link-type="dfn" href="#client" id="ref-for-client③⑧">client</a>. It is a key-value
mapping whose keys are strings. Values can be any type that has a valid encoding in JSON. Its structure is defined by the
following Web IDL.</p>
   <p class="note" role="note"><span>Note:</span> The <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata②">CollectedClientData</a></code> may be extended in the future. Therefore it’s critical when parsing to be tolerant of unknown keys and of any reordering of the keys. See also <a href="#clientdatajson-verification">§ 5.8.1.2 Limited Verification Algorithm</a>.</p>
<pre class="idl highlight def"><c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata③"><c- g>CollectedClientData</c-></a> {
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString②②"><c- b>DOMString</c-></a>           <a class="idl-code" data-link-type="dict-member" data-type="DOMString           " href="#dom-collectedclientdata-type" id="ref-for-dom-collectedclientdata-type②"><c- g>type</c-></a>;
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString②③"><c- b>DOMString</c-></a>           <a class="idl-code" data-link-type="dict-member" data-type="DOMString           " href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge②"><c- g>challenge</c-></a>;
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString②④"><c- b>DOMString</c-></a>           <a class="idl-code" data-link-type="dict-member" data-type="DOMString           " href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin②"><c- g>origin</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean③"><c- b>boolean</c-></a>                      <a class="idl-code" data-link-type="dict-member" data-type="boolean                      " href="#dom-collectedclientdata-crossorigin" id="ref-for-dom-collectedclientdata-crossorigin②"><c- g>crossOrigin</c-></a>;
    <a data-link-type="idl-name" href="#dictdef-tokenbinding" id="ref-for-dictdef-tokenbinding"><c- n>TokenBinding</c-></a>                 <a class="idl-code" data-link-type="dict-member" data-type="TokenBinding                 " href="#dom-collectedclientdata-tokenbinding" id="ref-for-dom-collectedclientdata-tokenbinding②"><c- g>tokenBinding</c-></a>;
};

<c- b>dictionary</c-> <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-tokenbinding"><code><c- g>TokenBinding</c-></code></dfn> {
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString②⑤"><c- b>DOMString</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-tokenbinding-status" id="ref-for-dom-tokenbinding-status"><c- g>status</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString②⑥"><c- b>DOMString</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-tokenbinding-id" id="ref-for-dom-tokenbinding-id"><c- g>id</c-></a>;
};

<c- b>enum</c-> <dfn class="dfn-paneled idl-code" data-dfn-type="enum" data-export id="enumdef-tokenbindingstatus"><code><c- g>TokenBindingStatus</c-></code></dfn> { <a class="idl-code" data-link-type="enum-value" href="#dom-tokenbindingstatus-present" id="ref-for-dom-tokenbindingstatus-present"><c- s>"present"</c-></a>, <a class="idl-code" data-link-type="enum-value" href="#dom-tokenbindingstatus-supported" id="ref-for-dom-tokenbindingstatus-supported"><c- s>"supported"</c-></a> };
</pre>
   <div>
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="CollectedClientData" data-dfn-type="dict-member" data-export id="dom-collectedclientdata-type"><code>type</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString②⑦">DOMString</a></span>
     <dd data-md>
      <p>This member contains the string "webauthn.create" when creating new credentials, and "webauthn.get" when getting an
assertion from an existing credential. The purpose of this member is to prevent certain types of signature confusion
attacks (where an attacker substitutes one legitimate signature for another).</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="CollectedClientData" data-dfn-type="dict-member" data-export id="dom-collectedclientdata-challenge"><code>challenge</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString②⑧">DOMString</a></span>
     <dd data-md>
      <p>This member contains the base64url encoding of the challenge provided by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⑥">Relying Party</a>. The Relying Party compares this value against the challenge it issued for the current ceremony; accepting a challenge chosen by the client, or one that was already used, defeats the replay protection the challenge exists to provide. See the <a href="#sctn-cryptographic-challenges">§ 13.4.3 Cryptographic Challenges</a> security consideration.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="CollectedClientData" data-dfn-type="dict-member" data-export id="dom-collectedclientdata-origin"><code>origin</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString②⑨">DOMString</a></span>
     <dd data-md>
      <p>This member contains the fully qualified <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①①">origin</a> of the requester, as provided to the authenticator by the client, in
the syntax defined by <a data-link-type="biblio" href="#biblio-rfc6454">[RFC6454]</a>. A Relying Party compares this value against the origin(s) it expects; a mismatch means the signature was produced on behalf of a different site and the response must be rejected.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="CollectedClientData" data-dfn-type="dict-member" data-export id="dom-collectedclientdata-crossorigin"><code>crossOrigin</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean④">boolean</a></span>
     <dd data-md>
      <p>This member contains the inverse of the <code>sameOriginWithAncestors</code> argument value
that was passed into the <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots①⑦">internal method</a>.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="CollectedClientData" data-dfn-type="dict-member" data-export id="dom-collectedclientdata-tokenbinding"><code>tokenBinding</code></dfn>, <span> of type <a data-link-type="idl-name" href="#dictdef-tokenbinding" id="ref-for-dictdef-tokenbinding①">TokenBinding</a></span>
     <dd data-md>
      <p>This OPTIONAL member contains information about the state of the <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-1" id="ref-for-section-1②">Token Binding</a> protocol <a data-link-type="biblio" href="#biblio-tokenbinding">[TokenBinding]</a> used when communicating
with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⑦">Relying Party</a>. Its absence indicates that the client doesn’t support token binding.</p>
      <div>
       <dl>
        <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="TokenBinding" data-dfn-type="dict-member" data-export id="dom-tokenbinding-status"><code>status</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString③⓪">DOMString</a></span>
        <dd data-md>
         <p>This member SHOULD be a member of <code class="idl"><a data-link-type="idl" href="#enumdef-tokenbindingstatus" id="ref-for-enumdef-tokenbindingstatus">TokenBindingStatus</a></code> but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③④">client platforms</a> MUST ignore unknown values, treating an unknown value as if the <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-tokenbinding" id="ref-for-dom-collectedclientdata-tokenbinding③">tokenBinding</a></code> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-exists" id="ref-for-map-exists⑤">member does not exist</a>. When known, this member is one of the following:</p>
         <div>
          <dl>
           <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="TokenBindingStatus" data-dfn-type="enum-value" data-export data-lt="&quot;supported&quot;|supported" id="dom-tokenbindingstatus-supported"><code>supported</code></dfn>
           <dd data-md>
            <p>Indicates the client supports token binding, but it was not negotiated when communicating with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⑧">Relying Party</a>.</p>
           <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="TokenBindingStatus" data-dfn-type="enum-value" data-export data-lt="&quot;present&quot;|present" id="dom-tokenbindingstatus-present"><code>present</code></dfn>
           <dd data-md>
            <p>Indicates token binding was used when communicating with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⑨">Relying Party</a>. In this case, the <code class="idl"><a data-link-type="idl" href="#dom-tokenbinding-id" id="ref-for-dom-tokenbinding-id①">id</a></code> member MUST be present.</p>
          </dl>
         </div>
         <p class="note" role="note"><span>Note:</span> The <code class="idl"><a data-link-type="idl" href="#enumdef-tokenbindingstatus" id="ref-for-enumdef-tokenbindingstatus①">TokenBindingStatus</a></code> enumeration is deliberately not referenced, see <a href="#sct-domstring-backwards-compatibility">§ 2.1.1 Enumerations as DOMString types</a>.</p>
        <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="TokenBinding" data-dfn-type="dict-member" data-export id="dom-tokenbinding-id"><code>id</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString③①">DOMString</a></span>
        <dd data-md>
         <p>This member MUST be present if <code class="idl"><a data-link-type="idl" href="#dom-tokenbinding-status" id="ref-for-dom-tokenbinding-status①">status</a></code> is <code class="idl"><a data-link-type="idl" href="#dom-tokenbindingstatus-present" id="ref-for-dom-tokenbindingstatus-present①">present</a></code>, and MUST be a <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding⑤">base64url
encoding</a> of the <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-3.2" id="ref-for-section-3.2②">Token Binding ID</a> that was used when communicating with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⓪">Relying Party</a>.</p>
       </dl>
      </div>
      <p class="note" role="note"><span>Note:</span> Obtaining a <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-3.2" id="ref-for-section-3.2③">Token Binding ID</a> is a <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③⑤">client platform</a>-specific operation.</p>
    </dl>
    <p>The <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata④">CollectedClientData</a></code> structure is used by the client to compute the following quantities:</p>
    <dl>
     <dt data-md><dfn class="dfn-paneled" data-dfn-for="CollectedClientData" data-dfn-type="dfn" data-noexport id="collectedclientdata-json-compatible-serialization-of-client-data">JSON-compatible serialization of client data</dfn>
     <dd data-md>
      <p>This is the result of performing the <a href="#clientdatajson-serialization">JSON-compatible serialization algorithm</a> on the <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata⑤">CollectedClientData</a></code> dictionary.</p>
     <dt data-md><dfn class="dfn-paneled" data-dfn-for="CollectedClientData" data-dfn-type="dfn" data-noexport id="collectedclientdata-hash-of-the-serialized-client-data">Hash of the serialized client data</dfn>
     <dd data-md>
      <p>This is the hash (computed using SHA-256) of the <a data-link-type="dfn" href="#collectedclientdata-json-compatible-serialization-of-client-data" id="ref-for-collectedclientdata-json-compatible-serialization-of-client-data⑤">JSON-compatible serialization of client data</a>, as constructed by the client.</p>
    </dl>
   </div>
   <h5 class="heading settled" data-level="5.8.1.1" id="clientdatajson-serialization"><span class="secno">5.8.1.1. </span><span class="content">Serialization</span><a class="self-link" href="#clientdatajson-serialization"></a></h5>
   <p>The serialization of the <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata⑥">CollectedClientData</a></code> is a subset of the algorithm for <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#serialize-a-javascript-value-to-json-bytes" id="ref-for-serialize-a-javascript-value-to-json-bytes">JSON-serializing to bytes</a>. I.e. it produces a valid JSON encoding of the <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata⑦">CollectedClientData</a></code> but also provides additional structure that may be exploited by verifiers to avoid integrating a full JSON parser. While verifiers are recommended to perform standard JSON parsing, they may use the <a href="#clientdatajson-verification">more limited algorithm</a> below in contexts where a full JSON parser is too large. This verification algorithm requires only <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding⑥">base64url encoding</a>, appending of bytestrings (which could be implemented by writing into a fixed template), and three conditional checks (assuming that inputs are known not to need escaping).</p>
   <p>The serialization algorithm works by appending successive byte strings to an initially empty partial result until the complete result is obtained.</p>
   <ol>
    <li data-md>
     <p>Let <var>result</var> be an empty byte string.</p>
    <li data-md>
     <p>Append 0x7b2274797065223a (<code>{"type":</code>) to <var>result</var>.</p>
    <li data-md>
     <p>Append <a data-link-type="dfn" href="#ccdtostring" id="ref-for-ccdtostring">CCDToString</a>(<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-type" id="ref-for-dom-collectedclientdata-type③">type</a></code>) to <var>result</var>.</p>
    <li data-md>
     <p>Append 0x2c226368616c6c656e6765223a (<code>,"challenge":</code>) to <var>result</var>.</p>
    <li data-md>
     <p>Append <a data-link-type="dfn" href="#ccdtostring" id="ref-for-ccdtostring①">CCDToString</a>(<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge③">challenge</a></code>) to <var>result</var>.</p>
    <li data-md>
     <p>Append 0x2c226f726967696e223a (<code>,"origin":</code>) to <var>result</var>.</p>
    <li data-md>
     <p>Append <a data-link-type="dfn" href="#ccdtostring" id="ref-for-ccdtostring②">CCDToString</a>(<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin③">origin</a></code>) to <var>result</var>.</p>
    <li data-md>
     <p>Append 0x2c2263726f73734f726967696e223a (<code>,"crossOrigin":</code>) to <var>result</var>.</p>
    <li data-md>
     <p>If <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-crossorigin" id="ref-for-dom-collectedclientdata-crossorigin③">crossOrigin</a></code> is not present, or is <code>false</code>:</p>
     <ol>
      <li data-md>
       <p>Append 0x66616c7365 (<code>false</code>) to <var>result</var>.</p>
     </ol>
    <li data-md>
     <p>Otherwise:</p>
     <ol>
      <li data-md>
       <p>Append 0x74727565 (<code>true</code>) to <var>result</var>.</p>
     </ol>
    <li data-md>
     <p>Create a temporary copy of the <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata⑧">CollectedClientData</a></code> and remove the fields <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-type" id="ref-for-dom-collectedclientdata-type④">type</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge④">challenge</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin④">origin</a></code>, and <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-crossorigin" id="ref-for-dom-collectedclientdata-crossorigin④">crossOrigin</a></code> (if present).</p>
    <li data-md>
     <p>If no fields remain in the temporary copy then:</p>
     <ol>
      <li data-md>
       <p>Append 0x7d (<code>}</code>) to <var>result</var>.</p>
     </ol>
    <li data-md>
     <p>Otherwise:</p>
     <ol>
      <li data-md>
       <p>Invoke <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#serialize-a-javascript-value-to-json-bytes" id="ref-for-serialize-a-javascript-value-to-json-bytes①">serialize JSON to bytes</a> on the temporary copy to produce a byte string <var>remainder</var>.</p>
      <li data-md>
       <p>Append 0x2c (<code>,</code>) to <var>result</var>.</p>
      <li data-md>
       <p>Remove the leading byte from <var>remainder</var>.</p>
      <li data-md>
       <p>Append <var>remainder</var> to <var>result</var>.</p>
     </ol>
    <li data-md>
     <p>The result of the serialization is the value of <var>result</var>.</p>
   </ol>
   <p>The function <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="ccdtostring">CCDToString</dfn> is used in the above algorithm and is defined as:</p>
   <ol>
    <li data-md>
     <p>Let <var>encoded</var> be an empty byte string.</p>
    <li data-md>
     <p>Append 0x22 (<code>"</code>) to <var>encoded</var>.</p>
    <li data-md>
     <p>Invoke <a href="https://tc39.es/ecma262/#sec-tostring">ToString</a> on the given object to convert to a string.</p>
    <li data-md>
     <p>For each code point in the resulting string, if the code point:</p>
     <dl class="switch">
      <dt data-md>is in the set {U+0020, U+0021, U+0023–U+005B, U+005D–U+10FFFF}
      <dd data-md>
       <p>Append the UTF-8 encoding of that code point to <var>encoded</var>.</p>
      <dt data-md>is U+0022
      <dd data-md>
       <p>Append 0x5c22 (<code>\"</code>) to <var>encoded</var>.</p>
      <dt data-md>is U+005C
      <dd data-md>
        <p>Append 0x5c5c (<code>\\</code>) to <var>encoded</var>.</p>
      <dt data-md>otherwise
      <dd data-md>
        <p>Append 0x5c75 (<code>\u</code>) to <var>encoded</var>, followed by four lower-case hex digits that, when interpreted as a base-16 number, represent that code point.</p>
     </dl>
    <li data-md>
     <p>Append 0x22 (<code>"</code>) to <var>encoded</var>.</p>
    <li data-md>
     <p>The result of this function is the value of <var>encoded</var>.</p>
   </ol>
   <h5 class="heading settled" data-level="5.8.1.2" id="clientdatajson-verification"><span class="secno">5.8.1.2. </span><span class="content">Limited Verification Algorithm</span><a class="self-link" href="#clientdatajson-verification"></a></h5>
   <p>Verifiers may use the following algorithm to verify an encoded <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata⑨">CollectedClientData</a></code> if they cannot support a full JSON parser:</p>
   <ol>
    <li data-md>
     <p>The inputs to the algorithm are:</p>
     <ol>
      <li data-md>
        <p>A byte string, <var>clientDataJSON</var>, that contains <code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson⑤">clientDataJSON</a></code> — the serialized <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata①⓪">CollectedClientData</a></code> that is to be verified.</p>
      <li data-md>
       <p>A string, <var>type</var>, that contains the expected <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-type" id="ref-for-dom-collectedclientdata-type⑤">type</a></code>.</p>
      <li data-md>
       <p>A byte string, <var>challenge</var>, that contains the challenge byte string that was given in the <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions④">PublicKeyCredentialRequestOptions</a></code> or <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialcreationoptions" id="ref-for-dictdef-publickeycredentialcreationoptions③">PublicKeyCredentialCreationOptions</a></code>.</p>
      <li data-md>
       <p>A string, <var>origin</var>, that contains the expected <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin⑤">origin</a></code> that issued the request to the user agent.</p>
      <li data-md>
       <p>A boolean, <var>crossOrigin</var>, that is true if, and only if, the request should have been performed within a cross-origin <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element">iframe</a></code>.</p>
     </ol>
    <li data-md>
     <p>Let <var>expected</var> be an empty byte string.</p>
    <li data-md>
     <p>Append 0x7b2274797065223a (<code>{"type":</code>) to <var>expected</var>.</p>
    <li data-md>
     <p>Append <a data-link-type="dfn" href="#ccdtostring" id="ref-for-ccdtostring③">CCDToString</a>(<var>type</var>) to <var>expected</var>.</p>
    <li data-md>
     <p>Append 0x2c226368616c6c656e6765223a (<code>,"challenge":</code>) to <var>expected</var>.</p>
    <li data-md>
     <p>Perform <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding⑦">base64url encoding</a> on <var>challenge</var> to produce a string, <var>challengeBase64</var>.</p>
    <li data-md>
     <p>Append <a data-link-type="dfn" href="#ccdtostring" id="ref-for-ccdtostring④">CCDToString</a>(<var>challengeBase64</var>) to <var>expected</var>.</p>
    <li data-md>
     <p>Append 0x2c226f726967696e223a (<code>,"origin":</code>) to <var>expected</var>.</p>
    <li data-md>
     <p>Append <a data-link-type="dfn" href="#ccdtostring" id="ref-for-ccdtostring⑤">CCDToString</a>(<var>origin</var>) to <var>expected</var>.</p>
    <li data-md>
     <p>Append 0x2c2263726f73734f726967696e223a (<code>,"crossOrigin":</code>) to <var>expected</var>.</p>
    <li data-md>
     <p>If <var>crossOrigin</var> is true:</p>
     <ol>
      <li data-md>
       <p>Append 0x74727565 (<code>true</code>) to <var>expected</var>.</p>
     </ol>
    <li data-md>
     <p>Otherwise, i.e. <var>crossOrigin</var> is false:</p>
     <ol>
      <li data-md>
       <p>Append 0x66616c7365 (<code>false</code>) to <var>expected</var>.</p>
     </ol>
    <li data-md>
     <p>If <var>expected</var> is not a prefix of <var>clientDataJSON</var> then the verification has failed.</p>
    <li data-md>
     <p>If <var>clientDataJSON</var> is not at least one byte longer than <var>expected</var> then the verification has failed.</p>
    <li data-md>
     <p>If the byte of <var>clientDataJSON</var> at the offset equal to the length of <var>expected</var>:</p>
     <dl class="switch">
      <dt data-md>is 0x7d
      <dd data-md>
       <p>The verification is successful.</p>
      <dt data-md>is 0x2c
      <dd data-md>
       <p>The verification is successful.</p>
      <dt data-md>otherwise
      <dd data-md>
       <p>The verification has failed.</p>
     </dl>
   </ol>
   <h5 class="heading settled" data-level="5.8.1.3" id="clientdatajson-development"><span class="secno">5.8.1.3. </span><span class="content">Future development</span><a class="self-link" href="#clientdatajson-development"></a></h5>
   <p>In order to remain compatible with the <a href="#clientdatajson-verification">limited verification algorithm</a>, future versions of this specification must not remove any of the fields <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-type" id="ref-for-dom-collectedclientdata-type⑥">type</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge⑤">challenge</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin⑥">origin</a></code>, or <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-crossorigin" id="ref-for-dom-collectedclientdata-crossorigin⑤">crossOrigin</a></code> from <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata①①">CollectedClientData</a></code>. They also must not change the <a href="#clientdatajson-serialization">serialization algorithm</a> in a way that alters the order in which those fields are serialized.</p>
   <p>If additional fields are added to <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata①②">CollectedClientData</a></code> then verifiers that employ the <a href="#clientdatajson-verification">limited verification algorithm</a> will not be able to consider them until the two algorithms above are updated to include them. Once such an update occurs, the added fields inherit the same limitations as described in the previous paragraph. Such an algorithm update would have to accommodate serializations produced by previous versions. I.e. the verification algorithm would have to handle the fact that a fifth key–value pair may not appear fifth (or at all) if generated by a user agent working from a previous version.</p>
   <h4 class="heading settled" data-level="5.8.2" id="enum-credentialType"><span class="secno">5.8.2. </span><span class="content">Credential Type Enumeration (enum <dfn class="dfn-paneled idl-code" data-dfn-type="enum" data-export id="enumdef-publickeycredentialtype"><code>PublicKeyCredentialType</code></dfn>)</span><a class="self-link" href="#enum-credentialType"></a></h4>
<pre class="idl highlight def"><c- b>enum</c-> <a class="idl-code" data-link-type="enum" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype⑤"><c- g>PublicKeyCredentialType</c-></a> {
    <a class="idl-code" data-link-type="enum-value" href="#dom-publickeycredentialtype-public-key" id="ref-for-dom-publickeycredentialtype-public-key③"><c- s>"public-key"</c-></a>
};
</pre>
   <p class="note" role="note"><span>Note:</span> The <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype⑥">PublicKeyCredentialType</a></code> enumeration is deliberately not referenced, see <a href="#sct-domstring-backwards-compatibility">§ 2.1.1 Enumerations as DOMString types</a>.</p>
   <div>
     This enumeration defines the valid credential types. It is an extension point; values can be added to it in the future, as
    more credential types are defined. The values of this enumeration are used for versioning the Authentication Assertion and
    attestation structures according to the type of the authenticator. 
    <p>Currently one credential type is defined, namely "<dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialType" data-dfn-type="enum-value" data-export data-lt="&quot;public-key&quot;|public-key" id="dom-publickeycredentialtype-public-key"><code>public-key</code></dfn>".</p>
   </div>
   <h4 class="heading settled" data-level="5.8.3" id="dictionary-credential-descriptor"><span class="secno">5.8.3. </span><span class="content">Credential Descriptor (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-publickeycredentialdescriptor"><code>PublicKeyCredentialDescriptor</code></dfn>)</span><a class="self-link" href="#dictionary-credential-descriptor"></a></h4>
<pre class="idl highlight def"><c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor⑧"><c- g>PublicKeyCredentialDescriptor</c-></a> {
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString③②"><c- b>DOMString</c-></a>                    <a class="idl-code" data-link-type="dict-member" data-type="DOMString                    " href="#dom-publickeycredentialdescriptor-type" id="ref-for-dom-publickeycredentialdescriptor-type①"><c- g>type</c-></a>;
    <c- b>required</c-> <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource" id="ref-for-BufferSource⑧"><c- n>BufferSource</c-></a>                 <a class="idl-code" data-link-type="dict-member" data-type="BufferSource                 " href="#dom-publickeycredentialdescriptor-id" id="ref-for-dom-publickeycredentialdescriptor-id①"><c- g>id</c-></a>;
    <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence" id="ref-for-idl-sequence④"><c- b>sequence</c-></a>&lt;<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString③③"><c- b>DOMString</c-></a>>                   <a class="idl-code" data-link-type="dict-member" data-type="sequence<DOMString>                   " href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports⑧"><c- g>transports</c-></a>;
};
</pre>
   <p>This dictionary contains the attributes that are specified by a caller when referring to a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential③⑤">public key credential</a> as an input
parameter to the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create①④">create()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②①">get()</a></code> methods. It mirrors the fields of the <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential①⑤">PublicKeyCredential</a></code> object returned by the latter methods.</p>
   <div>
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialDescriptor" data-dfn-type="dict-member" data-export id="dom-publickeycredentialdescriptor-type"><code>type</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString③④">DOMString</a></span>
     <dd data-md>
      <p>This member contains the type of the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential③⑥">public key credential</a> the caller is referring to. The value SHOULD be a member of <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype⑦">PublicKeyCredentialType</a></code> but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③⑥">client platforms</a> MUST ignore any <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor⑨">PublicKeyCredentialDescriptor</a></code> with an unknown <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-type" id="ref-for-dom-publickeycredentialdescriptor-type②">type</a></code>.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialDescriptor" data-dfn-type="dict-member" data-export id="dom-publickeycredentialdescriptor-id"><code>id</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource" id="ref-for-BufferSource⑨">BufferSource</a></span>
     <dd data-md>
      <p>This member contains the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id①⑨">credential ID</a> of the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential③⑦">public key credential</a> the caller is referring to.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialDescriptor" data-dfn-type="dict-member" data-export id="dom-publickeycredentialdescriptor-transports"><code>transports</code></dfn>, <span> of type sequence&lt;<a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString③⑤">DOMString</a>></span>
     <dd data-md>
      <p>This OPTIONAL member contains a hint as to how the <a data-link-type="dfn" href="#client" id="ref-for-client③⑨">client</a> might communicate with the <a data-link-type="dfn" href="#public-key-credential-source-managing-authenticator" id="ref-for-public-key-credential-source-managing-authenticator⑥">managing authenticator</a> of the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential③⑧">public key credential</a> the caller is referring to. The values SHOULD be members of <code class="idl"><a data-link-type="idl" href="#enumdef-authenticatortransport" id="ref-for-enumdef-authenticatortransport②">AuthenticatorTransport</a></code> but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③⑦">client platforms</a> MUST ignore unknown values.</p>
      <p>The <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-gettransports" id="ref-for-dom-authenticatorattestationresponse-gettransports①">getTransports()</a></code> operation can provide suitable values for this member.
When <a href="#sctn-registering-a-new-credential">registering a new credential</a>,
the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④①">Relying Party</a> SHOULD store the value returned from <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-gettransports" id="ref-for-dom-authenticatorattestationresponse-gettransports②">getTransports()</a></code>.
When creating a <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor①⓪">PublicKeyCredentialDescriptor</a></code> for that credential,
the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④②">Relying Party</a> SHOULD retrieve that stored value
and set it as the value of the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports⑨">transports</a></code> member.</p>
    </dl>
   </div>
   <h4 class="heading settled" data-level="5.8.4" id="enum-transport"><span class="secno">5.8.4. </span><span class="content">Authenticator Transport Enumeration (enum <dfn class="dfn-paneled idl-code" data-dfn-type="enum" data-export id="enumdef-authenticatortransport"><code>AuthenticatorTransport</code></dfn>)</span><a class="self-link" href="#enum-transport"></a></h4>
<pre class="idl highlight def"><c- b>enum</c-> <a class="idl-code" data-link-type="enum" href="#enumdef-authenticatortransport" id="ref-for-enumdef-authenticatortransport③"><c- g>AuthenticatorTransport</c-></a> {
    <a class="idl-code" data-link-type="enum-value" href="#dom-authenticatortransport-usb" id="ref-for-dom-authenticatortransport-usb"><c- s>"usb"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-authenticatortransport-nfc" id="ref-for-dom-authenticatortransport-nfc"><c- s>"nfc"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-authenticatortransport-ble" id="ref-for-dom-authenticatortransport-ble"><c- s>"ble"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-authenticatortransport-internal" id="ref-for-dom-authenticatortransport-internal①"><c- s>"internal"</c-></a>
};
</pre>
   <p class="note" role="note"><span>Note:</span> The <code class="idl"><a data-link-type="idl" href="#enumdef-authenticatortransport" id="ref-for-enumdef-authenticatortransport④">AuthenticatorTransport</a></code> enumeration is deliberately not referenced, see <a href="#sct-domstring-backwards-compatibility">§ 2.1.1 Enumerations as DOMString types</a>.</p>
   <div>
     <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑨⑤">Authenticators</a> may implement various <a href="#enum-transport">transports</a> for communicating with <a data-link-type="dfn" href="#client" id="ref-for-client④⓪">clients</a>. This enumeration
    defines hints as to how clients might communicate with a particular authenticator in order to obtain an assertion for a
    specific credential. Note that these hints represent the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party②⓪">WebAuthn Relying Party</a>'s best belief as to how an authenticator may be reached. A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④③">Relying Party</a> will typically learn of the supported transports for a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential③⑨">public key credential</a> via <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-gettransports" id="ref-for-dom-authenticatorattestationresponse-gettransports③">getTransports()</a></code>. 
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorTransport" data-dfn-type="enum-value" data-export data-lt="&quot;usb&quot;|usb" id="dom-authenticatortransport-usb"><code>usb</code></dfn>
     <dd data-md>
      <p>Indicates the respective <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑨⑥">authenticator</a> can be contacted over removable USB.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorTransport" data-dfn-type="enum-value" data-export data-lt="&quot;nfc&quot;|nfc" id="dom-authenticatortransport-nfc"><code>nfc</code></dfn>
     <dd data-md>
      <p>Indicates the respective <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑨⑦">authenticator</a> can be contacted over Near Field Communication (NFC).</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorTransport" data-dfn-type="enum-value" data-export data-lt="&quot;ble&quot;|ble" id="dom-authenticatortransport-ble"><code>ble</code></dfn>
     <dd data-md>
      <p>Indicates the respective <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑨⑧">authenticator</a> can be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE).</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorTransport" data-dfn-type="enum-value" data-export data-lt="&quot;internal&quot;|internal" id="dom-authenticatortransport-internal"><code>internal</code></dfn>
     <dd data-md>
      <p>Indicates the respective <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator⑨⑨">authenticator</a> is contacted using a <a data-link-type="dfn" href="#client-device" id="ref-for-client-device①⑧">client device</a>-specific transport,
i.e., it is a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①①">platform authenticator</a>.
These authenticators are not removable from the <a data-link-type="dfn" href="#client-device" id="ref-for-client-device①⑨">client device</a>.</p>
    </dl>
   </div>
   <h4 class="heading settled" data-level="5.8.5" id="sctn-alg-identifier"><span class="secno">5.8.5. </span><span class="content">Cryptographic Algorithm Identifier (typedef <code class="idl"><a data-link-type="idl" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier⑧">COSEAlgorithmIdentifier</a></code>)</span><a class="self-link" href="#sctn-alg-identifier"></a></h4>
<pre class="idl highlight def"><c- b>typedef</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-long" id="ref-for-idl-long"><c- b>long</c-></a> <dfn class="dfn-paneled idl-code" data-dfn-type="typedef" data-export id="typedefdef-cosealgorithmidentifier"><code><c- g>COSEAlgorithmIdentifier</c-></code></dfn>;
</pre>
   <div>
     A <code class="idl"><a data-link-type="idl" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier⑨">COSEAlgorithmIdentifier</a></code>'s value is a number identifying a cryptographic algorithm.
    The algorithm identifiers SHOULD be values registered in the IANA COSE Algorithms registry <a data-link-type="biblio" href="#biblio-iana-cose-algs-reg">[IANA-COSE-ALGS-REG]</a>,
    for instance, <code>-7</code> for "ES256" and <code>-257</code> for "RS256". 
    <p>The COSE algorithms registry leaves degrees of freedom to be specified by other parameters in a <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8152#section-7" id="ref-for-section-7">COSE key</a>. In order to promote interoperability, this specification makes the following additional guarantees of <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key②①">credential public keys</a>:</p>
    <ol>
     <li data-md>
      <p>Keys with algorithm ES256 (-7) MUST specify P-256 (1) as the <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8152#section-13.1.1" id="ref-for-section-13.1.1②">crv</a> parameter and MUST NOT use the compressed point form.</p>
     <li data-md>
      <p>Keys with algorithm ES384 (-35) MUST specify P-384 (2) as the <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8152#section-13.1.1" id="ref-for-section-13.1.1③">crv</a> parameter and MUST NOT use the compressed point form.</p>
     <li data-md>
      <p>Keys with algorithm ES512 (-36) MUST specify P-521 (3) as the <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8152#section-13.1.1" id="ref-for-section-13.1.1④">crv</a> parameter and MUST NOT use the compressed point form.</p>
     <li data-md>
      <p>Keys with algorithm EdDSA (-8) MUST specify Ed25519 (6) as the <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8152#section-13.1.1" id="ref-for-section-13.1.1⑤">crv</a> parameter. (These always use a compressed form in COSE.)</p>
    </ol>
   </div>
   <p class="note" role="note"><span>Note:</span> There are many checks necessary to correctly implement signature verification using these algorithms. One of these is that, when processing uncompressed elliptic-curve points, implementations should check that the point is actually on the curve. This check is highlighted because it’s judged to be at particular risk of falling through the gap between a cryptographic library and other code.</p>
   <h4 class="heading settled" data-level="5.8.6" id="enum-userVerificationRequirement"><span class="secno">5.8.6. </span><span class="content">User Verification Requirement Enumeration (enum <dfn class="dfn-paneled idl-code" data-dfn-type="enum" data-export id="enumdef-userverificationrequirement"><code>UserVerificationRequirement</code></dfn>)</span><a class="self-link" href="#enum-userVerificationRequirement"></a></h4>
<pre class="idl highlight def"><c- b>enum</c-> <a class="idl-code" data-link-type="enum" href="#enumdef-userverificationrequirement" id="ref-for-enumdef-userverificationrequirement②"><c- g>UserVerificationRequirement</c-></a> {
    <a class="idl-code" data-link-type="enum-value" href="#dom-userverificationrequirement-required" id="ref-for-dom-userverificationrequirement-required⑥"><c- s>"required"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-userverificationrequirement-preferred" id="ref-for-dom-userverificationrequirement-preferred④"><c- s>"preferred"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-userverificationrequirement-discouraged" id="ref-for-dom-userverificationrequirement-discouraged④"><c- s>"discouraged"</c-></a>
};
</pre>
   <p>A <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party②①">WebAuthn Relying Party</a> may require <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②①">user verification</a> for some of its operations but not for others, and may use this type to express its
needs.</p>
   <p class="note" role="note"><span>Note:</span> The <code class="idl"><a data-link-type="idl" href="#enumdef-userverificationrequirement" id="ref-for-enumdef-userverificationrequirement③">UserVerificationRequirement</a></code> enumeration is deliberately not referenced, see <a href="#sct-domstring-backwards-compatibility">§ 2.1.1 Enumerations as DOMString types</a>.</p>
   <div>
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="UserVerificationRequirement" data-dfn-type="enum-value" data-export data-lt="&quot;required&quot;|required" id="dom-userverificationrequirement-required"><code>required</code></dfn>
     <dd data-md>
      <p>This value indicates that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④④">Relying Party</a> requires <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②②">user verification</a> for the operation and will fail the operation if the
response does not have the <a data-link-type="dfn" href="#uv" id="ref-for-uv">UV</a> <a data-link-type="dfn" href="#flags" id="ref-for-flags">flag</a> set.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="UserVerificationRequirement" data-dfn-type="enum-value" data-export data-lt="&quot;preferred&quot;|preferred" id="dom-userverificationrequirement-preferred"><code>preferred</code></dfn>
     <dd data-md>
      <p>This value indicates that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⑤">Relying Party</a> prefers <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②③">user verification</a> for the operation if possible, but will not fail the
operation if the response does not have the <a data-link-type="dfn" href="#uv" id="ref-for-uv①">UV</a> <a data-link-type="dfn" href="#flags" id="ref-for-flags①">flag</a> set.</p>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="UserVerificationRequirement" data-dfn-type="enum-value" data-export data-lt="&quot;discouraged&quot;|discouraged" id="dom-userverificationrequirement-discouraged"><code>discouraged</code></dfn>
     <dd data-md>
      <p>This value indicates that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⑥">Relying Party</a> does not want <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②④">user verification</a> employed during the operation (e.g., in the
interest of minimizing disruption to the user interaction flow).</p>
    </dl>
   </div>
   <h3 class="heading settled" data-level="5.9" id="sctn-permissions-policy"><span class="secno">5.9. </span><span class="content">Permissions Policy integration</span><a class="self-link" href="#sctn-permissions-policy"></a></h3>
   <p>This specification defines one <a data-link-type="dfn" href="https://w3c.github.io/webappsec-permissions-policy/#policy-controlled-feature" id="ref-for-policy-controlled-feature">policy-controlled feature</a> identified by
the feature-identifier token "<code><dfn class="dfn-paneled" data-dfn-type="dfn" data-export data-lt="publickey-credentials-get-feature" id="publickey-credentials-get-feature">publickey-credentials-get</dfn></code>".
Its <a data-link-type="dfn" href="https://w3c.github.io/webappsec-permissions-policy/#default-allowlist" id="ref-for-default-allowlist">default allowlist</a> is '<code>self</code>'. <a data-link-type="biblio" href="#biblio-permissions-policy">[Permissions-Policy]</a></p>
   <p>A <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document">Document</a></code>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-permissions-policy" id="ref-for-concept-document-permissions-policy③">permissions policy</a> determines whether any content in that <a href="https://html.spec.whatwg.org/multipage/dom.html#documents">document</a> is <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#allowed-to-use" id="ref-for-allowed-to-use①">allowed to successfully invoke</a> the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api①②">Web Authentication API</a>, i.e., via <code><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②②">navigator.credentials.get({publicKey:..., ...})</a></code>.
If disabled in any document, no content in the document will be <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#allowed-to-use" id="ref-for-allowed-to-use②">allowed to use</a> the foregoing methods: attempting to do so will <a href="https://www.w3.org/2001/tag/doc/promises-guide#errors">return an error</a>.</p>
   <p class="note" role="note"><span>Note:</span> Algorithms specified in <a data-link-type="biblio" href="#biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]</a> perform the actual permissions policy evaluation. This is because such policy evaluation needs to occur when there is access to the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#current-settings-object" id="ref-for-current-settings-object">current settings object</a>. The <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot⑨">[[Create]](origin, options, sameOriginWithAncestors)</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot⑨">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code> <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots" id="ref-for-sec-object-internal-methods-and-internal-slots①⑧">internal methods</a> do not have such access since they are invoked <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel" id="ref-for-in-parallel">in parallel</a> (by algorithms specified in <a data-link-type="biblio" href="#biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]</a>).</p>
   <h3 class="heading settled" data-level="5.10" id="sctn-iframe-guidance"><span class="secno">5.10. </span><span class="content">Using Web Authentication within <code>iframe</code> elements</span><a class="self-link" href="#sctn-iframe-guidance"></a></h3>
   <p>The <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api①③">Web Authentication API</a> is disabled by default in cross-origin <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element①">iframe</a></code>s.
To override this default policy and indicate that a cross-origin <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element②">iframe</a></code> is allowed to invoke the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api①④">Web Authentication API</a>'s <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot①⓪">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code> method, specify the <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-allow" id="ref-for-attr-iframe-allow">allow</a></code> attribute on the <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element③">iframe</a></code> element and include the <code><a data-link-type="dfn" href="#publickey-credentials-get-feature" id="ref-for-publickey-credentials-get-feature">publickey-credentials-get</a></code> feature-identifier token in the <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-allow" id="ref-for-attr-iframe-allow①">allow</a></code> attribute’s value.</p>
   <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⑦">Relying Parties</a> utilizing the WebAuthn API in an embedded context should review <a href="#sctn-seccons-visibility">§ 13.4.2 Visibility Considerations for Embedded Usage</a> regarding <a data-link-type="dfn" href="#ui-redressing" id="ref-for-ui-redressing">UI redressing</a> and its possible mitigations.</p>
   <h2 class="heading settled" data-level="6" id="sctn-authenticator-model"><span class="secno">6. </span><span class="content">WebAuthn <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-model">Authenticator Model</dfn></span><a class="self-link" href="#sctn-authenticator-model"></a></h2>
   <p><a href="#sctn-api">The Web Authentication API</a> implies a specific abstract functional model for a <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator④">WebAuthn Authenticator</a>. This section
describes that <a data-link-type="dfn" href="#authenticator-model" id="ref-for-authenticator-model②">authenticator model</a>.</p>
   <p><a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③⑧">Client platforms</a> MAY implement and expose this abstract model in any way desired. However, the behavior of the client’s Web
Authentication API implementation, when operating on the authenticators supported by that <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③⑨">client platform</a>, MUST be indistinguishable
from the behavior specified in <a href="#sctn-api">§ 5 Web Authentication API</a>.</p>
   <p class="note" role="note"><span>Note:</span> <a data-link-type="biblio" href="#biblio-fido-ctap">[FIDO-CTAP]</a> is an example of a concrete instantiation of this model, but it is one in which there are differences in the data it returns and those expected by the <a href="#sctn-api">WebAuthn API</a>'s algorithms. The CTAP2 response messages are CBOR maps constructed using integer keys rather than the string keys defined in this specification for the same objects. The <a data-link-type="dfn" href="#client" id="ref-for-client④①">client</a> is expected to perform any needed transformations on such data. The <a data-link-type="biblio" href="#biblio-fido-ctap">[FIDO-CTAP]</a> specification details the mapping between CTAP2 integer keys and WebAuthn string keys, in section <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#responses" id="ref-for-responses">§6.2. Responses</a>.</p>
   <p>For authenticators, this model defines the logical operations that they MUST support, and the data formats that they expose to
the client and the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party②②">WebAuthn Relying Party</a>. However, it does not define the details of how authenticators communicate with the <a data-link-type="dfn" href="#client-device" id="ref-for-client-device②⓪">client device</a>,
unless they are necessary for interoperability with <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⑧">Relying Parties</a>. For instance, this abstract model does not define protocols for
connecting authenticators to clients over transports such as USB or NFC. Similarly, this abstract model does not define specific
error codes or methods of returning them; however, it does define error behavior in terms of the needs of the client. Therefore,
specific error codes are mentioned as a means of showing which error conditions MUST be distinguishable (or not) from each other
in order to enable a compliant and secure client implementation.</p>
   <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⑨">Relying Parties</a> may influence authenticator selection, if they deem necessary, by stipulating various authenticator characteristics
when <a href="#sctn-createCredential">creating credentials</a> and/or when <a href="#sctn-getAssertion">generating assertions</a>, through use of <a href="#dictionary-makecredentialoptions">credential creation options</a> or <a href="#dictionary-assertion-options">assertion generation options</a>,
respectively. The algorithms underlying the <a href="#sctn-api">WebAuthn API</a> marshal these options and pass them to the applicable <a href="#sctn-authenticator-ops">authenticator operations</a> defined below.</p>
   <p>In this abstract model, the authenticator provides key management and cryptographic signatures. It can be embedded in the
WebAuthn client or housed in a separate device entirely. The authenticator itself can contain a cryptographic module which
operates at a higher security level than the rest of the authenticator. This is particularly important for authenticators that
are embedded in the WebAuthn client, as in those cases this cryptographic module (which may, for example, be a TPM) could be
considered more trustworthy than the rest of the authenticator.</p>
   <p>Each authenticator stores a <dfn class="dfn-paneled" data-dfn-for="authenticator" data-dfn-type="dfn" data-noexport id="authenticator-credentials-map">credentials map</dfn>, a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map" id="ref-for-ordered-map⑥">map</a> from (<a data-link-type="dfn" href="#public-key-credential-source-rpid" id="ref-for-public-key-credential-source-rpid">rpId</a>, [<a data-link-type="dfn" href="#public-key-credential-source-userhandle" id="ref-for-public-key-credential-source-userhandle">userHandle</a>]) to <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source②②">public key credential source</a>.</p>
   <p>Additionally, each authenticator has an AAGUID, which is a 128-bit identifier indicating the type (e.g. make and model) of the
authenticator. The AAGUID MUST be chosen by the manufacturer to be identical across all substantially identical authenticators
made by that manufacturer, and different (with high probability) from the AAGUIDs of all other types of authenticators.
The AAGUID for a given type of authenticator SHOULD be randomly generated to ensure this. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⓪">Relying Party</a> MAY use the AAGUID to infer certain
properties of the authenticator, such as certification level and strength of key protection, using information from other sources.</p>
   <p>The primary function of the authenticator is to provide <a data-link-type="dfn" href="#webauthn-signature" id="ref-for-webauthn-signature①">WebAuthn signatures</a>, which are bound to various contextual data. These
data are observed and added at different levels of the stack as a signature request passes from the server to the
authenticator. In verifying a signature, the server checks these bindings against expected values. These contextual bindings
are divided into two groups: those added by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤①">Relying Party</a> or the client, referred to as <a data-link-type="dfn" href="#client-data" id="ref-for-client-data②">client data</a>; and those added by the authenticator,
referred to as the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①②">authenticator data</a>. The authenticator signs over the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data③">client data</a>, but is otherwise not interested in
its contents. To save bandwidth and processing requirements on the authenticator, the client hashes the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data④">client data</a> and
sends only the result to the authenticator. The authenticator signs over the combination of the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data⑤">hash of the serialized client data</a>, and its own <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①③">authenticator data</a>.</p>
   <p>The goals of this design can be summarized as follows.</p>
   <ul>
    <li data-md>
     <p>The scheme for generating signatures should accommodate cases where the link between the <a data-link-type="dfn" href="#client-device" id="ref-for-client-device②①">client device</a> and authenticator
is very limited, in bandwidth and/or latency. Examples include Bluetooth Low Energy and Near-Field Communication.</p>
    <li data-md>
     <p>The data processed by the authenticator should be small and easy to interpret in low-level code. In particular, authenticators
should not have to parse high-level encodings such as JSON.</p>
    <li data-md>
     <p>Both the <a data-link-type="dfn" href="#client" id="ref-for-client④②">client</a> and the authenticator should have the flexibility to add contextual bindings as needed.</p>
    <li data-md>
     <p>The design aims to reuse as much as possible of existing encoding formats in order to aid adoption and implementation.</p>
   </ul>
   <p>Authenticators produce cryptographic signatures for two distinct purposes:</p>
   <ol>
    <li data-md>
     <p>An <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-signature">attestation signature</dfn> is produced when a new <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④⓪">public key credential</a> is created via an <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential⑨">authenticatorMakeCredential</a> operation. An <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature①">attestation signature</a> provides cryptographic
proof of certain properties of the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⓪⓪">authenticator</a> and the credential. For instance, an <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature②">attestation signature</a> asserts the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⓪①">authenticator</a> type (as denoted by its AAGUID) and the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key②②">credential public key</a>. The <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature③">attestation
signature</a> is signed by an <a data-link-type="dfn" href="#attestation-private-key" id="ref-for-attestation-private-key">attestation private key</a>, which is chosen depending on the type of <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①⓪">attestation</a> desired.
For more details on <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①①">attestation</a>, see <a href="#sctn-attestation">§ 6.5 Attestation</a>.</p>
    <li data-md>
     <p>An <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="assertion-signature">assertion signature</dfn> is produced when the <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion⑦">authenticatorGetAssertion</a> method is invoked. It represents an
assertion by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⓪②">authenticator</a> that the user has <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent①③">consented</a> to a specific transaction, such as logging
in, or completing a purchase. Thus, an <a data-link-type="dfn" href="#assertion-signature" id="ref-for-assertion-signature②">assertion signature</a> asserts that the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⓪③">authenticator</a> possessing a particular <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key⑨">credential private key</a> has established, to the best of its ability, that the user requesting this transaction is the
same user who <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent①④">consented</a> to creating that particular <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④①">public key credential</a>. It also asserts additional
information, termed <a data-link-type="dfn" href="#client-data" id="ref-for-client-data⑤">client data</a>, that may be useful to the caller, such as the means by which <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent①⑤">user consent</a> was
provided, and the prompt shown to the user by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⓪④">authenticator</a>. The <a data-link-type="dfn" href="#assertion-signature" id="ref-for-assertion-signature③">assertion signature</a> format is illustrated in <a href="#fig-signature">Figure 4, below</a>.</p>
   </ol>
   <p>The term <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="webauthn-signature">WebAuthn signature</dfn> refers to both <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature④">attestation signatures</a> and <a data-link-type="dfn" href="#assertion-signature" id="ref-for-assertion-signature④">assertion signatures</a>.
The formats of these signatures, as well as the procedures for generating them, are specified below.</p>
   <h3 class="heading settled" data-level="6.1" id="sctn-authenticator-data"><span class="secno">6.1. </span><span class="content">Authenticator Data</span><a class="self-link" href="#sctn-authenticator-data"></a></h3>
   <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-data">authenticator data</dfn> structure encodes contextual bindings made by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⓪⑤">authenticator</a>. These bindings are
controlled by the authenticator itself, and derive their trust from the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party②③">WebAuthn Relying Party</a>'s assessment of the security properties of the
authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy
than the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data⑥">client data</a>. At the other extreme, the authenticator may be a discrete entity with high-security hardware and
software, connected to the client over a secure channel. In both cases, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤②">Relying Party</a> receives the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①④">authenticator data</a> in the same
format, and uses its knowledge of the authenticator to make trust decisions.</p>
   <p>The <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①⑤">authenticator data</a> has a compact but extensible encoding. This is desired since authenticators can be devices with
limited capabilities and low power requirements, with much simpler software stacks than the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④⓪">client platform</a>.</p>
   <p>The <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①⑥">authenticator data</a> structure is a byte array of 37 bytes or more,
laid out as shown in <a href="#table-authData">Table <span class="table-ref-following"></span></a>.</p>
   <figure class="table" id="table-authData">
    <table class="complex data longlastcol">
     <tbody>
      <tr>
       <th>Name
       <th>Length (in bytes)
       <th>Description
      <tr>
       <td><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="rpidhash">rpIdHash</dfn>
       <td>32
       <td> SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②④">RP ID</a> the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④②">credential</a> is <a data-link-type="dfn" href="#scope" id="ref-for-scope①②">scoped</a> to. 
      <tr>
       <td><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="flags">flags</dfn>
       <td>1
       <td>
         Flags (bit 0 is the least significant bit): 
        <ul>
         <li data-md>
          <p>Bit 0: <a data-link-type="dfn" href="#concept-user-present" id="ref-for-concept-user-present①">User Present</a> (<a data-link-type="dfn" href="#up" id="ref-for-up">UP</a>) result.</p>
          <ul>
           <li data-md>
            <p><code>1</code> means the user is <a data-link-type="dfn" href="#concept-user-present" id="ref-for-concept-user-present②">present</a>.</p>
           <li data-md>
            <p><code>0</code> means the user is not <a data-link-type="dfn" href="#concept-user-present" id="ref-for-concept-user-present③">present</a>.</p>
          </ul>
         <li data-md>
          <p>Bit 1: Reserved for future use (<code>RFU1</code>).</p>
         <li data-md>
          <p>Bit 2: <a data-link-type="dfn" href="#concept-user-verified" id="ref-for-concept-user-verified①">User Verified</a> (<a data-link-type="dfn" href="#uv" id="ref-for-uv②">UV</a>) result.</p>
          <ul>
           <li data-md>
            <p><code>1</code> means the user is <a data-link-type="dfn" href="#concept-user-verified" id="ref-for-concept-user-verified②">verified</a>.</p>
           <li data-md>
            <p><code>0</code> means the user is not <a data-link-type="dfn" href="#concept-user-verified" id="ref-for-concept-user-verified③">verified</a>.</p>
          </ul>
         <li data-md>
          <p>Bits 3-5: Reserved for future use (<code>RFU2</code>).</p>
         <li data-md>
          <p>Bit 6: <a data-link-type="dfn" href="#attested-credential-data" id="ref-for-attested-credential-data②">Attested credential data</a> included (<code>AT</code>).</p>
          <ul>
           <li data-md>
            <p>Indicates whether the authenticator added <a data-link-type="dfn" href="#attested-credential-data" id="ref-for-attested-credential-data③">attested credential data</a>.</p>
          </ul>
         <li data-md>
          <p>Bit 7: Extension data included (<code>ED</code>).</p>
          <ul>
           <li data-md>
            <p>Indicates if the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①⑦">authenticator data</a> has <a data-link-type="dfn" href="#authdataextensions" id="ref-for-authdataextensions">extensions</a>.</p>
          </ul>
        </ul>
      <tr>
       <td><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="signcount">signCount</dfn>
       <td>4
       <td><a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter">Signature counter</a>, 32-bit unsigned big-endian integer.
      <tr>
       <td><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestedcredentialdata">attestedCredentialData</dfn>
       <td>variable (if present)
       <td> <a data-link-type="dfn" href="#attested-credential-data" id="ref-for-attested-credential-data④">attested credential data</a> (if present). See <a href="#sctn-attested-credential-data">§ 6.5.1 Attested Credential Data</a> for details. Its length depends on
                the <a data-link-type="dfn" href="#credentialidlength" id="ref-for-credentialidlength">length</a> of the <a data-link-type="dfn" href="#credentialid" id="ref-for-credentialid①">credential ID</a> and <a data-link-type="dfn" href="#credentialpublickey" id="ref-for-credentialpublickey①">credential public
                key</a> being attested. 
      <tr>
       <td><dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="authDataExtensions" data-noexport id="authdataextensions">extensions</dfn>
       <td>variable (if present)
       <td> Extension-defined <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①⑧">authenticator data</a>. This is a <a data-link-type="dfn" href="#cbor" id="ref-for-cbor⑦">CBOR</a> <a data-link-type="biblio" href="#biblio-rfc8949">[RFC8949]</a> map with <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier③">extension identifiers</a> as keys,
                and <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output②">authenticator extension outputs</a> as values. See <a href="#sctn-extensions">§ 9 WebAuthn Extensions</a> for details. 
    </table>
    <figcaption> <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①⑨">Authenticator data</a> layout. The names in the Name column are only for reference within this document, and are not
        present in the actual representation of the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②⓪">authenticator data</a>. </figcaption>
   </figure>
   <p>The <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⑤">RP ID</a> is originally received from the <a data-link-type="dfn" href="#client" id="ref-for-client④③">client</a> when the credential is created, and again when an <a data-link-type="dfn" href="#assertion" id="ref-for-assertion①">assertion</a> is generated.
However, it differs from other <a data-link-type="dfn" href="#client-data" id="ref-for-client-data⑦">client data</a> in some important ways. First, unlike the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data⑧">client data</a>, the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⑥">RP ID</a> of a
credential does not change between operations but instead remains the same for the lifetime of that credential. Secondly, it is
validated by the authenticator during the <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion⑧">authenticatorGetAssertion</a> operation, by verifying that the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⑦">RP ID</a> that
the requested <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④③">credential</a> is <a data-link-type="dfn" href="#scope" id="ref-for-scope①③">scoped</a> to exactly matches the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⑧">RP ID</a> supplied by the <a data-link-type="dfn" href="#client" id="ref-for-client④④">client</a>.</p>
   <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⓪⑥">Authenticators</a> <dfn class="dfn-paneled" data-dfn-for="authenticator data" data-dfn-type="dfn" data-noexport id="authenticator-data-perform-the-following-steps-to-generate-an-authenticator-data-structure">perform the following steps to generate an <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②①">authenticator data</a> structure</dfn>:</p>
   <ul>
    <li data-md>
     <p>Hash <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⑨">RP ID</a> using SHA-256 to generate the <a data-link-type="dfn" href="#rpidhash" id="ref-for-rpidhash">rpIdHash</a>.</p>
    <li data-md>
     <p>The <code>UP</code> <a data-link-type="dfn" href="#flags" id="ref-for-flags②">flag</a> SHALL be set if and only if the authenticator performed a <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence⑥">test of user presence</a>.
The <code>UV</code> <a data-link-type="dfn" href="#flags" id="ref-for-flags③">flag</a> SHALL be set if and only if the authenticator performed <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②⑤">user verification</a>.
The <code>RFU</code> bits SHALL be set to zero.</p>
     <p class="note" role="note"><span>Note:</span> If the authenticator performed both a <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence⑦">test of user presence</a> and <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②⑥">user verification</a>,
possibly combined in a single <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture①⑥">authorization gesture</a>,
then the authenticator will set both the <code>UP</code> <a data-link-type="dfn" href="#flags" id="ref-for-flags④">flag</a> and the <code>UV</code> <a data-link-type="dfn" href="#flags" id="ref-for-flags⑤">flag</a>.</p>
    <li data-md>
     <p>For <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature⑤">attestation signatures</a>, the authenticator MUST set the AT <a data-link-type="dfn" href="#flags" id="ref-for-flags⑥">flag</a> and include the <code><a data-link-type="dfn" href="#attestedcredentialdata" id="ref-for-attestedcredentialdata②">attestedCredentialData</a></code>.
For <a data-link-type="dfn" href="#assertion-signature" id="ref-for-assertion-signature⑤">assertion signatures</a>, the AT <a data-link-type="dfn" href="#flags" id="ref-for-flags⑦">flag</a> MUST NOT be set and the <code><a data-link-type="dfn" href="#attestedcredentialdata" id="ref-for-attestedcredentialdata③">attestedCredentialData</a></code> MUST NOT be included.</p>
    <li data-md>
     <p>If the authenticator does not include any <a data-link-type="dfn" href="#authdataextensions" id="ref-for-authdataextensions①">extension data</a>, it MUST set the <code>ED</code> <a data-link-type="dfn" href="#flags" id="ref-for-flags⑧">flag</a> to zero, and to one if <a data-link-type="dfn" href="#authdataextensions" id="ref-for-authdataextensions②">extension data</a> is included.</p>
   </ul>
   <p><a href="#fig-authData">Figure <span class="figure-num-following"></span></a> shows a visual representation of the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②②">authenticator data</a> structure.</p>
   <figure id="fig-authData">
     <img src="images/fido-signature-formats-figure1.svg" alt="Visual representation of the authenticator data structure">
    <figcaption><a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②③">Authenticator data</a> layout.</figcaption>
   </figure>
   <div class="note" role="note">
     Note: <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②④">authenticator data</a> describes its own length: If the AT and ED <a data-link-type="dfn" href="#flags" id="ref-for-flags⑨">flags</a> are not set, it is always 37 bytes long.
    The <a data-link-type="dfn" href="#attested-credential-data" id="ref-for-attested-credential-data⑤">attested credential data</a> (which is only present if the AT <a data-link-type="dfn" href="#flags" id="ref-for-flags①⓪">flag</a> is set) describes its own length. If the ED <a data-link-type="dfn" href="#flags" id="ref-for-flags①①">flag</a> is set, then the total length is 37 bytes plus the length of the <a data-link-type="dfn" href="#attested-credential-data" id="ref-for-attested-credential-data⑥">attested credential data</a> (if the AT <a data-link-type="dfn" href="#flags" id="ref-for-flags①②">flag</a> is set), plus the length of the <a data-link-type="dfn" href="#authdataextensions" id="ref-for-authdataextensions③">extensions</a> output (a <a data-link-type="dfn" href="#cbor" id="ref-for-cbor⑧">CBOR</a> map) that
    follows. 
    <p>Determining <a data-link-type="dfn" href="#attested-credential-data" id="ref-for-attested-credential-data⑦">attested credential data</a>'s length, which is variable, involves determining <code><a data-link-type="dfn" href="#credentialpublickey" id="ref-for-credentialpublickey②">credentialPublicKey</a></code>’s beginning location given the preceding <code><a data-link-type="dfn" href="#credentialid" id="ref-for-credentialid②">credentialId</a></code>’s <a data-link-type="dfn" href="#credentialidlength" id="ref-for-credentialidlength①">length</a>, and then determining the <code><a data-link-type="dfn" href="#credentialpublickey" id="ref-for-credentialpublickey③">credentialPublicKey</a></code>’s length (see also <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8152#section-7" id="ref-for-section-7①">Section 7</a> of <a data-link-type="biblio" href="#biblio-rfc8152">[RFC8152]</a>).</p>
   </div>
   <h4 class="heading settled" data-level="6.1.1" id="sctn-sign-counter"><span class="secno">6.1.1. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="signature-counter">Signature Counter</dfn> Considerations</span><a class="self-link" href="#sctn-sign-counter"></a></h4>
   <p>Authenticators SHOULD implement a <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①">signature counter</a> feature. These counters are conceptually stored for each credential
by the authenticator, or globally for the authenticator as a whole. The initial value of a credential’s <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter②">signature counter</a> is specified in the <code><a data-link-type="dfn" href="#signcount" id="ref-for-signcount">signCount</a></code> value of the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②⑤">authenticator data</a> returned by <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential①⓪">authenticatorMakeCredential</a>. The <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter③">signature counter</a> is incremented for each successful <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion⑨">authenticatorGetAssertion</a> operation by some positive value, and subsequent values are returned to the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party②④">WebAuthn Relying Party</a> within the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②⑥">authenticator data</a> again. The <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter④">signature counter</a>'s purpose is to aid <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤③">Relying Parties</a> in detecting cloned authenticators. Clone
detection is more important for authenticators with limited protection measures.</p>
   <p>A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤④">Relying Party</a> stores the <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter⑤">signature counter</a> of the most recent <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①⓪">authenticatorGetAssertion</a> operation. (Or the counter from the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential①①">authenticatorMakeCredential</a> operation if no <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①①">authenticatorGetAssertion</a> has ever been performed on a credential.) In subsequent <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①②">authenticatorGetAssertion</a> operations, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⑤">Relying Party</a> compares the stored <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter⑥">signature counter</a> value with the new <code><a data-link-type="dfn" href="#signcount" id="ref-for-signcount①">signCount</a></code> value returned in the assertion’s <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②⑦">authenticator data</a>.  If either is non-zero, and the new <code><a data-link-type="dfn" href="#signcount" id="ref-for-signcount②">signCount</a></code> value is less than or equal to the stored value, a cloned authenticator may exist, or the authenticator may be malfunctioning.</p>
   <p>Detecting a <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter⑦">signature counter</a> mismatch does not indicate whether the current operation was performed by a cloned authenticator or the original authenticator. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⑥">Relying Parties</a> should address this situation as appropriate for their individual circumstances, i.e., their risk tolerance.</p>
   <p>Authenticators:</p>
   <ul>
    <li data-md>
     <p>SHOULD implement per credential <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter⑧">signature counters</a>.  This prevents the <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter⑨">signature counter</a> value from being shared between <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⑦">Relying Parties</a> and being possibly employed
as a correlation handle for the user. Authenticators may implement a global <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①⓪">signature counter</a>,
i.e., on a per-authenticator basis, but this is less privacy-friendly for users.</p>
    <li data-md>
     <p>SHOULD ensure that the <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①①">signature counter</a> value does not
accidentally decrease (e.g., due to hardware failures).</p>
   </ul>
   <h4 class="heading settled" data-level="6.1.2" id="sctn-fido-u2f-sig-format-compat"><span class="secno">6.1.2. </span><span class="content">FIDO U2F Signature Format Compatibility</span><a class="self-link" href="#sctn-fido-u2f-sig-format-compat"></a></h4>
   <p>The format for <a data-link-type="dfn" href="#assertion-signature" id="ref-for-assertion-signature⑥">assertion signatures</a>, which sign over the concatenation of an <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②⑧">authenticator data</a> structure and the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data⑥">hash
of the serialized client data</a>, are compatible with the FIDO U2F authentication signature format (see <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#authentication-response-message-success" id="ref-for-authentication-response-message-success">Section 5.4</a> of <a data-link-type="biblio" href="#biblio-fido-u2f-message-formats">[FIDO-U2F-Message-Formats]</a>).</p>
   <p>This is because the first 37 bytes of the signed data in a FIDO U2F authentication response message constitute a valid <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②⑨">authenticator data</a> structure, and the remaining 32 bytes are the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data⑦">hash of the serialized client data</a>. In this <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③⓪">authenticator data</a> structure, the <code><a data-link-type="dfn" href="#rpidhash" id="ref-for-rpidhash①">rpIdHash</a></code> is the FIDO U2F <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#authentication-request-message---u2f_authenticate" id="ref-for-authentication-request-message---u2f_authenticate">application parameter</a>, all <code><a data-link-type="dfn" href="#flags" id="ref-for-flags①③">flags</a></code> except <code><a data-link-type="dfn" href="#up" id="ref-for-up①">UP</a></code> are always zero, and the <code><a data-link-type="dfn" href="#attestedcredentialdata" id="ref-for-attestedcredentialdata④">attestedCredentialData</a></code> and <code><a data-link-type="dfn" href="#authdataextensions" id="ref-for-authdataextensions④">extensions</a></code> are never present. FIDO U2F authentication signatures can therefore be verified by
the same procedure as other <a data-link-type="dfn" href="#assertion-signature" id="ref-for-assertion-signature⑦">assertion signatures</a> generated by the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential①②">authenticatorMakeCredential</a> operation.</p>
   <h3 class="heading settled" data-level="6.2" id="sctn-authenticator-taxonomy"><span class="secno">6.2. </span><span class="content">Authenticator Taxonomy</span><a class="self-link" href="#sctn-authenticator-taxonomy"></a></h3>
   <p>Many use cases are dependent on the capabilities of the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⓪⑦">authenticator</a> used.
This section defines some terminology for those capabilities, their most important combinations,
and which use cases those combinations enable.</p>
   <p>For example:</p>
   <ul>
    <li data-md>
     <p>When authenticating for the first time on a particular <a data-link-type="dfn" href="#client-device" id="ref-for-client-device②②">client device</a>, a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators⑥">roaming authenticator</a> is typically needed
since the user doesn’t yet have a <a data-link-type="dfn" href="#platform-credential" id="ref-for-platform-credential①">platform credential</a> on that <a data-link-type="dfn" href="#client-device" id="ref-for-client-device②③">client device</a>.</p>
    <li data-md>
     <p>For subsequent re-authentication on the same <a data-link-type="dfn" href="#client-device" id="ref-for-client-device②④">client device</a>, a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①②">platform authenticator</a> is likely the most convenient
since it’s built directly into the <a data-link-type="dfn" href="#client-device" id="ref-for-client-device②⑤">client device</a> rather than being a separate device that the user may have to locate.</p>
    <li data-md>
     <p>For <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af①">second-factor</a> authentication in addition to a traditional username and password, any <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⓪⑧">authenticator</a> can be used.</p>
    <li data-md>
     <p>Passwordless <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②">multi-factor</a> authentication requires an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⓪⑨">authenticator</a> capable of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②⑦">user verification</a>, and in some cases also <a data-link-type="dfn" href="#discoverable-credential-capable" id="ref-for-discoverable-credential-capable①">discoverable credential capable</a>.</p>
    <li data-md>
     <p>A laptop computer might support connecting to <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators⑦">roaming authenticators</a> via USB and Bluetooth,
while a mobile phone might only support NFC.</p>
   </ul>
   <p>The above examples illustrate the primary <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-type">authenticator type</dfn> characteristics:</p>
   <ul>
    <li data-md>
     <p>Whether the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①①⓪">authenticator</a> is a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators⑧">roaming</a> or <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①③">platform</a> authenticator
— the <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality⑤">authenticator attachment modality</a>.
A <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators⑨">roaming authenticator</a> can support one or more <a href="#enum-transport">transports</a> for communicating with the <a data-link-type="dfn" href="#client" id="ref-for-client④⑤">client</a>.</p>
    <li data-md>
     <p>Whether the authenticator is capable of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②⑧">user verification</a> — the <a data-link-type="dfn" href="#authentication-factor-capability" id="ref-for-authentication-factor-capability">authentication factor capability</a>.</p>
    <li data-md>
     <p>Whether the authenticator is <a data-link-type="dfn" href="#discoverable-credential-capable" id="ref-for-discoverable-credential-capable②">discoverable credential capable</a> — the <a data-link-type="dfn" href="#credential-storage-modality" id="ref-for-credential-storage-modality">credential storage modality</a>.</p>
   </ul>
   <p>These characteristics are independent and may in theory be combined in any way,
but <a href="#table-authenticatorTypes">Table <span class="table-ref-following"></span></a> lists and names some <a data-link-type="dfn" href="#authenticator-type" id="ref-for-authenticator-type①">authenticator types</a> of particular interest.</p>
   <figure class="table" id="table-authenticatorTypes">
    <table class="data">
     <thead>
      <tr>
       <th> <a data-link-type="dfn" href="#authenticator-type" id="ref-for-authenticator-type②">Authenticator Type</a> 
       <th> <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality⑥">Authenticator Attachment Modality</a> 
       <th> <a data-link-type="dfn" href="#credential-storage-modality" id="ref-for-credential-storage-modality①">Credential Storage Modality</a> 
       <th> <a data-link-type="dfn" href="#authentication-factor-capability" id="ref-for-authentication-factor-capability①">Authentication Factor Capability</a> 
     <tbody>
      <tr>
       <th> <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="second-factor-platform-authenticator">Second-factor platform authenticator</dfn> 
       <td> <a data-link-type="dfn" href="#platform-attachment" id="ref-for-platform-attachment①">platform</a> 
       <td> Either 
       <td> <a data-link-type="dfn" href="#single-factor-capable" id="ref-for-single-factor-capable">Single-factor capable</a> 
      <tr>
       <th> <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="user-verifying-platform-authenticator">User-verifying platform authenticator</dfn> 
       <td> <a data-link-type="dfn" href="#platform-attachment" id="ref-for-platform-attachment②">platform</a> 
       <td> Either 
       <td> <a data-link-type="dfn" href="#multi-factor-capable" id="ref-for-multi-factor-capable">Multi-factor capable</a> 
      <tr>
       <th> <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="second-factor-roaming-authenticator">Second-factor roaming authenticator</dfn> 
       <td> <a data-link-type="dfn" href="#cross-platform-attachment" id="ref-for-cross-platform-attachment①">cross-platform</a> 
       <td> <a data-link-type="dfn" href="#server-side-credential-storage-modality" id="ref-for-server-side-credential-storage-modality①">Server-side storage</a> 
       <td> <a data-link-type="dfn" href="#single-factor-capable" id="ref-for-single-factor-capable①">Single-factor capable</a> 
      <tr>
       <th> <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="first-factor-roaming-authenticator">First-factor roaming authenticator</dfn> 
       <td> <a data-link-type="dfn" href="#cross-platform-attachment" id="ref-for-cross-platform-attachment②">cross-platform</a> 
       <td> <a data-link-type="dfn" href="#client-side-credential-storage-modality" id="ref-for-client-side-credential-storage-modality③">Client-side storage</a> 
       <td> <a data-link-type="dfn" href="#multi-factor-capable" id="ref-for-multi-factor-capable①">Multi-factor capable</a> 
    </table>
    <figcaption> Definitions of names for some <a data-link-type="dfn" href="#authenticator-type" id="ref-for-authenticator-type③">authenticator types</a>. </figcaption>
   </figure>
   <p>A <a data-link-type="dfn" href="#second-factor-platform-authenticator" id="ref-for-second-factor-platform-authenticator">second-factor platform authenticator</a> is convenient to use for re-authentication on the same <a data-link-type="dfn" href="#client-device" id="ref-for-client-device②⑥">client device</a>,
and can be used to add an extra layer of security both when initiating a new session and when resuming an existing session.
A <a data-link-type="dfn" href="#second-factor-roaming-authenticator" id="ref-for-second-factor-roaming-authenticator">second-factor roaming authenticator</a> is more likely to be used
to authenticate on a particular <a data-link-type="dfn" href="#client-device" id="ref-for-client-device②⑦">client device</a> for the first time,
or on a <a data-link-type="dfn" href="#client-device" id="ref-for-client-device②⑧">client device</a> shared between multiple users.</p>
   <p><a data-link-type="dfn" href="#user-verifying-platform-authenticator" id="ref-for-user-verifying-platform-authenticator⑤">User-verifying platform authenticators</a> and <a data-link-type="dfn" href="#first-factor-roaming-authenticator" id="ref-for-first-factor-roaming-authenticator①">first-factor roaming authenticators</a> enable passwordless <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af③">multi-factor</a> authentication.
In addition to the proof of possession of the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①⓪">credential private key</a>,
these authenticators support <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②⑨">user verification</a> as a second <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af④">authentication factor</a>,
typically a PIN or <a data-link-type="dfn" href="#biometric-recognition" id="ref-for-biometric-recognition③">biometric recognition</a>.
The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①①①">authenticator</a> can thus act as two kinds of <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af⑤">authentication factor</a>,
which enables <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af⑥">multi-factor</a> authentication while eliminating the need to share a password with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⑧">Relying Party</a>.</p>
   <p>The four combinations not named in <a href="#table-authenticatorTypes">Table <span class="table-ref-previous"></span></a> have less distinguished use cases:</p>
   <ul>
    <li data-md>
     <p>The <a data-link-type="dfn" href="#credential-storage-modality" id="ref-for-credential-storage-modality②">credential storage modality</a> is less relevant for a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①④">platform authenticator</a> than for a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①⓪">roaming authenticator</a>,
since a user of a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①⑤">platform authenticator</a> can typically be identified by a session cookie or the like
(i.e., ambient credentials).</p>
    <li data-md>
     <p>A <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①①">roaming authenticator</a> that is <a data-link-type="dfn" href="#discoverable-credential-capable" id="ref-for-discoverable-credential-capable③">discoverable credential capable</a> but not <a data-link-type="dfn" href="#multi-factor-capable" id="ref-for-multi-factor-capable②">multi-factor capable</a> can be used for <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#sf" id="ref-for-sf">single-factor</a> authentication without a username,
where the user is automatically identified by the <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle①③">user handle</a> and possession of the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①①">credential private key</a> is used as the only <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af⑦">authentication factor</a>.
 This can be useful in some situations, but makes the user particularly vulnerable to theft of the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①①②">authenticator</a>: since possession is the only factor, whoever holds the authenticator can authenticate as the user.</p>
    <li data-md>
     <p>A <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①②">roaming authenticator</a> that is <a data-link-type="dfn" href="#multi-factor-capable" id="ref-for-multi-factor-capable③">multi-factor capable</a> but not <a data-link-type="dfn" href="#discoverable-credential-capable" id="ref-for-discoverable-credential-capable④">discoverable credential capable</a> can be used for <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af⑧">multi-factor</a> authentication, but requires the user to be identified first
which risks leaking personally identifying information; see <a href="#sctn-credential-id-privacy-leak">§ 14.6.3 Privacy leak via credential IDs</a>.</p>
   </ul>
   <p>The following subsections define the aspects <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality⑦">authenticator attachment modality</a>, <a data-link-type="dfn" href="#credential-storage-modality" id="ref-for-credential-storage-modality③">credential storage modality</a> and <a data-link-type="dfn" href="#authentication-factor-capability" id="ref-for-authentication-factor-capability②">authentication factor capability</a> in more depth.</p>
   <h4 class="heading settled" data-level="6.2.1" id="sctn-authenticator-attachment-modality"><span class="secno">6.2.1. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-attachment-modality">Authenticator Attachment Modality</dfn></span><a class="self-link" href="#sctn-authenticator-attachment-modality"></a></h4>
   <p><a data-link-type="dfn" href="#client" id="ref-for-client④⑥">Clients</a> can communicate with <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①①③">authenticators</a> using a variety of mechanisms. For example, a <a data-link-type="dfn" href="#client" id="ref-for-client④⑦">client</a> MAY use a <a data-link-type="dfn" href="#client-device" id="ref-for-client-device②⑨">client device</a>-specific API to communicate with an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①①④">authenticator</a> which is physically bound to a <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③⓪">client device</a>. On the other hand, a <a data-link-type="dfn" href="#client" id="ref-for-client④⑧">client</a> can use a variety of standardized cross-platform transport protocols such as Bluetooth (see <a href="#enum-transport">§ 5.8.4 Authenticator Transport Enumeration (enum AuthenticatorTransport)</a>) to discover
and communicate with <a data-link-type="dfn" href="#cross-platform-attachment" id="ref-for-cross-platform-attachment③">cross-platform attached</a> <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①①⑤">authenticators</a>. We refer to <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①①⑥">authenticators</a> that
are part of the <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③①">client device</a> as <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="platform-authenticators">platform authenticators</dfn>, while those that are reachable via cross-platform
transport protocols are referred to as <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="roaming-authenticators">roaming authenticators</dfn>.</p>
   <ul>
    <li data-md>
     <p>A <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①⑥">platform authenticator</a> is attached using a <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③②">client device</a>-specific transport, called <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="platform-attachment">platform attachment</dfn>, and is usually not removable from the <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③③">client
device</a>. A <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④④">public key credential</a> <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential⑧">bound</a> to a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①⑦">platform authenticator</a> is called a <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="platform-credential">platform credential</dfn>.</p>
    <li data-md>
     <p>A <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①③">roaming authenticator</a> is attached using cross-platform transports, called <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="cross-platform-attachment">cross-platform attachment</dfn>. Authenticators of this class are removable from, and
can "roam" between, <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③④">client devices</a>. A <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④⑤">public key credential</a> <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential⑨">bound</a> to a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①④">roaming authenticator</a> is called a <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="roaming credential" data-noexport id="roaming-credential">roaming
credential</dfn>.</p>
   </ul>
   <p>Some <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①⑧">platform authenticators</a> could possibly also act as <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①⑤">roaming authenticators</a> depending on context. For example, a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①⑨">platform authenticator</a> integrated into a mobile device could make itself available as a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①⑥">roaming authenticator</a> via
Bluetooth.
 In this case <a data-link-type="dfn" href="#client" id="ref-for-client④⑨">clients</a> running on the mobile device would recognize the authenticator as a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②⓪">platform authenticator</a>,
while <a data-link-type="dfn" href="#client" id="ref-for-client⑤⓪">clients</a> running on a different <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③⑤">client device</a> and communicating with the same authenticator via Bluetooth
would recognize it as a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①⑦">roaming authenticator</a>.</p>
   <p>The primary use case for <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②①">platform authenticators</a> is to register a particular <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③⑥">client device</a> as a "trusted device",
so the <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③⑦">client device</a> itself acts as a <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af⑨">something you have</a> <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af①⓪">authentication factor</a> for future <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①⓪">authentication</a>.
This gives the user the convenience benefit
of not needing a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①⑧">roaming authenticator</a> for future <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony⑤">authentication ceremonies</a>, e.g., the user will not have to dig around in
their pocket for their key fob or phone.</p>
   <p>Use cases for <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①⑨">roaming authenticators</a> include: <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①①">authenticating</a> on a new <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③⑧">client device</a> for the first time,
on rarely used <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③⑨">client devices</a>, <a data-link-type="dfn" href="#client-device" id="ref-for-client-device④⓪">client devices</a> shared between multiple users,
or <a data-link-type="dfn" href="#client-device" id="ref-for-client-device④①">client devices</a> that do not include a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②②">platform authenticator</a>;
and when policy or preference dictates that the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①①⑦">authenticator</a> be kept separate from the <a data-link-type="dfn" href="#client-device" id="ref-for-client-device④②">client devices</a> it is used with.
A <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators②⓪">roaming authenticator</a> can also be used to hold
backup <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④⑥">credentials</a> in case another <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①①⑧">authenticator</a> is lost.</p>
   <h4 class="heading settled" data-level="6.2.2" id="sctn-credential-storage-modality"><span class="secno">6.2.2. </span><span class="content">Credential Storage Modality</span><a class="self-link" href="#sctn-credential-storage-modality"></a></h4>
   <p>An <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①①⑨">authenticator</a> can store a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source②③">public key credential source</a> in one of two ways:</p>
   <ol>
    <li data-md>
     <p>In persistent storage embedded in the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②⓪">authenticator</a>, <a data-link-type="dfn" href="#client" id="ref-for-client⑤①">client</a> or <a data-link-type="dfn" href="#client-device" id="ref-for-client-device④③">client device</a>, e.g., in a secure element.
This is a technical requirement for a <a data-link-type="dfn" href="#client-side-discoverable-public-key-credential-source" id="ref-for-client-side-discoverable-public-key-credential-source③">client-side discoverable public key credential source</a>.</p>
    <li data-md>
     <p>By encrypting (i.e., wrapping) the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①②">credential private key</a> such that only this <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②①">authenticator</a> can decrypt (i.e., unwrap) it and letting the resulting
ciphertext be the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id②⓪">credential ID</a> for the <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source②④">public key credential source</a>. The <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id②①">credential ID</a> is stored by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⑨">Relying Party</a> and returned to the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②②">authenticator</a> via the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials①①">allowCredentials</a></code> option of <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②③">get()</a></code>, which allows the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②③">authenticator</a> to decrypt and use the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①③">credential private key</a>.</p>
      <p>This enables the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②④">authenticator</a> to have unlimited storage capacity for <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①④">credential private keys</a>, since the encrypted <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①⑤">credential private keys</a> are stored by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⓪">Relying Party</a> instead of by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②⑤">authenticator</a> - but it means that a <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential⑦">credential</a> stored in this way must be retrieved from the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥①">Relying Party</a> before the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②⑥">authenticator</a> can use it. Since only the authenticator can unwrap the ciphertext, the <a data-link-type="dfn" href="#relying-party">Relying Party</a> holds the <a data-link-type="dfn" href="#credential-id">credential ID</a> without being able to recover the <a data-link-type="dfn" href="#credential-private-key">credential private key</a> from it.</p>
   </ol>
   <p>Which of these storage strategies an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②⑦">authenticator</a> supports defines the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②⑧">authenticator</a>'s <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="credential storage modality" data-noexport id="credential-storage-modality">credential storage
modality</dfn> as follows:</p>
   <ul>
    <li data-md>
     <p>An <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②⑨">authenticator</a> has the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client-side-credential-storage-modality">client-side credential storage modality</dfn> if it supports <a data-link-type="dfn" href="#client-side-discoverable-public-key-credential-source" id="ref-for-client-side-discoverable-public-key-credential-source④">client-side discoverable public key
credential sources</a>. An <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⓪">authenticator</a> with <a data-link-type="dfn" href="#client-side-credential-storage-modality" id="ref-for-client-side-credential-storage-modality④">client-side credential storage modality</a> is also called <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="discoverable credential capable" data-noexport id="discoverable-credential-capable">discoverable
credential capable</dfn>.</p>
    <li data-md>
     <p>An <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③①">authenticator</a> has the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="server-side-credential-storage-modality">server-side credential storage modality</dfn> if it does not have the <a data-link-type="dfn" href="#client-side-credential-storage-modality" id="ref-for-client-side-credential-storage-modality⑤">client-side credential storage
modality</a>, i.e., it only supports storing <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①⑥">credential private keys</a> as a ciphertext in the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id②②">credential ID</a>.</p>
   </ul>
   <p>Note that a <a data-link-type="dfn" href="#discoverable-credential-capable" id="ref-for-discoverable-credential-capable⑤">discoverable credential capable</a> <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③②">authenticator</a> MAY support both storage strategies. In this case, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③③">authenticator</a> MAY
at its discretion use different storage strategies for different <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④⑦">credentials</a>, though subject to the <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-residentkey" id="ref-for-dom-authenticatorselectioncriteria-residentkey⑦">residentKey</a></code> or <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-requireresidentkey" id="ref-for-dom-authenticatorselectioncriteria-requireresidentkey④">requireResidentKey</a></code> options of <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create①⑤">create()</a></code>.</p>
   <h4 class="heading settled" data-level="6.2.3" id="sctn-authentication-factor-capability"><span class="secno">6.2.3. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authentication-factor-capability">Authentication Factor Capability</dfn></span><a class="self-link" href="#sctn-authentication-factor-capability"></a></h4>
   <p>There are three broad classes of <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af①①">authentication factors</a> that can be used to prove an identity during an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony⑥">authentication
ceremony</a>: <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af①②">something you have</a>, <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af①③">something you know</a> and <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af①④">something you are</a>. Examples include a physical key, a password,
and a fingerprint, respectively.</p>
   <p>All <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator⑤">WebAuthn Authenticators</a> belong to the <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af①⑤">something you have</a> class, but an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③④">authenticator</a> that supports <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③⓪">user
verification</a> can also act as one or two additional kinds of <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af①⑥">authentication factor</a>. For example, if the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⑤">authenticator</a> can
verify a PIN, the PIN is <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af①⑦">something you know</a>, and a <a data-link-type="dfn" href="#biometric-authenticator" id="ref-for-biometric-authenticator">biometric authenticator</a> can verify <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af①⑧">something you are</a>. Therefore, an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⑥">authenticator</a> that supports <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③①">user verification</a> is <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="multi-factor-capable">multi-factor capable</dfn>. Conversely, an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⑦">authenticator</a> that is
not <a data-link-type="dfn" href="#multi-factor-capable" id="ref-for-multi-factor-capable④">multi-factor capable</a> is <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="single-factor-capable">single-factor capable</dfn>. Note that a single <a data-link-type="dfn" href="#multi-factor-capable" id="ref-for-multi-factor-capable⑤">multi-factor capable</a> <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⑧">authenticator</a> could support several modes of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③②">user verification</a>, meaning it could act as all three kinds of <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af①⑨">authentication factor</a>.</p>
   <p>Although <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③③">user verification</a> is performed locally on the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⑨">authenticator</a> and not by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥②">Relying Party</a>, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④⓪">authenticator</a> indicates if <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③④">user verification</a> was performed by setting the <a data-link-type="dfn" href="#uv" id="ref-for-uv③">UV</a> <a data-link-type="dfn" href="#flags" id="ref-for-flags①④">flag</a> in the signed response returned to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥③">Relying Party</a>.
 The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥④">Relying Party</a> can therefore use the <a data-link-type="dfn" href="#uv" id="ref-for-uv④">UV</a> flag to verify that additional <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②⓪">authentication factors</a> were used in a <a data-link-type="dfn" href="#registration" id="ref-for-registration①③">registration</a> or <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony⑦">authentication ceremony</a>. Because the <a data-link-type="dfn" href="#uv" id="ref-for-uv⑤">UV</a> <a data-link-type="dfn" href="#flags" id="ref-for-flags①⑤">flag</a> is asserted by the authenticator itself, the Relying Party's confidence in it is only as strong as its trust in that <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④①">authenticator</a>; that trust can in turn be assessed by inspecting the authenticator's <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⑤">attestation statement</a>.</p>
   <h3 class="heading settled" data-level="6.3" id="sctn-authenticator-ops"><span class="secno">6.3. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-operations">Authenticator Operations</dfn></span><a class="self-link" href="#sctn-authenticator-ops"></a></h3>
   <p>A <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client⑥">WebAuthn Client</a> MUST connect to an authenticator in order to invoke any of the operations of that authenticator. This connection
 defines an <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-session">authenticator session</dfn>. An authenticator must maintain isolation between sessions, so that operations in one session cannot observe or interfere with those in another. It may do this by only allowing one
session to exist at any particular time, or by providing more complicated session management.</p>
   <p>The following operations can be invoked by the client in an authenticator session.</p>
   <h4 class="heading settled" data-level="6.3.1" id="sctn-op-lookup-credsource-by-credid"><span class="secno">6.3.1. </span><span class="content">Lookup Credential Source by Credential ID Algorithm</span><a class="self-link" href="#sctn-op-lookup-credsource-by-credid"></a></h4>
   <p>The result of <dfn class="dfn-paneled" data-dfn-for="credential id" data-dfn-type="dfn" data-noexport id="credential-id-looking-up">looking up</dfn> a <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id②③">credential id</a> <var>credentialId</var> in an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④②">authenticator</a> <var>authenticator</var> is the result of the following algorithm:</p>
   <ol>
    <li data-md>
     <p>If <var>authenticator</var> can decrypt <var>credentialId</var> into a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source②⑤">public key credential source</a> <var>credSource</var>:</p>
     <ol>
      <li data-md>
       <p>Set <var>credSource</var>.<a data-link-type="dfn" href="#public-key-credential-source-id" id="ref-for-public-key-credential-source-id">id</a> to <var>credentialId</var>.</p>
      <li data-md>
       <p>Return <var>credSource</var>.</p>
     </ol>
    <li data-md>
     <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-iterate" id="ref-for-map-iterate②">For each</a> <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source②⑥">public key credential source</a> <var>credSource</var> of <var>authenticator</var>’s <a data-link-type="dfn" href="#authenticator-credentials-map" id="ref-for-authenticator-credentials-map②">credentials map</a>:</p>
     <ol>
      <li data-md>
       <p>If <var>credSource</var>.<a data-link-type="dfn" href="#public-key-credential-source-id" id="ref-for-public-key-credential-source-id①">id</a> is <var>credentialId</var>, return <var>credSource</var>.</p>
     </ol>
    <li data-md>
     <p>Return <code>null</code>.</p>
   </ol>
   <h4 class="heading settled" data-level="6.3.2" id="sctn-op-make-cred"><span class="secno">6.3.2. </span><span class="content">The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticatormakecredential">authenticatorMakeCredential</dfn> Operation</span><a class="self-link" href="#sctn-op-make-cred"></a></h4>
   <p>It takes the following input parameters:</p>
   <dl>
    <dt data-md><var>hash</var>
    <dd data-md>
     <p>The <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data⑧">hash of the serialized client data</a>, provided by the client.</p>
    <dt data-md><var>rpEntity</var>
    <dd data-md>
     <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⑤">Relying Party</a>'s <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrpentity" id="ref-for-dictdef-publickeycredentialrpentity⑤">PublicKeyCredentialRpEntity</a></code>.</p>
    <dt data-md><var>userEntity</var>
    <dd data-md>
     <p>The user account’s <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity⑤">PublicKeyCredentialUserEntity</a></code>, containing the <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle①④">user handle</a> given by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⑥">Relying Party</a>.</p>
    <dt data-md><var>requireResidentKey</var>
    <dd data-md>
     <p>The <a data-link-type="dfn" href="#effective-resident-key-requirement-for-credential-creation" id="ref-for-effective-resident-key-requirement-for-credential-creation">effective resident key requirement for credential creation</a>, a Boolean value determined by the <a data-link-type="dfn" href="#client" id="ref-for-client⑤②">client</a>.</p>
    <dt data-md><var>requireUserPresence</var>
    <dd data-md>
     <p>The constant Boolean value <code>true</code>.
It is included here as a pseudo-parameter to simplify applying this abstract authenticator model to implementations that may
wish to make a <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence⑧">test of user presence</a> optional although WebAuthn does not.</p>
    <dt data-md><var>requireUserVerification</var>
    <dd data-md>
     <p>The <a data-link-type="dfn" href="#effective-user-verification-requirement-for-credential-creation" id="ref-for-effective-user-verification-requirement-for-credential-creation">effective user verification requirement for credential creation</a>, a Boolean value determined by the <a data-link-type="dfn" href="#client" id="ref-for-client⑤③">client</a>.</p>
    <dt data-md><var>credTypesAndPubKeyAlgs</var>
    <dd data-md>
     <p>A sequence of pairs of <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype⑧">PublicKeyCredentialType</a></code> and public key algorithms (<code class="idl"><a data-link-type="idl" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier①⓪">COSEAlgorithmIdentifier</a></code>) requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⑦">Relying Party</a>. This sequence is ordered from most preferred to least preferred. The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④③">authenticator</a> makes a best-effort to create the most
preferred credential that it can.</p>
    <dt data-md><var>excludeCredentialDescriptorList</var>
    <dd data-md>
     <p>An OPTIONAL list of <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor①①">PublicKeyCredentialDescriptor</a></code> objects provided by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⑧">Relying Party</a> with the intention that, if any of
these are known to the authenticator, it SHOULD NOT create a new credential. <var>excludeCredentialDescriptorList</var> contains a
list of known credentials.</p>
    <dt data-md><var>enterpriseAttestationPossible</var>
    <dd data-md>
     <p>A Boolean value that indicates that individually-identifying attestation MAY be returned by the authenticator.</p>
    <dt data-md><var>extensions</var>
    <dd data-md>
     <p>A <a data-link-type="dfn" href="#cbor" id="ref-for-cbor⑨">CBOR</a> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map" id="ref-for-ordered-map⑦">map</a> from <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier④">extension identifiers</a> to their <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①">authenticator extension inputs</a>, created by the <a data-link-type="dfn" href="#client" id="ref-for-client⑤④">client</a> based on
the extensions requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⑨">Relying Party</a>, if any.</p>
   </dl>
   <p class="note" role="note"><span>Note:</span> Before performing this operation, all other operations in progress in the <a data-link-type="dfn" href="#authenticator-session" id="ref-for-authenticator-session②">authenticator session</a> MUST be aborted by
running the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel①①">authenticatorCancel</a> operation.</p>
   <p>When this operation is invoked, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④④">authenticator</a> MUST perform the following procedure:</p>
   <ol>
    <li data-md>
     <p>Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code
equivalent to "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#unknownerror" id="ref-for-unknownerror">UnknownError</a></code>" and terminate the operation.</p>
    <li data-md>
     <p>Check if at least one of the specified combinations of <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype⑨">PublicKeyCredentialType</a></code> and cryptographic parameters in <var>credTypesAndPubKeyAlgs</var> is supported.
If not, return an error code equivalent to "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notsupportederror" id="ref-for-notsupportederror②">NotSupportedError</a></code>" and terminate the operation.</p>
    <li data-md>
     <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate①⑥">For each</a> <var>descriptor</var> of <var>excludeCredentialDescriptorList</var>:</p>
     <ol>
      <li data-md>
       <p>If <a data-link-type="dfn" href="#credential-id-looking-up" id="ref-for-credential-id-looking-up">looking up</a> <code><var>descriptor</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-id" id="ref-for-dom-publickeycredentialdescriptor-id②">id</a></code></code> in this authenticator
returns non-null, and the returned <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item⑥">item</a>'s <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⓪">RP ID</a> and <a data-link-type="dfn" href="#public-key-credential-source-type" id="ref-for-public-key-credential-source-type">type</a> match <code><var>rpEntity</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrpentity-id" id="ref-for-dom-publickeycredentialrpentity-id⑧">id</a></code></code> and <code><var>descriptor</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-type" id="ref-for-dom-publickeycredentialdescriptor-type③">type</a></code></code> respectively,
then collect an <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture①⑦">authorization gesture</a> confirming <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent①⑥">user
consent</a> for creating a new credential. The <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture①⑧">authorization gesture</a> MUST include a <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence⑨">test
of user presence</a>. If the user</p>
       <dl class="switch">
        <dt data-md>confirms consent to create a new credential
        <dd data-md>
         <p>return an error code equivalent to "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#invalidstateerror" id="ref-for-invalidstateerror③">InvalidStateError</a></code>" and terminate the operation.</p>
        <dt data-md>does not consent to create a new credential
        <dd data-md>
         <p>return an error code equivalent to "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror" id="ref-for-notallowederror⑨">NotAllowedError</a></code>" and terminate the operation.</p>
       </dl>
       <p class="note" role="note"><span>Note:</span> The purpose of this <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture①⑨">authorization gesture</a> is not to proceed with creating a credential,
but for privacy reasons to authorize disclosure of the fact that <code><var>descriptor</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-id" id="ref-for-dom-publickeycredentialdescriptor-id③">id</a></code></code> is <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential①⓪">bound</a> to this <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④⑤">authenticator</a>.
If the user consents, the <a data-link-type="dfn" href="#client" id="ref-for-client⑤⑤">client</a> and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⓪">Relying Party</a> can detect this and guide the user to use a different <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④⑥">authenticator</a>.
If the user does not consent,
the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④⑦">authenticator</a> does not reveal that <code><var>descriptor</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-id" id="ref-for-dom-publickeycredentialdescriptor-id④">id</a></code></code> is <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential①①">bound</a> to it,
and responds as if the user simply declined consent to create a credential.</p>
     </ol>
    <li data-md>
     <p>If <var>requireResidentKey</var> is <code>true</code> and the authenticator cannot store a <a data-link-type="dfn" href="#client-side-discoverable-public-key-credential-source" id="ref-for-client-side-discoverable-public-key-credential-source⑤">client-side discoverable public key credential source</a>,
return an error code equivalent to "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#constrainterror" id="ref-for-constrainterror">ConstraintError</a></code>" and terminate the operation.</p>
    <li data-md>
     <p>If <var>requireUserVerification</var> is <code>true</code> and the authenticator cannot perform <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③⑤">user verification</a>, return an error code
equivalent to "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#constrainterror" id="ref-for-constrainterror①">ConstraintError</a></code>" and terminate the operation.</p>
    <li id="op-makecred-step-user-consent">
     <a class="self-link" href="#op-makecred-step-user-consent"></a> Collect an <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture②⓪">authorization gesture</a> confirming <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent①⑦">user consent</a> for creating a new credential.
    The prompt for the <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture②①">authorization gesture</a> is shown by the
    authenticator if it has its own output capability, or by the user agent otherwise. The prompt SHOULD display <code><var>rpEntity</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrpentity-id" id="ref-for-dom-publickeycredentialrpentity-id⑨">id</a></code></code>, <code><var>rpEntity</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name①⓪">name</a></code></code>, <code><var>userEntity</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name①①">name</a></code></code> and <code><var>userEntity</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname①⓪">displayName</a></code></code>, if possible. 
     <p>If <var>requireUserVerification</var> is <code>true</code>, the <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture②②">authorization gesture</a> MUST include <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③⑥">user verification</a>.</p>
     <p>If <var>requireUserPresence</var> is <code>true</code>, the <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture②③">authorization gesture</a> MUST include a <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence①⓪">test of user presence</a>.</p>
     <p>If the user does not <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent①⑧">consent</a> or if <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③⑦">user verification</a> fails, return an error code equivalent to
    "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror" id="ref-for-notallowederror①⓪">NotAllowedError</a></code>" and terminate the operation.</p>
    <li data-md>
     <p>Once the <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture②④">authorization gesture</a> has been completed and <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent①⑨">user consent</a> has been obtained, generate a new credential object:</p>
     <ol>
      <li data-md>
       <p>Let (<var>publicKey</var>, <var>privateKey</var>) be a new pair of cryptographic keys using the combination of <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype①⓪">PublicKeyCredentialType</a></code> and cryptographic parameters represented by the first <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item⑦">item</a> in <var>credTypesAndPubKeyAlgs</var> that is supported by
this authenticator.</p>
      <li data-md>
       <p>Let <var>userHandle</var> be <code><var>userEntity</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-id" id="ref-for-dom-publickeycredentialuserentity-id⑤">id</a></code></code>.</p>
      <li data-md>
       <p>Let <var>credentialSource</var> be a new <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source②⑦">public key credential source</a> with the fields:</p>
       <dl>
        <dt data-md><a data-link-type="dfn" href="#public-key-credential-source-type" id="ref-for-public-key-credential-source-type①">type</a>
        <dd data-md>
         <p><code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialtype-public-key" id="ref-for-dom-publickeycredentialtype-public-key④">public-key</a></code>.</p>
        <dt data-md><a data-link-type="dfn" href="#public-key-credential-source-privatekey" id="ref-for-public-key-credential-source-privatekey">privateKey</a>
        <dd data-md>
         <p><var>privateKey</var></p>
        <dt data-md><a data-link-type="dfn" href="#public-key-credential-source-rpid" id="ref-for-public-key-credential-source-rpid①">rpId</a>
        <dd data-md>
         <p><code><var>rpEntity</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrpentity-id" id="ref-for-dom-publickeycredentialrpentity-id①⓪">id</a></code></code></p>
        <dt data-md><a data-link-type="dfn" href="#public-key-credential-source-userhandle" id="ref-for-public-key-credential-source-userhandle①">userHandle</a>
        <dd data-md>
         <p><var>userHandle</var></p>
        <dt data-md><a data-link-type="dfn" href="#public-key-credential-source-otherui" id="ref-for-public-key-credential-source-otherui②">otherUI</a>
        <dd data-md>
         <p>Any other information the authenticator chooses to include.</p>
       </dl>
      <li data-md>
       <p>If <var>requireResidentKey</var> is <code>true</code> or the authenticator chooses to create a <a data-link-type="dfn" href="#client-side-discoverable-public-key-credential-source" id="ref-for-client-side-discoverable-public-key-credential-source⑥">client-side discoverable public key credential source</a>:</p>
       <ol>
        <li data-md>
         <p>Let <var>credentialId</var> be a new <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id②④">credential id</a>.</p>
        <li data-md>
         <p>Set <var>credentialSource</var>.<a data-link-type="dfn" href="#public-key-credential-source-id" id="ref-for-public-key-credential-source-id②">id</a> to <var>credentialId</var>.</p>
        <li data-md>
         <p>Let <var>credentials</var> be this authenticator’s <a data-link-type="dfn" href="#authenticator-credentials-map" id="ref-for-authenticator-credentials-map③">credentials map</a>.</p>
        <li data-md>
         <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-set" id="ref-for-map-set④">Set</a> <var>credentials</var>[(<code><var>rpEntity</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrpentity-id" id="ref-for-dom-publickeycredentialrpentity-id①①">id</a></code></code>, <var>userHandle</var>)] to <var>credentialSource</var>.</p>
       </ol>
      <li data-md>
       <p>Otherwise:</p>
       <ol>
        <li data-md>
         <p>Let <var>credentialId</var> be the result of serializing and encrypting <var>credentialSource</var> so that only this authenticator can
decrypt it.</p>
       </ol>
     </ol>
    <li data-md>
     <p>If any error occurred while creating the new credential object, return an error code equivalent to "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#unknownerror" id="ref-for-unknownerror①">UnknownError</a></code>" and
terminate the operation.</p>
    <li data-md>
     <p>Let <var>processedExtensions</var> be the result of <a data-link-type="dfn" href="#authenticator-extension-processing" id="ref-for-authenticator-extension-processing">authenticator extension processing</a> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-iterate" id="ref-for-map-iterate③">for each</a> supported <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier⑤">extension
identifier</a> → <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input②">authenticator extension input</a> in <var>extensions</var>.</p>
    <li data-md>
     <p>If the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④⑧">authenticator</a>:</p>
     <dl class="switch">
      <dt data-md>is a U2F device
      <dd data-md>
       <p>let the <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①②">signature counter</a> value for the new credential be zero. (U2F devices may support signature counters but do not return a counter when making a credential. See <a data-link-type="biblio" href="#biblio-fido-u2f-message-formats">[FIDO-U2F-Message-Formats]</a>.)</p>
      <dt data-md>supports a global <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①③">signature counter</a>
      <dd data-md>
       <p>Use the global <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①④">signature counter</a>'s actual value when generating <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③①">authenticator data</a>.</p>
      <dt data-md>supports a per credential <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①⑤">signature counter</a>
      <dd data-md>
       <p>allocate the counter, associate it with the new credential, and initialize the counter value as zero.</p>
      <dt data-md>does not support a <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①⑥">signature counter</a>
      <dd data-md>
       <p>let the <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①⑦">signature counter</a> value for the new credential be constant at zero.</p>
     </dl>
    <li data-md>
     <p>Let <var>attestedCredentialData</var> be the <a data-link-type="dfn" href="#attested-credential-data" id="ref-for-attested-credential-data⑧">attested credential data</a> byte array including the <var>credentialId</var> and <var>publicKey</var>.</p>
    <li data-md>
     <p>Let <var>authenticatorData</var> <a data-link-type="dfn" href="#authenticator-data-perform-the-following-steps-to-generate-an-authenticator-data-structure" id="ref-for-authenticator-data-perform-the-following-steps-to-generate-an-authenticator-data-structure">be the byte array</a> specified in <a href="#sctn-authenticator-data">§ 6.1 Authenticator Data</a>, including <var>attestedCredentialData</var> as the <code><a data-link-type="dfn" href="#attestedcredentialdata" id="ref-for-attestedcredentialdata⑤">attestedCredentialData</a></code> and <var>processedExtensions</var>, if any, as the <code><a data-link-type="dfn" href="#authdataextensions" id="ref-for-authdataextensions⑤">extensions</a></code>.</p>
    <li data-md>
     <p>Create an <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object⑨">attestation object</a> for the new credential using the procedure specified in <a href="#sctn-generating-an-attestation-object">§ 6.5.4 Generating an Attestation Object</a>, using an authenticator-chosen <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format①">attestation statement format</a>, <var>authenticatorData</var>,
and <var>hash</var>, as well as <code class="idl"><a data-link-type="idl" href="#dom-attestationconveyancepreference-enterprise" id="ref-for-dom-attestationconveyancepreference-enterprise②">taking into account</a></code> the value of <var>enterpriseAttestationPossible</var>. For more details on attestation, see <a href="#sctn-attestation">§ 6.5 Attestation</a>.</p>
   </ol>
   <p>On successful completion of this operation, the authenticator returns the <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①⓪">attestation object</a> to the client.</p>
   <h4 class="heading settled" data-level="6.3.3" id="sctn-op-get-assertion"><span class="secno">6.3.3. </span><span class="content">The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticatorgetassertion">authenticatorGetAssertion</dfn> Operation</span><a class="self-link" href="#sctn-op-get-assertion"></a></h4>
   <p>It takes the following input parameters:</p>
   <dl>
    <dt data-md><var>rpId</var>
    <dd data-md>
     <p>The caller’s <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③①">RP ID</a>, as <a href="#GetAssn-DetermineRpId">determined</a> by the user agent and the client.</p>
    <dt data-md><var>hash</var>
    <dd data-md>
     <p>The <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data⑨">hash of the serialized client data</a>, provided by the client.</p>
    <dt data-md><var>allowCredentialDescriptorList</var>
    <dd data-md>
     <p>An OPTIONAL <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list" id="ref-for-list③">list</a> of <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor①②">PublicKeyCredentialDescriptor</a></code>s describing credentials acceptable to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦①">Relying Party</a> (possibly filtered
by the client), if any.</p>
    <dt data-md><var>requireUserPresence</var>
    <dd data-md>
     <p>The constant Boolean value <code>true</code>.
It is included here as a pseudo-parameter to simplify applying this abstract authenticator model to implementations that may
wish to make a <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence①①">test of user presence</a> optional, although WebAuthn does not.</p>
    <dt data-md><var>requireUserVerification</var>
    <dd data-md>
     <p>The <a data-link-type="dfn" href="#effective-user-verification-requirement-for-assertion" id="ref-for-effective-user-verification-requirement-for-assertion">effective user verification requirement for assertion</a>, a Boolean value provided by the client.</p>
    <dt data-md><var>extensions</var>
    <dd data-md>
     <p>A <a data-link-type="dfn" href="#cbor" id="ref-for-cbor①⓪">CBOR</a> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map" id="ref-for-ordered-map⑧">map</a> from <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier⑥">extension identifiers</a> to their <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input③">authenticator extension inputs</a>, created by the client based on
the extensions requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦②">Relying Party</a>, if any.</p>
   </dl>
   <p class="note" role="note"><span>Note:</span> Before performing this operation, all other operations in progress in the <a data-link-type="dfn" href="#authenticator-session" id="ref-for-authenticator-session③">authenticator session</a> MUST be aborted by running the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel①②">authenticatorCancel</a> operation.</p>
   <p>When this method is invoked, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④⑨">authenticator</a> MUST perform the following procedure:</p>
   <ol>
    <li data-md>
     <p>Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code
equivalent to "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#unknownerror" id="ref-for-unknownerror②">UnknownError</a></code>" and terminate the operation.</p>
    <li data-md>
     <p>Let <var>credentialOptions</var> be a new empty <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set" id="ref-for-ordered-set⑥">set</a> of <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source②⑧">public key credential sources</a>.</p>
    <li data-md>
     <p>If <var>allowCredentialDescriptorList</var> was supplied, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate①⑦">for each</a> <var>descriptor</var> of <var>allowCredentialDescriptorList</var>:</p>
     <ol>
      <li data-md>
       <p>Let <var>credSource</var> be the result of <a data-link-type="dfn" href="#credential-id-looking-up" id="ref-for-credential-id-looking-up①">looking up</a> <code><var>descriptor</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-id" id="ref-for-dom-publickeycredentialdescriptor-id⑤">id</a></code></code> in this
authenticator.</p>
      <li data-md>
       <p>If <var>credSource</var> is not <code>null</code>, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#set-append" id="ref-for-set-append③">append</a> it to <var>credentialOptions</var>.</p>
     </ol>
    <li data-md>
     <p>Otherwise (<var>allowCredentialDescriptorList</var> was not supplied), <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-iterate" id="ref-for-map-iterate④">for each</a> <var>key</var> → <var>credSource</var> of this
authenticator’s <a data-link-type="dfn" href="#authenticator-credentials-map" id="ref-for-authenticator-credentials-map④">credentials map</a>, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#set-append" id="ref-for-set-append④">append</a> <var>credSource</var> to <var>credentialOptions</var>.</p>
    <li data-md>
     <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove" id="ref-for-list-remove②⓪">Remove</a> any items from <var>credentialOptions</var> whose <a data-link-type="dfn" href="#public-key-credential-source-rpid" id="ref-for-public-key-credential-source-rpid②">rpId</a> is not equal to <var>rpId</var>.</p>
    <li data-md>
     <p>If <var>credentialOptions</var> is now empty, return an error code equivalent to "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror" id="ref-for-notallowederror①①">NotAllowedError</a></code>" and terminate the operation.</p>
    <li data-md>
     <p>Prompt the user to select a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source②⑨">public key credential source</a> <var>selectedCredential</var> from <var>credentialOptions</var>.
Collect an <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture②⑤">authorization gesture</a> confirming <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent②⓪">user consent</a> for using <var>selectedCredential</var>.
The prompt for the <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture②⑥">authorization gesture</a> may be shown
by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤⓪">authenticator</a> if it has its own output capability, or by the user agent otherwise.</p>
     <p>If <var>requireUserVerification</var> is <code>true</code>, the <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture②⑦">authorization gesture</a> MUST include <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③⑧">user verification</a>.</p>
     <p>If <var>requireUserPresence</var> is <code>true</code>, the <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture②⑧">authorization gesture</a> MUST include a <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence①②">test of user presence</a>.</p>
     <p>If the user does not <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent②①">consent</a>, return an error code equivalent to
"<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror" id="ref-for-notallowederror①②">NotAllowedError</a></code>" and terminate the operation.</p>
    <li data-md>
     <p>Let <var>processedExtensions</var> be the result of <a data-link-type="dfn" href="#authenticator-extension-processing" id="ref-for-authenticator-extension-processing①">authenticator extension processing</a> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-iterate" id="ref-for-map-iterate⑤">for each</a> supported <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier⑦">extension
identifier</a> → <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input④">authenticator extension input</a> in <var>extensions</var>.</p>
    <li data-md>
     <p>Increment the credential-associated <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①⑧">signature counter</a> or the global <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①⑨">signature counter</a> value, depending on
which approach is implemented by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤①">authenticator</a>, by some positive value.
If the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤②">authenticator</a> does not implement a <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter②⓪">signature counter</a>, let the <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter②①">signature counter</a> value remain constant at
zero.</p>
    <li data-md>
     <p>Let <var>authenticatorData</var> <a data-link-type="dfn" href="#authenticator-data-perform-the-following-steps-to-generate-an-authenticator-data-structure" id="ref-for-authenticator-data-perform-the-following-steps-to-generate-an-authenticator-data-structure①">be the byte array</a> specified in <a href="#sctn-authenticator-data">§ 6.1 Authenticator Data</a> including <var>processedExtensions</var>, if any, as
the <code><a data-link-type="dfn" href="#authdataextensions" id="ref-for-authdataextensions⑥">extensions</a></code> and excluding <code><a data-link-type="dfn" href="#attestedcredentialdata" id="ref-for-attestedcredentialdata⑥">attestedCredentialData</a></code>.</p>
    <li data-md>
     <p>Let <var>signature</var> be the <a data-link-type="dfn" href="#assertion-signature" id="ref-for-assertion-signature⑧">assertion signature</a> of the concatenation <code><var>authenticatorData</var> || <var>hash</var></code> using the <a data-link-type="dfn" href="#public-key-credential-source-privatekey" id="ref-for-public-key-credential-source-privatekey①">privateKey</a> of <var>selectedCredential</var> as shown in <a href="#fig-signature">Figure <span class="figure-num-following"></span></a>, below. A simple,
undelimited
concatenation is safe to use here because the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③②">authenticator data</a> describes its own length. The <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data①⓪">hash of the serialized
client data</a> (which potentially has a variable length) is always the last element.</p>
     <figure id="fig-signature">
       <img src="images/fido-signature-formats-figure2.svg" alt="Generating an assertion signature: authenticatorData concatenated with hash is signed using the selected credential's private key">
      <figcaption>Generating an <a data-link-type="dfn" href="#assertion-signature" id="ref-for-assertion-signature⑨">assertion signature</a>.</figcaption>
     </figure>
    <li data-md>
     <p>If any error occurred while generating the <a data-link-type="dfn" href="#assertion-signature" id="ref-for-assertion-signature①⓪">assertion signature</a>, return an error code equivalent to "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#unknownerror" id="ref-for-unknownerror③">UnknownError</a></code>" and
terminate the operation.</p>
    <li id="authenticatorGetAssertion-return-values">
     <a class="self-link" href="#authenticatorGetAssertion-return-values"></a> Return to the user agent: 
     <ul>
      <li data-md>
       <p><var>selectedCredential</var>.<a data-link-type="dfn" href="#public-key-credential-source-id" id="ref-for-public-key-credential-source-id③">id</a>, if either a list of credentials
(i.e., <var>allowCredentialDescriptorList</var>) of length 2 or greater was
supplied by the client, or no such list was supplied.</p>
       <p class="note" role="note"><span>Note:</span> If, within <var>allowCredentialDescriptorList</var>, the client supplied exactly one credential and it was successfully employed, then its <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id②⑤">credential ID</a> is not returned since the client already knows it. This saves transmitting these bytes over
        what may be a constrained connection in what is likely a common case.</p>
      <li data-md>
       <p><var>authenticatorData</var></p>
      <li data-md>
       <p><var>signature</var></p>
      <li data-md>
       <p><var>selectedCredential</var>.<a data-link-type="dfn" href="#public-key-credential-source-userhandle" id="ref-for-public-key-credential-source-userhandle②">userHandle</a></p>
       <p class="note" role="note"><span>Note:</span> the returned <a data-link-type="dfn" href="#public-key-credential-source-userhandle" id="ref-for-public-key-credential-source-userhandle③">userHandle</a> value may be <code>null</code>, see: <a data-link-type="dfn" href="#assertioncreationdata-userhandleresult" id="ref-for-assertioncreationdata-userhandleresult④">userHandleResult</a>.</p>
     </ul>
   </ol>
   <p>If the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤③">authenticator</a> cannot find any <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④⑧">credential</a> corresponding to the specified <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦③">Relying Party</a> that
matches the specified criteria, it terminates the operation and returns an error.</p>
   <h4 class="heading settled" data-level="6.3.4" id="sctn-op-cancel"><span class="secno">6.3.4. </span><span class="content">The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticatorcancel">authenticatorCancel</dfn> Operation</span><a class="self-link" href="#sctn-op-cancel"></a></h4>
   <p>This operation takes no input parameters and returns no result.</p>
   <p>When this operation is invoked by the client in an <a data-link-type="dfn" href="#authenticator-session" id="ref-for-authenticator-session④">authenticator session</a>, it has the effect of terminating any <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential①③">authenticatorMakeCredential</a> or <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①③">authenticatorGetAssertion</a> operation currently in progress in that authenticator
session. The authenticator stops prompting for, or accepting, any user input related to authorizing the canceled operation. The
client ignores any further responses from the authenticator for the canceled operation.</p>
   <p>This operation is ignored if it is invoked in an <a data-link-type="dfn" href="#authenticator-session" id="ref-for-authenticator-session⑤">authenticator session</a> which does not have an <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential①④">authenticatorMakeCredential</a> or <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①④">authenticatorGetAssertion</a> operation currently in progress.</p>
   <h3 class="heading settled" data-level="6.4" id="sctn-strings"><span class="secno">6.4. </span><span class="content">String Handling</span><a class="self-link" href="#sctn-strings"></a></h3>
   <p>Authenticators may be required to store arbitrary strings chosen by a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦④">Relying Party</a>, for example the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name①②">name</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname①①">displayName</a></code> in a <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity⑥">PublicKeyCredentialUserEntity</a></code>. This section discusses some practical consequences of handling arbitrary strings that may be presented to humans.</p>
   <h4 class="heading settled" data-level="6.4.1" id="sctn-strings-truncation"><span class="secno">6.4.1. </span><span class="content">String Truncation</span><a class="self-link" href="#sctn-strings-truncation"></a></h4>
   <p>Each arbitrary string in the API will have some accommodation for the potentially limited resources available to an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤④">authenticator</a>. If string value truncation is the chosen accommodation then authenticators MAY truncate in order to make the string fit within a length equal to or greater than the specified minimum supported length. Such truncation SHOULD also respect UTF-8 sequence boundaries or <a data-link-type="dfn" href="https://unicode.org/reports/tr29/#Grapheme_Cluster_Boundaries" id="ref-for-Grapheme_Cluster_Boundaries">grapheme cluster</a> boundaries <a data-link-type="biblio" href="#biblio-utr29">[UTR29]</a>. This defines the maximum truncation permitted and authenticators MUST NOT truncate further.</p>
   <p>For example, in <a href="#fig-stringTruncation">figure <span class="figure-num-following"></span></a> the string is 65 bytes long. If truncating to 64 bytes then the final 0x88 byte must be removed purely because of space reasons. Since that leaves a partial UTF-8 sequence the remainder of that sequence may also be removed. Since that leaves a partial <a data-link-type="dfn" href="https://unicode.org/reports/tr29/#Grapheme_Cluster_Boundaries" id="ref-for-Grapheme_Cluster_Boundaries①">grapheme cluster</a> an authenticator may remove the remainder of that cluster.</p>
   <figure id="fig-stringTruncation">
     <img src="images/string-truncation.svg"> 
    <figcaption>The end of a UTF-8 encoded string showing the positions of different truncation boundaries.</figcaption>
   </figure>
   <p><a data-link-type="dfn" href="#conforming-user-agent" id="ref-for-conforming-user-agent④">Conforming User Agents</a> are responsible for ensuring that the authenticator behaviour observed by <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⑤">Relying Parties</a> conforms to this specification with respect to string handling. For example, if an authenticator is known to behave incorrectly when asked to store large strings, the user agent SHOULD perform the truncation for it in order to maintain the model from the point of view of the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⑥">Relying Party</a>. User-agents that do this SHOULD truncate at <a data-link-type="dfn" href="https://unicode.org/reports/tr29/#Grapheme_Cluster_Boundaries" id="ref-for-Grapheme_Cluster_Boundaries②">grapheme cluster</a> boundaries.</p>
   <p>Truncation based on UTF-8 sequences alone may cause a <a data-link-type="dfn" href="https://unicode.org/reports/tr29/#Grapheme_Cluster_Boundaries" id="ref-for-Grapheme_Cluster_Boundaries③">grapheme cluster</a> to be truncated. This could make the grapheme cluster render as a different glyph, potentially changing the meaning of the string, instead of removing the glyph entirely.</p>
   <p>In addition to that, truncating on byte boundaries alone causes a known issue that user agents should be aware of: if the authenticator is using <a data-link-type="biblio" href="#biblio-fido-ctap">[FIDO-CTAP]</a> then future messages from the authenticator may contain invalid CBOR since the value is typed as a CBOR string and thus is required to be valid UTF-8. User agents are tasked with handling this to avoid burdening authenticators with understanding character encodings and Unicode character properties. Thus, when dealing with <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤⑤">authenticators</a>, user agents SHOULD:</p>
   <ol>
    <li data-md>
     <p>Ensure that any strings sent to authenticators are validly encoded.</p>
    <li data-md>
     <p>Handle the case where strings have been truncated resulting in an invalid encoding. For example, any partial code point at the end may be dropped or replaced with <a href="http://unicode.org/cldr/utility/character.jsp?a=FFFD">U+FFFD</a>.</p>
   </ol>
   <h4 class="heading settled" data-level="6.4.2" id="sctn-strings-langdir"><span class="secno">6.4.2. </span><span class="content">Language and Direction Encoding</span><a class="self-link" href="#sctn-strings-langdir"></a></h4>
   <p>In order to be correctly displayed in context, the language and base direction of a string <a href="https://www.w3.org/TR/string-meta/#why-is-this-important">may be required</a>. Strings in this API may have to be written to fixed-function <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤⑥">authenticators</a> and then later read back and displayed on a different platform. Thus language and direction metadata is encoded in the string itself to ensure that it is transported atomically.</p>
   <p>To encode language and direction metadata in a string that is documented as permitting it, suffix its code points with two sequences of code points:</p>
   <p>The first encodes a <a data-link-type="dfn" href="https://tools.ietf.org/html/bcp47#section-2.1" id="ref-for-section-2.1">language tag</a> with the code point U+E0001 followed by the ASCII values of the <a data-link-type="dfn" href="https://tools.ietf.org/html/bcp47#section-2.1" id="ref-for-section-2.1①">language tag</a> each shifted up by U+E0000. For example, the <a data-link-type="dfn" href="https://tools.ietf.org/html/bcp47#section-2.1" id="ref-for-section-2.1②">language tag</a> “en-US” becomes the code points U+E0001, U+E0065, U+E006E, U+E002D, U+E0055, U+E0053.</p>
   <p>The second consists of a single code point which is either U+200E (“LEFT-TO-RIGHT MARK”), U+200F (“RIGHT-TO-LEFT MARK”), or U+E007F (“CANCEL TAG”). The first two can be used to indicate directionality but SHOULD only be used when necessary to produce the correct result. (E.g. an RTL string that starts with LTR-strong characters.) The value U+E007F is a direction-agnostic indication of the end of the <a data-link-type="dfn" href="https://tools.ietf.org/html/bcp47#section-2.1" id="ref-for-section-2.1③">language tag</a>.</p>
   <p>So the string “حبیب الرحمان” could have two different DOMString values, depending on whether the language was encoded or not. (Since the direction is unambiguous, a directionality marker is not needed in this example.)</p>
   <ul>
    <li data-md>
     <p>Unadorned string: U+FEA2, U+FE92, U+FBFF, U+FE91, U+20, U+FE8E, U+FEDF, U+FEAE, U+FEA4, U+FEE3, U+FE8E, U+FEE7</p>
    <li data-md>
     <p>With language “ar-SA” encoded: U+FEA2, U+FE92, U+FBFF, U+FE91, U+20, U+FE8E, U+FEDF, U+FEAE, U+FEA4, U+FEE3, U+FE8E, U+FEE7, U+E0001, U+E0061, U+E0072, U+E002D, U+E0053, U+E0041, U+E007F</p>
   </ul>
   <p>Consumers of strings that may have language and direction encoded should be aware that truncation could truncate a <a data-link-type="dfn" href="https://tools.ietf.org/html/bcp47#section-2.1" id="ref-for-section-2.1④">language tag</a> into a different, but still valid, language. The presence or absence of the final directionality marker or CANCEL TAG code point provides an unambiguous indication of whether truncation has occurred.</p>
   <h3 class="heading settled" data-level="6.5" id="sctn-attestation"><span class="secno">6.5. </span><span class="content">Attestation</span><a class="self-link" href="#sctn-attestation"></a></h3>
   <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤⑦">Authenticators</a> SHOULD also provide some form of <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①②">attestation</a>, if possible.
If an authenticator does, the basic requirement is that the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤⑧">authenticator</a> can
produce, for each <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key②③">credential public key</a>, an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⑥">attestation statement</a> verifiable by the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party②⑤">WebAuthn Relying Party</a>. Typically, this <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⑦">attestation statement</a> contains a signature by an <a data-link-type="dfn" href="#attestation-private-key" id="ref-for-attestation-private-key①">attestation private key</a> over the attested <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key②④">credential public key</a> and
a challenge, as well as a certificate or similar data providing provenance information for the <a data-link-type="dfn" href="#attestation-public-key" id="ref-for-attestation-public-key">attestation public key</a>,
enabling the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⑦">Relying Party</a> to make a trust decision. However, if an <a data-link-type="dfn" href="#attestation-key-pair" id="ref-for-attestation-key-pair②">attestation key pair</a> is not available, then the authenticator
MAY either perform <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation⑥">self attestation</a> of the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key②⑤">credential public key</a> with the corresponding <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①⑦">credential private key</a>,
or otherwise perform <a data-link-type="dfn" href="#none" id="ref-for-none">no attestation</a>. All this
information is returned by <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤⑨">authenticators</a> any time a new <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④⑨">public key credential</a> is generated, in the overall form of an <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-object">attestation object</dfn>. The relationship of the <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①①">attestation object</a> with <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③③">authenticator data</a> (containing <a data-link-type="dfn" href="#attested-credential-data" id="ref-for-attested-credential-data⑨">attested credential data</a>) and the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⑧">attestation statement</a> is illustrated in <a href="#fig-attStructs">figure <span class="figure-num-following"></span></a>, below.</p>
   <p>If an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥⓪">authenticator</a> employs <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation⑦">self attestation</a> or <a data-link-type="dfn" href="#none" id="ref-for-none①">no attestation</a>, then no provenance information is provided
for the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⑧">Relying Party</a> to base a trust decision on.
In these cases, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥①">authenticator</a> provides no guarantees about its operation to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⑨">Relying Party</a>.</p>
   <figure id="fig-attStructs">
     <img src="images/fido-attestation-structures.svg"> 
    <figcaption><a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①②">Attestation object</a> layout illustrating the included <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③④">authenticator data</a> (containing <a data-link-type="dfn" href="#attested-credential-data" id="ref-for-attested-credential-data①⓪">attested credential
    data</a>) and the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⑨">attestation statement</a>.</figcaption>
   </figure>
   <div class="note" role="note"> This figure illustrates only the <code>packed</code> <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format②">attestation statement format</a>. Several additional <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format③">attestation statement
  formats</a> are defined in <a href="#sctn-defined-attestation-formats">§ 8 Defined Attestation Statement Formats</a>. </div>
   <p>An important component of the <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①③">attestation object</a> is the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-statement">attestation statement</dfn>. This is a specific type of signed
data object, containing statements about a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤⓪">public key credential</a> itself and the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥②">authenticator</a> that created it. It
contains an <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature⑥">attestation signature</a> created using the key of the attesting authority (except for the case of <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation⑧">self
attestation</a>, when it is created using the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①⑧">credential private key</a>). In order to correctly interpret an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②⓪">attestation
statement</a>, a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⓪">Relying Party</a> needs to understand these two aspects of <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①③">attestation</a>:</p>
   <ol>
    <li data-md>
     <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-statement-format">attestation statement format</dfn> is the manner in which the signature is represented and the various contextual
bindings are incorporated into the attestation statement by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥③">authenticator</a>. In other words, this defines the
syntax of the statement. Various existing components and OS platforms (such as TPMs and the Android OS) have previously defined <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format④">attestation statement formats</a>. This specification supports a variety of such formats in an extensible way, as defined in <a href="#sctn-attestation-formats">§ 6.5.2 Attestation Statement Formats</a>. The formats themselves are identified by strings, as described in <a href="#sctn-attstn-fmt-ids">§ 8.1 Attestation Statement Format Identifiers</a>.</p>
    <li data-md>
     <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-type">attestation type</dfn> defines the semantics of <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②①">attestation statements</a> and their underlying trust models.
Specifically, it defines how a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧①">Relying Party</a> establishes trust in a particular <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②②">attestation statement</a>, after verifying that it
is cryptographically valid. This specification supports a number of <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type">attestation types</a>, as described in <a href="#sctn-attestation-types">§ 6.5.3 Attestation Types</a>.</p>
   </ol>
   <p>In general, there is no simple mapping between <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format⑤">attestation statement formats</a> and <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①">attestation types</a>. For example, the
"packed" <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format⑥">attestation statement format</a> defined in <a href="#sctn-packed-attestation">§ 8.2 Packed Attestation Statement Format</a> can be used in conjunction with all <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type②">attestation
types</a>, while other formats and types have more limited applicability.</p>
   <p>The privacy, security and operational characteristics of <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①④">attestation</a> depend on:</p>
   <ul>
    <li data-md>
     <p>The <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type③">attestation type</a>, which determines the trust model,</p>
    <li data-md>
     <p>The <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format⑦">attestation statement format</a>, which MAY constrain the strength of the <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①⑤">attestation</a> by limiting what can be
expressed in an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②③">attestation statement</a>, and</p>
    <li data-md>
     <p>The characteristics of the individual <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥④">authenticator</a>, such as its construction, whether part or all of it runs in a secure
operating environment, and so on.</p>
   </ul>
   <p>It is expected that most <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥⑤">authenticators</a> will support a small number of <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type④">attestation types</a> and <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format⑧">attestation statement
formats</a>, while <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧②">Relying Parties</a> will decide what <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type⑤">attestation types</a> are acceptable to them by policy. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧③">Relying Parties</a> will also need to
understand the characteristics of the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥⑥">authenticators</a> that they trust, based on information they have about these <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥⑦">authenticators</a>. For example, the FIDO Metadata Service <a data-link-type="biblio" href="#biblio-fidometadataservice">[FIDOMetadataService]</a> provides one way to access such information.</p>
   <h4 class="heading settled" data-level="6.5.1" id="sctn-attested-credential-data"><span class="secno">6.5.1. </span><span class="content">Attested Credential Data</span><a class="self-link" href="#sctn-attested-credential-data"></a></h4>
   <p><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attested-credential-data">Attested credential data</dfn> is a variable-length byte array added to the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③⑤">authenticator data</a> when generating an <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①④">attestation
object</a> for a given credential. Its format is shown in <a href="#table-attestedCredentialData">Table <span class="table-ref-following"></span></a>.</p>
   <figure class="table" id="table-attestedCredentialData">
    <table class="complex data longlastcol">
     <tbody>
      <tr>
       <th>Name
       <th>Length (in bytes)
       <th>Description
      <tr>
       <td><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="aaguid">aaguid</dfn>
       <td>16
       <td>The AAGUID of the authenticator.
      <tr>
       <td><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="credentialidlength">credentialIdLength</dfn>
       <td>2
       <td>Byte length <strong>L</strong> of Credential ID, 16-bit unsigned big-endian integer.
      <tr>
       <td><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="credentialid">credentialId</dfn>
       <td>L
       <td><a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id②⑥">Credential ID</a>
      <tr>
       <td><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="credentialpublickey">credentialPublicKey</dfn>
       <td>variable
       <td> The <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key②⑥">credential public key</a> encoded in COSE_Key format,
                as defined in <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8152#section-7" id="ref-for-section-7②">Section 7</a> of <a data-link-type="biblio" href="#biblio-rfc8152">[RFC8152]</a>, using the <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#ctap2-canonical-cbor-encoding-form" id="ref-for-ctap2-canonical-cbor-encoding-form③">CTAP2 canonical CBOR encoding form</a>.
                The COSE_Key-encoded <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key②⑦">credential public key</a> MUST contain the "alg" parameter and MUST NOT
                contain any other OPTIONAL parameters. The "alg" parameter MUST contain a <code class="idl"><a data-link-type="idl" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier①①">COSEAlgorithmIdentifier</a></code> value.
                The encoded <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key②⑧">credential public key</a> MUST also contain any additional REQUIRED parameters stipulated by the
                relevant key type specification, i.e., REQUIRED for the key type "kty" and algorithm "alg" (see Section 8 of <a data-link-type="biblio" href="#biblio-rfc8152">[RFC8152]</a>). 
    </table>
    <figcaption> <a data-link-type="dfn" href="#attested-credential-data" id="ref-for-attested-credential-data①①">Attested credential data</a> layout. The names in the Name column are only for reference within this document, and are not
        present in the actual representation of the <a data-link-type="dfn" href="#attested-credential-data" id="ref-for-attested-credential-data①②">attested credential data</a>. </figcaption>
   </figure>
   <h5 class="heading settled" data-level="6.5.1.1" id="sctn-encoded-credPubKey-examples"><span class="secno">6.5.1.1. </span><span class="content">Examples of <code>credentialPublicKey</code> Values Encoded in COSE_Key Format</span><a class="self-link" href="#sctn-encoded-credPubKey-examples"></a></h5>
   <p>This section provides examples of COSE_Key-encoded Elliptic Curve and RSA public keys for the ES256, PS256, and RS256
signature algorithms. These examples adhere to the rules defined above for the <a data-link-type="dfn" href="#credentialpublickey" id="ref-for-credentialpublickey④">credentialPublicKey</a> value, and are presented in CDDL <a data-link-type="biblio" href="#biblio-rfc8610">[RFC8610]</a> for clarity.</p>
   <p><a data-link-type="biblio" href="#biblio-rfc8152">[RFC8152]</a> <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8152#section-7" id="ref-for-section-7③">Section 7</a> defines the general framework for all COSE_Key-encoded keys.
Specific key types for specific algorithms are defined in other sections of <a data-link-type="biblio" href="#biblio-rfc8152">[RFC8152]</a> as well as in other specifications,
as noted below.</p>
   <p>Below is an example of a COSE_Key-encoded Elliptic Curve public key in EC2 format (see <a data-link-type="biblio" href="#biblio-rfc8152">[RFC8152]</a> <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8152#section-13.1" id="ref-for-section-13.1">Section 13.1</a>), on the P-256 curve, to be used with the ES256 signature
algorithm (ECDSA w/ SHA-256, see <a data-link-type="biblio" href="#biblio-rfc8152">[RFC8152]</a> <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8152#section-8.1" id="ref-for-section-8.1">Section 8.1</a>):</p>
<pre class="example highlight" id="example-bdbd14cc"><a class="self-link" href="#example-bdbd14cc"></a><c- p>{</c->
  <c- mi>1</c-><c- p>:</c->   <c- mi>2</c-><c- p>,</c->  ; k<c- kc>t</c->y<c- p>:</c-> EC<c- mi>2</c-> key <c- kc>t</c->ype
  <c- mi>3</c-><c- p>:</c->  <c- mi>-7</c-><c- p>,</c->  ; alg<c- p>:</c-> ES<c- mi>256</c-> sig<c- kc>nature</c-> algori<c- kc>t</c->hm
 <c- mi>-1</c-><c- p>:</c->   <c- mi>1</c-><c- p>,</c->  ; crv<c- p>:</c-> P<c- mi>-256</c-> curve
 <c- mi>-2</c-><c- p>:</c->   x<c- p>,</c->  ; x<c- mi>-</c->coordi<c- kc>nate</c-> as by<c- kc>te</c-> s<c- kc>tr</c->i<c- kc>n</c->g <c- mi>32</c-> by<c- kc>tes</c-> i<c- kc>n</c-> le<c- kc>n</c->g<c- kc>t</c->h
           ; e.g.<c- p>,</c-> i<c- kc>n</c-> hex<c- p>:</c-> <c- mf>65e</c->da<c- mi>5</c->a<c- mi>12577</c->c<c- mi>2</c->bae<c- mi>829437</c-><c- kc>fe</c-><c- mi>338701</c->a<c- mi>10</c->aaa<c- mf>375e1</c->bb<c- mi>5</c->b<c- mi>5</c->de<c- mi>108</c->de<c- mi>439</c->c<c- mi>08551</c->d
 <c- mi>-3</c-><c- p>:</c->   y   ; y<c- mi>-</c->coordi<c- kc>nate</c-> as by<c- kc>te</c-> s<c- kc>tr</c->i<c- kc>n</c->g <c- mi>32</c-> by<c- kc>tes</c-> i<c- kc>n</c-> le<c- kc>n</c->g<c- kc>t</c->h
           ; e.g.<c- p>,</c-> i<c- kc>n</c-> hex<c- p>:</c-> <c- mf>1e52e</c->d<c- mi>75701163</c-><c- kc>f</c-><c- mi>7</c-><c- kc>f</c-><c- mf>9e40</c->dd<c- kc>f</c-><c- mi>9</c-><c- kc>f</c-><c- mi>341</c->b<c- mi>3</c->dc<c- mi>9</c->ba<c- mi>860</c->a<c- kc>f</c-><c- mf>7e0</c->ca<c- mi>7</c->ca<c- mf>7e9ee</c->cd<c- mi>0084</c->d<c- mi>19</c->c
<c- p>}</c->
</pre>
   <p>Below is the above Elliptic Curve public key encoded in the <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#ctap2-canonical-cbor-encoding-form" id="ref-for-ctap2-canonical-cbor-encoding-form④">CTAP2 canonical CBOR encoding form</a>, whitespace and line breaks
are included here for clarity and to match the CDDL <a data-link-type="biblio" href="#biblio-rfc8610">[RFC8610]</a> presentation above:</p>
<pre class="example highlight" id="example-08d0b440"><a class="self-link" href="#example-08d0b440"></a>A<c- mi>5</c->
   <c- mi>01</c->  <c- mi>02</c->

   <c- mi>03</c->  <c- mi>26</c->

   <c- mi>20</c->  <c- mi>01</c->

   <c- mi>21</c->  <c- mi>58</c-> <c- mi>20</c->   <c- mf>65e</c->da<c- mi>5</c->a<c- mi>12577</c->c<c- mi>2</c->bae<c- mi>829437</c-><c- kc>fe</c-><c- mi>338701</c->a<c- mi>10</c->aaa<c- mf>375e1</c->bb<c- mi>5</c->b<c- mi>5</c->de<c- mi>108</c->de<c- mi>439</c->c<c- mi>08551</c->d

   <c- mi>22</c->  <c- mi>58</c-> <c- mi>20</c->   <c- mf>1e52e</c->d<c- mi>75701163</c-><c- kc>f</c-><c- mi>7</c-><c- kc>f</c-><c- mf>9e40</c->dd<c- kc>f</c-><c- mi>9</c-><c- kc>f</c-><c- mi>341</c->b<c- mi>3</c->dc<c- mi>9</c->ba<c- mi>860</c->a<c- kc>f</c-><c- mf>7e0</c->ca<c- mi>7</c->ca<c- mf>7e9ee</c->cd<c- mi>0084</c->d<c- mi>19</c->c
</pre>
   <p>Below is an example of a COSE_Key-encoded 2048-bit RSA public key (see <a data-link-type="biblio" href="#biblio-rfc8230">[RFC8230]</a> <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8230#section-4" id="ref-for-section-4">Section 4</a>),
to be used with the PS256 signature algorithm
(RSASSA-PSS with SHA-256, see <a data-link-type="biblio" href="#biblio-rfc8230">[RFC8230]</a> <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8230#section-2" id="ref-for-section-2">Section 2</a>):</p>
<pre class="example highlight" id="example-fb934e19"><a class="self-link" href="#example-fb934e19"></a><c- p>{</c->
  <c- mi>1</c-><c- p>:</c->   <c- mi>3</c-><c- p>,</c->  ; k<c- kc>t</c->y<c- p>:</c-> RSA key <c- kc>t</c->ype
  <c- mi>3</c-><c- p>:</c-> <c- mi>-37</c-><c- p>,</c->  ; alg<c- p>:</c-> PS<c- mi>256</c->
 <c- mi>-1</c-><c- p>:</c->   <c- kc>n</c-><c- p>,</c->  ; <c- kc>n</c-><c- p>:</c->   RSA modulus <c- kc>n</c-> by<c- kc>te</c-> s<c- kc>tr</c->i<c- kc>n</c->g <c- mi>256</c-> by<c- kc>tes</c-> i<c- kc>n</c-> le<c- kc>n</c->g<c- kc>t</c->h
           ;      e.g.<c- p>,</c-> i<c- kc>n</c-> hex (middle by<c- kc>tes</c-> elided <c- kc>f</c->or brevi<c- kc>t</c->y)<c- p>:</c-> DB<c- mi>5</c->F<c- mf>651550...6</c->DC<c- mi>6548</c->ACC<c- mi>3</c->
 <c- mi>-2</c-><c- p>:</c->   e   ; e<c- p>:</c->   RSA public expo<c- kc>nent</c-> e by<c- kc>te</c-> s<c- kc>tr</c->i<c- kc>n</c->g <c- mi>3</c-> by<c- kc>tes</c-> i<c- kc>n</c-> le<c- kc>n</c->g<c- kc>t</c->h
           ;      e.g.<c- p>,</c-> i<c- kc>n</c-> hex<c- p>:</c-> <c- mi>010001</c->
<c- p>}</c->
</pre>
   <p>Below is an example of the same COSE_Key-encoded RSA public key as above,
to be used with the RS256 signature algorithm (RSASSA-PKCS1-v1_5 with SHA-256):</p>
<pre class="example highlight" id="example-8dfabc00"><a class="self-link" href="#example-8dfabc00"></a><c- p>{</c->
  <c- mi>1</c-><c- p>:</c->   <c- mi>3</c-><c- p>,</c->  ; k<c- kc>t</c->y<c- p>:</c-> RSA key <c- kc>t</c->ype
  <c- mi>3</c-><c- p>:</c-><c- mi>-257</c-><c- p>,</c->  ; alg<c- p>:</c-> RS<c- mi>256</c->
 <c- mi>-1</c-><c- p>:</c->   <c- kc>n</c-><c- p>,</c->  ; <c- kc>n</c-><c- p>:</c->   RSA modulus <c- kc>n</c-> by<c- kc>te</c-> s<c- kc>tr</c->i<c- kc>n</c->g <c- mi>256</c-> by<c- kc>tes</c-> i<c- kc>n</c-> le<c- kc>n</c->g<c- kc>t</c->h
           ;      e.g.<c- p>,</c-> i<c- kc>n</c-> hex (middle by<c- kc>tes</c-> elided <c- kc>f</c->or brevi<c- kc>t</c->y)<c- p>:</c-> DB<c- mi>5</c->F<c- mf>651550...6</c->DC<c- mi>6548</c->ACC<c- mi>3</c->
 <c- mi>-2</c-><c- p>:</c->   e   ; e<c- p>:</c->   RSA public expo<c- kc>nent</c-> e by<c- kc>te</c-> s<c- kc>tr</c->i<c- kc>n</c->g <c- mi>3</c-> by<c- kc>tes</c-> i<c- kc>n</c-> le<c- kc>n</c->g<c- kc>t</c->h
           ;      e.g.<c- p>,</c-> i<c- kc>n</c-> hex<c- p>:</c-> <c- mi>010001</c->
<c- p>}</c->
</pre>
   <h4 class="heading settled" data-level="6.5.2" id="sctn-attestation-formats"><span class="secno">6.5.2. </span><span class="content">Attestation Statement Formats</span><a class="self-link" href="#sctn-attestation-formats"></a></h4>
   <p>As described above, an <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format⑨">attestation statement format</a> is a data format which represents a cryptographic signature by an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥⑧">authenticator</a> over a set of contextual bindings. Each <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format①⓪">attestation statement format</a> MUST be defined using the following
template:</p>
   <ul>
    <li data-md>
     <p><strong><a data-link-type="dfn" href="#attestation-statement-format-identifier" id="ref-for-attestation-statement-format-identifier">Attestation statement format identifier</a>:</strong></p>
    <li data-md>
     <p><strong>Supported <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type⑥">attestation types</a>:</strong></p>
    <li data-md>
     <p><strong>Syntax:</strong> The syntax of an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②④">attestation statement</a> produced in this format, defined using CDDL <a data-link-type="biblio" href="#biblio-rfc8610">[RFC8610]</a> for the extension point <code>$attStmtFormat</code> defined in <a href="#sctn-generating-an-attestation-object">§ 6.5.4 Generating an Attestation Object</a>.</p>
    <li data-md>
     <p><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="signing-procedure">Signing procedure</dfn>:
The <a data-link-type="dfn" href="#signing-procedure" id="ref-for-signing-procedure②">signing procedure</a> for computing an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②⑤">attestation statement</a> in this <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format①①">format</a> given
the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤①">public key credential</a> to be attested, the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③⑥">authenticator data</a> structure containing the <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="authenticator data for the attestation" data-noexport id="authenticator-data-for-the-attestation">authenticator data
for the attestation</dfn>, and the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data①①">hash of the serialized client data</a>.</p>
    <li data-md>
     <p><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="verification-procedure">Verification procedure</dfn>:
The procedure for verifying an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②⑥">attestation statement</a>, which takes the following <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="verification-procedure-inputs">verification procedure inputs</dfn>:</p>
     <ul>
      <li data-md>
       <p><var>attStmt</var>: The <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②⑦">attestation statement</a> structure</p>
      <li data-md>
       <p><var>authenticatorData</var>: The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-data-claimed-to-have-been-used-for-the-attestation"><a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③⑦">authenticator data</a> claimed to have been used for the attestation</dfn></p>
      <li data-md>
       <p><var>clientDataHash</var>: The <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data①②">hash of the serialized client data</a></p>
     </ul>
     <p>The procedure returns either:</p>
     <ul>
      <li data-md>
       <p>An error indicating that the attestation is invalid, or</p>
      <li data-md>
       <p>An implementation-specific value representing the <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type⑦">attestation type</a>, and the <a data-link-type="dfn" href="#attestation-trust-path" id="ref-for-attestation-trust-path">trust path</a>. This <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-trust-path">attestation trust path</dfn> is either
empty (in case of <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation⑨">self attestation</a>), or a set of X.509 certificates.</p>
     </ul>
   </ul>
   <p>The initial list of specified <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format①②">attestation statement formats</a> is in <a href="#sctn-defined-attestation-formats">§ 8 Defined Attestation Statement Formats</a>.</p>
   <h4 class="heading settled" data-level="6.5.3" id="sctn-attestation-types"><span class="secno">6.5.3. </span><span class="content">Attestation Types</span><a class="self-link" href="#sctn-attestation-types"></a></h4>
   <p>WebAuthn supports several <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type⑧">attestation types</a>, defining the semantics of <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②⑧">attestation statements</a> and their underlying trust
models:</p>
   <p class="note" role="note"><span>Note:</span> This specification does not define any data structures explicitly expressing the <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type⑨">attestation types</a> employed by <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥⑨">authenticators</a>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧④">Relying Parties</a> engaging in <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②⑨">attestation statement</a> <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure">verification</a> — i.e., when
calling <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create①⑥">navigator.credentials.create()</a></code> they select an <a data-link-type="dfn" href="#attestation-conveyance" id="ref-for-attestation-conveyance③">attestation conveyance</a> other than <code class="idl"><a data-link-type="idl" href="#dom-attestationconveyancepreference-none" id="ref-for-dom-attestationconveyancepreference-none①">none</a></code> and verify the received <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③⓪">attestation statement</a> — will determine the employed <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①⓪">attestation type</a> as a part of <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure①">verification</a>. See the "Verification procedure" subsections of <a href="#sctn-defined-attestation-formats">§ 8 Defined Attestation Statement Formats</a>. See also <a href="#sctn-attestation-privacy">§ 14.4.1 Attestation Privacy</a>. For all <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①①">attestation types</a> defined in this 
section other than <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①⓪">Self</a> and <a data-link-type="dfn" href="#none" id="ref-for-none②">None</a>, <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⑤">Relying Party</a> <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure②">verification</a> is followed by
matching the <a data-link-type="dfn" href="#attestation-trust-path" id="ref-for-attestation-trust-path①">trust path</a> to an acceptable root certificate per step 21 of <a href="#sctn-registering-a-new-credential">§ 7.1 Registering a New Credential</a>.
Differentiating these <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①②">attestation types</a> becomes useful primarily as a means for determining if the <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①⑥">attestation</a> is acceptable 
under <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⑥">Relying Party</a> policy.</p>
   <dl>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="basic-attestation">Basic Attestation</dfn> (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="basic">Basic</dfn>)
    <dd data-md>
     <p>In the case of basic attestation <a data-link-type="biblio" href="#biblio-uafprotocol">[UAFProtocol]</a>, the authenticator’s <a data-link-type="dfn" href="#attestation-key-pair" id="ref-for-attestation-key-pair③">attestation key pair</a> is specific to an
authenticator "model", i.e., a "batch" of authenticators.  Thus, authenticators of the same, or similar, model often share the same <a data-link-type="dfn" href="#attestation-key-pair" id="ref-for-attestation-key-pair④">attestation key pair</a>. See <a href="#sctn-attestation-privacy">§ 14.4.1 Attestation Privacy</a> for further information.</p>
     <p><a data-link-type="dfn" href="#basic-attestation" id="ref-for-basic-attestation">Basic attestation</a> is also referred to as <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="batch-attestation">batch attestation</dfn>.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="self-attestation">Self Attestation</dfn> (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="self">Self</dfn>)
    <dd data-md>
     <p>In the case of <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①①">self attestation</a>, also known as surrogate basic attestation <a data-link-type="biblio" href="#biblio-uafprotocol">[UAFProtocol]</a>, the Authenticator does not have
any specific <a data-link-type="dfn" href="#attestation-key-pair" id="ref-for-attestation-key-pair⑤">attestation key pair</a>. Instead it uses the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①⑨">credential private key</a> to create the <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature⑦">attestation signature</a>.
Authenticators without meaningful protection measures for an <a data-link-type="dfn" href="#attestation-private-key" id="ref-for-attestation-private-key②">attestation private key</a> typically use this attestation type.</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-ca">Attestation CA</dfn> (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attca">AttCA</dfn>)
    <dd data-md>
     <p>In this case, an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦⓪">authenticator</a> is based on a Trusted Platform Module (TPM) and holds an authenticator-specific
"endorsement key" (EK). This key is used to securely communicate with a trusted third party, the <a data-link-type="dfn" href="#attestation-ca" id="ref-for-attestation-ca①">Attestation CA</a> <a data-link-type="biblio" href="#biblio-tcg-cmcprofile-aikcertenroll">[TCG-CMCProfile-AIKCertEnroll]</a> (formerly known as a "Privacy CA"). The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦①">authenticator</a> can generate multiple
attestation identity key pairs (AIK) and requests an <a data-link-type="dfn" href="#attestation-ca" id="ref-for-attestation-ca②">Attestation CA</a> to issue an AIK certificate
for each. Using this approach, such an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦②">authenticator</a> can limit the exposure of the EK (which is a global correlation
handle) to Attestation CA(s). AIKs can be requested for each <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦③">authenticator</a>-generated <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤②">public key credential</a> individually, and conveyed to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⑦">Relying Parties</a> as <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate③">attestation certificates</a>.</p>
     <p class="note" role="note"><span>Note:</span> This concept typically leads to multiple attestation certificates. The attestation certificate requested most recently
    is called "active".</p>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="anonymization-ca">Anonymization CA</dfn> (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="anonca">AnonCA</dfn>)
    <dd data-md>
     <p>In this case, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦④">authenticator</a> uses an <a data-link-type="dfn" href="#anonymization-ca" id="ref-for-anonymization-ca③">Anonymization CA</a> which dynamically generates per-<a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential⑧">credential</a> <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate④">attestation certificates</a> such that the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③①">attestation statements</a> presented to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⑧">Relying Parties</a> do not provide uniquely identifiable information, e.g., that might be used for tracking purposes.</p>
     <p class="note" role="note"><span>Note:</span> <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③②">Attestation statements</a> conveying <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①⑦">attestations</a> of <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①③">type</a> <a data-link-type="dfn" href="#attca" id="ref-for-attca">AttCA</a> or <a data-link-type="dfn" href="#anonca" id="ref-for-anonca">AnonCA</a> use the same data structure
    as those of <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①④">type</a> <a data-link-type="dfn" href="#basic" id="ref-for-basic">Basic</a>, so the three attestation types
    are, in general, distinguishable only with externally provided knowledge regarding the contents of the <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate⑤">attestation
    certificates</a> conveyed in the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③③">attestation statement</a>.</p>
    <dt data-md>No attestation statement (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="none">None</dfn>)
    <dd data-md>
     <p>In this case, no attestation information is available. See also <a href="#sctn-none-attestation">§ 8.7 None Attestation Statement Format</a>.</p>
   </dl>
   <h4 class="heading settled" data-level="6.5.4" id="sctn-generating-an-attestation-object"><span class="secno">6.5.4. </span><span class="content">Generating an Attestation Object</span><a class="self-link" href="#sctn-generating-an-attestation-object"></a></h4>
   <p>To generate an <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①⑤">attestation object</a> (see: <a href="#fig-attStructs">Figure 6</a>) given:</p>
   <dl>
    <dt data-md><var>attestationFormat</var>
    <dd data-md>
     <p>An <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format①③">attestation statement format</a>.</p>
    <dt data-md><var>authData</var>
    <dd data-md>
     <p>A byte array containing <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③⑧">authenticator data</a>.</p>
    <dt data-md><var>hash</var>
    <dd data-md>
     <p>The <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data①③">hash of the serialized client data</a>.</p>
   </dl>
   <p>the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦⑤">authenticator</a> MUST:</p>
   <ol>
    <li data-md>
     <p>Let <var>attStmt</var> be the result of running <var>attestationFormat</var>’s <a data-link-type="dfn" href="#signing-procedure" id="ref-for-signing-procedure①">signing procedure</a> given <var>authData</var> and <var>hash</var>.</p>
    <li data-md>
      <p>Let <var>fmt</var> be <var>attestationFormat</var>’s <a data-link-type="dfn" href="#attestation-statement-format-identifier" id="ref-for-attestation-statement-format-identifier①">attestation statement format identifier</a>.</p>
    <li data-md>
     <p>Return the <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①⑥">attestation object</a> as a CBOR map with the following syntax, filled in with variables initialized by this
algorithm:</p>
<pre>    attObj = {
                authData: bytes,
                $$attStmtType
             }

    attStmtTemplate = (
                          fmt: text,
                          attStmt: { * tstr => any } ; Map is filled in by each concrete attStmtType
                      )

    ; Every attestation statement format must have the above fields
    attStmtTemplate .within $$attStmtType
</pre>
   </ol>
   <h4 class="heading settled" data-level="6.5.5" id="sctn-signature-attestation-types"><span class="secno">6.5.5. </span><span class="content">Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures</span><a class="self-link" href="#sctn-signature-attestation-types"></a></h4>
   <ul>
    <li data-md>
      <p>For COSEAlgorithmIdentifier -7 (ES256), and other ECDSA-based algorithms, the <code>sig</code> value MUST be encoded as an ASN.1 DER Ecdsa-Sig-Value, as defined in <a data-link-type="biblio" href="#biblio-rfc3279">[RFC3279]</a> section 2.2.3.</p>
<pre>        Example:
        30 44                                ; SEQUENCE (68 Bytes)
            02 20                            ; INTEGER (32 Bytes)
            |  3d 46 28 7b 8c 6e 8c 8c  26 1c 1b 88 f2 73 b0 9a
            |  32 a6 cf 28 09 fd 6e 30  d5 a7 9f 26 37 00 8f 54
            02 20                            ; INTEGER (32 Bytes)
            |  4e 72 23 6e a3 90 a9 a1  7b cf 5f 7a 09 d6 3a b2
            |  17 6c 92 bb 8e 36 c0 41  98 a2 7b 90 9b 6e 8f 13
</pre>
      <p class="note" role="note"><span>Note:</span> As CTAP1/U2F <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦⑥">authenticators</a> already produce signature values in this format, CTAP2 <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦⑦">authenticators</a> will also produce signature values in the same format, for consistency reasons.</p>
   </ul>
   <p>It is RECOMMENDED that any new attestation formats defined not use ASN.1 encodings,
    but instead represent signatures as equivalent fixed-length byte arrays without internal structure,
    using the same representations as used by COSE signatures as defined in <a data-link-type="biblio" href="#biblio-rfc8152">[RFC8152]</a> and <a data-link-type="biblio" href="#biblio-rfc8230">[RFC8230]</a>.</p>
   <p>The below signature format definitions satisfy this requirement and serve as examples for deriving the same for other signature algorithms not explicitly mentioned here:</p>
   <ul>
    <li data-md>
     <p>For COSEAlgorithmIdentifier -257 (RS256), <code>sig</code> MUST contain the signature generated using the
RSASSA-PKCS1-v1_5 signature scheme defined in section 8.2.1 in <a data-link-type="biblio" href="#biblio-rfc8017">[RFC8017]</a> with SHA-256 as the hash function.
The signature is not ASN.1 wrapped.</p>
    <li data-md>
     <p>For COSEAlgorithmIdentifier -37 (PS256), <code>sig</code> MUST contain the signature generated using the
RSASSA-PSS signature scheme defined in section 8.1.1 in <a data-link-type="biblio" href="#biblio-rfc8017">[RFC8017]</a> with SHA-256 as the hash function.
The signature is not ASN.1 wrapped.</p>
   </ul>
   <h2 class="heading settled" data-level="7" id="sctn-rp-operations"><span class="secno">7. </span><span class="content"><a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party②⑥">WebAuthn Relying Party</a> Operations</span><a class="self-link" href="#sctn-rp-operations"></a></h2>
   <p>A <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony③">registration</a> or <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony⑧">authentication ceremony</a> begins with the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party②⑦">WebAuthn Relying Party</a> creating a <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialcreationoptions" id="ref-for-dictdef-publickeycredentialcreationoptions④">PublicKeyCredentialCreationOptions</a></code> or <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions⑤">PublicKeyCredentialRequestOptions</a></code> object, respectively, which encodes the parameters for the <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony⑧">ceremony</a>. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⑨">Relying Party</a> SHOULD take care to not leak sensitive information during this stage; see <a href="#sctn-username-enumeration">§ 14.6.2 Username Enumeration</a> for details.</p>
   <p>Upon successful execution of <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create①⑦">create()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②④">get()</a></code>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⓪">Relying Party</a>'s script receives
a <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential①⑥">PublicKeyCredential</a></code> containing an <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse⑤">AuthenticatorAttestationResponse</a></code> or <code class="idl"><a data-link-type="idl" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse⑤">AuthenticatorAssertionResponse</a></code> structure,
respectively, from the client. It must then deliver the contents of this structure to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨①">Relying Party</a> server, using methods outside
the scope of this specification. This section describes the operations that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨②">Relying Party</a> must perform upon receipt of these
structures.</p>
   <h3 class="heading settled" data-level="7.1" id="sctn-registering-a-new-credential"><span class="secno">7.1. </span><span class="content">Registering a New Credential</span><a class="self-link" href="#sctn-registering-a-new-credential"></a></h3>
   <p>In order to perform a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony④">registration ceremony</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨③">Relying Party</a> MUST proceed as follows:</p>
   <ol>
    <li data-md>
     <p>Let <var>options</var> be a new <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialcreationoptions" id="ref-for-dictdef-publickeycredentialcreationoptions⑤">PublicKeyCredentialCreationOptions</a></code> structure configured to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨④">Relying Party</a>'s needs for the ceremony.</p>
    <li data-md>
     <p>Call <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create①⑧">navigator.credentials.create()</a></code> and pass <var>options</var> as the <code><code class="idl"><a data-link-type="idl" href="#dom-credentialcreationoptions-publickey" id="ref-for-dom-credentialcreationoptions-publickey④">publicKey</a></code></code> option.
Let <var>credential</var> be the result of the successfully resolved promise.
If the promise is rejected, abort the ceremony with a user-visible error, or otherwise guide the user experience as
might be determinable from the context available in the rejected promise. For example if the promise is rejected with
an error code equivalent to "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#invalidstateerror" id="ref-for-invalidstateerror④">InvalidStateError</a></code>", the user might be instructed to use a different <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦⑧">authenticator</a>. 
For information on different error contexts and the circumstances leading to them, see <a href="#sctn-op-make-cred">§ 6.3.2 The authenticatorMakeCredential Operation</a>.</p>
    <li data-md>
     <p>Let <var>response</var> be <code><var>credential</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-response" id="ref-for-dom-publickeycredential-response③">response</a></code></code>.
If <var>response</var> is not an instance of <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse⑥">AuthenticatorAttestationResponse</a></code>, abort the ceremony with a user-visible error.</p>
    <li data-md>
     <p>Let <var>clientExtensionResults</var> be the result of calling <code><var>credential</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-getclientextensionresults" id="ref-for-dom-publickeycredential-getclientextensionresults①">getClientExtensionResults()</a></code></code>.</p>
    <li data-md>
     <p>Let <var>JSONtext</var> be the result of
running <a data-link-type="dfn" href="https://encoding.spec.whatwg.org/#utf-8-decode" id="ref-for-utf-8-decode">UTF-8 decode</a> on the value of <code><var>response</var>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson⑥">clientDataJSON</a></code></code>.</p>
     <p class="note" role="note"><span>Note:</span> Using any implementation of <a data-link-type="dfn" href="https://encoding.spec.whatwg.org/#utf-8-decode" id="ref-for-utf-8-decode①">UTF-8 decode</a> is acceptable as long as it yields the same result as that yielded by
the <a data-link-type="dfn" href="https://encoding.spec.whatwg.org/#utf-8-decode" id="ref-for-utf-8-decode②">UTF-8 decode</a> algorithm. In particular, any leading byte order mark (BOM) MUST be stripped.</p>
    <li data-md>
     <p>Let <var>C</var>, the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data⑨">client data</a> claimed as collected during the credential creation, be the result of running an
implementation-specific JSON parser on <var>JSONtext</var>.</p>
     <p class="note" role="note"><span>Note:</span> <var>C</var> may be any implementation-specific data structure representation, as long as <var>C</var>’s components are referenceable, as
required by this algorithm.</p>
    <li data-md>
     <p>Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-type" id="ref-for-dom-collectedclientdata-type⑦">type</a></code></code> is <code>webauthn.create</code>.</p>
    <li data-md>
     <p>Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge⑥">challenge</a></code></code> equals
the base64url encoding of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-challenge" id="ref-for-dom-publickeycredentialcreationoptions-challenge②">challenge</a></code></code>.</p>
    <li data-md>
     <p>Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin⑦">origin</a></code></code> matches the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⑤">Relying Party</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①②">origin</a>.</p>
    <li data-md>
     <p>Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-tokenbinding" id="ref-for-dom-collectedclientdata-tokenbinding④">tokenBinding</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-tokenbinding-status" id="ref-for-dom-tokenbinding-status②">status</a></code></code> matches the state of <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-1" id="ref-for-section-1③">Token Binding</a> for the TLS connection over which the <a data-link-type="dfn" href="#assertion" id="ref-for-assertion②">assertion</a> was obtained. If <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-1" id="ref-for-section-1④">Token Binding</a> was used on that TLS connection, also verify that <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-tokenbinding" id="ref-for-dom-collectedclientdata-tokenbinding⑤">tokenBinding</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-tokenbinding-id" id="ref-for-dom-tokenbinding-id②">id</a></code></code> matches the <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding⑧">base64url encoding</a> of the <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-3.2" id="ref-for-section-3.2④">Token Binding ID</a> for the connection.</p>
    <li data-md>
     <p>Let <var>hash</var> be the result of computing a hash over <code><var>response</var>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson⑦">clientDataJSON</a></code></code> using SHA-256.</p>
    <li data-md>
     <p>Perform CBOR decoding on the <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-attestationobject" id="ref-for-dom-authenticatorattestationresponse-attestationobject⑥">attestationObject</a></code> field of the <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse⑦">AuthenticatorAttestationResponse</a></code> structure to obtain the attestation statement format <var>fmt</var>, the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③⑨">authenticator data</a> <var>authData</var>, and the attestation statement <var>attStmt</var>.</p>
    <li data-md>
     <p>Verify that the <code><a data-link-type="dfn" href="#rpidhash" id="ref-for-rpidhash②">rpIdHash</a></code> in <var>authData</var> is the SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③②">RP ID</a> expected by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⑥">Relying Party</a>.</p>
    <li data-md>
     <p>Verify that the <a data-link-type="dfn" href="#concept-user-present" id="ref-for-concept-user-present④">User Present</a> bit of the <code><a data-link-type="dfn" href="#flags" id="ref-for-flags①⑥">flags</a></code> in <var>authData</var> is set.</p>
    <li data-md>
     <p>If <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③⑨">user verification</a> is required for this registration, verify that the <a data-link-type="dfn" href="#concept-user-verified" id="ref-for-concept-user-verified④">User Verified</a> bit of the <code><a data-link-type="dfn" href="#flags" id="ref-for-flags①⑦">flags</a></code> in <var>authData</var> is set.</p>
    <li data-md>
     <p>Verify that the "alg" parameter in the <a data-link-type="dfn" href="#credentialpublickey" id="ref-for-credentialpublickey⑤">credential public key</a> in <var>authData</var> matches the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialparameters-alg" id="ref-for-dom-publickeycredentialparameters-alg②">alg</a></code> attribute of one of the <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item⑧">items</a> in <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-pubkeycredparams" id="ref-for-dom-publickeycredentialcreationoptions-pubkeycredparams④">pubKeyCredParams</a></code></code>.</p>
    <li data-md>
     <p>Verify that the values of the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output⑥">client extension outputs</a> in <var>clientExtensionResults</var> and the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output③">authenticator extension
outputs</a> in the <code><a data-link-type="dfn" href="#authdataextensions" id="ref-for-authdataextensions⑦">extensions</a></code> in <var>authData</var> are as expected, considering the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①">client
extension input</a> values that were given in <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions④">extensions</a></code></code> and any specific policy of the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⑦">Relying Party</a> regarding unsolicited extensions, i.e., those that were not specified as part of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions⑤">extensions</a></code></code>.
In the general case, the meaning of "are as expected" is specific to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⑧">Relying Party</a> and which extensions are in use.</p>
     <p class="note" role="note"><span>Note:</span> <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④①">Client platforms</a> MAY enact local policy that sets additional <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension②">authenticator extensions</a> or <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension②">client extensions</a> and thus cause values to appear in the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output④">authenticator extension outputs</a> or <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output⑦">client extension outputs</a> that were not originally specified as part of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions⑥">extensions</a></code></code>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⑨">Relying Parties</a> MUST be prepared to handle such
situations, whether it be to ignore the unsolicited extensions or reject the attestation. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⓪">Relying Party</a> can make this
decision based on local policy and the extensions in use.</p>
     <p class="note" role="note"><span>Note:</span> Since all extensions are OPTIONAL for both the <a data-link-type="dfn" href="#client" id="ref-for-client⑤⑥">client</a> and the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦⑨">authenticator</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪①">Relying Party</a> MUST also be
prepared to handle cases where none or not all of the requested extensions were acted upon.</p>
    <li data-md>
     <p>Determine the attestation statement format by performing a USASCII case-sensitive match on <var>fmt</var> against the set of
supported WebAuthn Attestation Statement Format Identifier values.
An up-to-date list of registered WebAuthn Attestation Statement Format Identifier values
is maintained in the
IANA "WebAuthn Attestation Statement Format Identifiers" registry <a data-link-type="biblio" href="#biblio-iana-webauthn-registries">[IANA-WebAuthn-Registries]</a> established by <a data-link-type="biblio" href="#biblio-rfc8809">[RFC8809]</a>.</p>
    <li data-md>
     <p>Verify that <var>attStmt</var> is a correct <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③④">attestation statement</a>, conveying a valid <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature⑧">attestation signature</a>, by using the <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format①④">attestation statement format</a> <var>fmt</var>’s <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure③">verification procedure</a> given <var>attStmt</var>, <var>authData</var> and <var>hash</var>.</p>
     <p class="note" role="note"><span>Note:</span> Each <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format①⑤">attestation statement format</a> specifies its own <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure④">verification procedure</a>. See <a href="#sctn-defined-attestation-formats">§ 8 Defined Attestation Statement Formats</a> for
the initially-defined formats, and <a data-link-type="biblio" href="#biblio-iana-webauthn-registries">[IANA-WebAuthn-Registries]</a> for the up-to-date list.</p>
    <li data-md>
     <p>If validation is successful, obtain a list of acceptable trust anchors (i.e. attestation root certificates)
for that attestation type and attestation statement format <var>fmt</var>, from a trusted source or from policy. For
example, the FIDO Metadata Service <a data-link-type="biblio" href="#biblio-fidometadataservice">[FIDOMetadataService]</a> provides one way to obtain such information, using the <code><a data-link-type="dfn" href="#aaguid" id="ref-for-aaguid⑥">aaguid</a></code> in the <code><a data-link-type="dfn" href="#attestedcredentialdata" id="ref-for-attestedcredentialdata⑦">attestedCredentialData</a></code> in <var>authData</var>.</p>
    <li data-md>
     <p>Assess the attestation trustworthiness using the outputs of the <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure⑤">verification procedure</a> in step 19, as follows:</p>
     <ul>
      <li data-md>
       <p>If <a data-link-type="dfn" href="#none" id="ref-for-none③">no attestation</a> was provided, verify that <a data-link-type="dfn" href="#none" id="ref-for-none④">None</a> attestation is acceptable under <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪②">Relying Party</a> policy.</p>
      <li data-md>
       <p>If <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①②">self attestation</a> was used, verify that <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①③">self attestation</a> is acceptable under <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪③">Relying Party</a> policy.</p>
      <li data-md>
       <p>Otherwise, use the X.509 certificates returned as the <a data-link-type="dfn" href="#attestation-trust-path" id="ref-for-attestation-trust-path②">attestation trust path</a> from the <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure⑥">verification procedure</a> to verify that the attestation public key either correctly chains up to an acceptable root certificate, or is itself an acceptable certificate (i.e., it and the root certificate obtained in Step 20 may be the same).</p>
     </ul>
    <li data-md>
     <p>Check that the <code><a data-link-type="dfn" href="#credentialid" id="ref-for-credentialid③">credentialId</a></code> is not yet registered to any other user. If registration
is requested for a credential that is already registered to a different user, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪④">Relying Party</a> SHOULD
fail this <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony⑤">registration ceremony</a>, or it MAY decide to accept the registration, e.g. while deleting the older registration. Note that the latter option removes a credential from a different user's account on the strength of a registration request alone, so it should only be taken under an explicit Relying Party policy.</p>
    <li data-md>
     <p>If the attestation statement <var>attStmt</var> verified successfully and is found to be trustworthy, then register the new
credential with the account that was denoted in <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-user" id="ref-for-dom-publickeycredentialcreationoptions-user④">user</a></code></code>:</p>
     <ul>
      <li data-md>
       <p>Associate the user’s account with the <code><a data-link-type="dfn" href="#credentialid" id="ref-for-credentialid④">credentialId</a></code> and <code><a data-link-type="dfn" href="#credentialpublickey" id="ref-for-credentialpublickey⑥">credentialPublicKey</a></code> in <code><var>authData</var>.<a data-link-type="dfn" href="#attestedcredentialdata" id="ref-for-attestedcredentialdata⑧">attestedCredentialData</a></code>, as appropriate for the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⑤">Relying Party</a>'s system.</p>
      <li data-md>
       <p>Associate the <code><a data-link-type="dfn" href="#credentialid" id="ref-for-credentialid⑤">credentialId</a></code> with a new stored <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter②②">signature counter</a> value
initialized to the value of <code><var>authData</var>.<a data-link-type="dfn" href="#signcount" id="ref-for-signcount③">signCount</a></code>.</p>
     </ul>
     <p>It is RECOMMENDED to also:</p>
     <ul>
      <li data-md>
       <p>Associate the <code><a data-link-type="dfn" href="#credentialid" id="ref-for-credentialid⑥">credentialId</a></code> with the transport hints
returned by calling <code><var>credential</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-response" id="ref-for-dom-publickeycredential-response④">response</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-gettransports" id="ref-for-dom-authenticatorattestationresponse-gettransports④">getTransports()</a></code></code>.
This value SHOULD NOT be modified before or after storing it.
It is RECOMMENDED to use this value to populate the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports①⓪">transports</a></code> of the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials①②">allowCredentials</a></code> option in future <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②⑤">get()</a></code> calls
to help the <a data-link-type="dfn" href="#client" id="ref-for-client⑤⑦">client</a> know how to find a suitable <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧⓪">authenticator</a>.</p>
     </ul>
    <li data-md>
     <p>If the attestation statement <var>attStmt</var> successfully verified but is not trustworthy per step 21 above, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⑥">Relying Party</a> SHOULD fail
the <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony⑥">registration ceremony</a>.</p>
     <p class="note" role="note"><span>NOTE:</span> However, if permitted by policy, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⑦">Relying Party</a> MAY register the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id②⑦">credential ID</a> and credential public key but treat the
    credential as one with <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①④">self attestation</a> (see <a href="#sctn-attestation-types">§ 6.5.3 Attestation Types</a>). If doing so, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⑧">Relying Party</a> is asserting there
    is no cryptographic proof that the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤③">public key credential</a> has been generated by a particular <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧①">authenticator</a> model.
    See <a data-link-type="biblio" href="#biblio-fidosecref">[FIDOSecRef]</a> and <a data-link-type="biblio" href="#biblio-uafprotocol">[UAFProtocol]</a> for a more detailed discussion.</p>
   </ol>
   <p>Verification of <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①⑦">attestation objects</a> requires that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⑨">Relying Party</a> has a trusted method of determining acceptable trust anchors
in step 20 above. Also, if certificates are being used, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⓪">Relying Party</a> MUST have access to certificate status information for the
intermediate CA certificates. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①①">Relying Party</a> MUST also be able to build the attestation certificate chain if the client did not
provide this chain in the attestation information.</p>
   <h3 class="heading settled" data-level="7.2" id="sctn-verifying-assertion"><span class="secno">7.2. </span><span class="content">Verifying an Authentication Assertion</span><a class="self-link" href="#sctn-verifying-assertion"></a></h3>
   <p>In order to perform an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony⑨">authentication ceremony</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①②">Relying Party</a> MUST proceed as follows:</p>
   <ol>
    <li data-md>
     <p>Let <var>options</var> be a new <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions⑥">PublicKeyCredentialRequestOptions</a></code> structure configured to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①③">Relying Party</a>'s needs for the ceremony.</p>
     <p>If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials①③">allowCredentials</a></code></code> is present,
the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports①①">transports</a></code> member of each <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item⑨">item</a> SHOULD be set to
the value returned by <code><var>credential</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-response" id="ref-for-dom-publickeycredential-response⑤">response</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-gettransports" id="ref-for-dom-authenticatorattestationresponse-gettransports⑤">getTransports()</a></code></code> when the corresponding credential was registered.</p>
    <li data-md>
     <p>Call <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②⑥">navigator.credentials.get()</a></code> and pass <var>options</var> as the <code><code class="idl"><a data-link-type="idl" href="#dom-credentialrequestoptions-publickey" id="ref-for-dom-credentialrequestoptions-publickey④">publicKey</a></code></code> option.
Let <var>credential</var> be the result of the successfully resolved promise.
If the promise is rejected, abort the ceremony with a user-visible error, or otherwise guide the user experience as might 
be determinable from the context available in the rejected promise. For information on different error contexts and the 
circumstances leading to them, see <a href="#sctn-op-get-assertion">§ 6.3.3 The authenticatorGetAssertion Operation</a>.</p>
    <li data-md>
     <p>Let <var>response</var> be <code><var>credential</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-response" id="ref-for-dom-publickeycredential-response⑥">response</a></code></code>.
If <var>response</var> is not an instance of <code class="idl"><a data-link-type="idl" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse⑥">AuthenticatorAssertionResponse</a></code>, abort the ceremony with a user-visible error.</p>
    <li data-md>
     <p>Let <var>clientExtensionResults</var> be the result of calling <code><var>credential</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-getclientextensionresults" id="ref-for-dom-publickeycredential-getclientextensionresults②">getClientExtensionResults()</a></code></code>.</p>
    <li data-md>
     <p>If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials①④">allowCredentials</a></code></code> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty" id="ref-for-list-is-empty⑨">is not empty</a>,
verify that <code><var>credential</var>.<code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-id" id="ref-for-dom-credential-id①">id</a></code></code> identifies one of the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤④">public key credentials</a> listed in <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials①⑤">allowCredentials</a></code></code>.</p>
    <li data-md>
     <p>Identify the user being authenticated and verify that this user is the owner of the <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source③⓪">public key credential source</a> <var>credentialSource</var> identified by <code><var>credential</var>.<code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-id" id="ref-for-dom-credential-id②">id</a></code></code>:</p>
     <dl class="switch">
      <dt data-md>If the user was identified before the <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony①⓪">authentication ceremony</a> was initiated, e.g., via a username or cookie,
      <dd data-md>
       <p>verify that the identified user is the owner of <var>credentialSource</var>. If <code><var>response</var>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorassertionresponse-userhandle" id="ref-for-dom-authenticatorassertionresponse-userhandle③">userHandle</a></code></code> is present,
let <var>userHandle</var> be its value. Verify that <var>userHandle</var> also maps to the same user.</p>
      <dt data-md>If the user was not identified before the <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony①①">authentication ceremony</a> was initiated,
      <dd data-md>
       <p>verify that <code><var>response</var>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorassertionresponse-userhandle" id="ref-for-dom-authenticatorassertionresponse-userhandle④">userHandle</a></code></code> is
present, and that the user identified by this value is the owner of <var>credentialSource</var>.</p>
     </dl>
    <li data-md>
     <p>Using <code><var>credential</var>.<code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-id" id="ref-for-dom-credential-id③">id</a></code></code> (or <code><var>credential</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-rawid" id="ref-for-dom-publickeycredential-rawid①">rawId</a></code></code>, if <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding⑨">base64url encoding</a> is inappropriate for your use case), look up the corresponding <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key②⑨">credential public key</a> and let <var>credentialPublicKey</var> be that <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③⓪">credential public key</a>.</p>
    <li data-md>
     <p>Let <var>cData</var>, <var>authData</var> and <var>sig</var> denote the value of <var>response</var>’s <code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson⑧">clientDataJSON</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-authenticatorassertionresponse-authenticatordata" id="ref-for-dom-authenticatorassertionresponse-authenticatordata②">authenticatorData</a></code>, and <code class="idl"><a data-link-type="idl" href="#dom-authenticatorassertionresponse-signature" id="ref-for-dom-authenticatorassertionresponse-signature②">signature</a></code> respectively.</p>
    <li data-md>
     <p>Let <var>JSONtext</var> be the result of running <a data-link-type="dfn" href="https://encoding.spec.whatwg.org/#utf-8-decode" id="ref-for-utf-8-decode③">UTF-8 decode</a> on the value of <var>cData</var>.</p>
     <p class="note" role="note"><span>Note:</span> Using any implementation of <a data-link-type="dfn" href="https://encoding.spec.whatwg.org/#utf-8-decode" id="ref-for-utf-8-decode④">UTF-8 decode</a> is acceptable as long as it yields the same result as that yielded by
the <a data-link-type="dfn" href="https://encoding.spec.whatwg.org/#utf-8-decode" id="ref-for-utf-8-decode⑤">UTF-8 decode</a> algorithm. In particular, any leading byte order mark (BOM) MUST be stripped.</p>
    <li data-md>
     <p>Let <var>C</var>, the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data①⓪">client data</a> claimed as used for the signature, be the result of running an implementation-specific
JSON parser on <var>JSONtext</var>.</p>
     <p class="note" role="note"><span>Note:</span> <var>C</var> may be any implementation-specific data structure representation, as long as <var>C</var>’s components are referenceable, as
required by this algorithm.</p>
    <li data-md>
     <p>Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-type" id="ref-for-dom-collectedclientdata-type⑧">type</a></code></code> is the string <code>webauthn.get</code>.</p>
    <li data-md>
     <p>Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge⑦">challenge</a></code></code> equals
the base64url encoding of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-challenge" id="ref-for-dom-publickeycredentialrequestoptions-challenge③">challenge</a></code></code>. In practice this means the Relying Party itself generated a fresh, unpredictable challenge for this specific ceremony, retained it server-side, and accepts it at most once; a challenge value echoed back from the client cannot provide replay protection.</p>
    <li data-md>
     <p>Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin⑧">origin</a></code></code> matches the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①④">Relying Party</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①③">origin</a>. This is an exact comparison of the full origin (scheme, host and port); prefix, suffix or substring matching can accept origins that the Relying Party does not control.</p>
    <li data-md>
     <p>Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-tokenbinding" id="ref-for-dom-collectedclientdata-tokenbinding⑥">tokenBinding</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-tokenbinding-status" id="ref-for-dom-tokenbinding-status③">status</a></code></code> matches the state of <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-1" id="ref-for-section-1⑤">Token Binding</a> for the TLS connection over which the assertion was obtained. If <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-1" id="ref-for-section-1⑥">Token Binding</a> was used on that TLS connection, also verify that <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-tokenbinding" id="ref-for-dom-collectedclientdata-tokenbinding⑦">tokenBinding</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-tokenbinding-id" id="ref-for-dom-tokenbinding-id③">id</a></code></code> matches the <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding①⓪">base64url encoding</a> of the <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-3.2" id="ref-for-section-3.2⑤">Token Binding ID</a> for the connection.</p>
    <li id="rp-op-verifying-assertion-step-rpid-hash">
     <a class="self-link" href="#rp-op-verifying-assertion-step-rpid-hash"></a> Verify that the <code><a data-link-type="dfn" href="#rpidhash" id="ref-for-rpidhash③">rpIdHash</a></code> in <var>authData</var> is the SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③③">RP ID</a> expected by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⑤">Relying Party</a>. 
     <p class="note" role="note"><span>Note:</span> If using the <a data-link-type="dfn" href="#appid" id="ref-for-appid①">appid</a> extension, this step needs some special logic. See <a href="#sctn-appid-extension">§ 10.1 FIDO AppID Extension (appid)</a> for details.</p>
    <li data-md>
     <p>Verify that the <a data-link-type="dfn" href="#concept-user-present" id="ref-for-concept-user-present⑤">User Present</a> bit of the <code><a data-link-type="dfn" href="#flags" id="ref-for-flags①⑧">flags</a></code> in <var>authData</var> is set.</p>
    <li data-md>
     <p>If <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④⓪">user verification</a> is required for this assertion, verify that the <a data-link-type="dfn" href="#concept-user-verified" id="ref-for-concept-user-verified⑤">User Verified</a> bit of the <code><a data-link-type="dfn" href="#flags" id="ref-for-flags①⑨">flags</a></code> in <var>authData</var> is set.</p>
    <li data-md>
     <p>Verify that the values of the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output⑧">client extension outputs</a> in <var>clientExtensionResults</var> and the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output⑤">authenticator extension
outputs</a> in the <code><a data-link-type="dfn" href="#authdataextensions" id="ref-for-authdataextensions⑧">extensions</a></code> in <var>authData</var> are as expected, considering the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input②">client
extension input</a> values that were given in <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions④">extensions</a></code></code> and any specific policy of the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⑥">Relying Party</a> regarding unsolicited extensions, i.e., those that were not specified as part of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions⑤">extensions</a></code></code>.
In the general case, the meaning of "are as expected" is specific to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⑦">Relying Party</a> and which extensions are in use.</p>
     <p class="note" role="note"><span>Note:</span> <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④②">Client platforms</a> MAY enact local policy that sets additional <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension③">authenticator extensions</a> or <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension③">client extensions</a> and thus cause values to appear in the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output⑥">authenticator extension outputs</a> or <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output⑨">client extension outputs</a> that were not originally specified as part of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions⑥">extensions</a></code></code>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⑧">Relying Parties</a> MUST be prepared to handle such
situations, whether it be to ignore the unsolicited extensions or reject the assertion. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⑨">Relying Party</a> can make this
decision based on local policy and the extensions in use.</p>
     <p class="note" role="note"><span>Note:</span> Since all extensions are OPTIONAL for both the <a data-link-type="dfn" href="#client" id="ref-for-client⑤⑧">client</a> and the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧②">authenticator</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⓪">Relying Party</a> MUST also be
prepared to handle cases where none or not all of the requested extensions were acted upon.</p>
    <li data-md>
     <p>Let <var>hash</var> be the result of computing a hash over the raw bytes of <var>cData</var> exactly as received (not over a re-serialization of the parsed <var>C</var>) using SHA-256.</p>
    <li data-md>
     <p>Using <var>credentialPublicKey</var>, verify that <var>sig</var> is a valid signature over the binary concatenation of <var>authData</var> and <var>hash</var>, using the signature algorithm that was bound to <var>credentialPublicKey</var> when the credential was registered rather than any algorithm indication derived from the response.</p>
     <p class="note" role="note"><span>Note:</span> This verification step is compatible with signatures generated by FIDO U2F authenticators. See <a href="#sctn-fido-u2f-sig-format-compat">§ 6.1.2 FIDO U2F Signature Format Compatibility</a>.</p>
    <li data-md>
     <p>Let <var>storedSignCount</var> be the stored <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter②③">signature counter</a> value associated with <code><var>credential</var>.<code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-id" id="ref-for-dom-credential-id④">id</a></code></code>.
If <var>authData</var>.<code><a data-link-type="dfn" href="#signcount" id="ref-for-signcount④">signCount</a></code> is nonzero or <var>storedSignCount</var> is nonzero,
then run the following sub-step (if both values are zero, the authenticator has supplied no counter, which typically means it does not implement one, and no clone detection is possible from this ceremony):</p>
     <ul>
      <li data-md>
       <p>If <var>authData</var>.<code><a data-link-type="dfn" href="#signcount" id="ref-for-signcount⑤">signCount</a></code> is</p>
       <dl class="switch">
        <dt>greater than <var>storedSignCount</var>:
        <dd>Update <var>storedSignCount</var> to be the value of <var>authData</var>.<code><a data-link-type="dfn" href="#signcount" id="ref-for-signcount⑥">signCount</a></code>.
        <dt>less than or equal to <var>storedSignCount</var>:
         <dd>This is a signal that
           the authenticator may be cloned, i.e. at least
           two copies of the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key②⓪">credential private key</a> may exist and are
           being used in parallel. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②①">Relying Parties</a> should incorporate this information
           into their risk scoring. Whether the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②②">Relying Party</a> updates <var>storedSignCount</var> in this case, and whether it fails the <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony①②">authentication ceremony</a>, is <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②③">Relying Party</a>-specific.
       </dl>
     </ul>
    <li data-md>
     <p>If all the above steps are successful, continue with the <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony①③">authentication ceremony</a> as appropriate. Otherwise, fail the <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony①④">authentication ceremony</a>.</p>
   </ol>
   <h2 class="heading settled" data-level="8" id="sctn-defined-attestation-formats"><span class="secno">8. </span><span class="content">Defined Attestation Statement Formats</span><a class="self-link" href="#sctn-defined-attestation-formats"></a></h2>
   <p>WebAuthn supports pluggable attestation statement formats. This section defines an initial set of such formats.</p>
   <h3 class="heading settled" data-level="8.1" id="sctn-attstn-fmt-ids"><span class="secno">8.1. </span><span class="content">Attestation Statement Format Identifiers</span><a class="self-link" href="#sctn-attstn-fmt-ids"></a></h3>
   <p>Attestation statement formats are identified by a string, called an <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-statement-format-identifier">attestation statement format identifier</dfn>, chosen by
the author of the <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format①⑥">attestation statement format</a>.</p>
   <p>Attestation statement format identifiers SHOULD be registered in the
IANA "WebAuthn Attestation Statement Format Identifiers" registry <a data-link-type="biblio" href="#biblio-iana-webauthn-registries">[IANA-WebAuthn-Registries]</a> established by <a data-link-type="biblio" href="#biblio-rfc8809">[RFC8809]</a>.
All registered attestation statement format identifiers are unique amongst themselves as a matter of course.</p>
   <p>Unregistered attestation statement format identifiers SHOULD use lowercase reverse domain-name naming, using a domain name
registered by the developer, in order to assure uniqueness of the identifier. All attestation statement format identifiers MUST
be a maximum of 32 octets in length and MUST consist only of printable USASCII characters, excluding backslash and doublequote,
i.e., VCHAR as defined in <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a> but without %x22 and %x5c.</p>
   <p class="note" role="note"><span>Note:</span> This means attestation statement format identifiers based on domain names MUST incorporate only LDH Labels <a data-link-type="biblio" href="#biblio-rfc5890">[RFC5890]</a>.</p>
   <p>Implementations MUST match WebAuthn attestation statement format identifiers in a case-sensitive fashion.</p>
   <p>Attestation statement formats that may exist in multiple versions SHOULD include a version in their identifier. In effect,
different versions are thus treated as different formats, e.g., <code>packed2</code> as a new version of the <a href="#sctn-packed-attestation">§ 8.2 Packed Attestation Statement Format</a>.</p>
   <p>The following sections present a set of currently-defined and registered attestation statement formats and their identifiers.
The up-to-date list of registered <a data-link-type="dfn" href="#attestation-statement-format-identifier">attestation statement format identifiers</a> is maintained in the
IANA "WebAuthn Attestation Statement Format Identifiers" registry <a data-link-type="biblio" href="#biblio-iana-webauthn-registries">[IANA-WebAuthn-Registries]</a> established by <a data-link-type="biblio" href="#biblio-rfc8809">[RFC8809]</a>.</p>
   <h3 class="heading settled" data-level="8.2" id="sctn-packed-attestation"><span class="secno">8.2. </span><span class="content">Packed Attestation Statement Format</span><a class="self-link" href="#sctn-packed-attestation"></a></h3>
   <p>This is a WebAuthn-optimized attestation statement format. It uses a very compact but still extensible encoding method. It is
implementable by <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧③">authenticators</a> with limited resources (e.g., secure elements).</p>
   <dl>
    <dt data-md>Attestation statement format identifier
    <dd data-md>
     <p>packed</p>
    <dt data-md>Attestation types supported
    <dd data-md>
     <p><a data-link-type="dfn" href="#basic" id="ref-for-basic①">Basic</a>, <a data-link-type="dfn" href="#self" id="ref-for-self">Self</a>, <a data-link-type="dfn" href="#attca" id="ref-for-attca①">AttCA</a></p>
    <dt data-md>Syntax
    <dd data-md>
     <p>The syntax of a Packed Attestation statement is defined by the following CDDL:</p>
<pre>    $$attStmtType //= (
                          fmt: "packed",
                          attStmt: packedStmtFormat
                      )

    packedStmtFormat = {
                           alg: COSEAlgorithmIdentifier,
                           sig: bytes,
                           x5c: [ attestnCert: bytes, * (caCert: bytes) ]
                       } //
                       {
                           alg: COSEAlgorithmIdentifier
                           sig: bytes,
                       }
</pre>
     <p>The semantics of the fields are as follows:</p>
     <dl>
      <dt data-md>alg
      <dd data-md>
       <p>A <code class="idl"><a data-link-type="idl" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier①②">COSEAlgorithmIdentifier</a></code> containing the identifier of the algorithm used to generate the <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature⑨">attestation signature</a>.</p>
      <dt data-md>sig
      <dd data-md>
       <p>A byte string containing the <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature①⓪">attestation signature</a>.</p>
      <dt data-md>x5c
      <dd data-md>
       <p>The elements of this array contain <var>attestnCert</var> and its certificate chain (if any), each encoded in X.509 format. The attestation
certificate <var>attestnCert</var> MUST be the first element in the array.</p>
      <dt data-md>attestnCert
      <dd data-md>
       <p>The attestation certificate, encoded in X.509 format.</p>
     </dl>
    <dt data-md>Signing procedure
    <dd data-md>
     <p>The signing procedure for this attestation statement format is
similar to <a href="#fig-signature">the procedure for generating assertion signatures</a>.</p>
     <ol>
      <li data-md>
       <p>Let <var>authenticatorData</var> denote the <a data-link-type="dfn" href="#authenticator-data-for-the-attestation" id="ref-for-authenticator-data-for-the-attestation">authenticator data for the attestation</a>,
and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data①④">hash of the serialized client data</a>.</p>
      <li data-md>
       <p>If <a data-link-type="dfn" href="#basic" id="ref-for-basic②">Basic</a> or <a data-link-type="dfn" href="#attca" id="ref-for-attca②">AttCA</a> <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①⑧">attestation</a> is in use, the authenticator produces the <var>sig</var> by concatenating <var>authenticatorData</var> and <var>clientDataHash</var>, and signing the result using an <a data-link-type="dfn" href="#attestation-private-key" id="ref-for-attestation-private-key③">attestation private key</a> selected through an authenticator-specific
mechanism. It sets <var>x5c</var> to <var>attestnCert</var> followed by the related certificate chain (if any). It sets <var>alg</var> to the algorithm of the
attestation private key.</p>
      <li data-md>
       <p>If <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①⑤">self attestation</a> is in use, the authenticator produces <var>sig</var> by concatenating <var>authenticatorData</var> and <var>clientDataHash</var>,
and signing the result using the credential private key. It sets <var>alg</var> to the algorithm of the credential private key and
omits the other fields.</p>
     </ol>
    <dt data-md>Verification procedure
    <dd data-md>
     <p>Given the <a data-link-type="dfn" href="#verification-procedure-inputs" id="ref-for-verification-procedure-inputs">verification procedure inputs</a> <var>attStmt</var>, <var>authenticatorData</var> and <var>clientDataHash</var>, the <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure⑦">verification procedure</a> is
as follows:</p>
     <ol>
      <li data-md>
       <p>Verify that <var>attStmt</var> is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract
the contained fields.</p>
      <li data-md>
       <p>If <var>x5c</var> is present:</p>
       <ul>
        <li data-md>
         <p>Verify that <var>sig</var> is a valid signature over the concatenation of <var>authenticatorData</var> and <var>clientDataHash</var> using the
attestation public key in <var>attestnCert</var> with the algorithm specified in <var>alg</var>.</p>
        <li data-md>
         <p>Verify that <var>attestnCert</var> meets the requirements in <a href="#sctn-packed-attestation-cert-requirements">§ 8.2.1 Packed Attestation Statement Certificate Requirements</a>.</p>
        <li data-md>
         <p>If <var>attestnCert</var> contains an extension with OID <code>1.3.6.1.4.1.45724.1.1.4</code> (<code>id-fido-gen-ce-aaguid</code>), verify that the
value of this extension matches the <code><a data-link-type="dfn" href="#aaguid" id="ref-for-aaguid⑦">aaguid</a></code> in <var>authenticatorData</var>.</p>
        <li data-md>
         <p>Optionally, inspect <var>x5c</var> and consult externally provided knowledge to determine whether <var>attStmt</var> conveys a <a data-link-type="dfn" href="#basic" id="ref-for-basic③">Basic</a> or <a data-link-type="dfn" href="#attca" id="ref-for-attca③">AttCA</a> attestation.</p>
        <li data-md>
         <p>If successful, return implementation-specific values representing <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①⑤">attestation type</a> <a data-link-type="dfn" href="#basic" id="ref-for-basic④">Basic</a>, <a data-link-type="dfn" href="#attca" id="ref-for-attca④">AttCA</a> or
uncertainty, and <a data-link-type="dfn" href="#attestation-trust-path" id="ref-for-attestation-trust-path③">attestation trust path</a> <var>x5c</var>.</p>
       </ul>
      <li data-md>
       <p>If <var>x5c</var> is not present, <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①⑥">self attestation</a> is in use.</p>
       <ul>
        <li data-md>
         <p>Validate that <var>alg</var> matches the algorithm of the <code><a data-link-type="dfn" href="#credentialpublickey" id="ref-for-credentialpublickey⑦">credentialPublicKey</a></code> in <var>authenticatorData</var>.</p>
        <li data-md>
         <p>Verify that <var>sig</var> is a valid signature over the concatenation of <var>authenticatorData</var> and <var>clientDataHash</var> using the
credential public key with <var>alg</var>.</p>
        <li data-md>
         <p>If successful, return implementation-specific values representing <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①⑥">attestation type</a> <a data-link-type="dfn" href="#self" id="ref-for-self①">Self</a> and an empty <a data-link-type="dfn" href="#attestation-trust-path" id="ref-for-attestation-trust-path④">attestation trust path</a>.</p>
       </ul>
     </ol>
   </dl>
   <h4 class="heading settled" data-level="8.2.1" id="sctn-packed-attestation-cert-requirements"><span class="secno">8.2.1. </span><span class="content">Packed Attestation Statement Certificate Requirements</span><a class="self-link" href="#sctn-packed-attestation-cert-requirements"></a></h4>
   <p>The attestation certificate MUST have the following fields/extensions:</p>
   <ul>
    <li data-md>
     <p>Version MUST be set to 3 (which is indicated by an ASN.1 INTEGER with value 2).</p>
    <li data-md>
     <p>Subject field MUST be set to:</p>
     <dl>
      <dt data-md>Subject-C
      <dd data-md>
       <p>ISO 3166 code specifying the country where the Authenticator vendor is incorporated (PrintableString)</p>
      <dt data-md>Subject-O
      <dd data-md>
       <p>Legal name of the Authenticator vendor (UTF8String)</p>
      <dt data-md>Subject-OU
      <dd data-md>
       <p>Literal string “Authenticator Attestation” (UTF8String)</p>
      <dt data-md>Subject-CN
      <dd data-md>
       <p>A UTF8String of the vendor’s choosing</p>
     </dl>
    <li data-md>
     <p>If the related attestation root certificate is used for multiple authenticator models, the Extension OID <code>1.3.6.1.4.1.45724.1.1.4</code> (<code>id-fido-gen-ce-aaguid</code>) MUST be present, containing the AAGUID as a 16-byte OCTET STRING.
The extension MUST NOT be marked as critical.</p>
     <p>Note that an X.509 Extension encodes the DER-encoding of the value in an OCTET STRING.
Thus, the AAGUID MUST be wrapped in <i>two</i> OCTET STRINGS to be valid. Here is a sample, encoded Extension structure:</p>
<pre>30 21                                     -- SEQUENCE
  06 0b 2b 06 01 04 01 82 e5 1c 01 01 04  -- 1.3.6.1.4.1.45724.1.1.4
  04 12                                   -- OCTET STRING
    04 10                                 -- OCTET STRING
      cd 8c 39 5c 26 ed ee de             -- AAGUID
      65 3b 00 79 7d 03 ca 3c
</pre>
    <li data-md>
     <p>The Basic Constraints extension MUST have the CA component set to <code>false</code>.</p>
    <li data-md>
     <p>An Authority Information Access (AIA) extension with entry <code>id-ad-ocsp</code> and a CRL Distribution Point extension <a data-link-type="biblio" href="#biblio-rfc5280">[RFC5280]</a> are both OPTIONAL as the status of many attestation certificates is available through authenticator metadata services.
See, for example, the FIDO Metadata Service <a data-link-type="biblio" href="#biblio-fidometadataservice">[FIDOMetadataService]</a>.</p>
   </ul>
   <h3 class="heading settled" data-level="8.3" id="sctn-tpm-attestation"><span class="secno">8.3. </span><span class="content">TPM Attestation Statement Format</span><a class="self-link" href="#sctn-tpm-attestation"></a></h3>
   <p>This attestation statement format is generally used by authenticators that use a Trusted Platform Module as their cryptographic
engine.</p>
   <dl>
    <dt data-md>Attestation statement format identifier
    <dd data-md>
     <p>tpm</p>
    <dt data-md>Attestation types supported
    <dd data-md>
     <p><a data-link-type="dfn" href="#attca" id="ref-for-attca⑤">AttCA</a></p>
    <dt data-md>Syntax
    <dd data-md>
     <p>The syntax of a TPM Attestation statement is as follows:</p>
<pre>    $$attStmtType //= (
                           fmt: "tpm",
                           attStmt: tpmStmtFormat
                       )

    tpmStmtFormat = {
                        ver: "2.0",
                        (
                            alg: COSEAlgorithmIdentifier,
                            x5c: [ aikCert: bytes, * (caCert: bytes) ]
                        )
                        sig: bytes,
                        certInfo: bytes,
                        pubArea: bytes
                    }
</pre>
     <p>The semantics of the above fields are as follows:</p>
     <dl>
      <dt data-md>ver
      <dd data-md>
       <p>The version of the TPM specification to which the signature conforms.</p>
      <dt data-md>alg
      <dd data-md>
       <p>A <code class="idl"><a data-link-type="idl" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier①③">COSEAlgorithmIdentifier</a></code> containing the identifier of the algorithm used to generate the <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature①①">attestation signature</a>.</p>
      <dt data-md>x5c
      <dd data-md>
       <p><var>aikCert</var> followed by its certificate chain, in X.509 encoding.</p>
      <dt data-md>aikCert
      <dd data-md>
       <p>The AIK certificate used for the attestation, in X.509 encoding.</p>
      <dt data-md>sig
      <dd data-md>
       <p>The <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature①②">attestation signature</a>, in the form of a TPMT_SIGNATURE structure as specified in <a data-link-type="biblio" href="#biblio-tpmv2-part2">[TPMv2-Part2]</a> section 11.3.4.</p>
      <dt data-md>certInfo
      <dd data-md>
       <p>The TPMS_ATTEST structure over which the above signature was computed, as specified in <a data-link-type="biblio" href="#biblio-tpmv2-part2">[TPMv2-Part2]</a> section 10.12.8.</p>
      <dt data-md>pubArea
      <dd data-md>
       <p>The TPMT_PUBLIC structure (see <a data-link-type="biblio" href="#biblio-tpmv2-part2">[TPMv2-Part2]</a> section 12.2.4) used by the TPM to represent the credential public key.</p>
     </dl>
    <dt data-md>Signing procedure
    <dd data-md>
     <p>Let <var>authenticatorData</var> denote the <a data-link-type="dfn" href="#authenticator-data-for-the-attestation" id="ref-for-authenticator-data-for-the-attestation①">authenticator data for the attestation</a>, and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data①⑤">hash of the serialized client data</a>.</p>
     <p>Concatenate <var>authenticatorData</var> and <var>clientDataHash</var> to form <var>attToBeSigned</var>.</p>
     <p>Generate a signature using the procedure specified in <a data-link-type="biblio" href="#biblio-tpmv2-part3">[TPMv2-Part3]</a> Section 18.2, using the attestation private key and
setting the <code>extraData</code> parameter to the digest of <var>attToBeSigned</var> using the hash algorithm corresponding to the "alg" signature algorithm.
(For the "RS256" algorithm, this would be a SHA-256 digest.)</p>
     <p>Set the <var>pubArea</var> field to the public area of the credential public key, the <var>certInfo</var> field to the output parameter of the
same name, and the <var>sig</var> field to the signature obtained from the above procedure.</p>
    <dt data-md>Verification procedure
    <dd data-md>
     <p>Given the <a data-link-type="dfn" href="#verification-procedure-inputs" id="ref-for-verification-procedure-inputs①">verification procedure inputs</a> <var>attStmt</var>, <var>authenticatorData</var> and <var>clientDataHash</var>, the <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure⑧">verification procedure</a> is
as follows:</p>
     <p>Verify that <var>attStmt</var> is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the
contained fields.</p>
     <p>Verify that the public key specified by the <code>parameters</code> and <code>unique</code> fields of <var>pubArea</var> is identical to the <code><a data-link-type="dfn" href="#credentialpublickey" id="ref-for-credentialpublickey⑧">credentialPublicKey</a></code> in the <code><a data-link-type="dfn" href="#attestedcredentialdata" id="ref-for-attestedcredentialdata⑨">attestedCredentialData</a></code> in <var>authenticatorData</var>.</p>
     <p>Concatenate <var>authenticatorData</var> and <var>clientDataHash</var> to form <var>attToBeSigned</var>.</p>
     <p>Validate that <var>certInfo</var> is valid:</p>
     <ul>
      <li data-md>
       <p>Verify that <code>magic</code> is set to <code>TPM_GENERATED_VALUE</code>.</p>
      <li data-md>
       <p>Verify that <code>type</code> is set to <code>TPM_ST_ATTEST_CERTIFY</code>.</p>
      <li data-md>
       <p>Verify that <code>extraData</code> is set to the hash of <var>attToBeSigned</var> using the hash algorithm employed in "alg".</p>
      <li data-md>
       <p>Verify that <code>attested</code> contains a <code>TPMS_CERTIFY_INFO</code> structure as specified in <a data-link-type="biblio" href="#biblio-tpmv2-part2">[TPMv2-Part2]</a> section 10.12.3,
whose <code>name</code> field contains a valid Name for <var>pubArea</var>,
as computed using the algorithm in the <code>nameAlg</code> field of <var>pubArea</var> using the procedure specified in <a data-link-type="biblio" href="#biblio-tpmv2-part1">[TPMv2-Part1]</a> section 16.</p>
      <li data-md>
       <p>Verify that <var>x5c</var> is present.</p>
      <li data-md>
       <p>Note that the remaining fields in the "Standard Attestation Structure" <a data-link-type="biblio" href="#biblio-tpmv2-part1">[TPMv2-Part1]</a> section 31.2, i.e., <code>qualifiedSigner</code>, <code>clockInfo</code> and <code>firmwareVersion</code>, are ignored.
These fields MAY be used as an input to risk engines.</p>
      <li data-md>
       <p>Verify that <var>sig</var> is a valid signature over <var>certInfo</var> using the attestation public key in <var>aikCert</var> with the
algorithm specified in <var>alg</var>.</p>
      <li data-md>
       <p>Verify that <var>aikCert</var> meets the requirements in <a href="#sctn-tpm-cert-requirements">§ 8.3.1 TPM Attestation Statement Certificate Requirements</a>.</p>
      <li data-md>
       <p>If <var>aikCert</var> contains an extension with OID <code>1.3.6.1.4.1.45724.1.1.4</code> (<code>id-fido-gen-ce-aaguid</code>), verify that the value of this
extension matches the <code><a data-link-type="dfn" href="#aaguid" id="ref-for-aaguid⑧">aaguid</a></code> in <var>authenticatorData</var>.</p>
      <li data-md>
       <p>If successful, return implementation-specific values representing <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①⑦">attestation type</a> <a data-link-type="dfn" href="#attca" id="ref-for-attca⑥">AttCA</a> and <a data-link-type="dfn" href="#attestation-trust-path" id="ref-for-attestation-trust-path⑤">attestation trust
path</a> <var>x5c</var>.</p>
     </ul>
   </dl>
   <h4 class="heading settled" data-level="8.3.1" id="sctn-tpm-cert-requirements"><span class="secno">8.3.1. </span><span class="content">TPM Attestation Statement Certificate Requirements</span><a class="self-link" href="#sctn-tpm-cert-requirements"></a></h4>
   <p>The TPM <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate⑥">attestation certificate</a> MUST have the following fields/extensions:</p>
   <ul>
    <li data-md>
     <p>Version MUST be set to 3.</p>
    <li data-md>
     <p>Subject field MUST be set to empty.</p>
    <li data-md>
     <p>The Subject Alternative Name extension MUST be set as defined in <a data-link-type="biblio" href="#biblio-tpmv2-ek-profile">[TPMv2-EK-Profile]</a> section 3.2.9.</p>
    <li data-md>
     <p>The Extended Key Usage extension MUST contain the OID <code>2.23.133.8.3</code> ("joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)").</p>
    <li data-md>
     <p>The Basic Constraints extension MUST have the CA component set to <code>false</code>.</p>
    <li data-md>
     <p>An Authority Information Access (AIA) extension with entry <code>id-ad-ocsp</code> and a CRL Distribution Point extension <a data-link-type="biblio" href="#biblio-rfc5280">[RFC5280]</a> are
both OPTIONAL as the status of many attestation certificates is available through metadata services.
See, for example, the FIDO Metadata Service <a data-link-type="biblio" href="#biblio-fidometadataservice">[FIDOMetadataService]</a>.</p>
   </ul>
   <h3 class="heading settled" data-level="8.4" id="sctn-android-key-attestation"><span class="secno">8.4. </span><span class="content">Android Key Attestation Statement Format</span><a class="self-link" href="#sctn-android-key-attestation"></a></h3>
   <p>When the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧④">authenticator</a> in question is a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②③">platform authenticator</a> on the Android "N" or later platform, the
attestation statement is based on the <a href="https://source.android.com/security/keystore/attestation">Android key
attestation</a>. In these cases, the attestation statement
is produced by a component running in a secure operating environment, but the <a data-link-type="dfn" href="#authenticator-data-for-the-attestation" id="ref-for-authenticator-data-for-the-attestation②">authenticator data for the attestation</a> is
produced outside this environment. The <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party②⑧">WebAuthn Relying Party</a> is expected to check that the <a data-link-type="dfn" href="#authenticator-data-claimed-to-have-been-used-for-the-attestation" id="ref-for-authenticator-data-claimed-to-have-been-used-for-the-attestation">authenticator data claimed to have been used for
the attestation</a> is consistent with the fields of the attestation certificate’s extension data.</p>
   <dl>
    <dt data-md>Attestation statement format identifier
    <dd data-md>
     <p>android-key</p>
    <dt data-md>Attestation types supported
    <dd data-md>
     <p><a data-link-type="dfn" href="#basic" id="ref-for-basic⑤">Basic</a></p>
    <dt data-md>Syntax
    <dd data-md>
     <p>An Android key attestation statement consists simply of the Android attestation statement, which is a series of
DER-encoded X.509 certificates. See <a href="https://developer.android.com/training/articles/security-key-attestation.html">the Android developer documentation</a>. Its
syntax is defined as follows:</p>
<pre>    $$attStmtType //= (
                          fmt: "android-key",
                          attStmt: androidStmtFormat
                      )

    androidStmtFormat = {
                          alg: COSEAlgorithmIdentifier,
                          sig: bytes,
                          x5c: [ credCert: bytes, * (caCert: bytes) ]
                        }

</pre>
    <dt data-md>Signing procedure
    <dd data-md>
     <p>Let <var>authenticatorData</var> denote the <a data-link-type="dfn" href="#authenticator-data-for-the-attestation" id="ref-for-authenticator-data-for-the-attestation③">authenticator data for the attestation</a>, and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data①⑥">hash of the serialized client data</a>.</p>
     <p>Request an Android Key Attestation by calling <code>keyStore.getCertificateChain(myKeyUUID)</code> providing <var>clientDataHash</var> as the
challenge value (e.g., by using <a href="https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder.html#setAttestationChallenge(byte%5B%5D)"> setAttestationChallenge</a>). Set <var>x5c</var> to the returned value.</p>
     <p>The authenticator produces <var>sig</var> by concatenating <var>authenticatorData</var> and <var>clientDataHash</var>,
and signing the result using the credential private key. It sets <var>alg</var> to the algorithm of the signature format.</p>
    <dt data-md>Verification procedure
    <dd data-md>
     <p>Given the <a data-link-type="dfn" href="#verification-procedure-inputs" id="ref-for-verification-procedure-inputs②">verification procedure inputs</a> <var>attStmt</var>, <var>authenticatorData</var> and <var>clientDataHash</var>, the <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure⑨">verification procedure</a> is
as follows:</p>
     <ul>
      <li data-md>
       <p>Verify that <var>attStmt</var> is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the
contained fields.</p>
      <li data-md>
       <p>Verify that <var>sig</var> is a valid signature over the concatenation of <var>authenticatorData</var> and <var>clientDataHash</var> using the
public key in the first certificate in <var>x5c</var> with the algorithm specified in <var>alg</var>.</p>
      <li data-md>
       <p>Verify that the public key in the first certificate in <var>x5c</var> matches the <code><a data-link-type="dfn" href="#credentialpublickey" id="ref-for-credentialpublickey⑨">credentialPublicKey</a></code> in the <code><a data-link-type="dfn" href="#attestedcredentialdata" id="ref-for-attestedcredentialdata①⓪">attestedCredentialData</a></code> in <var>authenticatorData</var>.</p>
      <li data-md>
       <p>Verify that the <code>attestationChallenge</code> field in the <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate⑦">attestation certificate</a> <a data-link-type="dfn" href="#android-key-attestation-certificate-extension-data" id="ref-for-android-key-attestation-certificate-extension-data">extension data</a> is identical to <var>clientDataHash</var>.</p>
      <li data-md>
       <p>Verify the following using the appropriate authorization list from the attestation certificate <a data-link-type="dfn" href="#android-key-attestation-certificate-extension-data" id="ref-for-android-key-attestation-certificate-extension-data①">extension data</a>:</p>
       <ul>
        <li data-md>
         <p>The <code>AuthorizationList.allApplications</code> field is <em>not</em> present on either authorization list
(<code>softwareEnforced</code> or <code>teeEnforced</code>), since PublicKeyCredential MUST be <a data-link-type="dfn" href="#scope" id="ref-for-scope①④">scoped</a> to the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③④">RP ID</a>.</p>
        <li data-md>
         <p>For the following, use only the <code>teeEnforced</code> authorization list if the RP wants to accept only keys from a
trusted execution environment; otherwise, use the union of <code>teeEnforced</code> and <code>softwareEnforced</code>.</p>
         <ul>
          <li data-md>
           <p>The value in the <code>AuthorizationList.origin</code> field is equal to <code>KM_ORIGIN_GENERATED</code>.</p>
          <li data-md>
           <p>The value in the <code>AuthorizationList.purpose</code> field is equal to <code>KM_PURPOSE_SIGN</code>.</p>
         </ul>
       </ul>
      <li data-md>
       <p>If successful, return implementation-specific values representing <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①⑧">attestation type</a> <a data-link-type="dfn" href="#basic" id="ref-for-basic⑥">Basic</a> and <a data-link-type="dfn" href="#attestation-trust-path" id="ref-for-attestation-trust-path⑥">attestation trust
path</a> <var>x5c</var>.</p>
     </ul>
   </dl>
   <h4 class="heading settled" data-level="8.4.1" id="sctn-key-attstn-cert-requirements"><span class="secno">8.4.1. </span><span class="content">Android Key Attestation Statement Certificate Requirements</span><a class="self-link" href="#sctn-key-attstn-cert-requirements"></a></h4>
   <p>Android Key Attestation <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate⑧">attestation certificate</a>'s <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="android key attestation certificate extension data" data-noexport id="android-key-attestation-certificate-extension-data">android key attestation certificate extension
data</dfn> is identified by the OID <code>1.3.6.1.4.1.11129.2.1.17</code>, and its schema is defined in the <a href="https://developer.android.com/training/articles/security-key-attestation#certificate_schema">Android developer documentation</a>.</p>
   <h3 class="heading settled" data-level="8.5" id="sctn-android-safetynet-attestation"><span class="secno">8.5. </span><span class="content">Android SafetyNet Attestation Statement Format</span><a class="self-link" href="#sctn-android-safetynet-attestation"></a></h3>
   <p>When the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧⑤">authenticator</a> is a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②④">platform authenticator</a> on certain Android platforms, the attestation
statement may be based on the <a href="https://developer.android.com/training/safetynet/attestation#compat-check-response">SafetyNet API</a>. In
this case the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data④⓪">authenticator data</a> is completely controlled by the caller of the SafetyNet API (typically an application
running on the Android platform) and the attestation statement provides some statements about the health of the platform
and the identity of the calling application
(see <a href="https://developer.android.com/training/safetynet/attestation.html">SafetyNet Documentation</a> for more details).</p>
   <dl>
    <dt data-md>Attestation statement format identifier
    <dd data-md>
     <p>android-safetynet</p>
    <dt data-md>Attestation types supported
    <dd data-md>
     <p><a data-link-type="dfn" href="#basic" id="ref-for-basic⑦">Basic</a></p>
    <dt data-md>Syntax
    <dd data-md>
     <p>The syntax of an Android SafetyNet attestation statement is defined as follows:</p>
<pre>    $$attStmtType //= (
                          fmt: "android-safetynet",
                          attStmt: safetynetStmtFormat
                      )

    safetynetStmtFormat = {
                              ver: text,
                              response: bytes
                          }
</pre>
     <p>The semantics of the above fields are as follows:</p>
     <dl>
      <dt data-md>ver
      <dd data-md>
       <p>The version number of Google Play Services responsible for providing the SafetyNet API.</p>
      <dt data-md>response
      <dd data-md>
       <p>The <a data-link-type="dfn" href="https://encoding.spec.whatwg.org/#utf-8-encode" id="ref-for-utf-8-encode">UTF-8 encoded</a> result of the getJwsResult() call of the SafetyNet API. This value is a JWS <a data-link-type="biblio" href="#biblio-rfc7515">[RFC7515]</a> object (see <a href="https://developer.android.com/training/safetynet/attestation#compat-check-response">SafetyNet online documentation</a>)
in Compact Serialization.</p>
     </dl>
    <dt data-md>Signing procedure
    <dd data-md>
     <p>Let <var>authenticatorData</var> denote the <a data-link-type="dfn" href="#authenticator-data-for-the-attestation" id="ref-for-authenticator-data-for-the-attestation④">authenticator data for the attestation</a>, and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data①⑦">hash of the serialized client data</a>.</p>
     <p>Concatenate <var>authenticatorData</var> and <var>clientDataHash</var>, perform SHA-256 hash of the concatenated string, and
let the result of the hash form <var>attToBeSigned</var>.</p>
     <p>Request a SafetyNet attestation, providing <var>attToBeSigned</var> as the nonce value. Set <var>response</var> to the result, and <var>ver</var> to
the version of Google Play Services running in the authenticator.</p>
    <dt data-md>Verification procedure
    <dd data-md>
     <p>Given the <a data-link-type="dfn" href="#verification-procedure-inputs" id="ref-for-verification-procedure-inputs③">verification procedure inputs</a> <var>attStmt</var>, <var>authenticatorData</var> and <var>clientDataHash</var>, the <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure①⓪">verification procedure</a> is
as follows:</p>
     <ul>
      <li data-md>
       <p>Verify that <var>attStmt</var> is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the
contained fields.</p>
      <li data-md>
       <p>Verify that <var>response</var> is a valid SafetyNet response of version <var>ver</var> by following the steps indicated by the <a href="https://developer.android.com/training/safetynet/attestation.html#compat-check-response">SafetyNet online documentation</a>.
As of this writing, there is only one format of the SafetyNet response and <var>ver</var> is reserved for future use.</p>
      <li data-md>
       <p>Verify that the <code>nonce</code> attribute in the payload of <var>response</var> is identical to the Base64 encoding of the SHA-256 hash of the concatenation of <var>authenticatorData</var> and <var>clientDataHash</var>.</p>
      <li data-md>
       <p>Verify that the SafetyNet response actually came from the SafetyNet service by following the steps in the <a href="https://developer.android.com/training/safetynet/attestation#compat-check-response">SafetyNet online documentation</a>.</p>
      <li data-md>
       <p>If successful, return implementation-specific values representing <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①⑨">attestation type</a> <a data-link-type="dfn" href="#basic" id="ref-for-basic⑧">Basic</a> and <a data-link-type="dfn" href="#attestation-trust-path" id="ref-for-attestation-trust-path⑦">attestation trust
path</a> <var>x5c</var>.</p>
     </ul>
   </dl>
   <h3 class="heading settled" data-level="8.6" id="sctn-fido-u2f-attestation"><span class="secno">8.6. </span><span class="content">FIDO U2F Attestation Statement Format</span><a class="self-link" href="#sctn-fido-u2f-attestation"></a></h3>
   <p>This attestation statement format is used with FIDO U2F authenticators using the formats defined in <a data-link-type="biblio" href="#biblio-fido-u2f-message-formats">[FIDO-U2F-Message-Formats]</a>.</p>
   <dl>
    <dt data-md>Attestation statement format identifier
    <dd data-md>
     <p>fido-u2f</p>
    <dt data-md>Attestation types supported
    <dd data-md>
     <p><a data-link-type="dfn" href="#basic" id="ref-for-basic⑨">Basic</a>, <a data-link-type="dfn" href="#attca" id="ref-for-attca⑦">AttCA</a></p>
    <dt data-md>Syntax
    <dd data-md>
     <p>The syntax of a FIDO U2F attestation statement is defined as follows:</p>
<pre>    $$attStmtType //= (
                          fmt: "fido-u2f",
                          attStmt: u2fStmtFormat
                      )

    u2fStmtFormat = {
                        x5c: [ attestnCert: bytes ],
                        sig: bytes
                    }
</pre>
     <p>The semantics of the above fields are as follows:</p>
     <dl>
      <dt data-md>x5c
      <dd data-md>
       <p>A single element array containing the attestation certificate in X.509 format.</p>
      <dt data-md>sig
      <dd data-md>
       <p>The <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature①③">attestation signature</a>.
The signature was calculated over the (raw) U2F registration response message <a data-link-type="biblio" href="#biblio-fido-u2f-message-formats">[FIDO-U2F-Message-Formats]</a> received by the <a data-link-type="dfn" href="#client" id="ref-for-client⑤⑨">client</a> from the authenticator.</p>
     </dl>
    <dt data-md>Signing procedure
    <dd data-md>
     <p>If the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③①">credential public key</a> of the <a data-link-type="dfn" href="#attestedcredentialdata" id="ref-for-attestedcredentialdata①①">attested credential</a> is not of algorithm -7 ("ES256"), stop and return an error.
Otherwise, let <var>authenticatorData</var> denote the <a data-link-type="dfn" href="#authenticator-data-for-the-attestation" id="ref-for-authenticator-data-for-the-attestation⑤">authenticator data for the attestation</a>,
and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data①⑧">hash of the serialized client data</a>. (Since SHA-256 is used to hash the
serialized <a data-link-type="dfn" href="#client-data" id="ref-for-client-data①①">client data</a>, <var>clientDataHash</var> will be 32 bytes long.)</p>
     <p>Generate a Registration Response Message as specified in <a data-link-type="biblio" href="#biblio-fido-u2f-message-formats">[FIDO-U2F-Message-Formats]</a> <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#registration-response-message-success" id="ref-for-registration-response-message-success">Section 4.3</a>, with the application parameter set to the
SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⑤">RP ID</a> that the given <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤⑤">credential</a> is <a data-link-type="dfn" href="#scope" id="ref-for-scope①⑤">scoped</a> to, the challenge parameter set to <var>clientDataHash</var>, and the key handle
parameter set to the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id②⑧">credential ID</a> of the given credential. Set the raw signature part of this Registration Response Message (i.e., without the <a data-link-type="dfn" href="#user-public-key" id="ref-for-user-public-key①">user public key</a>,
key handle, and attestation certificates) as <var>sig</var> and set the attestation certificates of
the attestation public key as <var>x5c</var>.</p>
    <dt data-md>Verification procedure
    <dd data-md>
     <p>Given the <a data-link-type="dfn" href="#verification-procedure-inputs" id="ref-for-verification-procedure-inputs④">verification procedure inputs</a> <var>attStmt</var>, <var>authenticatorData</var> and <var>clientDataHash</var>, the <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure①①">verification procedure</a> is
as follows:</p>
     <ol>
      <li data-md>
       <p>Verify that <var>attStmt</var> is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the
contained fields.</p>
      <li data-md>
       <p>Check that <var>x5c</var> has exactly one element and let <var>attCert</var> be that element. Let <var>certificate public key</var> be the public key
conveyed by <var>attCert</var>. If <var>certificate public key</var> is not an Elliptic Curve (EC) public
key over the P-256 curve, terminate this algorithm and return an appropriate error.</p>
      <li data-md>
       <p>Extract the claimed <var>rpIdHash</var> from <var>authenticatorData</var>, and the claimed <var>credentialId</var> and <var>credentialPublicKey</var> from <var>authenticatorData</var>.<code><a data-link-type="dfn" href="#attestedcredentialdata" id="ref-for-attestedcredentialdata①②">attestedCredentialData</a></code>.</p>
      <li data-md>
       <p>Convert the COSE_KEY formatted <var>credentialPublicKey</var> (see <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8152#section-7" id="ref-for-section-7④">Section 7</a> of <a data-link-type="biblio" href="#biblio-rfc8152">[RFC8152]</a>) to Raw ANSI X9.62 public key
format (see ALG_KEY_ECC_X962_RAW in <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#public-key-representation-formats" id="ref-for-public-key-representation-formats">Section 3.6.2 Public Key Representation Formats</a> of <a data-link-type="biblio" href="#biblio-fido-registry">[FIDO-Registry]</a>).</p>
       <ul>
        <li data-md>
          <p>Let <var>x</var> be the value corresponding to the "-2" key (representing the x coordinate) in <var>credentialPublicKey</var>, and confirm
that it is 32 bytes in size.
If the size differs or the "-2" key is not found, terminate this algorithm and return an appropriate error.</p>
        <li data-md>
          <p>Let <var>y</var> be the value corresponding to the "-3" key (representing the y coordinate) in <var>credentialPublicKey</var>, and confirm
that it is 32 bytes in size.
If the size differs or the "-3" key is not found, terminate this algorithm and return an appropriate error.</p>
        <li data-md>
         <p>Let <var>publicKeyU2F</var> be the concatenation <code>0x04 || <var>x</var> || <var>y</var></code>.</p>
          <p class="note" role="note"><span>Note:</span> The leading <code>0x04</code> byte signifies the uncompressed ECC key format.</p>
       </ul>
      <li data-md>
       <p>Let <var>verificationData</var> be the concatenation of (0x00 || <var>rpIdHash</var> || <var>clientDataHash</var> || <var>credentialId</var> || <var>publicKeyU2F</var>) (see <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#registration-response-message-success" id="ref-for-registration-response-message-success①">Section 4.3</a> of <a data-link-type="biblio" href="#biblio-fido-u2f-message-formats">[FIDO-U2F-Message-Formats]</a>).</p>
      <li data-md>
       <p>Verify the <var>sig</var> using <var>verificationData</var> and the <var>certificate public key</var> per section 4.1.4 of <a data-link-type="biblio" href="#biblio-sec1">[SEC1]</a> with SHA-256 as the hash function used in step two.</p>
      <li data-md>
       <p>Optionally, inspect <var>x5c</var> and consult externally provided knowledge to determine whether <var>attStmt</var> conveys a <a data-link-type="dfn" href="#basic" id="ref-for-basic①⓪">Basic</a> or <a data-link-type="dfn" href="#attca" id="ref-for-attca⑧">AttCA</a> attestation.</p>
      <li data-md>
       <p>If successful, return implementation-specific values representing <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type②⓪">attestation type</a> <a data-link-type="dfn" href="#basic" id="ref-for-basic①①">Basic</a>, <a data-link-type="dfn" href="#attca" id="ref-for-attca⑨">AttCA</a> or uncertainty,
and <a data-link-type="dfn" href="#attestation-trust-path" id="ref-for-attestation-trust-path⑧">attestation trust path</a> <var>x5c</var>.</p>
     </ol>
   </dl>
   <h3 class="heading settled" data-level="8.7" id="sctn-none-attestation"><span class="secno">8.7. </span><span class="content">None Attestation Statement Format</span><a class="self-link" href="#sctn-none-attestation"></a></h3>
   <p>The none attestation statement format is used to replace any <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧⑥">authenticator</a>-provided <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③⑤">attestation statement</a> when a <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party②⑨">WebAuthn Relying Party</a> indicates it does not wish to receive attestation information, see <a href="#enum-attestation-convey">§ 5.4.7 Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)</a>.</p>
   <p>The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧⑦">authenticator</a> MAY also directly generate attestation statements of this format
if the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧⑧">authenticator</a> does not support <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①⑨">attestation</a>.</p>
   <dl>
    <dt data-md>Attestation statement format identifier
    <dd data-md>
     <p>none</p>
    <dt data-md>Attestation types supported
    <dd data-md>
     <p><a data-link-type="dfn" href="#none" id="ref-for-none⑤">None</a></p>
    <dt data-md>Syntax
    <dd data-md>
     <p>The syntax of a none attestation statement is defined as follows:</p>
<pre>    $$attStmtType //= (
                          fmt: "none",
                          attStmt: emptyMap
                      )

    emptyMap = {}
</pre>
    <dt data-md>Signing procedure
    <dd data-md>
     <p>Return the fixed attestation statement defined above.</p>
    <dt data-md>Verification procedure
    <dd data-md>
     <p>Return implementation-specific values representing <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type②①">attestation type</a> <a data-link-type="dfn" href="#none" id="ref-for-none⑥">None</a> and an empty <a data-link-type="dfn" href="#attestation-trust-path" id="ref-for-attestation-trust-path⑨">attestation trust path</a>.</p>
   </dl>
   <h3 class="heading settled" data-level="8.8" id="sctn-apple-anonymous-attestation"><span class="secno">8.8. </span><span class="content">Apple Anonymous Attestation Statement Format</span><a class="self-link" href="#sctn-apple-anonymous-attestation"></a></h3>
   <p>This attestation statement format is exclusively used by Apple for certain types of Apple devices that support WebAuthn.</p>
   <dl>
    <dt data-md>Attestation statement format identifier
    <dd data-md>
     <p>apple</p>
    <dt data-md>Attestation types supported
    <dd data-md>
     <p><a data-link-type="dfn" href="#anonymization-ca" id="ref-for-anonymization-ca④">Anonymization CA</a></p>
    <dt data-md>Syntax
    <dd data-md>
     <p>The syntax of an Apple attestation statement is defined as follows:</p>
<pre>    $$attStmtType //= (
                          fmt: "apple",
                          attStmt: appleStmtFormat
                      )

    appleStmtFormat = {
                          x5c: [ credCert: bytes, * (caCert: bytes) ]
                      }
</pre>
     <p>The semantics of the above fields are as follows:</p>
     <dl>
      <dt data-md>x5c
      <dd data-md>
       <p><var>credCert</var> followed by its certificate chain, each encoded in X.509 format.</p>
      <dt data-md>credCert
      <dd data-md>
       <p>The credential public key certificate used for attestation, encoded in X.509 format.</p>
     </dl>
    <dt data-md>Signing procedure
    <dd data-md>
     <ol>
      <li data-md>
       <p>Let <var>authenticatorData</var> denote the authenticator data for the attestation, and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data①⑨">hash of the serialized client data</a>.</p>
      <li data-md>
       <p>Concatenate <var>authenticatorData</var> and <var>clientDataHash</var> to form <var>nonceToHash</var>.</p>
      <li data-md>
       <p>Perform SHA-256 hash of <var>nonceToHash</var> to produce <var>nonce</var>.</p>
      <li data-md>
        <p>Let the Apple anonymous attestation CA generate an X.509 certificate for the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③②">credential public key</a> and include the <var>nonce</var> as a certificate extension with OID <code>1.2.840.113635.100.8.2</code>. <var>credCert</var> denotes this certificate. The <var>credCert</var> thus serves as a proof of the attestation, and the included <var>nonce</var> proves the attestation is live. In addition to that, the <var>nonce</var> also protects the integrity of the <var>authenticatorData</var> and <a data-link-type="dfn" href="#client-data" id="ref-for-client-data①②">client data</a>.</p>
      <li data-md>
       <p>Set <var>x5c</var> to <var>credCert</var> followed by its certificate chain.</p>
     </ol>
    <dt data-md>Verification procedure
    <dd data-md>
     <p>Given the verification procedure inputs <var>attStmt</var>, <var>authenticatorData</var> and <var>clientDataHash</var>, the verification procedure is as follows:</p>
     <ol>
      <li data-md>
       <p>Verify that <var>attStmt</var> is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the contained fields.</p>
      <li data-md>
       <p>Concatenate <var>authenticatorData</var> and <var>clientDataHash</var> to form <var>nonceToHash</var>.</p>
      <li data-md>
       <p>Perform SHA-256 hash of <var>nonceToHash</var> to produce <var>nonce</var>.</p>
      <li data-md>
       <p>Verify that <var>nonce</var> equals the value of the extension with OID <code>1.2.840.113635.100.8.2</code> in <var>credCert</var>.</p>
      <li data-md>
       <p>Verify that the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③③">credential public key</a> equals the Subject Public Key of <var>credCert</var>.</p>
      <li data-md>
       <p>If successful, return implementation-specific values representing attestation type <a data-link-type="dfn" href="#anonymization-ca" id="ref-for-anonymization-ca⑤">Anonymization CA</a> and attestation trust path <var>x5c</var>.</p>
     </ol>
   </dl>
   <h2 class="heading settled" data-level="9" id="sctn-extensions"><span class="secno">9. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="webauthn-extensions">WebAuthn Extensions</dfn></span><a class="self-link" href="#sctn-extensions"></a></h2>
   <p>The mechanism for generating <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤⑥">public key credentials</a>, as well as requesting and generating Authentication assertions, as
defined in <a href="#sctn-api">§ 5 Web Authentication API</a>, can be extended to suit particular use cases. Each case is addressed by defining a <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="registration extension" data-noexport id="registration-extension">registration
extension</dfn> and/or an <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authentication-extension">authentication extension</dfn>.</p>
   <p>Every extension is a <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client-extension">client extension</dfn>, meaning that the extension involves communication with and processing by the
client. <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension④">Client extensions</a> define the following steps and data:</p>
   <ul>
    <li data-md>
     <p><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create①⑨">navigator.credentials.create()</a></code> extension request parameters and response values for <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension②">registration extensions</a>.</p>
    <li data-md>
     <p><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②⑦">navigator.credentials.get()</a></code> extension request parameters and response values for <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension②">authentication extensions</a>.</p>
    <li data-md>
     <p><a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing⑤">Client extension processing</a> for <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension③">registration extensions</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension③">authentication extensions</a>.</p>
   </ul>
   <p>When creating a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤⑦">public key credential</a> or requesting an <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion①②">authentication assertion</a>, a <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party③⓪">WebAuthn Relying Party</a> can request the use of a set
of extensions. These extensions will be invoked during the requested operation if they are supported by the client and/or the <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator⑥">WebAuthn Authenticator</a>. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②④">Relying Party</a> sends the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input③">client extension input</a> for each extension in the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②⑧">get()</a></code> call
(for <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension④">authentication extensions</a>) or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②⓪">create()</a></code> call (for <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension④">registration extensions</a>) to the <a data-link-type="dfn" href="#client" id="ref-for-client⑥⓪">client</a>.
The <a data-link-type="dfn" href="#client" id="ref-for-client⑥①">client</a> performs <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing⑥">client extension processing</a> for each extension that the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④③">client platform</a> supports, and augments the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data①③">client data</a> as specified by each extension, by including the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier⑧">extension identifier</a> and <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①⓪">client extension output</a> values.</p>
   <p>An extension can also be an <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-extension">authenticator extension</dfn>, meaning that the extension involves communication with and
processing by the authenticator. <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension④">Authenticator extensions</a> define the following steps and data:</p>
   <ul>
    <li data-md>
     <p><a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential①⑤">authenticatorMakeCredential</a> extension request parameters and response values for <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension⑤">registration extensions</a>.</p>
    <li data-md>
     <p><a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①⑤">authenticatorGetAssertion</a> extension request parameters and response values for <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension⑤">authentication extensions</a>.</p>
    <li data-md>
     <p><a data-link-type="dfn" href="#authenticator-extension-processing" id="ref-for-authenticator-extension-processing②">Authenticator extension processing</a> for <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension⑥">registration extensions</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension⑥">authentication extensions</a>.</p>
   </ul>
   <p>For <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension⑤">authenticator extensions</a>, as part of the <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing⑦">client extension processing</a>, the client also creates the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor①①">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input⑤">authenticator extension input</a> value for each extension (often based on the corresponding <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input④">client extension input</a> value),
and passes them to the authenticator in the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②①">create()</a></code> call (for <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension⑦">registration extensions</a>) or the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②⑨">get()</a></code> call (for <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension⑦">authentication extensions</a>). These <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input⑥">authenticator extension input</a> values are
represented in <a data-link-type="dfn" href="#cbor" id="ref-for-cbor①②">CBOR</a> and passed as name-value pairs, with the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier⑨">extension identifier</a> as the name, and the corresponding <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input⑦">authenticator extension input</a> as the value. The authenticator, in turn, performs additional processing for the extensions
that it supports, and returns the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor①③">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output⑦">authenticator extension output</a> for each as specified by the extension. Part of
the <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing⑧">client extension processing</a> for <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension⑥">authenticator extensions</a> is to use the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output⑧">authenticator extension output</a> as an
input to creating the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①①">client extension output</a>.</p>
   <p>All <a data-link-type="dfn" href="#webauthn-extensions" id="ref-for-webauthn-extensions⑦">WebAuthn Extensions</a> are OPTIONAL for both clients and authenticators. Thus, any extensions requested by a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⑤">Relying Party</a> MAY be
ignored by the client browser or OS and not passed to the authenticator at all, or they MAY be ignored by the authenticator.
Ignoring an extension is never considered a failure in WebAuthn API processing, so when <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⑥">Relying Parties</a> include extensions with any
API calls, they MUST be prepared to handle cases where some or all of those extensions are ignored.</p>
   <p>Clients wishing to support the widest possible range of extensions MAY choose to pass through any extensions that they do not
recognize to authenticators, generating the <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input⑧">authenticator extension input</a> by simply encoding the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input⑤">client extension input</a> in CBOR. All <a data-link-type="dfn" href="#webauthn-extensions" id="ref-for-webauthn-extensions⑧">WebAuthn Extensions</a> MUST be defined in such a way that this implementation choice does not endanger the user’s
security or privacy. For instance, if an extension requires client processing, it could be defined in a manner that ensures such
a naïve pass-through will produce a semantically invalid <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input⑨">authenticator extension input</a> value, resulting in the extension
being ignored by the authenticator. Since all extensions are OPTIONAL, this will not cause a functional failure in the API
operation. Likewise, clients can choose to produce a <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①②">client extension output</a> value for an extension that they do not
understand by encoding the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output⑨">authenticator extension output</a> value into JSON, provided that the CBOR output uses only types
present in JSON.</p>
   <p>When <a data-link-type="dfn" href="#client" id="ref-for-client⑥②">clients</a> choose to pass through extensions they do not recognize,
the JavaScript values in the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input⑥">client extension inputs</a> are converted to <a data-link-type="dfn" href="#cbor" id="ref-for-cbor①④">CBOR</a> values in the <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①⓪">authenticator extension inputs</a>.
When the JavaScript value is an <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor" id="ref-for-sec-arraybuffer-constructor①⓪">%ArrayBuffer%</a>, it is converted to a <a data-link-type="dfn" href="#cbor" id="ref-for-cbor①⑤">CBOR</a> byte array.
When the JavaScript value is a non-integer number, it is converted to a 64-bit CBOR floating point number.
Otherwise, when the JavaScript type corresponds to a JSON type, the conversion is done
using the rules defined in Section 6.2 of <a data-link-type="biblio" href="#biblio-rfc8949">[RFC8949]</a> (Converting from JSON to CBOR),
but operating on inputs of JavaScript type values rather than inputs of JSON type values.
Once these conversions are done,
canonicalization of the resulting <a data-link-type="dfn" href="#cbor" id="ref-for-cbor①⑥">CBOR</a> MUST be performed using the <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#ctap2-canonical-cbor-encoding-form" id="ref-for-ctap2-canonical-cbor-encoding-form⑤">CTAP2 canonical CBOR encoding form</a>.</p>
   <p>Note that the JavaScript numeric conversion rules have the consequence that
when a client passes through an extension it does not recognize,
if the extension uses floating point values, <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧⑨">authenticators</a> need to be prepared to receive those values as <a data-link-type="dfn" href="#cbor" id="ref-for-cbor①⑦">CBOR</a> integers,
if the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑨⓪">authenticator</a> wants the extension to work even without explicit <a data-link-type="dfn" href="#client" id="ref-for-client⑥③">client</a> support for it.
This happens because a JavaScript number whose value is an integer is converted to a CBOR integer rather than a CBOR floating point number; only non-integer numbers become CBOR floating point values.</p>
   <p>Likewise, when clients receive outputs from extensions they have passed through that they do not recognize,
the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor①⑧">CBOR</a> values in the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output①⓪">authenticator extension outputs</a> are converted to JavaScript values in the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①③">client extension outputs</a>.
When the CBOR value is a byte string, it is converted to a JavaScript <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor" id="ref-for-sec-arraybuffer-constructor①①">%ArrayBuffer%</a> (rather than a base64url-encoded string).
Otherwise, when the CBOR type corresponds to a JSON type, the conversion is done
using the rules defined in Section 6.1 of <a data-link-type="biblio" href="#biblio-rfc8949">[RFC8949]</a> (Converting from CBOR to JSON),
but producing outputs of JavaScript type values rather than outputs of JSON type values.</p>
   <p>Note that some clients may choose to implement this pass-through capability under a feature flag.
Supporting this capability can facilitate innovation, allowing authenticators to experiment with new extensions
and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⑦">Relying Parties</a> to use them before there is explicit support for them in clients.</p>
   <p>The IANA "WebAuthn Extension Identifiers" registry <a data-link-type="biblio" href="#biblio-iana-webauthn-registries">[IANA-WebAuthn-Registries]</a> established by <a data-link-type="biblio" href="#biblio-rfc8809">[RFC8809]</a> can be consulted
for an up-to-date list of registered <a data-link-type="dfn" href="#webauthn-extensions" id="ref-for-webauthn-extensions⑨">WebAuthn Extensions</a>.</p>
   <h3 class="heading settled" data-level="9.1" id="sctn-extension-id"><span class="secno">9.1. </span><span class="content">Extension Identifiers</span><a class="self-link" href="#sctn-extension-id"></a></h3>
   <p>Extensions are identified by a string, called an <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="extension-identifier">extension identifier</dfn>, chosen by the extension author.</p>
   <p>Extension identifiers SHOULD be registered in the
IANA "WebAuthn Extension Identifiers" registry <a data-link-type="biblio" href="#biblio-iana-webauthn-registries">[IANA-WebAuthn-Registries]</a> established by <a data-link-type="biblio" href="#biblio-rfc8809">[RFC8809]</a>.
All registered extension identifiers are unique amongst themselves as a matter of course.</p>
   <p>Unregistered extension identifiers SHOULD aim to be globally unique, e.g., by including the defining entity such as <code>myCompany_extension</code>.</p>
   <p>All extension identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable USASCII characters,
excluding backslash and doublequote, i.e., VCHAR as defined in <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a> but without %x22 and %x5c. Implementations MUST
match WebAuthn extension identifiers in a case-sensitive fashion.</p>
   <p>Extensions that may exist in multiple versions should take care to include a version in their identifier. In effect, different
versions are thus treated as different extensions, e.g., <code>myCompany_extension_01</code>.</p>
   <p><a href="#sctn-defined-extensions">§ 10 Defined Extensions</a> defines an additional set of extensions and their identifiers.
See the IANA "WebAuthn Extension Identifiers" registry <a data-link-type="biblio" href="#biblio-iana-webauthn-registries">[IANA-WebAuthn-Registries]</a> established by <a data-link-type="biblio" href="#biblio-rfc8809">[RFC8809]</a> for an up-to-date list of registered WebAuthn Extension Identifiers.</p>
   <h3 class="heading settled" data-level="9.2" id="sctn-extension-specification"><span class="secno">9.2. </span><span class="content">Defining Extensions</span><a class="self-link" href="#sctn-extension-specification"></a></h3>
   <p>A definition of an extension MUST specify an <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①⓪">extension identifier</a>, a <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input⑦">client extension input</a> argument
to be sent via the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③⓪">get()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②②">create()</a></code> call,
the <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing⑨">client extension processing</a> rules, and a <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①④">client extension output</a> value.
If the extension communicates with the authenticator (meaning it is an <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension⑦">authenticator extension</a>),
it MUST also specify the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor①⑨">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①①">authenticator extension input</a> argument
sent via the <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①⑥">authenticatorGetAssertion</a> or <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential①⑥">authenticatorMakeCredential</a> call,
the <a data-link-type="dfn" href="#authenticator-extension-processing" id="ref-for-authenticator-extension-processing③">authenticator extension processing</a> rules, and the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor②⓪">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output①①">authenticator extension output</a> value.</p>
   <p>Any <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension⑤">client extension</a> that is processed by the client MUST return a <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①⑤">client extension output</a> value so that the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party③①">WebAuthn Relying Party</a> knows that the extension was honored by the client. Similarly, any extension that requires authenticator processing MUST return
an <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output①②">authenticator extension output</a> to let the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⑧">Relying Party</a> know that the extension was honored by the authenticator. If an
extension does not otherwise require any result values, it SHOULD be defined as returning a JSON Boolean <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①⑥">client extension
output</a> result, set to <code>true</code> to signify that the extension was understood and processed. Likewise, any <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension⑧">authenticator
extension</a> that does not otherwise require any result values MUST return a value and SHOULD return a CBOR Boolean <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output①③">authenticator extension output</a> result, set to <code>true</code> to signify that the extension was understood and processed.</p>
   <h3 class="heading settled" data-level="9.3" id="sctn-extension-request-parameters"><span class="secno">9.3. </span><span class="content">Extending Request Parameters</span><a class="self-link" href="#sctn-extension-request-parameters"></a></h3>
   <p>An extension defines one or two request arguments. The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client-extension-input">client extension input</dfn>,
which is a value that can be encoded in JSON, is passed from the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party③②">WebAuthn Relying Party</a> to the client
in the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③①">get()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②③">create()</a></code> call,
while the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor②①">CBOR</a> <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-extension-input">authenticator extension input</dfn> is
passed from the client to the authenticator for <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension⑨">authenticator extensions</a> during the processing of these calls.</p>
   <p>A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⑨">Relying Party</a> simultaneously requests the use of an extension and sets its <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input⑧">client extension input</a> by including an entry in the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions⑦">extensions</a></code> option to the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②④">create()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③②">get()</a></code> call.
The entry key is the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①①">extension identifier</a> and the value is the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input⑨">client extension input</a>.</p>
   <p class="note" role="note"><span>Note:</span> Other documents have specified extensions where the extension input does not always use the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①②">extension identifier</a> as the entry key.
New extensions SHOULD follow the above convention.</p>
<pre class="example highlight" id="example-5335c503"><a class="self-link" href="#example-5335c503"></a><c- a>var</c-> assertionPromise <c- o>=</c-> navigator<c- p>.</c->credentials<c- p>.</c->get<c- p>({</c->
    publicKey<c- o>:</c-> <c- p>{</c->
        <c- c1>// Other members omitted for brevity</c->
        extensions<c- o>:</c-> <c- p>{</c->
            <c- c1>// An "entry key" identifying the "webauthnExample_foobar" extension, </c->
            <c- c1>// whose value is a map with two input parameters:</c->
            <c- u>"webauthnExample_foobar"</c-><c- o>:</c-> <c- p>{</c->
              foo<c- o>:</c-> <c- mf>42</c-><c- p>,</c->
              bar<c- o>:</c-> <c- u>"barfoo"</c->
            <c- p>}</c->
        <c- p>}</c->
    <c- p>}</c->
<c- p>});</c->
</pre>
   <p>Extension definitions MUST specify the valid values for their <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①⓪">client extension input</a>. Clients SHOULD ignore extensions with
an invalid <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①①">client extension input</a>. If an extension does not require any parameters from the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⓪">Relying Party</a>, it SHOULD be defined
as taking a Boolean client argument, set to <code>true</code> to signify that the extension is requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③①">Relying Party</a>.</p>
   <p>Extensions that only affect client processing need not specify <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①②">authenticator extension input</a>. Extensions that have
authenticator processing MUST specify the method of computing the <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①③">authenticator extension input</a> from the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①②">client extension
input</a>,
and MUST define extensions for the <a data-link-type="dfn" href="#cddl" id="ref-for-cddl②">CDDL</a> types <code><a href="#iface-authentication-extensions-authenticator-inputs">AuthenticationExtensionsAuthenticatorInputs</a></code> and <code><a href="#iface-authentication-extensions-authenticator-outputs">AuthenticationExtensionsAuthenticatorOutputs</a></code> by defining an additional choice for the <code>$$extensionInput</code> and <code>$$extensionOutput</code> <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8610#section-3.9" id="ref-for-section-3.9">group sockets</a> using the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①③">extension identifier</a> as the entry key.
Extensions that do not require input parameters, and are thus defined as taking a Boolean <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①③">client extension input</a> value set to <code>true</code>,
SHOULD define the <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①④">authenticator extension input</a> also as the constant Boolean value <code>true</code> (CBOR major type
7, value 21).</p>
   <p>The following example defines that an extension with <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①④">identifier</a> <code>webauthnExample_foobar</code> takes an unsigned integer as <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①⑤">authenticator extension input</a>,
and returns an array of at least one byte string as <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output①④">authenticator extension output</a>:</p>
<pre class="example" id="example-c42718c0"><a class="self-link" href="#example-c42718c0"></a>$$extensionInput //= (
  webauthnExample_foobar: uint
)
$$extensionOutput //= (
  webauthnExample_foobar: [+ bytes]
)
</pre>
   <p class="note" role="note"><span>Note:</span> Extensions should aim to define authenticator arguments that are as small as possible. Some authenticators communicate
    over low-bandwidth links such as Bluetooth Low-Energy or NFC.</p>
   <h3 class="heading settled" data-level="9.4" id="sctn-client-extension-processing"><span class="secno">9.4. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client-extension-processing">Client Extension Processing</dfn></span><a class="self-link" href="#sctn-client-extension-processing"></a></h3>
   <p>Extensions MAY define additional processing requirements on the <a data-link-type="dfn" href="#client" id="ref-for-client⑥④">client</a> during the creation of credentials or the
generation of an assertion. The <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①④">client extension input</a> for the extension is used as an input to this client processing.
For each supported <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension⑥">client extension</a>, the client adds an entry to the <var>clientExtensions</var> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map" id="ref-for-ordered-map⑨">map</a> with the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①⑤">extension identifier</a> as the key, and the extension’s <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①⑤">client extension input</a> as the value.</p>
   <p>Likewise, the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①⑦">client extension outputs</a> are represented as a dictionary in the result of <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-getclientextensionresults" id="ref-for-dom-publickeycredential-getclientextensionresults③">getClientExtensionResults()</a></code> with <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①⑥">extension identifiers</a> as keys, and the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client-extension-output">client extension output</dfn> value of each extension as the value.
Like the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①⑥">client extension input</a>, the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①⑧">client extension output</a> is a value that can be encoded in JSON.
There MUST NOT be any values returned for ignored extensions.</p>
   <p>Extensions that require authenticator processing MUST define
the process by which the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①⑦">client extension input</a> can be used to determine the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor②②">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①⑥">authenticator extension input</a> and
the process by which the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor②③">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output①⑤">authenticator extension output</a> can be used to determine the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①⑨">client extension output</a>.</p>
   <h3 class="heading settled" data-level="9.5" id="sctn-authenticator-extension-processing"><span class="secno">9.5. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-extension-processing">Authenticator Extension Processing</dfn></span><a class="self-link" href="#sctn-authenticator-extension-processing"></a></h3>
   <p>The <a data-link-type="dfn" href="#cbor" id="ref-for-cbor②④">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①⑦">authenticator extension input</a> value of each processed <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension①⓪">authenticator extension</a> is included in the <var>extensions</var> parameter of the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential①⑦">authenticatorMakeCredential</a> and <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①⑦">authenticatorGetAssertion</a> operations. The <var>extensions</var> parameter is a <a data-link-type="dfn" href="#cbor" id="ref-for-cbor②⑤">CBOR</a> map where each key is an <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①⑦">extension identifier</a> and the corresponding value is the <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①⑧">authenticator extension input</a> for that extension.</p>
   <p>Likewise, the extension output is represented in the <a data-link-type="dfn" href="#authdataextensions" id="ref-for-authdataextensions⑨">extensions</a> part of the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data④①">authenticator data</a>. The <a data-link-type="dfn" href="#authdataextensions" id="ref-for-authdataextensions①⓪">extensions</a> part of the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data④②">authenticator data</a> is a CBOR map where each key is an <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①⑧">extension identifier</a> and the corresponding value is the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-extension-output">authenticator extension output</dfn> for that extension.</p>
   <p>For each supported extension, the <a data-link-type="dfn" href="#authenticator-extension-processing" id="ref-for-authenticator-extension-processing④">authenticator extension processing</a> rule for that extension is used to create the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output①⑥">authenticator extension output</a> from the <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①⑨">authenticator extension input</a> and possibly also other inputs.
There MUST NOT be any values returned for ignored extensions.</p>
   <h2 class="heading settled" data-level="10" id="sctn-defined-extensions"><span class="secno">10. </span><span class="content">Defined Extensions</span><a class="self-link" href="#sctn-defined-extensions"></a></h2>
   <p>This section defines an additional set of extensions to be registered in the
IANA "WebAuthn Extension Identifiers" registry <a data-link-type="biblio" href="#biblio-iana-webauthn-registries">[IANA-WebAuthn-Registries]</a> established by <a data-link-type="biblio" href="#biblio-rfc8809">[RFC8809]</a>.
These MAY be implemented by user agents targeting broad interoperability.</p>
   <h3 class="heading settled" data-level="10.1" id="sctn-appid-extension"><span class="secno">10.1. </span><span class="content">FIDO <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="appid">AppID</dfn> Extension (appid)</span><a class="self-link" href="#sctn-appid-extension"></a></h3>
   <p>This extension allows <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party③③">WebAuthn Relying Parties</a> that have previously registered a
credential using the legacy FIDO U2F JavaScript API <a data-link-type="biblio" href="#biblio-fidou2fjavascriptapi">[FIDOU2FJavaScriptAPI]</a> to request an <a data-link-type="dfn" href="#assertion" id="ref-for-assertion③">assertion</a>. The
FIDO APIs use an alternative identifier for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③②">Relying Parties</a> called an <var>AppID</var> <a data-link-type="biblio" href="#biblio-fido-appid">[FIDO-APPID]</a>, and any credentials created using those APIs will be <a data-link-type="dfn" href="#scope" id="ref-for-scope①⑥">scoped</a> to
that identifier. Without this extension, they would need to be re-registered in
order to be <a data-link-type="dfn" href="#scope" id="ref-for-scope①⑦">scoped</a> to an <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⑥">RP ID</a>.</p>
   <p>In addition to setting the <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionsclientinputs-appid" id="ref-for-dom-authenticationextensionsclientinputs-appid">appid</a></code> extension input,
using this extension requires some additional processing by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③③">Relying Party</a> in order to allow users to <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①②">authenticate</a> using their registered U2F credentials:</p>
   <ol>
    <li data-md>
     <p>List the desired U2F credentials in the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials①⑥">allowCredentials</a></code> option
 of the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③③">get()</a></code> method:</p>
     <ul>
      <li data-md>
       <p>Set the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-type" id="ref-for-dom-publickeycredentialdescriptor-type④">type</a></code> members to <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialtype-public-key" id="ref-for-dom-publickeycredentialtype-public-key⑤">public-key</a></code>.</p>
      <li data-md>
       <p>Set the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-id" id="ref-for-dom-publickeycredentialdescriptor-id⑥">id</a></code> members to the respective U2F key handles of the desired credentials. Note that U2F key handles commonly use <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding①①">base64url encoding</a> but must be decoded to their binary form when used in <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-id" id="ref-for-dom-publickeycredentialdescriptor-id⑦">id</a></code>.</p>
     </ul>
     <p><code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials①⑦">allowCredentials</a></code> MAY contain a mixture
 of both WebAuthn <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id②⑨">credential IDs</a> and U2F key handles;
 stating the <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionsclientinputs-appid" id="ref-for-dom-authenticationextensionsclientinputs-appid①">appid</a></code> via this extension
 does not prevent the user from using a WebAuthn-registered credential
 scoped to the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⑦">RP ID</a> stated in <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-rpid" id="ref-for-dom-publickeycredentialrequestoptions-rpid⑤">rpId</a></code>.</p>
    <li data-md>
     <p>When <a href="#rp-op-verifying-assertion-step-rpid-hash">verifying the assertion</a>, expect that the <code><a data-link-type="dfn" href="#rpidhash" id="ref-for-rpidhash④">rpIdHash</a></code> MAY be the SHA-256 hash of the <var>AppID</var> instead of the SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⑧">RP ID</a>. The <code>appid</code> client extension output (see below) indicates which of the two values was used; a <code>rpIdHash</code> that matches neither the RP ID hash nor the AppID hash fails verification.</p>
   </ol>
   <p>This extension does not allow FIDO-compatible credentials to be created. Thus,
credentials created with WebAuthn are not backwards compatible with the FIDO
JavaScript APIs.</p>
   <p class="note" role="note"><span>Note:</span> <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionsclientinputs-appid" id="ref-for-dom-authenticationextensionsclientinputs-appid②">appid</a></code> should be set to the AppID
that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③④">Relying Party</a> <em>previously</em> used in the legacy FIDO APIs.
This might not be the same as the result of translating the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⑤">Relying Party</a>'s WebAuthn <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⑨">RP ID</a> to the AppID format,
e.g., the previously used AppID may have been "https://accounts.example.com"
but the currently used <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④⓪">RP ID</a> might be "example.com".</p>
   <dl>
    <dt data-md>Extension identifier
    <dd data-md>
     <p><code>appid</code></p>
    <dt data-md>Operation applicability
    <dd data-md>
     <p><a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension⑧">Authentication</a></p>
    <dt data-md>Client extension input
    <dd data-md>
     <p>A single USVString specifying a FIDO <var>AppID</var>.</p>
<pre class="idl highlight def"><c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientinputs" id="ref-for-dictdef-authenticationextensionsclientinputs⑥"><c- g>AuthenticationExtensionsClientInputs</c-></a> {
  <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-USVString" id="ref-for-idl-USVString②"><c- b>USVString</c-></a> <dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticationExtensionsClientInputs" data-dfn-type="dict-member" data-export data-type="USVString " id="dom-authenticationextensionsclientinputs-appid"><code><c- g>appid</c-></code></dfn>;
};
</pre>
    <dt data-md>Client extension processing
    <dd data-md>
     <ol>
      <li data-md>
       <p>Let <var>facetId</var> be the result of passing the caller’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①④">origin</a> to the
FIDO algorithm for <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-the-facetid-of-a-calling-application" id="ref-for-determining-the-facetid-of-a-calling-application①">determining the FacetID of a calling application</a>.</p>
      <li data-md>
       <p>Let <var>appId</var> be the extension input.</p>
      <li data-md>
       <p>Pass <var>facetId</var> and <var>appId</var> to the FIDO algorithm for <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid" id="ref-for-determining-if-a-caller-s-facetid-is-authorized-for-an-appid①">determining if a
caller’s FacetID is authorized for an AppID</a>. If that algorithm rejects <var>appId</var> then return a "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#securityerror" id="ref-for-securityerror④">SecurityError</a></code>" <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException②①">DOMException</a></code>.</p>
      <li data-md>
       <p>When <a href="#allowCredentialDescriptorListCreation">building allowCredentialDescriptorList</a>,
if a U2F authenticator indicates that a credential is inapplicable (i.e. by
returning <code>SW_WRONG_DATA</code>) then the client MUST retry with the U2F application
parameter set to the SHA-256 hash of <var>appId</var>. If this results in an applicable
credential, the client MUST include the credential in <var>allowCredentialDescriptorList</var>. The value of <var>appId</var> then replaces the <code>rpId</code> parameter of <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①⑧">authenticatorGetAssertion</a>.</p>
      <li data-md>
       <p>Let <var>output</var> be the Boolean value <code>false</code>.</p>
      <li data-md>
       <p>When <a href="#assertionCreationDataCreation">creating assertionCreationData</a>,
if the <a data-link-type="dfn" href="#assertion" id="ref-for-assertion④">assertion</a> was created by a U2F authenticator with the U2F application parameter set to the SHA-256 hash of <var>appId</var> instead of the SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④①">RP ID</a>, set <var>output</var> to <code>true</code>.</p>
     </ol>
   </dl>
    <p class="note" role="note"><span>Note:</span> In practice, several implementations do not implement steps four and onward of the
algorithm for <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid" id="ref-for-determining-if-a-caller-s-facetid-is-authorized-for-an-appid②">determining if a caller’s FacetID is authorized for an AppID</a>.
Instead, in step three, the comparison on the host is relaxed to accept hosts on the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#host-same-site" id="ref-for-host-same-site①">same site</a>.
Consequently, on such implementations any origin on the same site as the <var>AppID</var>'s host is able to request assertions for that <var>AppID</var>; <a data-link-type="dfn" href="#relying-party">Relying Parties</a> should not rely on the stricter FacetID authorization being enforced by the client.</p>
   <dl>
    <dt data-md>Client extension output
    <dd data-md>
     <p>Returns the value of <var>output</var>. If true, the <var>AppID</var> was used and thus, when <a href="#rp-op-verifying-assertion-step-rpid-hash">verifying the assertion</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⑥">Relying Party</a> MUST expect the <code><a data-link-type="dfn" href="#rpidhash" id="ref-for-rpidhash⑤">rpIdHash</a></code> to be the hash of the <var>AppID</var>, not the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④②">RP ID</a>.</p>
<pre class="idl highlight def"><c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientoutputs" id="ref-for-dictdef-authenticationextensionsclientoutputs⑤"><c- g>AuthenticationExtensionsClientOutputs</c-></a> {
  <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean⑤"><c- b>boolean</c-></a> <dfn class="idl-code" data-dfn-for="AuthenticationExtensionsClientOutputs" data-dfn-type="dict-member" data-export data-type="boolean " id="dom-authenticationextensionsclientoutputs-appid"><code><c- g>appid</c-></code><a class="self-link" href="#dom-authenticationextensionsclientoutputs-appid"></a></dfn>;
};
</pre>
    <dt data-md>Authenticator extension input
    <dd data-md>
     <p>None.</p>
    <dt data-md>Authenticator extension processing
    <dd data-md>
     <p>None.</p>
    <dt data-md>Authenticator extension output
    <dd data-md>
     <p>None.</p>
   </dl>
   <h3 class="heading settled" data-level="10.2" id="sctn-appid-exclude-extension"><span class="secno">10.2. </span><span class="content">FIDO AppID Exclusion Extension (appidExclude)</span><a class="self-link" href="#sctn-appid-exclude-extension"></a></h3>
   <p>This registration extension allows <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party③④">WebAuthn Relying Parties</a> to exclude authenticators that contain specified credentials that were created with the legacy FIDO U2F JavaScript API <a data-link-type="biblio" href="#biblio-fidou2fjavascriptapi">[FIDOU2FJavaScriptAPI]</a>.</p>
   <p>During a transition from the FIDO U2F JavaScript API, a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⑦">Relying Party</a> may have a population of users with legacy credentials already registered. The <a href="#sctn-appid-extension">appid</a> extension allows the sign-in flow to be transitioned smoothly but, when transitioning the registration flow, the <a href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials⑤">excludeCredentials</a> field will not be effective in excluding authenticators with legacy credentials because its contents are taken to be WebAuthn credentials. This extension directs <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④④">client platforms</a> to consider the contents of <a href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials⑥">excludeCredentials</a> as both WebAuthn and legacy FIDO credentials. Note that U2F key handles commonly use <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding①②">base64url encoding</a> but must be decoded to their binary form when used in <a href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials⑦">excludeCredentials</a>.</p>
   <dl>
    <dt data-md>Extension identifier
    <dd data-md>
     <p><code>appidExclude</code></p>
    <dt data-md>Operation applicability
    <dd data-md>
     <p><a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension⑧">Registration</a></p>
    <dt data-md>Client extension input
    <dd data-md>
     <p>A single USVString specifying a FIDO <var>AppID</var>.</p>
<pre class="idl highlight def"><c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientinputs" id="ref-for-dictdef-authenticationextensionsclientinputs⑦"><c- g>AuthenticationExtensionsClientInputs</c-></a> {
  <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-USVString" id="ref-for-idl-USVString③"><c- b>USVString</c-></a> <dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticationExtensionsClientInputs" data-dfn-type="dict-member" data-export data-type="USVString " id="dom-authenticationextensionsclientinputs-appidexclude"><code><c- g>appidExclude</c-></code></dfn>;
};
</pre>
    <dt data-md>Client extension processing
    <dd data-md>
     <p>When <a href="#sctn-createCredential">creating a new credential</a>:</p>
     <ol>
      <li data-md>
       <p>Just after <a href="#CreateCred-DetermineRpId">establishing the RP ID</a> perform these steps:</p>
       <ol>
        <li data-md>
         <p>Let <var>facetId</var> be the result of passing the caller’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①⑤">origin</a> to the FIDO algorithm
for <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-the-facetid-of-a-calling-application" id="ref-for-determining-the-facetid-of-a-calling-application②">determining the FacetID of a calling application</a>.</p>
        <li data-md>
         <p>Let <var>appId</var> be the value of the extension input <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionsclientinputs-appidexclude" id="ref-for-dom-authenticationextensionsclientinputs-appidexclude">appidExclude</a></code>.</p>
        <li data-md>
         <p>Pass <var>facetId</var> and <var>appId</var> to the FIDO algorithm for <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid" id="ref-for-determining-if-a-caller-s-facetid-is-authorized-for-an-appid③">determining if a caller’s
FacetID is authorized for an AppID</a>. If the latter algorithm rejects <var>appId</var> then
return a "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#securityerror" id="ref-for-securityerror⑤">SecurityError</a></code>" <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException②②">DOMException</a></code> and terminate the <a href="#sctn-createCredential">creating a new credential</a> algorithm as well as these steps.</p>
          <p class="note" role="note"><span>Note:</span> In practice, several implementations do not implement steps four and onward of the algorithm for <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid" id="ref-for-determining-if-a-caller-s-facetid-is-authorized-for-an-appid④">determining if a caller’s FacetID is authorized for an AppID</a>. Instead, in step three, the comparison on the host is relaxed to accept hosts on the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#host-same-site" id="ref-for-host-same-site②">same site</a>. Consequently, on such implementations any origin on the same site as the <var>AppID</var>'s host may use this extension; <a data-link-type="dfn" href="#relying-party">Relying Parties</a> should not rely on the stricter FacetID authorization being enforced by the client.</p>
        <li data-md>
         <p>Otherwise, continue with normal processing.</p>
       </ol>
      <li data-md>
       <p>Just prior to <a href="#CreateCred-InvokeAuthnrMakeCred">invoking authenticatorMakeCredential</a> perform these steps:</p>
       <ol>
        <li data-md>
         <p>If <var>authenticator</var> supports the U2F protocol <a data-link-type="biblio" href="#biblio-fido-u2f-message-formats">[FIDO-U2F-Message-Formats]</a>, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate①⑧">for each</a> <a href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor①③">credential descriptor</a> <var>C</var> in <var>excludeCredentialDescriptorList</var>:</p>
         <ol>
          <li data-md>
           <p>Check whether <var>C</var> was created using U2F on <var>authenticator</var> by sending a <code>U2F_AUTHENTICATE</code> message to <var>authenticator</var> whose "five parts" are set to the following values:</p>
           <dl>
            <dt data-md><var>control byte</var>
            <dd data-md>
             <p><code>0x07</code> ("check-only")</p>
            <dt data-md><var>challenge parameter</var>
            <dd data-md>
             <p>32 random bytes</p>
            <dt data-md><var>application parameter</var>
            <dd data-md>
             <p>SHA-256 hash of <var>appId</var></p>
            <dt data-md><var>key handle length</var>
            <dd data-md>
             <p>The length of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-id" id="ref-for-dom-publickeycredentialdescriptor-id⑧">id</a></code></code> (in bytes)</p>
            <dt data-md><var>key handle</var>
            <dd data-md>
             <p>The value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-id" id="ref-for-dom-publickeycredentialdescriptor-id⑨">id</a></code></code>, i.e., the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③⓪">credential id</a>.</p>
           </dl>
          <li data-md>
            <p>If <var>authenticator</var> responds with <code>message:error:test-of-user-presence-required</code> (i.e., success: <var>C</var> was created by this <var>authenticator</var> for <var>appId</var>):
cease normal processing of this <var>authenticator</var> and indicate in a platform-specific manner
that the authenticator is inapplicable. For example, this could be in the form of UI, or
could involve requesting <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent②②">user consent</a> from <var>authenticator</var> and, upon receipt, treating
it as if the authenticator had returned <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#invalidstateerror" id="ref-for-invalidstateerror⑤">InvalidStateError</a></code>. Requesting <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent②③">user consent</a> can be accomplished by sending another <code>U2F_AUTHENTICATE</code> message to <var>authenticator</var> as
above except for setting <var>control byte</var> to <code>0x03</code> ("enforce-user-presence-and-sign"),
and ignoring the response.</p>
         </ol>
        <li data-md>
         <p>Continue with normal processing.</p>
       </ol>
     </ol>
    <dt data-md>Client extension output
    <dd data-md>
     <p>Returns the value <code>true</code> to indicate to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⑧">Relying Party</a> that the extension was acted upon.</p>
<pre class="idl highlight def"><c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientoutputs" id="ref-for-dictdef-authenticationextensionsclientoutputs⑥"><c- g>AuthenticationExtensionsClientOutputs</c-></a> {
  <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean⑥"><c- b>boolean</c-></a> <dfn class="idl-code" data-dfn-for="AuthenticationExtensionsClientOutputs" data-dfn-type="dict-member" data-export data-type="boolean " id="dom-authenticationextensionsclientoutputs-appidexclude"><code><c- g>appidExclude</c-></code><a class="self-link" href="#dom-authenticationextensionsclientoutputs-appidexclude"></a></dfn>;
};
</pre>
    <dt data-md>Authenticator extension input
    <dd data-md>
     <p>None.</p>
    <dt data-md>Authenticator extension processing
    <dd data-md>
     <p>None.</p>
    <dt data-md>Authenticator extension output
    <dd data-md>
     <p>None.</p>
   </dl>
   <h3 class="heading settled" data-level="10.3" id="sctn-uvm-extension"><span class="secno">10.3. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="user-verification-method">User Verification Method</dfn> Extension (uvm)</span><a class="self-link" href="#sctn-uvm-extension"></a></h3>
    <p>This extension allows the <a data-link-type="dfn" href="#relying-party">Relying Party</a> to learn which user verification method(s) the <a data-link-type="dfn" href="#authenticator">authenticator</a> used to authorize the operation, together with how the key material and the verification matcher are protected.</p>
   <dl>
    <dt data-md>Extension identifier
    <dd data-md>
     <p><code>uvm</code></p>
    <dt data-md>Operation applicability
    <dd data-md>
     <p><a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension⑨">Registration</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension⑨">Authentication</a></p>
    <dt data-md>Client extension input
    <dd data-md>
     <p>The Boolean value <code>true</code> to indicate that this extension is requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⑨">Relying Party</a>.</p>
<pre class="idl highlight def"><c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientinputs" id="ref-for-dictdef-authenticationextensionsclientinputs⑧"><c- g>AuthenticationExtensionsClientInputs</c-></a> {
  <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean⑦"><c- b>boolean</c-></a> <dfn class="idl-code" data-dfn-for="AuthenticationExtensionsClientInputs" data-dfn-type="dict-member" data-export data-type="boolean " id="dom-authenticationextensionsclientinputs-uvm"><code><c- g>uvm</c-></code><a class="self-link" href="#dom-authenticationextensionsclientinputs-uvm"></a></dfn>;
};
</pre>
    <dt data-md>Client extension processing
    <dd data-md>
     <p>None, except creating the authenticator extension input from the client extension input.</p>
    <dt data-md>Client extension output
    <dd data-md>
     <p>Returns a JSON array of 3-element arrays of numbers that encodes the factors in the authenticator extension output.</p>
<pre class="idl highlight def"><c- b>typedef</c-> <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence" id="ref-for-idl-sequence⑤"><c- b>sequence</c-></a>&lt;<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-unsigned-long" id="ref-for-idl-unsigned-long④"><c- b>unsigned</c-> <c- b>long</c-></a>> <dfn class="dfn-paneled idl-code" data-dfn-type="typedef" data-export id="typedefdef-uvmentry"><code><c- g>UvmEntry</c-></code></dfn>;
<c- b>typedef</c-> <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence" id="ref-for-idl-sequence⑥"><c- b>sequence</c-></a>&lt;<a data-link-type="idl-name" href="#typedefdef-uvmentry" id="ref-for-typedefdef-uvmentry"><c- n>UvmEntry</c-></a>> <dfn class="dfn-paneled idl-code" data-dfn-type="typedef" data-export id="typedefdef-uvmentries"><code><c- g>UvmEntries</c-></code></dfn>;

<c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientoutputs" id="ref-for-dictdef-authenticationextensionsclientoutputs⑦"><c- g>AuthenticationExtensionsClientOutputs</c-></a> {
  <a data-link-type="idl-name" href="#typedefdef-uvmentries" id="ref-for-typedefdef-uvmentries"><c- n>UvmEntries</c-></a> <dfn class="idl-code" data-dfn-for="AuthenticationExtensionsClientOutputs" data-dfn-type="dict-member" data-export data-type="UvmEntries " id="dom-authenticationextensionsclientoutputs-uvm"><code><c- g>uvm</c-></code><a class="self-link" href="#dom-authenticationextensionsclientoutputs-uvm"></a></dfn>;
};
</pre>
    <dt data-md>Authenticator extension input
    <dd data-md>
     <p>The Boolean value <code>true</code>, encoded in CBOR (major type 7, value 21).</p>
<pre>    $$extensionInput //= (
      uvm: true,
    )
</pre>
    <dt data-md>Authenticator extension processing
    <dd data-md>
     <p>The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑨①">authenticator</a> sets the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output①⑦">authenticator extension output</a> to be one or more user verification methods indicating the method(s) used
by the user to authorize the operation, as defined below. This extension can be added to attestation objects and assertions.</p>
    <dt data-md>Authenticator extension output
    <dd data-md>
     <p>Authenticators can report up to 3 different user verification methods (factors) used in a single authentication instance,
using the CBOR syntax defined below:</p>
<pre>    $$extensionOutput //= (
      uvm: [ 1*3 uvmEntry ],
    )

    uvmEntry = [
                   userVerificationMethod: uint .size 4,
                   keyProtectionType: uint .size 2,
                   matcherProtectionType: uint .size 2
               ]
</pre>
     <p>The semantics of the fields in each <code>uvmEntry</code> are as follows:</p>
     <dl>
      <dt data-md>userVerificationMethod
      <dd data-md>
       <p>The authentication method/factor used by the authenticator to verify the user. Available values are defined in <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#user-verification-methods" id="ref-for-user-verification-methods">Section 3.1 User Verification Methods</a> of <a data-link-type="biblio" href="#biblio-fido-registry">[FIDO-Registry]</a>.</p>
      <dt data-md>keyProtectionType
      <dd data-md>
       <p>The method used by the authenticator to protect the FIDO registration private key material. Available values are defined
in <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#key-protection-types" id="ref-for-key-protection-types">Section 3.2 Key Protection Types</a> of <a data-link-type="biblio" href="#biblio-fido-registry">[FIDO-Registry]</a>.</p>
      <dt data-md>matcherProtectionType
      <dd data-md>
       <p>The method used by the authenticator to protect the matcher that performs user verification. Available values are defined
in <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#matcher-protection-types" id="ref-for-matcher-protection-types">Section 3.3 Matcher Protection Types</a> of <a data-link-type="biblio" href="#biblio-fido-registry">[FIDO-Registry]</a>.</p>
     </dl>
     <p>If more than 3 factors can be used in an authentication instance the authenticator vendor MUST select the 3 factors it believes
will be most relevant to the <a data-link-type="dfn" href="#relying-party">Relying Party</a> to include in the UVM.</p>
     <p>Example for <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data④③">authenticator data</a> containing one UVM extension for a multi-factor authentication instance where 2 factors
were used:</p>
<pre>...                    -- RP ID hash (32 bytes)
81                     -- UP and ED set
00 00 00 01            -- (initial) signature counter
...                    -- all public key alg etc.
A1                     -- extension: CBOR map of one element
    63                 -- Key 1: CBOR text string of 3 bytes
        75 76 6d       -- "uvm" [=UTF-8 encoded=] string
    82                 -- Value 1: CBOR array of length 2 indicating two factor usage
        83              -- Item 1: CBOR array of length 3
            02           -- Subitem 1: CBOR integer for User Verification Method Fingerprint
            04           -- Subitem 2: CBOR short for Key Protection Type TEE
            02           -- Subitem 3: CBOR short for Matcher Protection Type TEE
        83              -- Item 2: CBOR array of length 3
            04           -- Subitem 1: CBOR integer for User Verification Method Passcode
            01           -- Subitem 2: CBOR short for Key Protection Type Software
            01           -- Subitem 3: CBOR short for Matcher Protection Type Software
</pre>
   </dl>
   <h3 class="heading settled" data-level="10.4" id="sctn-authenticator-credential-properties-extension"><span class="secno">10.4. </span><span class="content">Credential Properties Extension (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="credprops">credProps</dfn>)</span><a class="self-link" href="#sctn-authenticator-credential-properties-extension"></a></h3>
   <p>This <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension⑦">client</a> <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①⓪">registration extension</a> facilitates reporting certain <a data-link-type="dfn" href="#credential-properties" id="ref-for-credential-properties①">credential properties</a> known by the <a data-link-type="dfn" href="#client" id="ref-for-client⑥⑤">client</a> to the requesting <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party③⑤">WebAuthn Relying Party</a> upon creation of a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source③①">public key credential source</a> as a result of a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony⑦">registration ceremony</a>.</p>
   <p>At this time, one <a data-link-type="dfn" href="#credential-properties" id="ref-for-credential-properties②">credential property</a> is defined: the <a data-link-type="dfn" href="#credentialpropertiesoutput-resident-key-credential-property" id="ref-for-credentialpropertiesoutput-resident-key-credential-property">resident key credential property</a> (i.e., <a data-link-type="dfn" href="#credentialpropertiesoutput-client-side-discoverable-credential-property" id="ref-for-credentialpropertiesoutput-client-side-discoverable-credential-property">client-side discoverable credential property</a>).</p>
   <dl>
    <dt data-md>Extension identifier
    <dd data-md>
     <p><code>credProps</code></p>
    <dt data-md>Operation applicability
    <dd data-md>
     <p><a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①①">Registration</a></p>
    <dt data-md>Client extension input
    <dd data-md>
     <p>The Boolean value <code>true</code> to indicate that this extension is requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⓪">Relying Party</a>.</p>
<pre class="idl highlight def"><c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientinputs" id="ref-for-dictdef-authenticationextensionsclientinputs⑨"><c- g>AuthenticationExtensionsClientInputs</c-></a> {
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean⑧"><c- b>boolean</c-></a> <dfn class="idl-code" data-dfn-for="AuthenticationExtensionsClientInputs" data-dfn-type="dict-member" data-export data-type="boolean " id="dom-authenticationextensionsclientinputs-credprops"><code><c- g>credProps</c-></code><a class="self-link" href="#dom-authenticationextensionsclientinputs-credprops"></a></dfn>;
};
</pre>
    <dt data-md>Client extension processing
    <dd data-md>
     <p>None, other than to report on credential properties in the output.</p>
    <dt data-md>Client extension output
    <dd data-md>
     <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-set" id="ref-for-map-set⑤">Set</a> <code><a data-link-type="dfn" href="#credentialcreationdata-clientextensionresults" id="ref-for-credentialcreationdata-clientextensionresults①">clientExtensionResults</a>["<code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionsclientoutputs-credprops" id="ref-for-dom-authenticationextensionsclientoutputs-credprops">credProps</a></code>"]["rk"]</code> to the value of the <var>requireResidentKey</var> parameter that was used in the <a href="#CreateCred-InvokeAuthnrMakeCred">invocation</a> of the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential①⑧">authenticatorMakeCredential</a> operation.</p>
<pre class="idl highlight def"><c- b>dictionary</c-> <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-credentialpropertiesoutput"><code><c- g>CredentialPropertiesOutput</c-></code></dfn> {
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean⑨"><c- b>boolean</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="boolean " href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk①"><c- g>rk</c-></a>;
};

<c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientoutputs" id="ref-for-dictdef-authenticationextensionsclientoutputs⑧"><c- g>AuthenticationExtensionsClientOutputs</c-></a> {
    <a data-link-type="idl-name" href="#dictdef-credentialpropertiesoutput" id="ref-for-dictdef-credentialpropertiesoutput"><c- n>CredentialPropertiesOutput</c-></a> <dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticationExtensionsClientOutputs" data-dfn-type="dict-member" data-export data-type="CredentialPropertiesOutput " id="dom-authenticationextensionsclientoutputs-credprops"><code><c- g>credProps</c-></code></dfn>;
};
</pre>
     <div>
      <dl>
       <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="CredentialPropertiesOutput" data-dfn-type="dict-member" data-export id="dom-credentialpropertiesoutput-rk"><code>rk</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean①⓪">boolean</a></span>
       <dd data-md>
        <p>This OPTIONAL property, known abstractly as the <dfn class="dfn-paneled" data-dfn-for="CredentialPropertiesOutput" data-dfn-type="dfn" data-noexport id="credentialpropertiesoutput-resident-key-credential-property">resident key credential property</dfn> (i.e., <dfn class="dfn-paneled" data-dfn-for="CredentialPropertiesOutput" data-dfn-type="dfn" data-noexport id="credentialpropertiesoutput-client-side-discoverable-credential-property">client-side discoverable credential property</dfn>),
is a Boolean value indicating whether the <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential①⑦">PublicKeyCredential</a></code> returned as a result of a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony⑧">registration ceremony</a> is a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①⑤">client-side discoverable credential</a>.
If <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk②">rk</a></code> is <code>true</code>, the credential is a <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential④">discoverable credential</a>.
If <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk③">rk</a></code> is <code>false</code>, the credential is a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential①⓪">server-side credential</a>.
If <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk④">rk</a></code> is not present, it is not known whether the credential is a <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential⑤">discoverable credential</a> or a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential①①">server-side credential</a>.</p>
        <p class="note" role="note"><span>Note:</span> some <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑨②">authenticators</a> create <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential⑥">discoverable credentials</a> even when not requested by the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④⑤">client platform</a>. Because of this, <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④⑥">client platforms</a> may be forced to omit the <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk⑤">rk</a></code> property because they lack the assurance to be able to set it to <code>false</code>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④①">Relying Parties</a> should assume that, if the <code>credProps</code> extension is supported, then <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④⑦">client platforms</a> will endeavour to populate the <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk⑥">rk</a></code> property. Therefore a missing <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk⑦">rk</a></code> indicates that the created credential is most likely a <a data-link-type="dfn" href="#non-discoverable-credential" id="ref-for-non-discoverable-credential③">non-discoverable credential</a>.</p>
      </dl>
     </div>
    <dt data-md>Authenticator extension input
    <dd data-md>
     <p>None.</p>
    <dt data-md>Authenticator extension processing
    <dd data-md>
     <p>None.</p>
    <dt data-md>Authenticator extension output
    <dd data-md>
     <p>None.</p>
   </dl>
   <h3 class="heading settled" data-level="10.5" id="sctn-large-blob-extension"><span class="secno">10.5. </span><span class="content">Large blob storage extension (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="largeblob">largeBlob</dfn>)</span><a class="self-link" href="#sctn-large-blob-extension"></a></h3>
   <p>This <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension⑧">client</a> <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①②">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①⓪">authentication extension</a> allows a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④②">Relying Party</a> to store opaque data associated with a credential. Since <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑨③">authenticators</a> can only store small amounts of data, and most <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④③">Relying Parties</a> are online services that can store arbitrary amounts of state for a user, this is only useful in specific cases. For example, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④④">Relying Party</a> might wish to issue certificates rather than run a centralised authentication service.</p>
   <p class="note" role="note"><span>Note:</span> <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⑤">Relying Parties</a> can assume that the opaque data will be compressed when being written to a space-limited device and so need not compress it themselves.</p>
   <p>Since a certificate system needs to sign over the public key of the credential, and that public key is only available after creation, this extension does not add an ability to write blobs in the <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①③">registration</a> context. However, <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⑥">Relying Parties</a> SHOULD use the <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①④">registration extension</a> when creating the credential if they wish to later use the <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①①">authentication extension</a>.</p>
   <p>Since certificates are sizable relative to the storage capabilities of typical authenticators, user agents SHOULD consider what indications and confirmations are suitable to best guide the user in allocating this limited resource and prevent abuse.</p>
   <p class="note" role="note"><span>Note:</span> In order to interoperate, user agents storing large blobs on authenticators using <a data-link-type="biblio" href="#biblio-fido-ctap">[FIDO-CTAP]</a> are expected to use the provisions detailed in that specification for storing <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#large-blob" id="ref-for-large-blob">large, per-credential blobs</a>.</p>
   <dl>
    <dt data-md>Extension identifier
    <dd data-md>
     <p><code>largeBlob</code></p>
    <dt data-md>Operation applicability
    <dd data-md>
     <p><a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①⑤">Registration</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①②">authentication</a></p>
    <dt data-md>Client extension input
    <dd data-md>
<pre class="idl highlight def"><c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientinputs" id="ref-for-dictdef-authenticationextensionsclientinputs①⓪"><c- g>AuthenticationExtensionsClientInputs</c-></a> {
    <a data-link-type="idl-name" href="#dictdef-authenticationextensionslargeblobinputs" id="ref-for-dictdef-authenticationextensionslargeblobinputs"><c- n>AuthenticationExtensionsLargeBlobInputs</c-></a> <dfn class="idl-code" data-dfn-for="AuthenticationExtensionsClientInputs" data-dfn-type="dict-member" data-export data-type="AuthenticationExtensionsLargeBlobInputs " id="dom-authenticationextensionsclientinputs-largeblob"><code><c- g>largeBlob</c-></code><a class="self-link" href="#dom-authenticationextensionsclientinputs-largeblob"></a></dfn>;
};

<c- b>enum</c-> <dfn class="dfn-paneled idl-code" data-dfn-type="enum" data-export id="enumdef-largeblobsupport"><code><c- g>LargeBlobSupport</c-></code></dfn> {
  <dfn class="dfn-paneled idl-code" data-dfn-for="LargeBlobSupport" data-dfn-type="enum-value" data-export id="dom-largeblobsupport-required"><code><c- s>"required"</c-></code></dfn>,
  <dfn class="dfn-paneled idl-code" data-dfn-for="LargeBlobSupport" data-dfn-type="enum-value" data-export id="dom-largeblobsupport-preferred"><code><c- s>"preferred"</c-></code></dfn>,
};

<c- b>dictionary</c-> <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-authenticationextensionslargeblobinputs"><code><c- g>AuthenticationExtensionsLargeBlobInputs</c-></code></dfn> {
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString③⑥"><c- b>DOMString</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-authenticationextensionslargeblobinputs-support" id="ref-for-dom-authenticationextensionslargeblobinputs-support"><c- g>support</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean①①"><c- b>boolean</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="boolean " href="#dom-authenticationextensionslargeblobinputs-read" id="ref-for-dom-authenticationextensionslargeblobinputs-read"><c- g>read</c-></a>;
    <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource" id="ref-for-BufferSource①⓪"><c- n>BufferSource</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="BufferSource " href="#dom-authenticationextensionslargeblobinputs-write" id="ref-for-dom-authenticationextensionslargeblobinputs-write"><c- g>write</c-></a>;
};
</pre>
     <div>
      <dl>
       <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticationExtensionsLargeBlobInputs" data-dfn-type="dict-member" data-export id="dom-authenticationextensionslargeblobinputs-support"><code>support</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString③⑦">DOMString</a></span>
       <dd data-md>
        <p>A DOMString that takes one of the values of <code class="idl"><a data-link-type="idl" href="#enumdef-largeblobsupport" id="ref-for-enumdef-largeblobsupport">LargeBlobSupport</a></code>. (See <a href="#sct-domstring-backwards-compatibility">§ 2.1.1 Enumerations as DOMString types</a>.) Only valid during <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①⑥">registration</a>.</p>
       <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticationExtensionsLargeBlobInputs" data-dfn-type="dict-member" data-export id="dom-authenticationextensionslargeblobinputs-read"><code>read</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean①②">boolean</a></span>
       <dd data-md>
        <p>A boolean that indicates that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⑦">Relying Party</a> would like to fetch the previously-written blob associated with the asserted credential. Only valid during <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①③">authentication</a>.</p>
       <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticationExtensionsLargeBlobInputs" data-dfn-type="dict-member" data-export id="dom-authenticationextensionslargeblobinputs-write"><code>write</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource" id="ref-for-BufferSource①①">BufferSource</a></span>
       <dd data-md>
        <p>An opaque byte string that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⑧">Relying Party</a> wishes to store with the existing credential. Only valid during <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①④">authentication</a>.</p>
      </dl>
     </div>
    <dt data-md>Client extension processing (<a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①⑦">registration</a>)
    <dd data-md>
     <ol>
      <li data-md>
       <p>If <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargeblobinputs-read" id="ref-for-dom-authenticationextensionslargeblobinputs-read①">read</a></code> or <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargeblobinputs-write" id="ref-for-dom-authenticationextensionslargeblobinputs-write①">write</a></code> is present:</p>
       <ol>
        <li data-md>
         <p>Return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException②③">DOMException</a></code> whose name is “<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notsupportederror" id="ref-for-notsupportederror③">NotSupportedError</a></code>”.</p>
       </ol>
      <li data-md>
       <p>If <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargeblobinputs-support" id="ref-for-dom-authenticationextensionslargeblobinputs-support①">support</a></code> is present and has the value <code class="idl"><a data-link-type="idl" href="#dom-largeblobsupport-required" id="ref-for-dom-largeblobsupport-required">required</a></code>:</p>
       <ol>
        <li data-md>
         <p>Set <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargebloboutputs-supported" id="ref-for-dom-authenticationextensionslargebloboutputs-supported">supported</a></code> to <code>true</code>.</p>
         <p class="note" role="note"><span>Note:</span> This is in anticipation of an authenticator capable of storing large blobs becoming available. It occurs during extension processing in Step 11 of <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot①⓪">[[Create]]()</a></code>. The <code class="idl"><a data-link-type="idl" href="#dictdef-authenticationextensionslargebloboutputs" id="ref-for-dictdef-authenticationextensionslargebloboutputs">AuthenticationExtensionsLargeBlobOutputs</a></code> will be abandoned if no satisfactory authenticator becomes available.</p>
        <li data-md>
         <p>If a <a data-link-type="dfn" href="#create-candidate-authenticator" id="ref-for-create-candidate-authenticator">candidate authenticator</a> becomes available (Step 19 of <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot①①">[[Create]]()</a></code>) then, before evaluating any <code><var>options</var></code>, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue①⑤">continue</a> (i.e. ignore the <a data-link-type="dfn" href="#create-candidate-authenticator" id="ref-for-create-candidate-authenticator①">candidate authenticator</a>) if the <a data-link-type="dfn" href="#create-candidate-authenticator" id="ref-for-create-candidate-authenticator②">candidate authenticator</a> is not capable of storing large blobs.</p>
       </ol>
      <li data-md>
       <p>Otherwise (i.e. <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargeblobinputs-support" id="ref-for-dom-authenticationextensionslargeblobinputs-support②">support</a></code> is absent or has the value <code class="idl"><a data-link-type="idl" href="#dom-largeblobsupport-preferred" id="ref-for-dom-largeblobsupport-preferred">preferred</a></code>):</p>
       <ol>
        <li data-md>
         <p>If an <a data-link-type="dfn" href="#create-selected-authenticator" id="ref-for-create-selected-authenticator">authenticator is selected</a> and the <a data-link-type="dfn" href="#create-selected-authenticator" id="ref-for-create-selected-authenticator①">selected authenticator</a> supports large blobs, set <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargebloboutputs-supported" id="ref-for-dom-authenticationextensionslargebloboutputs-supported①">supported</a></code> to <code>true</code>; otherwise, set it to <code>false</code>.</p>
       </ol>
     </ol>
    <dt data-md>Client extension processing (<a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①⑤">authentication</a>)
    <dd data-md>
     <ol>
      <li data-md>
       <p>If <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargeblobinputs-support" id="ref-for-dom-authenticationextensionslargeblobinputs-support③">support</a></code> is present:</p>
       <ol>
        <li data-md>
         <p>Return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException②④">DOMException</a></code> whose name is “<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notsupportederror" id="ref-for-notsupportederror④">NotSupportedError</a></code>”.</p>
       </ol>
      <li data-md>
       <p>If both <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargeblobinputs-read" id="ref-for-dom-authenticationextensionslargeblobinputs-read②">read</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargeblobinputs-write" id="ref-for-dom-authenticationextensionslargeblobinputs-write②">write</a></code> are present:</p>
       <ol>
        <li data-md>
         <p>Return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException②⑤">DOMException</a></code> whose name is “<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notsupportederror" id="ref-for-notsupportederror⑤">NotSupportedError</a></code>”.</p>
       </ol>
      <li data-md>
       <p>If <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargeblobinputs-read" id="ref-for-dom-authenticationextensionslargeblobinputs-read③">read</a></code> is present and has the value <code>true</code>:</p>
       <ol>
        <li data-md>
         <p>Initialize the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output②⓪">client extension output</a>, <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionsclientoutputs-largeblob" id="ref-for-dom-authenticationextensionsclientoutputs-largeblob">largeBlob</a></code>.</p>
        <li data-md>
         <p>If any authenticator indicates success (in <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot①①">[[DiscoverFromExternalSource]]()</a></code>), attempt to read any largeBlob data associated with the asserted credential.</p>
        <li data-md>
         <p>If successful, set <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargebloboutputs-blob" id="ref-for-dom-authenticationextensionslargebloboutputs-blob">blob</a></code> to the result.</p>
         <p class="note" role="note"><span>Note:</span> if the read is not successful, <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionsclientoutputs-largeblob" id="ref-for-dom-authenticationextensionsclientoutputs-largeblob①">largeBlob</a></code> will be present in <code class="idl"><a data-link-type="idl" href="#dictdef-authenticationextensionsclientoutputs" id="ref-for-dictdef-authenticationextensionsclientoutputs⑨">AuthenticationExtensionsClientOutputs</a></code> but the <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargebloboutputs-blob" id="ref-for-dom-authenticationextensionslargebloboutputs-blob①">blob</a></code> member will not be present.</p>
       </ol>
      <li data-md>
       <p>If <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargeblobinputs-write" id="ref-for-dom-authenticationextensionslargeblobinputs-write③">write</a></code> is present:</p>
       <ol>
        <li data-md>
         <p>If <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials①⑧">allowCredentials</a></code> does not contain exactly one element:</p>
         <ol>
          <li data-md>
           <p>Return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException②⑥">DOMException</a></code> whose name is “<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notsupportederror" id="ref-for-notsupportederror⑥">NotSupportedError</a></code>”.</p>
         </ol>
        <li data-md>
         <p>If the <a href="#sctn-getAssertion">assertion</a> operation is successful, attempt to store the contents of <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargeblobinputs-write" id="ref-for-dom-authenticationextensionslargeblobinputs-write④">write</a></code> on the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑨④">authenticator</a>, associated with the indicated credential.</p>
        <li data-md>
         <p>Set <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargebloboutputs-written" id="ref-for-dom-authenticationextensionslargebloboutputs-written">written</a></code> to <code>true</code> if successful and <code>false</code> otherwise.</p>
       </ol>
     </ol>
    <dt data-md>Client extension output
    <dd data-md>
<pre class="idl highlight def"><c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientoutputs" id="ref-for-dictdef-authenticationextensionsclientoutputs①⓪"><c- g>AuthenticationExtensionsClientOutputs</c-></a> {
    <a data-link-type="idl-name" href="#dictdef-authenticationextensionslargebloboutputs" id="ref-for-dictdef-authenticationextensionslargebloboutputs①"><c- n>AuthenticationExtensionsLargeBlobOutputs</c-></a> <dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticationExtensionsClientOutputs" data-dfn-type="dict-member" data-export data-type="AuthenticationExtensionsLargeBlobOutputs " id="dom-authenticationextensionsclientoutputs-largeblob"><code><c- g>largeBlob</c-></code></dfn>;
};

<c- b>dictionary</c-> <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-authenticationextensionslargebloboutputs"><code><c- g>AuthenticationExtensionsLargeBlobOutputs</c-></code></dfn> {
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean①③"><c- b>boolean</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="boolean " href="#dom-authenticationextensionslargebloboutputs-supported" id="ref-for-dom-authenticationextensionslargebloboutputs-supported②"><c- g>supported</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer②④"><c- b>ArrayBuffer</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="ArrayBuffer " href="#dom-authenticationextensionslargebloboutputs-blob" id="ref-for-dom-authenticationextensionslargebloboutputs-blob②"><c- g>blob</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean①④"><c- b>boolean</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="boolean " href="#dom-authenticationextensionslargebloboutputs-written" id="ref-for-dom-authenticationextensionslargebloboutputs-written①"><c- g>written</c-></a>;
};
</pre>
     <div>
      <dl>
       <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticationExtensionsLargeBlobOutputs" data-dfn-type="dict-member" data-export id="dom-authenticationextensionslargebloboutputs-supported"><code>supported</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean①⑤">boolean</a></span>
       <dd data-md>
        <p><code>true</code> if, and only if, the created credential supports storing large blobs. Only present in <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①⑧">registration</a> outputs.</p>
       <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticationExtensionsLargeBlobOutputs" data-dfn-type="dict-member" data-export id="dom-authenticationextensionslargebloboutputs-blob"><code>blob</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-ArrayBuffer" id="ref-for-idl-ArrayBuffer②⑤">ArrayBuffer</a></span>
       <dd data-md>
        <p>The opaque byte string that was associated with the credential identified by <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-rawid" id="ref-for-dom-publickeycredential-rawid②">rawId</a></code>. Only valid if <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargeblobinputs-read" id="ref-for-dom-authenticationextensionslargeblobinputs-read④">read</a></code> was <code>true</code>.</p>
       <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticationExtensionsLargeBlobOutputs" data-dfn-type="dict-member" data-export id="dom-authenticationextensionslargebloboutputs-written"><code>written</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean①⑥">boolean</a></span>
       <dd data-md>
        <p>A boolean that indicates that the contents of <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionslargeblobinputs-write" id="ref-for-dom-authenticationextensionslargeblobinputs-write⑤">write</a></code> were successfully stored on the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑨⑤">authenticator</a>, associated with the specified credential.</p>
      </dl>
     </div>
    <dt data-md>Authenticator extension processing
    <dd data-md>
     <p><a data-link-type="dfn" href="#largeblob" id="ref-for-largeblob">This extension</a> directs the user agent to cause the large blob to be stored on, or retrieved from, the authenticator. It thus does not specify any direct authenticator interaction for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⑨">Relying Parties</a>.</p>
   </dl>
   <h2 class="heading settled" data-level="11" id="sctn-automation"><span class="secno">11. </span><span class="content">User Agent Automation</span><a class="self-link" href="#sctn-automation"></a></h2>
   <p>For the purposes of user agent automation and <a data-link-type="dfn" href="#web-application" id="ref-for-web-application④">web application</a> testing, this document defines a number of <a data-link-type="biblio" href="#biblio-webdriver">[WebDriver]</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-extension-command" id="ref-for-dfn-extension-command">extension commands</a>.</p>
   <h3 class="heading settled" data-level="11.1" id="sctn-automation-webdriver-capability"><span class="secno">11.1. </span><span class="content">WebAuthn WebDriver Extension Capability</span><a class="self-link" href="#sctn-automation-webdriver-capability"></a></h3>
   <p>In order to advertise the availability of the <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-extension-command" id="ref-for-dfn-extension-command①">extension commands</a> defined below, a new <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-extension-capability" id="ref-for-dfn-extension-capability">extension capability</a> is defined.</p>
   <figure class="table" id="table-virtualAuthenticatorsWebdriverCapability">
    <table class="data">
     <thead>
      <tr>
       <th>Capability
       <th>Key
       <th>Value Type
       <th>Description
     <tbody>
      <tr>
       <td>Virtual Authenticators Support
       <td><code>"webauthn:virtualAuthenticators"</code>
       <td>boolean
       <td>Indicates whether the <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-endpoint-node" id="ref-for-dfn-endpoint-node">endpoint node</a> supports all <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators">Virtual Authenticators</a> commands.
    </table>
   </figure>
   <p>When <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-validate-capabilities" id="ref-for-dfn-validate-capabilities">validating capabilities</a>, the extension-specific substeps to validate <code>"webauthn:virtualAuthenticators"</code> with <code>value</code> are the following:</p>
   <ol>
    <li data-md>
     <p>If <code>value</code> is not a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#boolean" id="ref-for-boolean">boolean</a> return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error">WebDriver Error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument">invalid argument</a>.</p>
    <li data-md>
     <p>Otherwise, let <code>deserialized</code> be set to <code>value</code>.</p>
   </ol>
   <p>When <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-matching-capabilities" id="ref-for-dfn-matching-capabilities">matching capabilities</a>, the extension-specific steps to match <code>"webauthn:virtualAuthenticators"</code> with <code>value</code> are the following:</p>
   <ol>
    <li data-md>
     <p>If <code>value</code> is <code>true</code> and the <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-endpoint-node" id="ref-for-dfn-endpoint-node①">endpoint node</a> does not support any of the <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators①">Virtual Authenticators</a> commands,
the match is unsuccessful.</p>
    <li data-md>
     <p>Otherwise, the match is successful.</p>
   </ol>
   <h4 class="heading settled" data-level="11.1.1" id="sctn-authenticator-extension-capabilities"><span class="secno">11.1.1. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-extension-capabilities">Authenticator Extension Capabilities</dfn></span><a class="self-link" href="#sctn-authenticator-extension-capabilities"></a></h4>
   <p>Additionally, <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-extension-capability" id="ref-for-dfn-extension-capability①">extension capabilities</a> are defined for every <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension①①">authenticator extension</a> (i.e. those defining <a data-link-type="dfn" href="#authenticator-extension-processing" id="ref-for-authenticator-extension-processing⑤">authenticator extension processing</a>) defined in this specification:</p>
   <figure class="table" id="table-virtualAuthenticatorsExtensionsWebdriverCapability">
    <table class="data">
     <thead>
      <tr>
       <th>Capability
       <th>Key
       <th>Value Type
       <th>Description
     <tbody>
      <tr>
       <td>User Verification Method Extension Support
       <td><code>"webauthn:extension:uvm"</code>
       <td>boolean
       <td>Indicates whether the <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-endpoint-node" id="ref-for-dfn-endpoint-node②">endpoint node</a> WebAuthn WebDriver implementation supports the <a data-link-type="dfn" href="#user-verification-method" id="ref-for-user-verification-method">User Verification Method</a> extension.
      <tr>
       <td>Large Blob Storage Extension Support
       <td><code>"webauthn:extension:largeBlob"</code>
       <td>boolean
       <td>Indicates whether the <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-endpoint-node" id="ref-for-dfn-endpoint-node③">endpoint node</a> WebAuthn WebDriver implementation supports the <a data-link-type="dfn" href="#largeblob" id="ref-for-largeblob①">largeBlob</a> extension.
    </table>
   </figure>
   <p>When <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-validate-capabilities" id="ref-for-dfn-validate-capabilities①">validating capabilities</a>, the extension-specific substeps to validate an <a data-link-type="dfn" href="#authenticator-extension-capabilities" id="ref-for-authenticator-extension-capabilities">authenticator extension capability</a> <code>key</code> with <code>value</code> are the following:</p>
   <ol>
    <li data-md>
     <p>If <code>value</code> is not a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#boolean" id="ref-for-boolean①">boolean</a> return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error①">WebDriver Error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code①">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument①">invalid argument</a>.</p>
    <li data-md>
     <p>Otherwise, let <code>deserialized</code> be set to <code>value</code>.</p>
   </ol>
   <p>When <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-matching-capabilities" id="ref-for-dfn-matching-capabilities①">matching capabilities</a>, the extension-specific steps to match an <a data-link-type="dfn" href="#authenticator-extension-capabilities" id="ref-for-authenticator-extension-capabilities①">authenticator extension capability</a> <code>key</code> with <code>value</code> are the following:</p>
   <ol>
    <li data-md>
     <p>If <code>value</code> is <code>true</code> and the <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-endpoint-node" id="ref-for-dfn-endpoint-node④">endpoint node</a> WebAuthn WebDriver implementation does not support the <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension①②">authenticator extension</a> identified by the <code>key</code>,
the match is unsuccessful.</p>
    <li data-md>
     <p>Otherwise, the match is successful.</p>
   </ol>
   <p>User-Agents implementing defined <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension①③">authenticator extensions</a> SHOULD implement the corresponding <a data-link-type="dfn" href="#authenticator-extension-capabilities" id="ref-for-authenticator-extension-capabilities②">authenticator extension capability</a>.</p>
   <h3 class="heading settled" data-level="11.2" id="sctn-automation-virtual-authenticators"><span class="secno">11.2. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="virtual-authenticators">Virtual Authenticators</dfn></span><a class="self-link" href="#sctn-automation-virtual-authenticators"></a></h3>
   <p>These WebDriver <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-extension-command" id="ref-for-dfn-extension-command②">extension commands</a> create and interact with <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators②">Virtual Authenticators</a>: software implementations of the <a data-link-type="dfn" href="#authenticator-model" id="ref-for-authenticator-model③">Authenticator Model</a>. <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators③">Virtual Authenticators</a> are stored in a <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="virtual-authenticator-database">Virtual Authenticator Database</dfn>.
Each stored <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators④">virtual authenticator</a> has the following properties:</p>
   <dl>
    <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticatorid">authenticatorId</dfn>
    <dd data-md>
      <p>A non-null string of up to 48 characters from the <code>unreserved</code> production defined in Appendix A of <a data-link-type="biblio" href="#biblio-rfc3986">[RFC3986]</a> that uniquely identifies the <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators⑤">Virtual Authenticator</a>.</p>
    <dt data-md><var>protocol</var>
    <dd data-md>
     <p>The protocol the <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators⑥">Virtual Authenticator</a> speaks: one of <code>"ctap1/u2f"</code>, <code>"ctap2"</code> or <code>"ctap2_1"</code> <a data-link-type="biblio" href="#biblio-fido-ctap">[FIDO-CTAP]</a>.</p>
    <dt data-md><var>transport</var>
    <dd data-md>
     <p>The <code class="idl"><a data-link-type="idl" href="#enumdef-authenticatortransport" id="ref-for-enumdef-authenticatortransport⑤">AuthenticatorTransport</a></code> simulated. If the <var>transport</var> is set to <code class="idl"><a data-link-type="idl" href="#dom-authenticatortransport-internal" id="ref-for-dom-authenticatortransport-internal②">internal</a></code>, the
authenticator simulates <a data-link-type="dfn" href="#platform-attachment" id="ref-for-platform-attachment③">platform attachment</a>. Otherwise, it simulates <a data-link-type="dfn" href="#cross-platform-attachment" id="ref-for-cross-platform-attachment④">cross-platform attachment</a>.</p>
    <dt data-md><var>hasResidentKey</var>
    <dd data-md>
      <p>If set to <code>true</code>, the authenticator supports <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①⑥">client-side discoverable credentials</a>.</p>
    <dt data-md><var>hasUserVerification</var>
    <dd data-md>
     <p>If set to <code>true</code>, the authenticator supports <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④①">user verification</a>.</p>
    <dt data-md><var>isUserConsenting</var>
    <dd data-md>
     <p>Determines the result of all <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent②④">user consent</a> <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture②⑨">authorization gestures</a>, and by extension, any <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence①③">test of user presence</a> performed on the <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators⑦">Virtual Authenticator</a>. If set to <code>true</code>, a <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent②⑤">user consent</a> will always be granted. If set to <code>false</code>, it will not be granted.</p>
    <dt data-md><var>isUserVerified</var>
    <dd data-md>
     <p>Determines the result of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④②">User Verification</a> performed on the <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators⑧">Virtual Authenticator</a>. If set to <code>true</code>, <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④③">User Verification</a> will always succeed. If set to <code>false</code>, it will fail.</p>
     <p class="note" role="note"><span>Note:</span> This property has no effect if <var>hasUserVerification</var> is set to <code>false</code>.</p>
    <dt data-md><var>extensions</var>
    <dd data-md>
     <p>A string array containing the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①⑨">extension identifiers</a> supported by the <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators⑨">Virtual Authenticator</a>.</p>
      <p>A <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators①⓪">Virtual Authenticator</a> MUST support all <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension①④">authenticator extensions</a> present in its <var>extensions</var> array.
 It MUST NOT support any <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension①⑤">authenticator extension</a> not present in its <var>extensions</var> array.</p>
    <dt data-md><var>uvm</var>
    <dd data-md>
     <p>A <code class="idl"><a data-link-type="idl" href="#typedefdef-uvmentries" id="ref-for-typedefdef-uvmentries①">UvmEntries</a></code> array to be set as the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output①⑧">authenticator extension output</a> when processing the <a data-link-type="dfn" href="#user-verification-method" id="ref-for-user-verification-method①">User Verification Method</a> extension.</p>
     <p class="note" role="note"><span>Note:</span> This property has no effect if the <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators①①">Virtual Authenticator</a> does not support the <a data-link-type="dfn" href="#user-verification-method" id="ref-for-user-verification-method②">User Verification Method</a> extension.</p>
   </dl>
   <h3 class="heading settled" data-level="11.3" id="sctn-automation-add-virtual-authenticator"><span class="secno">11.3. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="add-virtual-authenticator">Add Virtual Authenticator</dfn></span><a class="self-link" href="#sctn-automation-add-virtual-authenticator"></a></h3>
   <p>The <a data-link-type="dfn" href="#add-virtual-authenticator" id="ref-for-add-virtual-authenticator">Add Virtual Authenticator</a> WebDriver <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-extension-command" id="ref-for-dfn-extension-command③">extension command</a> creates a software <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators①②">Virtual Authenticator</a>. It is
defined as follows:</p>
   <figure class="table" id="table-addVirtualAuthenticator">
    <table class="data">
     <thead>
      <tr>
       <th>HTTP Method
       <th>URI Template
     <tbody>
      <tr>
       <td>POST
       <td><code>/session/{session id}/webauthn/authenticator</code>
    </table>
   </figure>
   <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-configuration">Authenticator Configuration</dfn> is a JSON <a data-link-type="dfn" href="https://w3c.github.io/FileAPI/#blob-url-entry-object" id="ref-for-blob-url-entry-object">Object</a> passed to the <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-remote-end-steps" id="ref-for-dfn-remote-end-steps">remote end steps</a> as <var>parameters</var>. It contains the following <var>key</var> and <var>value</var> pairs:</p>
   <figure class="table" id="table-authenticatorConfiguration">
    <table class="data">
     <thead>
      <tr>
       <th>Key
       <th>Value Type
       <th>Valid Values
       <th>Default
     <tbody>
      <tr>
       <td><var>protocol</var>
       <td>string
       <td><code>"ctap1/u2f"</code>, <code>"ctap2"</code>, <code>"ctap2_1"</code>
       <td>None
      <tr>
       <td><var>transport</var>
       <td>string
       <td><code class="idl"><a data-link-type="idl" href="#enumdef-authenticatortransport" id="ref-for-enumdef-authenticatortransport⑥">AuthenticatorTransport</a></code> values
       <td>None
      <tr>
       <td><var>hasResidentKey</var>
       <td>boolean
       <td><code>true</code>, <code>false</code>
       <td><code>false</code>
      <tr>
       <td><var>hasUserVerification</var>
       <td>boolean
       <td><code>true</code>, <code>false</code>
       <td><code>false</code>
      <tr>
       <td><var>isUserConsenting</var>
       <td>boolean
       <td><code>true</code>, <code>false</code>
       <td><code>true</code>
      <tr>
       <td><var>isUserVerified</var>
       <td>boolean
       <td><code>true</code>, <code>false</code>
       <td><code>false</code>
      <tr>
       <td><var>extensions</var>
       <td>string array
       <td>An array containing <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier②⓪">extension identifiers</a>
       <td>Empty array
      <tr>
       <td><var>uvm</var>
       <td><code class="idl"><a data-link-type="idl" href="#typedefdef-uvmentries" id="ref-for-typedefdef-uvmentries②">UvmEntries</a></code>
       <td>Up to 3 <a data-link-type="dfn" href="#user-verification-method" id="ref-for-user-verification-method③">User Verification Method</a> entries
       <td>Empty array
    </table>
   </figure>
   <p>The <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-remote-end-steps" id="ref-for-dfn-remote-end-steps①">remote end steps</a> are:</p>
   <ol>
    <li data-md>
     <p>If <var>parameters</var> is not a JSON <a data-link-type="dfn" href="https://w3c.github.io/FileAPI/#blob-url-entry-object" id="ref-for-blob-url-entry-object①">Object</a>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error②">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code②">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument②">invalid argument</a>.</p>
     <p class="note" role="note"><span>Note:</span> <var>parameters</var> is a <a data-link-type="dfn" href="#authenticator-configuration" id="ref-for-authenticator-configuration">Authenticator Configuration</a> object.</p>
    <li data-md>
     <p>Let <var>authenticator</var> be a new <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators①③">Virtual Authenticator</a>.</p>
    <li data-md>
     <p>For each enumerable <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-own-property" id="ref-for-sec-own-property">own property</a> in <var>parameters</var>:</p>
     <ol>
      <li data-md>
       <p>Let <var>key</var> be the name of the property.</p>
      <li data-md>
       <p>Let <var>value</var> be the result of <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-getting-properties" id="ref-for-dfn-getting-properties">getting a property</a> named <var>key</var> from <var>parameters</var>.</p>
      <li data-md>
        <p>If there is no matching <code>key</code> for <var>key</var> in the <a data-link-type="dfn" href="#authenticator-configuration">Authenticator Configuration</a> table, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error③">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code③">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument③">invalid argument</a>.</p>
      <li data-md>
       <p>If <var>value</var> is not one of the <code>valid values</code> for that <var>key</var>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error④">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code④">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument④">invalid argument</a>.</p>
      <li data-md>
       <p><a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-set-a-property" id="ref-for-dfn-set-a-property">Set a property</a> <var>key</var> to <var>value</var> on <var>authenticator</var>.</p>
     </ol>
    <li data-md>
     <p>For each property in <a data-link-type="dfn" href="#authenticator-configuration" id="ref-for-authenticator-configuration①">Authenticator Configuration</a> with a default defined:</p>
     <ol>
      <li data-md>
       <p>If <code>key</code> is not a defined property of <var>authenticator</var>, <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-set-a-property" id="ref-for-dfn-set-a-property①">set a property</a> <code>key</code> to <code>default</code> on <var>authenticator</var>.</p>
     </ol>
    <li data-md>
     <p>For each property in <a data-link-type="dfn" href="#authenticator-configuration" id="ref-for-authenticator-configuration②">Authenticator Configuration</a>:</p>
     <ol>
      <li data-md>
       <p>If <code>key</code> is not a defined property of <var>authenticator</var>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error⑤">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code⑤">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument⑤">invalid argument</a>.</p>
     </ol>
    <li data-md>
     <p>For each <var>extension</var> in <var>authenticator</var>.<var>extensions</var>:</p>
     <ol>
      <li data-md>
       <p>If <var>extension</var> is not an <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier②①">extension identifier</a> supported by the <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-endpoint-node" id="ref-for-dfn-endpoint-node⑤">endpoint node</a> WebAuthn WebDriver implementation,
return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error⑥">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code⑥">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-unsupported-operation" id="ref-for-dfn-unsupported-operation">unsupported operation</a>.</p>
     </ol>
    <li data-md>
     <p>Generate a valid unique <a data-link-type="dfn" href="#authenticatorid" id="ref-for-authenticatorid">authenticatorId</a>.</p>
    <li data-md>
     <p><a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-set-a-property" id="ref-for-dfn-set-a-property②">Set a property</a> <code>authenticatorId</code> to <var>authenticatorId</var> on <var>authenticator</var>.</p>
    <li data-md>
     <p>Store <var>authenticator</var> in the <a data-link-type="dfn" href="#virtual-authenticator-database" id="ref-for-virtual-authenticator-database">Virtual Authenticator Database</a>.</p>
    <li data-md>
     <p>Return <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-success" id="ref-for-dfn-success">success</a> with data <var>authenticatorId</var>.</p>
   </ol>
   <h3 class="heading settled" data-level="11.4" id="sctn-automation-remove-virtual-authenticator"><span class="secno">11.4. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="remove-virtual-authenticator">Remove Virtual Authenticator</dfn></span><a class="self-link" href="#sctn-automation-remove-virtual-authenticator"></a></h3>
   <p>The <a data-link-type="dfn" href="#remove-virtual-authenticator" id="ref-for-remove-virtual-authenticator">Remove Virtual Authenticator</a> WebDriver <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-extension-command" id="ref-for-dfn-extension-command④">extension command</a> removes a previously created <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators①④">Virtual Authenticator</a>.
It is defined as follows:</p>
   <figure class="table" id="table-removeVirtualAuthenticator">
    <table class="data">
     <thead>
      <tr>
       <th>HTTP Method
       <th>URI Template
     <tbody>
      <tr>
       <td>DELETE
       <td><code>/session/{session id}/webauthn/authenticator/{authenticatorId}</code>
    </table>
   </figure>
   <p>The <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-remote-end-steps" id="ref-for-dfn-remote-end-steps②">remote end steps</a> are:</p>
   <ol>
    <li data-md>
     <p>If <var>authenticatorId</var> does not match any <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators①⑤">Virtual Authenticator</a> stored in the <a data-link-type="dfn" href="#virtual-authenticator-database" id="ref-for-virtual-authenticator-database①">Virtual Authenticator
 Database</a>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error⑦">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code⑦">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument⑥">invalid argument</a>.</p>
    <li data-md>
      <p>Remove the <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators①⑥">Virtual Authenticator</a> identified by <var>authenticatorId</var> from the <a data-link-type="dfn" href="#virtual-authenticator-database" id="ref-for-virtual-authenticator-database②">Virtual Authenticator Database</a>.</p>
    <li data-md>
     <p>Return <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-success" id="ref-for-dfn-success①">success</a>.</p>
   </ol>
   <h3 class="heading settled" data-level="11.5" id="sctn-automation-add-credential"><span class="secno">11.5. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="add-credential">Add Credential</dfn></span><a class="self-link" href="#sctn-automation-add-credential"></a></h3>
   <p>The <a data-link-type="dfn" href="#add-credential" id="ref-for-add-credential">Add Credential</a> WebDriver <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-extension-command" id="ref-for-dfn-extension-command⑤">extension command</a> injects a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source③②">Public Key Credential Source</a> into an existing <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators①⑦">Virtual Authenticator</a>. It is defined as follows:</p>
   <figure class="table" id="table-addCredential">
    <table class="data">
     <thead>
      <tr>
       <th>HTTP Method
       <th>URI Template
     <tbody>
      <tr>
       <td>POST
       <td><code>/session/{session id}/webauthn/authenticator/{authenticatorId}/credential</code>
    </table>
   </figure>
   <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="credential-parameters">Credential Parameters</dfn> is a JSON <a data-link-type="dfn" href="https://w3c.github.io/FileAPI/#blob-url-entry-object" id="ref-for-blob-url-entry-object②">Object</a> passed to the <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-remote-end-steps" id="ref-for-dfn-remote-end-steps③">remote end steps</a> as <var>parameters</var>. It contains the following <var>key</var> and <var>value</var> pairs:</p>
   <figure class="table" id="table-credentialParameters">
    <table class="data">
     <thead>
      <tr>
       <th>Key
       <th>Description
       <th>Value Type
     <tbody>
      <tr>
       <td><var>credentialId</var>
       <td>The <a data-link-type="dfn" href="#public-key-credential-source-id" id="ref-for-public-key-credential-source-id④">Credential ID</a> encoded using <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding①③">Base64url Encoding</a>.
       <td>string
      <tr>
       <td><var>isResidentCredential</var>
       <td> If set to <code>true</code>, a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①⑦">client-side discoverable credential</a> is created. If set to <code>false</code>, a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential①②">server-side credential</a> is created instead. 
       <td>boolean
      <tr>
       <td><var>rpId</var>
       <td>The <a data-link-type="dfn" href="#public-key-credential-source-rpid" id="ref-for-public-key-credential-source-rpid③">Relying Party ID</a> the credential is scoped to.
       <td>string
      <tr>
       <td><var>privateKey</var>
        <td>An asymmetric key package containing a single <a data-link-type="dfn" href="#public-key-credential-source-privatekey" id="ref-for-public-key-credential-source-privatekey②">private key</a> per <a data-link-type="biblio" href="#biblio-rfc5958">[RFC5958]</a>, encoded using <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding①④">Base64url Encoding</a>. The remote end steps below accept only a package containing a single ECDSA private key on the P-256 curve.
       <td>string
      <tr>
       <td><var>userHandle</var>
        <td>The <a data-link-type="dfn" href="#public-key-credential-source-userhandle" id="ref-for-public-key-credential-source-userhandle④">userHandle</a> associated with the credential, encoded using <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding①⑤">Base64url Encoding</a>. This property is optional and may be omitted.
       <td>string
      <tr>
       <td><var>signCount</var>
        <td>The initial value for the <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter②④">signature counter</a> associated with the <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source③③">public key credential source</a>.
       <td>number
      <tr>
       <td><var>largeBlob</var>
        <td>The <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#large-blob" id="ref-for-large-blob①">large, per-credential blob</a> associated with the <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source③④">public key credential source</a>, encoded using <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding①⑥">Base64url Encoding</a>.
                     This property is optional and may be omitted.
       <td>string
    </table>
   </figure>
   <p>The <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-remote-end-steps" id="ref-for-dfn-remote-end-steps④">remote end steps</a> are:</p>
   <ol>
    <li data-md>
     <p>If <var>parameters</var> is not a JSON <a data-link-type="dfn" href="https://w3c.github.io/FileAPI/#blob-url-entry-object" id="ref-for-blob-url-entry-object③">Object</a>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error⑧">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code⑧">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument⑦">invalid argument</a>.</p>
     <p class="note" role="note"><span>Note:</span> <var>parameters</var> is a <a data-link-type="dfn" href="#credential-parameters" id="ref-for-credential-parameters">Credential Parameters</a> object.</p>
    <li data-md>
     <p>Let <var>credentialId</var> be the result of decoding <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding①⑦">Base64url Encoding</a> on the <var>parameters</var>’ <var>credentialId</var> property.</p>
    <li data-md>
     <p>If <var>credentialId</var> is failure, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error⑨">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code⑨">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument⑧">invalid argument</a>.</p>
    <li data-md>
     <p>Let <var>isResidentCredential</var> be the <var>parameters</var>’ <var>isResidentCredential</var> property.</p>
    <li data-md>
     <p>If <var>isResidentCredential</var> is not defined, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error①⓪">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code①⓪">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument⑨">invalid argument</a>.</p>
    <li data-md>
     <p>Let <var>rpId</var> be the <var>parameters</var>’ <var>rpId</var> property.</p>
    <li data-md>
     <p>If <var>rpId</var> is not a valid <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④③">RP ID</a>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error①①">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code①①">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument①⓪">invalid argument</a>.</p>
    <li data-md>
     <p>Let <var>privateKey</var> be the result of decoding <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding①⑧">Base64url Encoding</a> on the <var>parameters</var>’ <var>privateKey</var> property.</p>
    <li data-md>
     <p>If <var>privateKey</var> is failure, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error①②">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code①②">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument①①">invalid argument</a>.</p>
    <li data-md>
     <p>If <var>privateKey</var> is not a validly-encoded asymmetric key package containing a single ECDSA private key on the P-256
 curve per <a data-link-type="biblio" href="#biblio-rfc5958">[RFC5958]</a>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error①③">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code①③">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument①②">invalid argument</a>.</p>
    <li data-md>
     <p>If the <var>parameters</var>’ <var>userHandle</var> property is defined:</p>
     <ol>
      <li data-md>
       <p>Let <var>userHandle</var> be the result of decoding <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding①⑨">Base64url Encoding</a> on the <var>parameters</var>’ <var>userHandle</var> property.</p>
      <li data-md>
       <p>If <var>userHandle</var> is failure, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error①④">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code①④">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument①③">invalid argument</a>.</p>
     </ol>
    <li data-md>
     <p>Otherwise:</p>
     <ol>
      <li data-md>
       <p>If <var>isResidentCredential</var> is <code>true</code>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error①⑤">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code①⑤">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument①④">invalid argument</a>.</p>
      <li data-md>
       <p>Let <var>userHandle</var> be <code>null</code>.</p>
     </ol>
    <li data-md>
     <p>If <var>authenticatorId</var> does not match any <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators①⑧">Virtual Authenticator</a> stored in the <a data-link-type="dfn" href="#virtual-authenticator-database" id="ref-for-virtual-authenticator-database③">Virtual Authenticator
 Database</a>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error①⑥">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code①⑥">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument①⑤">invalid argument</a>.</p>
    <li data-md>
     <p>Let <var>authenticator</var> be the <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators①⑨">Virtual Authenticator</a> matched by <var>authenticatorId</var>.</p>
    <li data-md>
     <p>If <var>isResidentCredential</var> is <code>true</code> and the <var>authenticator</var>’s <var>hasResidentKey</var> property is <code>false</code>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error①⑦">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code①⑦">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument①⑥">invalid argument</a>.</p>
    <li data-md>
     <p>If the <var>authenticator</var> supports the <a data-link-type="dfn" href="#largeblob" id="ref-for-largeblob②">largeBlob</a> extension and the <var>parameters</var>’ <var>largeBlob</var> property is defined:</p>
     <ol>
      <li data-md>
       <p>Let <var>largeBlob</var> be the result of decoding <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding②⓪">Base64url Encoding</a> on the <var>parameters</var>’ <var>largeBlob</var> property.</p>
      <li data-md>
       <p>If <var>largeBlob</var> is failure, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error①⑧">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code①⑧">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument①⑦">invalid argument</a>.</p>
     </ol>
    <li data-md>
     <p>Otherwise:</p>
     <ol>
      <li data-md>
       <p>Let <var>largeBlob</var> be <code>null</code>.</p>
     </ol>
    <li data-md>
     <p>Let <var>credential</var> be a new <a data-link-type="dfn" href="#client-side-discoverable-public-key-credential-source" id="ref-for-client-side-discoverable-public-key-credential-source⑦">Client-side discoverable Public Key Credential Source</a> if <var>isResidentCredential</var> is <code>true</code>, or a new <a data-link-type="dfn" href="#server-side-public-key-credential-source" id="ref-for-server-side-public-key-credential-source②">Server-side Public Key Credential Source</a> otherwise, whose items are:</p>
     <dl>
      <dt data-md><a data-link-type="dfn" href="#public-key-credential-source-type" id="ref-for-public-key-credential-source-type②">type</a>
      <dd data-md>
       <p><code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialtype-public-key" id="ref-for-dom-publickeycredentialtype-public-key⑥">public-key</a></code></p>
      <dt data-md><a data-link-type="dfn" href="#public-key-credential-source-id" id="ref-for-public-key-credential-source-id⑤">id</a>
      <dd data-md>
       <p><var>credentialId</var></p>
      <dt data-md><a data-link-type="dfn" href="#public-key-credential-source-privatekey" id="ref-for-public-key-credential-source-privatekey③">privateKey</a>
      <dd data-md>
       <p><var>privateKey</var></p>
      <dt data-md><a data-link-type="dfn" href="#public-key-credential-source-rpid" id="ref-for-public-key-credential-source-rpid④">rpId</a>
      <dd data-md>
       <p><var>rpId</var></p>
      <dt data-md><a data-link-type="dfn" href="#public-key-credential-source-userhandle" id="ref-for-public-key-credential-source-userhandle⑤">userHandle</a>
      <dd data-md>
       <p><var>userHandle</var></p>
     </dl>
    <li data-md>
     <p>Associate a <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter②⑤">signature counter</a> <var>counter</var> to the <var>credential</var> with a starting value equal to the <var>parameters</var>’ <var>signCount</var> or <code>0</code> if <var>signCount</var> is <code>null</code>.</p>
    <li data-md>
     <p>If <var>largeBlob</var> is not <code>null</code>, set the <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#large-blob" id="ref-for-large-blob②">large, per-credential blob</a> associated to the <var>credential</var> to <var>largeBlob</var>.</p>
    <li data-md>
     <p>Store the <var>credential</var> and <var>counter</var> in the database of the <var>authenticator</var>.</p>
    <li data-md>
     <p>Return <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-success" id="ref-for-dfn-success②">success</a>.</p>
   </ol>
   <h3 class="heading settled" data-level="11.6" id="sctn-automation-get-credentials"><span class="secno">11.6. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="get-credentials">Get Credentials</dfn></span><a class="self-link" href="#sctn-automation-get-credentials"></a></h3>
   <p>The <a data-link-type="dfn" href="#get-credentials" id="ref-for-get-credentials">Get Credentials</a> WebDriver <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-extension-command" id="ref-for-dfn-extension-command⑥">extension command</a> returns one <a data-link-type="dfn" href="#credential-parameters" id="ref-for-credential-parameters①">Credential Parameters</a> object for every <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source③⑤">Public Key Credential Source</a> stored in a <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators②⓪">Virtual Authenticator</a>, regardless of whether it was
stored using <a data-link-type="dfn" href="#add-credential" id="ref-for-add-credential①">Add Credential</a> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②⑤">navigator.credentials.create()</a></code>. It is defined as follows:</p>
   <figure class="table" id="table-getCredentials">
    <table class="data">
     <thead>
      <tr>
       <th>HTTP Method
       <th>URI Template
     <tbody>
      <tr>
       <td>GET
       <td><code>/session/{session id}/webauthn/authenticator/{authenticatorId}/credentials</code>
    </table>
   </figure>
   <p>The <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-remote-end-steps" id="ref-for-dfn-remote-end-steps⑤">remote end steps</a> are:</p>
   <ol>
    <li data-md>
     <p>If <var>authenticatorId</var> does not match any <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators②①">Virtual Authenticator</a> stored in the <a data-link-type="dfn" href="#virtual-authenticator-database" id="ref-for-virtual-authenticator-database④">Virtual Authenticator
 Database</a>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error①⑨">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code①⑨">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument①⑧">invalid argument</a>.</p>
    <li data-md>
     <p>Let <var>credentialsArray</var> be an empty array.</p>
    <li data-md>
     <p>For each <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source③⑥">Public Key Credential Source</a> <var>credential</var> managed by the authenticator identified by <var>authenticatorId</var>,
construct a corresponding <a data-link-type="dfn" href="#credential-parameters" id="ref-for-credential-parameters②">Credential Parameters</a> <a data-link-type="dfn" href="https://w3c.github.io/FileAPI/#blob-url-entry-object" id="ref-for-blob-url-entry-object④">Object</a> and add it to <var>credentialsArray</var>.</p>
    <li data-md>
     <p>Return <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-success" id="ref-for-dfn-success③">success</a> with data containing <var>credentialsArray</var>.</p>
   </ol>
   <h3 class="heading settled" data-level="11.7" id="sctn-automation-remove-credential"><span class="secno">11.7. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="remove-credential">Remove Credential</dfn></span><a class="self-link" href="#sctn-automation-remove-credential"></a></h3>
   <p>The <a data-link-type="dfn" href="#remove-credential" id="ref-for-remove-credential">Remove Credential</a> WebDriver <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-extension-command" id="ref-for-dfn-extension-command⑦">extension command</a> removes a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source③⑦">Public Key Credential Source</a> stored on a <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators②②">Virtual Authenticator</a>. It is defined as follows:</p>
   <figure class="table" id="table-removeCredential">
    <table class="data">
     <thead>
      <tr>
       <th>HTTP Method
       <th>URI Template
     <tbody>
      <tr>
       <td>DELETE
       <td><code>/session/{session id}/webauthn/authenticator/{authenticatorId}/credentials/{credentialId}</code>
    </table>
   </figure>
   <p>The <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-remote-end-steps" id="ref-for-dfn-remote-end-steps⑥">remote end steps</a> are:</p>
   <ol>
    <li data-md>
     <p>If <var>authenticatorId</var> does not match any <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators②③">Virtual Authenticator</a> stored in the <a data-link-type="dfn" href="#virtual-authenticator-database" id="ref-for-virtual-authenticator-database⑤">Virtual Authenticator
 Database</a>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error②⓪">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code②⓪">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument①⑨">invalid argument</a>.</p>
    <li data-md>
     <p>Let <var>authenticator</var> be the <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators②④">Virtual Authenticator</a> identified by <var>authenticatorId</var>.</p>
    <li data-md>
     <p>If <var>credentialId</var> does not match any <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source③⑧">Public Key Credential Source</a> managed by <var>authenticator</var>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error②①">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code②①">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument②⓪">invalid argument</a>.</p>
    <li data-md>
     <p>Remove the <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source③⑨">Public Key Credential Source</a> identified by <var>credentialId</var> managed by <var>authenticator</var>.</p>
    <li data-md>
     <p>Return <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-success" id="ref-for-dfn-success④">success</a>.</p>
   </ol>
   <h3 class="heading settled" data-level="11.8" id="sctn-automation-remove-all-credentials"><span class="secno">11.8. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="remove-all-credentials">Remove All Credentials</dfn></span><a class="self-link" href="#sctn-automation-remove-all-credentials"></a></h3>
   <p>The <a data-link-type="dfn" href="#remove-all-credentials" id="ref-for-remove-all-credentials">Remove All Credentials</a> WebDriver <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-extension-command" id="ref-for-dfn-extension-command⑧">extension command</a> removes all <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source④⓪">Public Key Credential Sources</a> stored on a <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators②⑤">Virtual Authenticator</a>. It is defined as follows:</p>
   <figure class="table" id="table-removeAllCredentials">
    <table class="data">
     <thead>
      <tr>
       <th>HTTP Method
       <th>URI Template
     <tbody>
      <tr>
       <td>DELETE
       <td><code>/session/{session id}/webauthn/authenticator/{authenticatorId}/credentials</code>
    </table>
   </figure>
   <p>The <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-remote-end-steps" id="ref-for-dfn-remote-end-steps⑦">remote end steps</a> are:</p>
   <ol>
    <li data-md>
     <p>If <var>authenticatorId</var> does not match any <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators②⑥">Virtual Authenticator</a> stored in the <a data-link-type="dfn" href="#virtual-authenticator-database" id="ref-for-virtual-authenticator-database⑥">Virtual Authenticator
 Database</a>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error②②">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code②②">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument②①">invalid argument</a>.</p>
    <li data-md>
     <p>Remove all <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source④①">Public Key Credential Sources</a> managed by the <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators②⑦">Virtual Authenticator</a> identified by <var>authenticatorId</var>.</p>
    <li data-md>
     <p>Return <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-success" id="ref-for-dfn-success⑤">success</a>.</p>
   </ol>
   <h3 class="heading settled" data-level="11.9" id="sctn-automation-set-user-verified"><span class="secno">11.9. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="set-user-verified">Set User Verified</dfn></span><a class="self-link" href="#sctn-automation-set-user-verified"></a></h3>
   <p>The <a data-link-type="dfn" href="#set-user-verified" id="ref-for-set-user-verified">Set User Verified</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-extension-command" id="ref-for-dfn-extension-command⑨">extension command</a> sets the <var>isUserVerified</var> property on the <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators②⑧">Virtual Authenticator</a>. It
is defined as follows:</p>
   <figure class="table" id="table-setUserVerified">
    <table class="data">
     <thead>
      <tr>
       <th>HTTP Method
       <th>URI Template
     <tbody>
      <tr>
       <td>POST
       <td><code>/session/{session id}/webauthn/authenticator/{authenticatorId}/uv</code>
    </table>
   </figure>
   <p>The <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-remote-end-steps" id="ref-for-dfn-remote-end-steps⑧">remote end steps</a> are:</p>
   <ol>
    <li data-md>
     <p>If <var>parameters</var> is not a JSON <a data-link-type="dfn" href="https://w3c.github.io/FileAPI/#blob-url-entry-object" id="ref-for-blob-url-entry-object⑤">Object</a>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error②③">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code②③">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument②②">invalid argument</a>.</p>
    <li data-md>
     <p>If <var>authenticatorId</var> does not match any <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators②⑨">Virtual Authenticator</a> stored in the <a data-link-type="dfn" href="#virtual-authenticator-database" id="ref-for-virtual-authenticator-database⑦">Virtual Authenticator
 Database</a>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error②④">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code②④">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument②③">invalid argument</a>.</p>
    <li data-md>
     <p>If <var>isUserVerified</var> is not a defined property of <var>parameters</var>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error②⑤">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code②⑤">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument②④">invalid argument</a>.</p>
    <li data-md>
     <p>Let <var>authenticator</var> be the <a data-link-type="dfn" href="#virtual-authenticators" id="ref-for-virtual-authenticators③⓪">Virtual Authenticator</a> identified by <var>authenticatorId</var>.</p>
    <li data-md>
     <p>Set the <var>authenticator</var>’s <var>isUserVerified</var> property to the <var>parameters</var>’ <var>isUserVerified</var> property.</p>
    <li data-md>
     <p>Return <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-success" id="ref-for-dfn-success⑥">success</a>.</p>
   </ol>
   <h2 class="heading settled" data-level="12" id="sctn-IANA"><span class="secno">12. </span><span class="content">IANA Considerations</span><a class="self-link" href="#sctn-IANA"></a></h2>
   <h3 class="heading settled" data-level="12.1" id="sctn-att-fmt-reg-update"><span class="secno">12.1. </span><span class="content">WebAuthn Attestation Statement Format Identifier Registrations Updates</span><a class="self-link" href="#sctn-att-fmt-reg-update"></a></h3>
   <p>This section updates the below-listed attestation statement formats defined in Section <a href="#sctn-defined-attestation-formats">§ 8 Defined Attestation Statement Formats</a> in the
IANA "WebAuthn Attestation Statement Format Identifiers" registry <a data-link-type="biblio" href="#biblio-iana-webauthn-registries">[IANA-WebAuthn-Registries]</a> established by <a data-link-type="biblio" href="#biblio-rfc8809">[RFC8809]</a>, originally registered in <a data-link-type="biblio" href="#biblio-webauthn-1">[WebAuthn-1]</a>, to point to this specification.</p>
   <ul>
    <li data-md>
     <p>WebAuthn Attestation Statement Format Identifier: packed</p>
    <li data-md>
     <p>Description: The "packed" attestation statement format is a WebAuthn-optimized format for <a data-link-type="dfn" href="#attestation" id="ref-for-attestation②⓪">attestation</a>. It uses a very
compact but still extensible encoding method. This format is implementable by authenticators with limited resources (e.g.,
secure elements).</p>
    <li data-md>
     <p>Specification Document: Section <a href="#sctn-packed-attestation">§ 8.2 Packed Attestation Statement Format</a> of this specification <br><br></p>
    <li data-md>
     <p>WebAuthn Attestation Statement Format Identifier: tpm</p>
    <li data-md>
     <p>Description: The TPM attestation statement format returns an attestation statement in the same format as the packed
attestation statement format, although the rawData and signature fields are computed differently.</p>
    <li data-md>
     <p>Specification Document: Section <a href="#sctn-tpm-attestation">§ 8.3 TPM Attestation Statement Format</a> of this specification <br><br></p>
    <li data-md>
     <p>WebAuthn Attestation Statement Format Identifier: android-key</p>
    <li data-md>
     <p>Description: Android <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②⑤">platform authenticators</a> on Android version "N" and later may provide this proprietary "hardware
attestation" statement.</p>
    <li data-md>
     <p>Specification Document: Section <a href="#sctn-android-key-attestation">§ 8.4 Android Key Attestation Statement Format</a> of this specification <br><br></p>
    <li data-md>
     <p>WebAuthn Attestation Statement Format Identifier: android-safetynet</p>
    <li data-md>
     <p>Description: Android-based <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②⑥">platform authenticators</a> MAY produce an attestation statement based on the Android
SafetyNet API.</p>
    <li data-md>
     <p>Specification Document: Section <a href="#sctn-android-safetynet-attestation">§ 8.5 Android SafetyNet Attestation Statement Format</a> of this specification <br><br></p>
    <li data-md>
     <p>WebAuthn Attestation Statement Format Identifier: fido-u2f</p>
    <li data-md>
     <p>Description: Used with FIDO U2F authenticators</p>
    <li data-md>
     <p>Specification Document: Section <a href="#sctn-fido-u2f-attestation">§ 8.6 FIDO U2F Attestation Statement Format</a> of this specification</p>
   </ul>
   <h3 class="heading settled" data-level="12.2" id="sctn-att-fmt-reg"><span class="secno">12.2. </span><span class="content">WebAuthn Attestation Statement Format Identifier Registrations</span><a class="self-link" href="#sctn-att-fmt-reg"></a></h3>
   <p>This section registers the below-listed attestation statement formats, newly defined in Section <a href="#sctn-defined-attestation-formats">§ 8 Defined Attestation Statement Formats</a>, in the IANA "WebAuthn Attestation Statement Format Identifiers" registry <a data-link-type="biblio" href="#biblio-iana-webauthn-registries">[IANA-WebAuthn-Registries]</a> established by <a data-link-type="biblio" href="#biblio-rfc8809">[RFC8809]</a>.</p>
   <ul>
    <li data-md>
     <p>WebAuthn Attestation Statement Format Identifier: apple</p>
    <li data-md>
     <p>Description: Used with Apple devices' <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②⑦">platform authenticators</a></p>
    <li data-md>
     <p>Specification Document: Section <a href="#sctn-apple-anonymous-attestation">§ 8.8 Apple Anonymous Attestation Statement Format</a> of this specification <br><br></p>
    <li data-md>
     <p>WebAuthn Attestation Statement Format Identifier: none</p>
    <li data-md>
     <p>Description: Used to replace any authenticator-provided attestation statement when a WebAuthn Relying Party indicates it does not wish to receive attestation information.</p>
    <li data-md>
     <p>Specification Document: Section <a href="#sctn-none-attestation">§ 8.7 None Attestation Statement Format</a> of this specification</p>
   </ul>
   <h3 class="heading settled" data-level="12.3" id="sctn-extensions-reg-update"><span class="secno">12.3. </span><span class="content">WebAuthn Extension Identifier Registrations Updates</span><a class="self-link" href="#sctn-extensions-reg-update"></a></h3>
   <p>This section updates the below-listed <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier②②">extension identifier</a> values defined in Section <a href="#sctn-defined-extensions">§ 10 Defined Extensions</a> in the IANA "WebAuthn Extension Identifiers" registry <a data-link-type="biblio" href="#biblio-iana-webauthn-registries">[IANA-WebAuthn-Registries]</a> established by <a data-link-type="biblio" href="#biblio-rfc8809">[RFC8809]</a>, originally registered in <a data-link-type="biblio" href="#biblio-webauthn-1">[WebAuthn-1]</a>, to point to this specification.</p>
   <ul>
    <li data-md>
     <p>WebAuthn Extension Identifier: appid</p>
    <li data-md>
     <p>Description: This <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①⑥">authentication extension</a> allows <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party③⑥">WebAuthn Relying Parties</a> that have previously registered a credential using the legacy
FIDO JavaScript APIs to request an assertion.</p>
    <li data-md>
     <p>Specification Document: Section <a href="#sctn-appid-extension">§ 10.1 FIDO AppID Extension (appid)</a> of this specification <br><br></p>
    <li data-md>
     <p>WebAuthn Extension Identifier: uvm</p>
    <li data-md>
     <p>Description: This <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①⑨">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①⑦">authentication extension</a> enables use of a user verification method.
The user verification method extension returns to the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party③⑦">WebAuthn Relying Party</a> which user verification methods (factors) were
used for the WebAuthn operation.</p>
    <li data-md>
     <p>Specification Document: Section <a href="#sctn-uvm-extension">§ 10.3 User Verification Method Extension (uvm)</a> of this specification</p>
   </ul>
   <h3 class="heading settled" data-level="12.4" id="sctn-extensions-reg"><span class="secno">12.4. </span><span class="content">WebAuthn Extension Identifier Registrations</span><a class="self-link" href="#sctn-extensions-reg"></a></h3>
   <p>This section registers the below-listed <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier②③">extension identifier</a> values, newly defined in Section <a href="#sctn-defined-extensions">§ 10 Defined Extensions</a>, in the IANA "WebAuthn Extension Identifiers" registry <a data-link-type="biblio" href="#biblio-iana-webauthn-registries">[IANA-WebAuthn-Registries]</a> established by <a data-link-type="biblio" href="#biblio-rfc8809">[RFC8809]</a>.</p>
   <ul>
    <li data-md>
     <p>WebAuthn Extension Identifier: appidExclude</p>
    <li data-md>
     <p>Description: This registration extension allows <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party③⑧">WebAuthn Relying Parties</a> to exclude authenticators that contain specified credentials that were created with the legacy FIDO U2F JavaScript API <a data-link-type="biblio" href="#biblio-fidou2fjavascriptapi">[FIDOU2FJavaScriptAPI]</a>.</p>
    <li data-md>
     <p>Specification Document: Section <a href="#sctn-appid-exclude-extension">§ 10.2 FIDO AppID Exclusion Extension (appidExclude)</a> of this specification <br><br></p>
    <li data-md>
     <p>WebAuthn Extension Identifier: credProps</p>
    <li data-md>
     <p>Description: This <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension⑨">client</a> <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension②⓪">registration extension</a> enables reporting of a newly-created <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential⑨">credential</a>'s properties,
as determined by the <a data-link-type="dfn" href="#client" id="ref-for-client⑥⑥">client</a>, to the calling <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party③⑨">WebAuthn Relying Party</a>'s <a data-link-type="dfn" href="#web-application" id="ref-for-web-application⑤">web application</a>.</p>
    <li data-md>
     <p>Specification Document: Section <a href="#sctn-authenticator-credential-properties-extension">§ 10.4 Credential Properties Extension (credProps)</a> of this specification <br><br></p>
    <li data-md>
     <p>WebAuthn Extension Identifier: largeBlob</p>
    <li data-md>
     <p>Description: This <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension①⓪">client</a> <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension②①">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①⑧">authentication extension</a> allows a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⓪">Relying Party</a> to store opaque data associated with a credential.</p>
    <li data-md>
     <p>Specification Document: Section <a href="#sctn-large-blob-extension">§ 10.5 Large blob storage extension (largeBlob)</a> of this specification</p>
   </ul>
   <h2 class="heading settled" data-level="13" id="sctn-security-considerations"><span class="secno">13. </span><span class="content">Security Considerations</span><a class="self-link" href="#sctn-security-considerations"></a></h2>
   <p>This specification defines a <a href="#sctn-api">Web API</a> and a cryptographic peer-entity authentication protocol.
The <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api①⑤">Web Authentication API</a> allows Web developers (i.e., "authors") to utilize the Web Authentication protocol in their <a data-link-type="dfn" href="#registration" id="ref-for-registration①④">registration</a> and <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①③">authentication</a> <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony⑨">ceremonies</a>.
The entities comprising the Web Authentication protocol endpoints are user-controlled <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator⑦">WebAuthn Authenticators</a> and a <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④⓪">WebAuthn Relying Party</a>'s
computing environment hosting the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤①">Relying Party</a>'s <a data-link-type="dfn" href="#web-application" id="ref-for-web-application⑥">web application</a>.
In this model, the user agent, together with the <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client⑦">WebAuthn Client</a>, comprise an intermediary between <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑨⑥">authenticators</a> and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤②">Relying Parties</a>.
Additionally, <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑨⑦">authenticators</a> can <a data-link-type="dfn" href="#attestation" id="ref-for-attestation②①">attest</a> to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤③">Relying Parties</a> as to their provenance.</p>
   <p>At this time, this specification does not feature detailed security considerations. However, the <a data-link-type="biblio" href="#biblio-fidosecref">[FIDOSecRef]</a> document provides a security analysis which is overall applicable to this specification.
Also, the <a data-link-type="biblio" href="#biblio-fidoauthnrsecreqs">[FIDOAuthnrSecReqs]</a> document suite provides useful information about <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑨⑧">authenticator</a> security characteristics.</p>
   <p>The below subsections comprise the current Web Authentication-specific security considerations.
They are divided by audience;
general security considerations are direct subsections of this section,
while security considerations specifically for <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑨⑨">authenticator</a>, <a data-link-type="dfn" href="#client" id="ref-for-client⑥⑦">client</a> and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤④">Relying Party</a> implementers
are grouped into respective subsections.</p>
   <h3 class="heading settled" data-level="13.1" id="sctn-credentialIdSecurity"><span class="secno">13.1. </span><span class="content">Credential ID Unsigned</span><a class="self-link" href="#sctn-credentialIdSecurity"></a></h3>
   <p>The <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③①">credential ID</a> is not signed.
This is not a problem because all that would happen if an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪⓪">authenticator</a> returns
the wrong <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③②">credential ID</a>, or if an attacker intercepts and manipulates the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③③">credential ID</a>, is that the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④①">WebAuthn Relying Party</a> would not look up the correct <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③④">credential public key</a> with which to verify the returned signed <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data④④">authenticator data</a> (a.k.a., <a data-link-type="dfn" href="#assertion" id="ref-for-assertion⑤">assertion</a>), and thus the interaction would end in an error.</p>
   <h3 class="heading settled" data-level="13.2" id="sctn-client-authenticator-proximity"><span class="secno">13.2. </span><span class="content">Physical Proximity between Client and Authenticator</span><a class="self-link" href="#sctn-client-authenticator-proximity"></a></h3>
   <p>In the WebAuthn <a data-link-type="dfn" href="#authenticator-model" id="ref-for-authenticator-model④">authenticator model</a>, it is generally assumed that <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators②①">roaming authenticators</a> are physically close to, and communicate directly with, the <a data-link-type="dfn" href="#client" id="ref-for-client⑥⑧">client</a>.
This arrangement has some important advantages.</p>
   <p>The promise of physical proximity between <a data-link-type="dfn" href="#client" id="ref-for-client⑥⑨">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪①">authenticator</a> is a key strength of a <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②①">something you have</a> <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②②">authentication factor</a>.
For example, if a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators②②">roaming authenticator</a> can communicate only via USB or Bluetooth,
the limited range of these transports ensures that any malicious actor
must physically be within that range in order to interact with the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪②">authenticator</a>.
This is not necessarily true of an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪③">authenticator</a> that can be invoked remotely —
even if the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪④">authenticator</a> verifies <a data-link-type="dfn" href="#concept-user-present" id="ref-for-concept-user-present⑥">user presence</a>,
users can be tricked into authorizing remotely initiated malicious requests.</p>
   <p>Direct communication between <a data-link-type="dfn" href="#client" id="ref-for-client⑦⓪">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪⑤">authenticator</a> means the <a data-link-type="dfn" href="#client" id="ref-for-client⑦①">client</a> can enforce the <a data-link-type="dfn" href="#scope" id="ref-for-scope①⑧">scope</a> restrictions for <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential①⓪">credentials</a>.
By contrast, if the communication between <a data-link-type="dfn" href="#client" id="ref-for-client⑦②">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪⑥">authenticator</a> is mediated by some third party,
then the <a data-link-type="dfn" href="#client" id="ref-for-client⑦③">client</a> has to trust the third party to
enforce the <a data-link-type="dfn" href="#scope" id="ref-for-scope①⑨">scope</a> restrictions and control access to the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪⑦">authenticator</a>.
Failure to do either could result in
a malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⑤">Relying Party</a> receiving <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion①③">authentication assertions</a> valid for other <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⑥">Relying Parties</a>,
or in a malicious user gaining access to <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion①④">authentication assertions</a> for other users.</p>
   <p>If designing a solution where the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪⑧">authenticator</a> does not need to be physically close to the <a data-link-type="dfn" href="#client" id="ref-for-client⑦④">client</a>,
or where <a data-link-type="dfn" href="#client" id="ref-for-client⑦⑤">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪⑨">authenticator</a> do not communicate directly,
designers SHOULD consider how this affects the enforcement of <a data-link-type="dfn" href="#scope" id="ref-for-scope②⓪">scope</a> restrictions
and the strength of the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①⓪">authenticator</a> as a <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②③">something you have</a> authentication factor.</p>
   <h3 class="heading settled" data-level="13.3" id="sctn-security-considerations-authenticator"><span class="secno">13.3. </span><span class="content">Security considerations for <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①①">authenticators</a> <span id="sctn-attestation-security-considerations"></span></span><a class="self-link" href="#sctn-security-considerations-authenticator"></a></h3>
   <h4 class="heading settled" data-level="13.3.1" id="sctn-cert-hierarchy"><span class="secno">13.3.1. </span><span class="content">Attestation Certificate Hierarchy</span><a class="self-link" href="#sctn-cert-hierarchy"></a></h4>
   <p>A 3-tier hierarchy for attestation certificates is RECOMMENDED (i.e., Attestation Root, Attestation Issuing CA, Attestation
Certificate). It is also RECOMMENDED that for each <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator⑧">WebAuthn Authenticator</a> device line (i.e., model), a separate issuing CA is
used, to help isolate problems with a specific version of an authenticator model.</p>
   <p>If the attestation root certificate is not dedicated to a single <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator⑨">WebAuthn Authenticator</a> device line (i.e., AAGUID), the AAGUID
SHOULD be specified in the attestation certificate itself, so that it can be verified against the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data④⑤">authenticator data</a>.</p>
   <h4 class="heading settled" data-level="13.3.2" id="sctn-ca-compromise"><span class="secno">13.3.2. </span><span class="content">Attestation Certificate and Attestation Certificate CA Compromise</span><a class="self-link" href="#sctn-ca-compromise"></a></h4>
   <p>When an intermediate CA or a root CA used for issuing attestation certificates is compromised, <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator①⓪">WebAuthn Authenticator</a> <a data-link-type="dfn" href="#attestation-key-pair" id="ref-for-attestation-key-pair⑥">attestation key pairs</a> are still safe although their certificates can no longer be trusted. A <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator①①">WebAuthn Authenticator</a> manufacturer that
has recorded the <a data-link-type="dfn" href="#attestation-public-key" id="ref-for-attestation-public-key①">attestation public keys</a> for their <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①②">authenticator</a> models can issue new <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate⑨">attestation certificates</a> for these keys from a new
intermediate CA or from a new root CA. If the root CA changes, the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④②">WebAuthn Relying Parties</a> MUST update their trusted root certificates
accordingly.</p>
   <p>A <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator①②">WebAuthn Authenticator</a> <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①⓪">attestation certificate</a> MUST be revoked by the issuing CA if its <a data-link-type="dfn" href="#attestation-private-key" id="ref-for-attestation-private-key④">private key</a> has been compromised. A WebAuthn
Authenticator manufacturer may need to ship a firmware update and inject new <a data-link-type="dfn" href="#attestation-private-key" id="ref-for-attestation-private-key⑤">attestation private keys</a> and <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①①">certificates</a> into already
manufactured <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator①③">WebAuthn Authenticators</a>, if the exposure was due to a firmware flaw. (The process by which this happens is out of
scope for this specification.) If the <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator①④">WebAuthn Authenticator</a> manufacturer does not have this capability, then it may not be
possible for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⑦">Relying Parties</a> to trust any further <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③⑥">attestation statements</a> from the affected <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator①⑤">WebAuthn Authenticators</a>.</p>
   <p>See also the related security consideration for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⑧">Relying Parties</a> in <a href="#sctn-revoked-attestation-certificates">§ 13.4.5 Revoked Attestation Certificates</a>.</p>
   <h3 class="heading settled" data-level="13.4" id="sctn-security-considerations-rp"><span class="secno">13.4. </span><span class="content">Security considerations for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⑨">Relying Parties</a></span><a class="self-link" href="#sctn-security-considerations-rp"></a></h3>
   <h4 class="heading settled" data-level="13.4.1" id="sctn-rp-benefits"><span class="secno">13.4.1. </span><span class="content">Security Benefits for WebAuthn Relying Parties</span><a class="self-link" href="#sctn-rp-benefits"></a></h4>
   <p>The main benefits offered to <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④③">WebAuthn Relying Parties</a> by this specification include:</p>
   <ol>
    <li data-md>
     <p>Users and accounts can be secured using widely compatible, easy-to-use multi-factor authentication.</p>
    <li data-md>
     <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⓪">Relying Party</a> does not need to provision <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①③">authenticator</a> hardware to its users. Instead, each user can independently obtain
any conforming <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①④">authenticator</a> and use that same <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①⑤">authenticator</a> with any number of <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥①">Relying Parties</a>. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥②">Relying Party</a> can optionally
enforce requirements on <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①⑥">authenticators</a>' security properties by inspecting the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③⑦">attestation statements</a> returned from the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①⑦">authenticators</a>.</p>
    <li data-md>
     <p><a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony①⑤">Authentication ceremonies</a> are resistant to <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-186" id="ref-for-page-186">man-in-the-middle attacks</a>.
Regarding <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony⑨">registration ceremonies</a>, see <a href="#sctn-attestation-limitations">§ 13.4.4 Attestation Limitations</a>, below.</p>
    <li data-md>
     <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥③">Relying Party</a> can automatically support multiple types of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④④">user verification</a> — for example PIN, biometrics and/or future
methods — with little or no code change, and can let each user decide which they prefer to use via their choice of <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①⑧">authenticator</a>.</p>
    <li data-md>
     <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥④">Relying Party</a> does not need to store additional secrets in order to gain the above benefits.</p>
   </ol>
   <p>As stated in the <a href="#sctn-conforming-relying-parties">Conformance</a> section, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⑤">Relying Party</a> MUST behave as described in <a href="#sctn-rp-operations">§ 7 WebAuthn Relying Party Operations</a> to obtain all of the above security benefits. However, one notable use case that departs slightly from this is described below in <a href="#sctn-attestation-limitations">§ 13.4.4 Attestation Limitations</a>.</p>
   <h4 class="heading settled" data-level="13.4.2" id="sctn-seccons-visibility"><span class="secno">13.4.2. </span><span class="content">Visibility Considerations for Embedded Usage</span><a class="self-link" href="#sctn-seccons-visibility"></a></h4>
   <p>Simplistic use of WebAuthn in an embedded context, e.g., within <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element④">iframe</a></code>s as described in <a href="#sctn-iframe-guidance">§ 5.10 Using Web Authentication within iframe elements</a>, may make users vulnerable to <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="ui-redressing">UI Redressing</dfn> attacks, also known as "<a href="https://en.wikipedia.org/wiki/Clickjacking">Clickjacking</a>". This is where an attacker overlays their own UI on top of a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⑥">Relying Party</a>'s intended UI and attempts to trick the user into performing unintended actions with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⑦">Relying Party</a>. For example, using these techniques, an attacker might be able to trick users into purchasing items, transferring money, etc.</p>
    <p>Even though WebAuthn-specific UI is typically handled by the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④⑧">client platform</a> and thus is not vulnerable to <a data-link-type="dfn" href="#ui-redressing" id="ref-for-ui-redressing①">UI Redressing</a>, it is likely important for a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⑧">Relying Party</a> having embedded WebAuthn-wielding content to ensure that its content’s UI is visible to the user. An emerging means to do so is by observing the status of the experimental <a href="https://w3c.github.io/IntersectionObserver/v2/">Intersection Observer v2</a>'s <code>isVisible</code> attribute. For example, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⑨">Relying Party</a>'s script running in the embedded context could pre-emptively load itself in a popup window if it detects <code>isVisible</code> being set to <code>false</code>, thus side-stepping any occlusion of its content.</p>
   <h4 class="heading settled" data-level="13.4.3" id="sctn-cryptographic-challenges"><span class="secno">13.4.3. </span><span class="content">Cryptographic Challenges</span><a class="self-link" href="#sctn-cryptographic-challenges"></a></h4>
   <p>As a cryptographic protocol, Web Authentication is dependent upon randomized challenges
to avoid replay attacks. Therefore, the values of both <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialcreationoptions" id="ref-for-dictdef-publickeycredentialcreationoptions⑥">PublicKeyCredentialCreationOptions</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-challenge" id="ref-for-dom-publickeycredentialcreationoptions-challenge③">challenge</a></code> and <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions⑦">PublicKeyCredentialRequestOptions</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-challenge" id="ref-for-dom-publickeycredentialrequestoptions-challenge④">challenge</a></code> MUST be randomly generated
by <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⓪">Relying Parties</a> in an environment they trust (e.g., on the server-side), and the
returned <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge⑧">challenge</a></code> value in the client’s
response MUST match what was generated. This SHOULD be done in a fashion that does not rely
upon a client’s behavior, e.g., the Relying Party SHOULD store the challenge temporarily
until the operation is complete. Tolerating a mismatch will compromise the security
of the protocol.</p>
   <p>In order to prevent replay attacks, the challenges MUST contain enough entropy to make guessing them infeasible. Challenges SHOULD
therefore be at least 16 bytes long.</p>
   <h4 class="heading settled" data-level="13.4.4" id="sctn-attestation-limitations"><span class="secno">13.4.4. </span><span class="content">Attestation Limitations</span><a class="self-link" href="#sctn-attestation-limitations"></a></h4>
   <p><em>This section is not normative.</em></p>
   <p>When <a href="#sctn-registering-a-new-credential">registering a new credential</a>, the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③⑧">attestation statement</a>, if present,
may allow the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④④">WebAuthn Relying Party</a> to derive assurances about various <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①⑨">authenticator</a> qualities.
For example, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②⓪">authenticator</a> model, or how it stores and protects <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key②①">credential private keys</a>.
However, it is important to note that an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③⑨">attestation statement</a>, on its own,
provides no means for a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦①">Relying Party</a> to verify that an <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①⑧">attestation object</a> was generated
by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②①">authenticator</a> the user intended, and not by a <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-186" id="ref-for-page-186①">man-in-the-middle attacker</a>.
For example, such an attacker could use malicious code injected into <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦②">Relying Party</a> script.
The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦③">Relying Party</a> must therefore rely on other means, e.g., TLS and related technologies,
to protect the <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①⑨">attestation object</a> from <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-186" id="ref-for-page-186②">man-in-the-middle attacks</a>.</p>
   <p>Under the assumption that a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①⓪">registration ceremony</a> is completed securely, and that the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②②">authenticator</a> maintains
confidentiality of the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key②②">credential private key</a>, subsequent <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony①⑥">authentication ceremonies</a> using that <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤⑧">public key
credential</a> are resistant to <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-186" id="ref-for-page-186③">man-in-the-middle attacks</a>.</p>
   <p>The discussion above holds for all <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type②②">attestation types</a>. In all cases it is possible for a <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-186" id="ref-for-page-186④">man-in-the-middle attacker</a> to replace the <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential①⑧">PublicKeyCredential</a></code> object, including the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement④⓪">attestation statement</a> and the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③⑤">credential public key</a> to be registered, and subsequently tamper with future <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion①⑤">authentication assertions</a> <a data-link-type="dfn" href="#scope" id="ref-for-scope②①">scoped</a> for the
same <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦④">Relying Party</a> and passing through the same attacker.</p>
   <p>Such an attack would potentially be detectable; since the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⑤">Relying Party</a> has registered the attacker’s <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③⑥">credential public key</a> rather
than the user’s, the attacker must tamper with all subsequent <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony①⑦">authentication ceremonies</a> with that <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⑥">Relying Party</a>: unscathed
ceremonies will fail, potentially revealing the attack.</p>
   <p><a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type②③">Attestation types</a> other than <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①⑦">Self Attestation</a> and <a data-link-type="dfn" href="#none" id="ref-for-none⑦">None</a> can increase the difficulty of such attacks, since <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⑦">Relying Parties</a> can possibly display <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②③">authenticator</a> information, e.g., model designation, to the user. An attacker might therefore need to use
a genuine <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②④">authenticator</a> of the same model as the user’s <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②⑤">authenticator</a>, or the user might notice that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⑧">Relying Party</a> reports
a different <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②⑥">authenticator</a> model than the user expects.</p>
   <p class="note" role="note"><span>Note:</span> All variants of <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-186" id="ref-for-page-186⑤">man-in-the-middle attacks</a> described above are more difficult for an attacker to mount
than a <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-186" id="ref-for-page-186⑥">man-in-the-middle attack</a> against conventional password authentication.</p>
   <h4 class="heading settled" data-level="13.4.5" id="sctn-revoked-attestation-certificates"><span class="secno">13.4.5. </span><span class="content">Revoked Attestation Certificates</span><a class="self-link" href="#sctn-revoked-attestation-certificates"></a></h4>
   <p>If <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①②">attestation certificate</a> validation fails due to a revoked intermediate attestation CA certificate, and the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⑨">Relying Party</a>'s policy
requires rejecting the registration/authentication request in these situations, then it is RECOMMENDED that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⓪">Relying Party</a> also
un-registers (or marks with a trust level equivalent to "<a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①⑧">self attestation</a>") <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤⑨">public key credentials</a> that were registered
after the CA compromise date using an <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①③">attestation certificate</a> chaining up to the same intermediate CA. It is thus RECOMMENDED
that <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧①">Relying Parties</a> remember intermediate attestation CA certificates during <a data-link-type="dfn" href="#registration" id="ref-for-registration①⑤">registration</a> in order to un-register
related <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥⓪">public key credentials</a> if the <a data-link-type="dfn" href="#registration" id="ref-for-registration①⑥">registration</a> was performed after revocation of such certificates.</p>
   <p>See also the related security consideration for <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②⑦">authenticators</a> in <a href="#sctn-ca-compromise">§ 13.3.2 Attestation Certificate and Attestation Certificate CA Compromise</a>.</p>
   <h4 class="heading settled" data-level="13.4.6" id="sctn-credential-loss-key-mobility"><span class="secno">13.4.6. </span><span class="content">Credential Loss and Key Mobility</span><a class="self-link" href="#sctn-credential-loss-key-mobility"></a></h4>
   <p>This specification defines no protocol for backing up <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key②③">credential private keys</a>, or for sharing them between <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②⑧">authenticators</a>.
In general, it is expected that a <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key②④">credential private key</a> never leaves the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②⑨">authenticator</a> that created it. Losing an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③⓪">authenticator</a> therefore, in general, means losing all <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥①">credentials</a> <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential①②">bound</a> to the
lost <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③①">authenticator</a>, which could lock the user out of an account if the user has only one <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥②">credential</a> registered with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧②">Relying Party</a>. Instead of backing up or sharing private keys, the Web Authentication API allows registering
multiple <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥③">credentials</a> for the same user. For example, a user might register <a data-link-type="dfn" href="#platform-credential" id="ref-for-platform-credential②">platform credentials</a> on
frequently used <a data-link-type="dfn" href="#client-device" id="ref-for-client-device④④">client devices</a>, and one or more <a data-link-type="dfn" href="#roaming-credential" id="ref-for-roaming-credential①">roaming credentials</a> for use as backup and with new or rarely used <a data-link-type="dfn" href="#client-device" id="ref-for-client-device④⑤">client
devices</a>.</p>
   <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧③">Relying Parties</a> SHOULD allow and encourage users to register multiple <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥④">credentials</a> to the same account. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧④">Relying Parties</a> SHOULD make use of the <code><code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials②">excludeCredentials</a></code></code> and <code><code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-user" id="ref-for-dom-publickeycredentialcreationoptions-user⑤">user</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-id" id="ref-for-dom-publickeycredentialuserentity-id⑥">id</a></code></code> options to ensure that these
different <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥⑤">credentials</a> are <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential①③">bound</a> to different <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③②">authenticators</a>.</p>
   <h4 class="heading settled" data-level="13.4.7" id="sctn-unprotected-account-detection"><span class="secno">13.4.7. </span><span class="content">Unprotected account detection</span><a class="self-link" href="#sctn-unprotected-account-detection"></a></h4>
   <p><em>This section is not normative.</em></p>
   <p>This security consideration applies to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑤">Relying Parties</a> that support <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony①⑧">authentication ceremonies</a> with a non-<a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-empty" id="ref-for-list-empty">empty</a> <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials①⑨">allowCredentials</a></code> argument as the first authentication step.
For example, if using authentication with <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential①③">server-side credentials</a> as the first authentication step.</p>
   <p>In this case the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials②⓪">allowCredentials</a></code> argument risks leaking information
about which user accounts have WebAuthn credentials registered and which do not,
which may be a signal of account protection strength.
For example, say an attacker can initiate an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony①⑨">authentication ceremony</a> by providing only a username,
and the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑥">Relying Party</a> responds with a non-empty <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials②①">allowCredentials</a></code> for some users,
and with failure or a password challenge for other users.
The attacker can then conclude that the latter user accounts
likely do not require a WebAuthn <a data-link-type="dfn" href="#assertion" id="ref-for-assertion⑥">assertion</a> for successful authentication,
and thus focus an attack on those likely weaker accounts.</p>
   <p>This issue is similar to the one described in <a href="#sctn-username-enumeration">§ 14.6.2 Username Enumeration</a> and <a href="#sctn-credential-id-privacy-leak">§ 14.6.3 Privacy leak via credential IDs</a>, and can be mitigated in similar ways.</p>
   <h2 class="heading settled" data-level="14" id="sctn-privacy-considerations"><span class="secno">14. </span><span class="content">Privacy Considerations</span><a class="self-link" href="#sctn-privacy-considerations"></a></h2>
   <p>The privacy principles in <a data-link-type="biblio" href="#biblio-fido-privacy-principles">[FIDO-Privacy-Principles]</a> also apply to this specification.</p>
   <p>This section is divided by audience;
general privacy considerations are direct subsections of this section,
while privacy considerations specifically for <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③③">authenticator</a>, <a data-link-type="dfn" href="#client" id="ref-for-client⑦⑥">client</a> and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑦">Relying Party</a> implementers
are grouped into respective subsections.</p>
   <h3 class="heading settled" data-level="14.1" id="sctn-privacy-attacks"><span class="secno">14.1. </span><span class="content">De-anonymization Prevention Measures</span><a class="self-link" href="#sctn-privacy-attacks"></a></h3>
   <p><em>This section is not normative.</em></p>
   <p>Many aspects of the design of the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api①⑥">Web Authentication API</a> are motivated by privacy concerns. The main concern considered in
this specification is the protection of the user’s personal identity, i.e., the identification of a human being or a correlation
of separate identities as belonging to the same human being. Although the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api①⑦">Web Authentication API</a> does not use or provide any
form of global identity, the following kinds of potentially correlatable identifiers are used:</p>
   <ul>
    <li data-md>
     <p>The user’s <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③④">credential IDs</a> and <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③⑦">credential public keys</a>.</p>
     <p>These are registered by the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④⑤">WebAuthn Relying Party</a> and subsequently used by the user to prove possession of the corresponding <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key②⑤">credential
private key</a>. They are also visible to the <a data-link-type="dfn" href="#client" id="ref-for-client⑦⑦">client</a> in the communication with the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③④">authenticator</a>.</p>
    <li data-md>
     <p>The user’s identities specific to each <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑧">Relying Party</a>, e.g., usernames and <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle①⑤">user handles</a>.</p>
     <p>These identities are obviously used by each <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑨">Relying Party</a> to identify a user in their system. They are also visible to the <a data-link-type="dfn" href="#client" id="ref-for-client⑦⑧">client</a> in the communication with the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③⑤">authenticator</a>.</p>
    <li data-md>
     <p>The user’s biometric characteristic(s), e.g., fingerprints or facial recognition data <a data-link-type="biblio" href="#biblio-isobiometricvocabulary">[ISOBiometricVocabulary]</a>.</p>
     <p>This is optionally used by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③⑥">authenticator</a> to perform <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④⑤">user verification</a>. It is not revealed to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⓪">Relying Party</a>, but in
the case of <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②⑧">platform authenticators</a>, it might be visible to the <a data-link-type="dfn" href="#client" id="ref-for-client⑦⑨">client</a> depending on the implementation.</p>
    <li data-md>
     <p>The models of the user’s <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③⑦">authenticators</a>, e.g., product names.</p>
     <p>This is exposed in the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement④①">attestation statement</a> provided to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨①">Relying Party</a> during <a data-link-type="dfn" href="#registration" id="ref-for-registration①⑦">registration</a>. It is also visible to the <a data-link-type="dfn" href="#client" id="ref-for-client⑧⓪">client</a> in the communication with the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③⑧">authenticator</a>.</p>
    <li data-md>
     <p>The identities of the user’s <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③⑨">authenticators</a>, e.g., serial numbers.</p>
     <p>This is possibly used by the <a data-link-type="dfn" href="#client" id="ref-for-client⑧①">client</a> to enable communication with the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④⓪">authenticator</a>, but is not exposed to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨②">Relying Party</a>.</p>
   </ul>
   <p>Some of the above information is necessarily shared with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨③">Relying Party</a>. The following sections describe the measures taken to
prevent malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨④">Relying Parties</a> from using it to discover a user’s personal identity.</p>
   <h3 class="heading settled" data-level="14.2" id="sctn-non-correlatable-credentials"><span class="secno">14.2. </span><span class="content">Anonymous, Scoped, Non-correlatable <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥⑥">Public Key Credentials</a></span><a class="self-link" href="#sctn-non-correlatable-credentials"></a></h3>
   <p><em>This section is not normative.</em></p>
   <p>Although <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③⑤">Credential IDs</a> and <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③⑧">credential public keys</a> are necessarily shared with the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④⑥">WebAuthn Relying Party</a> to enable strong
authentication, they are designed to be minimally identifying and not shared between <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⑤">Relying Parties</a>.</p>
   <ul>
    <li data-md>
     <p><a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③⑥">Credential IDs</a> and <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③⑨">credential public keys</a> are meaningless in isolation, as they only identify <a data-link-type="dfn" href="#credential-key-pair" id="ref-for-credential-key-pair⑤">credential key pairs</a> and not users directly.</p>
    <li data-md>
     <p>Each <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥⑦">public key credential</a> is strictly <a data-link-type="dfn" href="#scope" id="ref-for-scope②②">scoped</a> to a specific <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⑥">Relying Party</a>, and the <a data-link-type="dfn" href="#client" id="ref-for-client⑧②">client</a> ensures that its existence is not
revealed to other <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⑦">Relying Parties</a>. A malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⑧">Relying Party</a> thus cannot ask the <a data-link-type="dfn" href="#client" id="ref-for-client⑧③">client</a> to reveal a user’s other identities.</p>
    <li data-md>
     <p>The <a data-link-type="dfn" href="#client" id="ref-for-client⑧④">client</a> also ensures that the existence of a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥⑧">public key credential</a> is not revealed to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⑨">Relying Party</a> without <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent②⑥">user
consent</a>. This is detailed further in <a href="#sctn-make-credential-privacy">§ 14.5.1 Registration Ceremony Privacy</a> and <a href="#sctn-assertion-privacy">§ 14.5.2 Authentication Ceremony Privacy</a>. A malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⓪">Relying Party</a> thus cannot silently identify a user, even if the user has a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥⑨">public key credential</a> registered and available.</p>
    <li data-md>
     <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④①">Authenticators</a> ensure that the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③⑦">credential IDs</a> and <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key④⓪">credential public keys</a> of different <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⓪">public key credentials</a> are
not correlatable as belonging to the same user. A pair of malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪①">Relying Parties</a> thus cannot correlate users between their
systems without additional information, e.g., a willfully reused username or e-mail address.</p>
    <li data-md>
     <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④②">Authenticators</a> ensure that their <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①④">attestation certificates</a> are not unique enough to identify a single <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④③">authenticator</a> or a small group of <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④④">authenticators</a>. This is detailed further in <a href="#sctn-attestation-privacy">§ 14.4.1 Attestation Privacy</a>. A pair of malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪②">Relying Parties</a> thus cannot correlate users between their systems by tracking individual <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④⑤">authenticators</a>.</p>
   </ul>
   <p>Additionally, a <a data-link-type="dfn" href="#client-side-discoverable-public-key-credential-source" id="ref-for-client-side-discoverable-public-key-credential-source⑧">client-side discoverable public key credential source</a> can optionally include a <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle①⑥">user
handle</a> specified by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪③">Relying Party</a>. The <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦①">credential</a> can then be used to both identify and <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①④">authenticate</a> the user. This means that a privacy-conscious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪④">Relying Party</a> can allow the user to create an account
without a traditional username, further improving non-correlatability between <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⑤">Relying Parties</a>.</p>
   <h3 class="heading settled" data-level="14.3" id="sctn-biometric-privacy"><span class="secno">14.3. </span><span class="content">Authenticator-local <a data-link-type="dfn" href="#biometric-recognition" id="ref-for-biometric-recognition④">Biometric Recognition</a></span><a class="self-link" href="#sctn-biometric-privacy"></a></h3>
   <p><a data-link-type="dfn" href="#biometric-authenticator" id="ref-for-biometric-authenticator①">Biometric authenticators</a> perform the <a data-link-type="dfn" href="#biometric-recognition" id="ref-for-biometric-recognition⑤">biometric recognition</a> internally in the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④⑥">authenticator</a> - though for <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②⑨">platform
authenticators</a> the biometric data might also be visible to the <a data-link-type="dfn" href="#client" id="ref-for-client⑧⑤">client</a>, depending on the implementation. Biometric data is
not revealed to the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④⑦">WebAuthn Relying Party</a>; it is used only locally to perform <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④⑥">user verification</a> authorizing the creation and <a data-link-type="dfn" href="#registration" id="ref-for-registration①⑧">registration</a> of, or <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①⑤">authentication</a> using, a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦②">public key credential</a>. A malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⑥">Relying Party</a> therefore cannot discover the
user’s personal identity via biometric data, and a security breach at a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⑦">Relying Party</a> cannot expose biometric data for an attacker to
use for forging logins at other <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⑧">Relying Parties</a>.</p>
   <p>In the case where a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⑨">Relying Party</a> requires <a data-link-type="dfn" href="#biometric-recognition" id="ref-for-biometric-recognition⑥">biometric recognition</a>, this is performed locally by the <a data-link-type="dfn" href="#biometric-authenticator" id="ref-for-biometric-authenticator②">biometric authenticator</a> performing <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④⑦">user verification</a> and then signaling the result by setting the <a data-link-type="dfn" href="#uv" id="ref-for-uv⑥">UV</a> <a data-link-type="dfn" href="#flags" id="ref-for-flags②⓪">flag</a> in the signed <a data-link-type="dfn" href="#assertion" id="ref-for-assertion⑦">assertion</a> response,
instead of revealing the biometric data itself to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⓪">Relying Party</a>.</p>
   <h3 class="heading settled" data-level="14.4" id="sctn-privacy-considerations-authenticator"><span class="secno">14.4. </span><span class="content">Privacy considerations for <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④⑦">authenticators</a></span><a class="self-link" href="#sctn-privacy-considerations-authenticator"></a></h3>
   <h4 class="heading settled" data-level="14.4.1" id="sctn-attestation-privacy"><span class="secno">14.4.1. </span><span class="content">Attestation Privacy</span><a class="self-link" href="#sctn-attestation-privacy"></a></h4>
   <p><a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①⑤">Attestation certificates</a> and <a data-link-type="dfn" href="#attestation-key-pair" id="ref-for-attestation-key-pair⑦">attestation key pairs</a> can be used to track users
or link various online identities of the same user together.
This can be mitigated in several ways, including:</p>
   <ul>
    <li data-md>
     <p>A <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator①⑥">WebAuthn Authenticator</a> manufacturer may choose to ship <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④⑧">authenticators</a> in batches
where <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④⑨">authenticators</a> in a batch share the same <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①⑥">attestation certificate</a> (called <a data-link-type="dfn" href="#basic-attestation" id="ref-for-basic-attestation①">Basic Attestation</a> or <a data-link-type="dfn" href="#batch-attestation" id="ref-for-batch-attestation">batch attestation</a>).
This will anonymize the user at the risk of not being able to revoke a particular <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①⑦">attestation certificate</a> if its <a data-link-type="dfn" href="#attestation-private-key" id="ref-for-attestation-private-key⑥">private key</a> is compromised.
The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤⓪">authenticator</a> manufacturer SHOULD then ensure that such batches are large enough to provide meaningful anonymization,
while also minimizing the batch size in order to limit the number of affected users
in case an <a data-link-type="dfn" href="#attestation-private-key" id="ref-for-attestation-private-key⑦">attestation private key</a> is compromised.</p>
     <p><a data-link-type="biblio" href="#biblio-uafprotocol">[UAFProtocol]</a> requires that at least 100,000 <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤①">authenticator</a> devices share the same <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①⑧">attestation certificate</a> in order to produce
sufficiently large groups. This may serve as guidance about suitable batch sizes.</p>
    <li data-md>
     <p>A <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator①⑦">WebAuthn Authenticator</a> may be capable of dynamically generating different <a data-link-type="dfn" href="#attestation-key-pair" id="ref-for-attestation-key-pair⑧">attestation key pairs</a> (and requesting related <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①⑨">certificates</a>) per-<a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential①①">credential</a> as described in the <a data-link-type="dfn" href="#anonymization-ca" id="ref-for-anonymization-ca⑥">Anonymization CA</a> approach. For example, an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤②">authenticator</a> can ship with a
master <a data-link-type="dfn" href="#attestation-private-key" id="ref-for-attestation-private-key⑧">attestation private key</a> (and <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate②⓪">certificate</a>),
and combined with a cloud-operated <a data-link-type="dfn" href="#anonymization-ca" id="ref-for-anonymization-ca⑦">Anonymization CA</a>,
can dynamically generate per-<a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential①②">credential</a> <a data-link-type="dfn" href="#attestation-key-pair" id="ref-for-attestation-key-pair⑨">attestation key pairs</a> and <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate②①">attestation certificates</a>.</p>
     <p class="note" role="note"><span>Note:</span> In various places outside this specification, the term "Privacy CA" is used to refer to what is termed here
    as an <a data-link-type="dfn" href="#anonymization-ca" id="ref-for-anonymization-ca⑧">Anonymization CA</a>. Because the Trusted Computing Group (TCG) also used the term "Privacy CA" to refer to what
    the TCG now refers to as an <a data-link-type="dfn" href="#attestation-ca" id="ref-for-attestation-ca③">Attestation CA</a> (ACA) <a data-link-type="biblio" href="#biblio-tcg-cmcprofile-aikcertenroll">[TCG-CMCProfile-AIKCertEnroll]</a>, we are using the term <a data-link-type="dfn" href="#anonymization-ca" id="ref-for-anonymization-ca⑨">Anonymization CA</a> here to try to mitigate
    confusion in the specific context of this specification.</p>
   </ul>
   <h4 class="heading settled" data-level="14.4.2" id="sctn-pii-privacy"><span class="secno">14.4.2. </span><span class="content">Privacy of personally identifying information Stored in Authenticators</span><a class="self-link" href="#sctn-pii-privacy"></a></h4>
   <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤③">Authenticators</a> MAY provide additional information to <a data-link-type="dfn" href="#client" id="ref-for-client⑧⑥">clients</a> outside what’s defined by this specification, e.g.,
to enable the <a data-link-type="dfn" href="#client" id="ref-for-client⑧⑦">client</a> to provide a rich UI with which the user can pick which <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential①③">credential</a> to use for an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②⓪">authentication
ceremony</a>. If an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤④">authenticator</a> chooses to do so, it SHOULD NOT expose personally identifying information unless successful <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④⑧">user verification</a> has been
performed. If the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤⑤">authenticator</a> supports <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④⑨">user verification</a> with more than one concurrently enrolled user, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤⑥">authenticator</a> SHOULD NOT expose personally identifying information of users other than the currently <a data-link-type="dfn" href="#concept-user-verified" id="ref-for-concept-user-verified⑥">verified</a> user. Consequently, an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤⑦">authenticator</a> that is not capable of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑤⓪">user verification</a> SHOULD NOT store personally identifying information.</p>
   <p>For the purposes of this discussion, the <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle①⑦">user handle</a> conveyed as the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-id" id="ref-for-dom-publickeycredentialuserentity-id⑦">id</a></code> member of <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity⑦">PublicKeyCredentialUserEntity</a></code> is not considered personally identifying information; see <a href="#sctn-user-handle-privacy">§ 14.6.1 User Handle Contents</a>.</p>
   <p>These recommendations serve to prevent an adversary with physical access to an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤⑧">authenticator</a> from extracting personally identifying information about the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤⑨">authenticator</a>'s enrolled user(s).</p>
   <h3 class="heading settled" data-level="14.5" id="sctn-privacy-considerations-client"><span class="secno">14.5. </span><span class="content">Privacy considerations for <a data-link-type="dfn" href="#client" id="ref-for-client⑧⑧">clients</a></span><a class="self-link" href="#sctn-privacy-considerations-client"></a></h3>
   <h4 class="heading settled" data-level="14.5.1" id="sctn-make-credential-privacy"><span class="secno">14.5.1. </span><span class="content">Registration Ceremony Privacy</span><a class="self-link" href="#sctn-make-credential-privacy"></a></h4>
   <p>In order to protect users from being identified without <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent②⑦">consent</a>, implementations of the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot①②">[[Create]](origin, options, sameOriginWithAncestors)</a></code> method need to take care to not leak information that
could enable a malicious <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④⑧">WebAuthn Relying Party</a> to distinguish between these cases, where "excluded" means that at least one of the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦③">credentials</a> listed by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①①">Relying Party</a> in <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials③">excludeCredentials</a></code> is <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential①④">bound</a> to the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥⓪">authenticator</a>:</p>
   <ul>
    <li data-md>
     <p>No <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥①">authenticators</a> are present.</p>
    <li data-md>
     <p>At least one <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥②">authenticator</a> is present, and at least one present <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥③">authenticator</a> is excluded.</p>
   </ul>
   <p>If the above cases are distinguishable, information is leaked by which a malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①②">Relying Party</a> could identify the user by probing for
which <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦④">credentials</a> are available. For example, one such information leak is if the client returns a
failure response as soon as an excluded <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥④">authenticator</a> becomes available. In this case - especially if the excluded <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥⑤">authenticator</a> is a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators③⓪">platform authenticator</a> - the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①③">Relying Party</a> could detect that the <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①⓪">ceremony</a> was canceled before the
timeout and before the user could feasibly have canceled it manually, and thus conclude that at least one of the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⑤">credentials</a> listed in the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials④">excludeCredentials</a></code> parameter is available to the user.</p>
   <p>The above is not a concern, however, if the user has <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent②⑧">consented</a> to create a new credential before a
distinguishable error is returned, because in this case the user has confirmed intent to share the information that would be
leaked.</p>
   <h4 class="heading settled" data-level="14.5.2" id="sctn-assertion-privacy"><span class="secno">14.5.2. </span><span class="content">Authentication Ceremony Privacy</span><a class="self-link" href="#sctn-assertion-privacy"></a></h4>
   <p>In order to protect users from being identified without <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent②⑨">consent</a>, implementations of the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot①②">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code> method need to take care to not
leak information that could enable a malicious <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④⑨">WebAuthn Relying Party</a> to distinguish between these cases, where "named" means that the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⑥">credential</a> is listed by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①④">Relying Party</a> in <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials②②">allowCredentials</a></code>:</p>
   <ul>
    <li data-md>
     <p>A named <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⑦">credential</a> is not available.</p>
    <li data-md>
     <p>A named <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⑧">credential</a> is available, but the user does not <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent③⓪">consent</a> to use it.</p>
   </ul>
   <p>If the above cases are distinguishable, information is leaked by which a malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⑤">Relying Party</a> could identify the user by probing
for which <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⑨">credentials</a> are available. For example, one such information leak is if the client returns a
failure response as soon as the user denies <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent③①">consent</a> to proceed with an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②①">authentication ceremony</a>. In this
case the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⑥">Relying Party</a> could detect that the <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①①">ceremony</a> was canceled by the user and not the timeout, and thus conclude that at least
one of the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑧⓪">credentials</a> listed in the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials②③">allowCredentials</a></code> parameter is
available to the user.</p>
   <h4 class="heading settled" data-level="14.5.3" id="sctn-os-account-privacy"><span class="secno">14.5.3. </span><span class="content">Privacy Between Operating System Accounts</span><a class="self-link" href="#sctn-os-account-privacy"></a></h4>
   <p>If a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators③①">platform authenticator</a> is included in a <a data-link-type="dfn" href="#client-device" id="ref-for-client-device④⑥">client device</a> with a multi-user operating system, the <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators③②">platform
authenticator</a> and <a data-link-type="dfn" href="#client-device" id="ref-for-client-device④⑦">client device</a> SHOULD work together to ensure that the existence of any <a data-link-type="dfn" href="#platform-credential" id="ref-for-platform-credential③">platform credential</a> is revealed
only to the operating system user that created that <a data-link-type="dfn" href="#platform-credential" id="ref-for-platform-credential④">platform credential</a>.</p>
   <h3 class="heading settled" data-level="14.6" id="sctn-privacy-considerations-rp"><span class="secno">14.6. </span><span class="content">Privacy considerations for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⑦">Relying Parties</a></span><a class="self-link" href="#sctn-privacy-considerations-rp"></a></h3>
   <h4 class="heading settled" data-level="14.6.1" id="sctn-user-handle-privacy"><span class="secno">14.6.1. </span><span class="content">User Handle Contents</span><a class="self-link" href="#sctn-user-handle-privacy"></a></h4>
   <p>Since the <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle①⑧">user handle</a> is not considered personally identifying information in <a href="#sctn-pii-privacy">§ 14.4.2 Privacy of personally identifying information Stored in Authenticators</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⑧">Relying Party</a> MUST NOT include personally identifying information, e.g., e-mail
addresses or usernames, in the <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle①⑨">user handle</a>. This includes hash values of personally identifying information, unless the hash
function is <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-258" id="ref-for-page-258">salted</a> with <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-258" id="ref-for-page-258①">salt</a> values private to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⑨">Relying Party</a>, since hashing does not prevent probing for guessable input
values. It is RECOMMENDED to let the <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle②⓪">user handle</a> be 64 random bytes, and store this value in the user’s account.</p>
   <h4 class="heading settled" data-level="14.6.2" id="sctn-username-enumeration"><span class="secno">14.6.2. </span><span class="content">Username Enumeration</span><a class="self-link" href="#sctn-username-enumeration"></a></h4>
   <p>While initiating a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①①">registration</a> or <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②②">authentication ceremony</a>, there is a risk that the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑤⓪">WebAuthn Relying Party</a> might leak sensitive
information about its registered users. For example, suppose a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⓪">Relying Party</a> uses e-mail addresses as usernames, an attacker attempts to
initiate an <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①⑥">authentication</a> <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①②">ceremony</a> for "alex.mueller@example.com" and the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②①">Relying Party</a> responds with a failure, but the attacker then
successfully initiates an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②③">authentication ceremony</a> for "j.doe@example.com". The attacker can then conclude that "j.doe@example.com"
is registered and "alex.mueller@example.com" is not. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②②">Relying Party</a> has thus leaked the possibly sensitive information that
"j.doe@example.com" has an account at this <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②③">Relying Party</a>.</p>
   <p>The following is a non-normative, non-exhaustive list of measures the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②④">Relying Party</a> may implement to mitigate or prevent information
leakage due to such an attack:</p>
   <ul>
    <li data-md>
     <p>For <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①②">registration ceremonies</a>:</p>
     <ul>
      <li data-md>
       <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⑤">Relying Party</a> uses <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⑥">Relying Party</a>-specific usernames to identify users:</p>
       <ul>
        <li data-md>
         <p>When initiating a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①③">registration ceremony</a>, disallow registration of usernames that are syntactically valid e-mail
addresses.</p>
         <p class="note" role="note"><span>Note:</span> The motivation for this suggestion is that in this case the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⑦">Relying Party</a> probably has no choice but to fail the <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①④">registration ceremony</a> if the user attempts to register a username that is already registered, and an information
leak might therefore be unavoidable. By disallowing e-mail addresses as usernames, the impact of the leakage can be
mitigated since it will be less likely that a user has the same username at this <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⑧">Relying Party</a> as at other <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⑨">Relying Parties</a>.</p>
       </ul>
      <li data-md>
       <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⓪">Relying Party</a> uses e-mail addresses to identify users:</p>
       <ul>
        <li data-md>
         <p>When initiating a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①⑤">registration ceremony</a>, interrupt the user interaction after the e-mail address is supplied and
send a message to this address, containing an unpredictable one-time code and instructions for how to use it to
proceed with the ceremony. Display the same message to the user in the web interface regardless of the contents of the
sent e-mail and whether or not this e-mail address was already registered.</p>
         <p class="note" role="note"><span>Note:</span> This suggestion can be similarly adapted for other externally meaningful identifiers, for example, national ID
numbers or credit card numbers — if they provide similar out-of-band contact information, for example,
conventional postal address.</p>
       </ul>
     </ul>
    <li data-md>
     <p>For <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②④">authentication ceremonies</a>:</p>
     <ul>
      <li data-md>
       <p>If, when initiating an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②⑤">authentication ceremony</a>, there is no account matching the provided username, continue the
ceremony by invoking <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③④">navigator.credentials.get()</a></code> using a syntactically valid <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions⑧">PublicKeyCredentialRequestOptions</a></code> object that is populated with plausible imaginary values.</p>
       <p>This approach could also be used to mitigate information leakage via <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials②④">allowCredentials</a></code>;
see <a href="#sctn-unprotected-account-detection">§ 13.4.7 Unprotected account detection</a> and <a href="#sctn-credential-id-privacy-leak">§ 14.6.3 Privacy leak via credential IDs</a>.</p>
       <p class="note" role="note"><span>Note:</span> The username may be "provided" in various <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③①">Relying Party</a>-specific fashions: login form, session cookie, etc.</p>
        <p class="note" role="note"><span>Note:</span> If the returned imaginary values noticeably differ from actual ones, attackers may be able to distinguish them and
    thus test for the existence of actual accounts. Examples of noticeably different values include values that
    are always the same for all username inputs, or that differ between repeated attempts with the same username input. The <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials②⑤">allowCredentials</a></code> member could therefore be populated with pseudo-random values
    derived deterministically from the username, for example.</p>
      <li data-md>
       <p>When verifying an <code class="idl"><a data-link-type="idl" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse⑦">AuthenticatorAssertionResponse</a></code> response from the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥⑥">authenticator</a>, make it indistinguishable whether
  verification failed because the signature is invalid or because no such user or credential is registered.</p>
      <li data-md>
       <p>Perform a multi-step <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②⑥">authentication ceremony</a>, e.g., beginning with supplying username and password or a session cookie,
before initiating the WebAuthn <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①③">ceremony</a> as a subsequent step.
This moves the username enumeration problem from the WebAuthn step
to the preceding authentication step, where it may be easier to solve.</p>
     </ul>
   </ul>
   <h4 class="heading settled" data-level="14.6.3" id="sctn-credential-id-privacy-leak"><span class="secno">14.6.3. </span><span class="content">Privacy leak via credential IDs</span><a class="self-link" href="#sctn-credential-id-privacy-leak"></a></h4>
   <p><em>This section is not normative.</em></p>
   <p>This privacy consideration applies to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③②">Relying Parties</a> that support <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②⑦">authentication ceremonies</a> with a non-<a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-empty" id="ref-for-list-empty①">empty</a> <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials②⑥">allowCredentials</a></code> argument as the first authentication step.
This is the case, for example, when <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential①④">server-side credentials</a> are used for the first authentication step.</p>
   <p>In this case the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials②⑦">allowCredentials</a></code> argument risks leaking personally identifying information,
since it exposes the user’s <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③⑧">credential IDs</a> to an unauthenticated caller. <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③⑨">Credential IDs</a> are designed to not be correlatable between <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③③">Relying Parties</a>,
but the length of a <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id④⓪">credential ID</a> might be a hint as to what type of <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥⑦">authenticator</a> created it.
It is likely that a user will use the same username and set of <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥⑧">authenticators</a> for several <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③④">Relying Parties</a>,
so the number of <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id④①">credential IDs</a> in <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials②⑧">allowCredentials</a></code> and their lengths
might serve as a global correlation handle to de-anonymize the user.
Knowing a user’s <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id④②">credential IDs</a> also makes it possible to confirm guesses about the user’s identity
given only momentary physical access to one of the user’s <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥⑨">authenticators</a>.</p>
   <p>In order to prevent such information leakage, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⑤">Relying Party</a> could for example:</p>
   <ul>
    <li data-md>
     <p>Perform a separate authentication step,
such as username and password authentication or session cookie authentication,
before initiating the WebAuthn <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②⑧">authentication ceremony</a> and exposing the user’s <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id④③">credential IDs</a>.</p>
    <li data-md>
     <p>Use <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①⑧">client-side discoverable credentials</a>,
so the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials②⑨">allowCredentials</a></code> argument is not needed.</p>
   </ul>
   <p>If the above prevention measures are not available,
i.e., if <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials③⓪">allowCredentials</a></code> needs to be exposed given only a username,
the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⑥">Relying Party</a> could mitigate the privacy leak using the same approach of returning imaginary <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id④④">credential IDs</a> as discussed in <a href="#sctn-username-enumeration">§ 14.6.2 Username Enumeration</a>.</p>
   <h2 class="heading settled" data-level="15" id="sctn-accessiblility-considerations"><span class="secno">15. </span><span class="content">Accessibility Considerations</span><a class="self-link" href="#sctn-accessiblility-considerations"></a></h2>
   <p><a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑤①">User verification</a>-capable <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦⓪">authenticators</a>, whether <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators②③">roaming</a> or <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators③③">platform</a>, should offer users more than one user verification method, for example both fingerprint sensing and PIN entry. This allows fallback to another user verification means if the selected one is not working for some reason. Note that in the case of <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators②④">roaming authenticators</a>, the authenticator and platform might work together to provide a user verification method such as PIN entry <a data-link-type="biblio" href="#biblio-fido-ctap">[FIDO-CTAP]</a>.</p>
   <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⑦">Relying Parties</a>, at <a data-link-type="dfn" href="#registration" id="ref-for-registration①⑨">registration</a> time, SHOULD provide affordances for users to complete future <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture③⓪">authorization gestures</a> correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions (e.g., as a reminder-to-self).</p>
   <p><a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①④">Ceremonies</a> relying on timing, e.g., a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①⑥">registration ceremony</a> (see <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-timeout" id="ref-for-dom-publickeycredentialcreationoptions-timeout④">timeout</a></code>) or an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②⑨">authentication ceremony</a> (see <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-timeout" id="ref-for-dom-publickeycredentialrequestoptions-timeout④">timeout</a></code>), ought to follow <a data-link-type="biblio" href="#biblio-wcag21">[WCAG21]</a>'s <a href="https://www.w3.org/TR/WCAG21/#enough-time">Guideline 2.2 Enough Time</a>. If a <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④⑨">client platform</a> determines that a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⑧">Relying Party</a>-supplied timeout does not appropriately adhere to the latter <a data-link-type="biblio" href="#biblio-wcag21">[WCAG21]</a> guidelines, then the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤⓪">client platform</a> MAY adjust the timeout accordingly.</p>
   <h2 class="heading settled" data-level="16" id="sctn-acknowledgements"><span class="secno">16. </span><span class="content">Acknowledgements</span><a class="self-link" href="#sctn-acknowledgements"></a></h2>
    We thank the following people for their reviews of, and contributions to, this specification:
Yuriy Ackermann,
James Barclay,
Richard Barnes,
Dominic Battré,
Julien Cayzac,
Domenic Denicola,
Rahul Ghosh,
Brad Hill,
Jing Jin,
Wally Jones,
Ian Kilpatrick,
Axel Nennker,
Yoshikazu Nojima,
Kimberly Paulhamus,
Adam Powers,
Yaron Sheffer,
Ki-Eun Shin,
Anne van Kesteren,
Johan Verrept,
and
Boris Zbarsky. 
   <p>Thanks to Adam Powers for creating the overall <a data-link-type="dfn" href="#registration" id="ref-for-registration②⓪">registration</a> and <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①⑦">authentication</a> flow diagrams
(<a href="#fig-registration">Figure 1</a> and <a href="#fig-authentication">Figure 2</a>).</p>
   <p>We thank
Anthony Nadalin,
John Fontana,
and
Richard Barnes
for their contributions as co-chairs of the <a href="https://www.w3.org/Webauthn/">Web Authentication Working Group</a>.</p>
   <p>We also thank
Wendy Seltzer,
Samuel Weiler,
and
Harry Halpin
for their contributions as our W3C Team Contacts.</p>
</main>
<script src="https://www.w3.org/scripts/TR/2016/fixup.js"></script>
  <h2 class="no-num no-ref heading settled" id="index"><span class="content">Index</span><a class="self-link" href="#index"></a></h2>
  <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="content">Terms defined by this specification</span><a class="self-link" href="#index-defined-here"></a></h3>
  <ul class="index">
   <li><a href="#aaguid">aaguid</a><span>, in §6.5.1</span>
   <li><a href="#add-credential">Add Credential</a><span>, in §11.5</span>
   <li><a href="#add-virtual-authenticator">Add Virtual Authenticator</a><span>, in §11.3</span>
   <li><a href="#dom-publickeycredentialparameters-alg">alg</a><span>, in §5.3</span>
   <li><a href="#dom-publickeycredentialrequestoptions-allowcredentials">allowCredentials</a><span>, in §5.5</span>
   <li><a href="#android-key-attestation-certificate-extension-data">android key attestation certificate extension data</a><span>, in §8.4.1</span>
   <li><a href="#anonca">AnonCA</a><span>, in §6.5.3</span>
   <li><a href="#anonymization-ca">Anonymization CA</a><span>, in §6.5.3</span>
   <li><a href="#appid">AppID</a><span>, in §10.1</span>
   <li>
    appid
    <ul>
     <li><a href="#dom-authenticationextensionsclientinputs-appid">dict-member for AuthenticationExtensionsClientInputs</a><span>, in §10.1</span>
     <li><a href="#dom-authenticationextensionsclientoutputs-appid">dict-member for AuthenticationExtensionsClientOutputs</a><span>, in §10.1</span>
    </ul>
   <li>
    appidExclude
    <ul>
     <li><a href="#dom-authenticationextensionsclientinputs-appidexclude">dict-member for AuthenticationExtensionsClientInputs</a><span>, in §10.2</span>
     <li><a href="#dom-authenticationextensionsclientoutputs-appidexclude">dict-member for AuthenticationExtensionsClientOutputs</a><span>, in §10.2</span>
    </ul>
   <li><a href="#assertion">Assertion</a><span>, in §4</span>
   <li><a href="#assertion-signature">assertion signature</a><span>, in §6</span>
   <li><a href="#attca">AttCA</a><span>, in §6.5.3</span>
   <li><a href="#attestation">Attestation</a><span>, in §4</span>
   <li><a href="#dom-publickeycredentialcreationoptions-attestation">attestation</a><span>, in §5.4</span>
   <li><a href="#attestation-ca">Attestation CA</a><span>, in §6.5.3</span>
   <li><a href="#attestation-certificate">Attestation Certificate</a><span>, in §4</span>
   <li><a href="#attestation-conveyance">Attestation Conveyance</a><span>, in §5.4.7</span>
   <li><a href="#enumdef-attestationconveyancepreference">AttestationConveyancePreference</a><span>, in §5.4.7</span>
   <li><a href="#credentialcreationdata-attestationconveyancepreferenceoption">attestationConveyancePreferenceOption</a><span>, in §5.1.3</span>
   <li><a href="#attestation-key-pair">attestation key pair</a><span>, in §4</span>
   <li><a href="#attestation-object">attestation object</a><span>, in §6.5</span>
   <li><a href="#dom-authenticatorattestationresponse-attestationobject">attestationObject</a><span>, in §5.2.1</span>
   <li><a href="#credentialcreationdata-attestationobjectresult">attestationObjectResult</a><span>, in §5.1.3</span>
   <li><a href="#attestation-private-key">attestation private key</a><span>, in §4</span>
   <li><a href="#attestation-public-key">attestation public key</a><span>, in §4</span>
   <li><a href="#attestation-signature">attestation signature</a><span>, in §6</span>
   <li><a href="#attestation-statement">attestation statement</a><span>, in §6.5</span>
   <li><a href="#attestation-statement-format">attestation statement format</a><span>, in §6.5</span>
   <li><a href="#attestation-statement-format-identifier">attestation statement format identifier</a><span>, in §8.1</span>
   <li><a href="#attestation-trust-path">attestation trust path</a><span>, in §6.5.2</span>
   <li><a href="#attestation-type">attestation type</a><span>, in §6.5</span>
   <li><a href="#attested-credential-data">Attested credential data</a><span>, in §6.5.1</span>
   <li><a href="#attestedcredentialdata">attestedCredentialData</a><span>, in §6.1</span>
   <li><a href="#authdataextensions">authDataExtensions</a><span>, in §6.1</span>
   <li><a href="#authentication">Authentication</a><span>, in §4</span>
   <li><a href="#authentication-assertion">Authentication Assertion</a><span>, in §4</span>
   <li><a href="#authentication-ceremony">Authentication Ceremony</a><span>, in §4</span>
   <li><a href="#authentication-extension">authentication extension</a><span>, in §9</span>
   <li><a href="#dictdef-authenticationextensionsclientinputs">AuthenticationExtensionsClientInputs</a><span>, in §5.7.1</span>
   <li><a href="#dictdef-authenticationextensionsclientoutputs">AuthenticationExtensionsClientOutputs</a><span>, in §5.7.2</span>
   <li><a href="#dictdef-authenticationextensionslargeblobinputs">AuthenticationExtensionsLargeBlobInputs</a><span>, in §10.5</span>
   <li><a href="#dictdef-authenticationextensionslargebloboutputs">AuthenticationExtensionsLargeBlobOutputs</a><span>, in §10.5</span>
   <li><a href="#authentication-factor-capability">Authentication Factor Capability</a><span>, in §6.2.3</span>
   <li><a href="#authenticator">Authenticator</a><span>, in §4</span>
   <li><a href="#authenticatorassertionresponse">AuthenticatorAssertionResponse</a><span>, in §5.2.2</span>
   <li><a href="#enumdef-authenticatorattachment">AuthenticatorAttachment</a><span>, in §5.4.5</span>
   <li><a href="#dom-authenticatorselectioncriteria-authenticatorattachment">authenticatorAttachment</a><span>, in §5.4.4</span>
   <li><a href="#authenticator-attachment-modality">Authenticator Attachment Modality</a><span>, in §6.2.1</span>
   <li><a href="#authenticatorattestationresponse">AuthenticatorAttestationResponse</a><span>, in §5.2.1</span>
   <li><a href="#authenticatorcancel">authenticatorCancel</a><span>, in §6.3.4</span>
   <li><a href="#authenticator-configuration">Authenticator Configuration</a><span>, in §11.3</span>
   <li><a href="#authenticator-data">authenticator data</a><span>, in §6.1</span>
   <li><a href="#dom-authenticatorassertionresponse-authenticatordata">authenticatorData</a><span>, in §5.2.2</span>
   <li><a href="#authenticator-data-claimed-to-have-been-used-for-the-attestation">authenticator data claimed to have been used for the attestation</a><span>, in §6.5.2</span>
   <li><a href="#authenticator-data-for-the-attestation">authenticator data for the attestation</a><span>, in §6.5.2</span>
   <li><a href="#assertioncreationdata-authenticatordataresult">authenticatorDataResult</a><span>, in §5.1.4.1</span>
   <li><a href="#authenticator-extension">authenticator extension</a><span>, in §9</span>
   <li><a href="#authenticator-extension-capabilities">Authenticator Extension Capabilities</a><span>, in §11.1.1</span>
   <li><a href="#authenticator-extension-input">authenticator extension input</a><span>, in §9.3</span>
   <li><a href="#authenticator-extension-output">authenticator extension output</a><span>, in §9.5</span>
   <li><a href="#authenticator-extension-processing">Authenticator Extension Processing</a><span>, in §9.5</span>
   <li><a href="#authenticatorgetassertion">authenticatorGetAssertion</a><span>, in §6.3.3</span>
   <li><a href="#authenticatorid">authenticatorId</a><span>, in §11.2</span>
   <li><a href="#authenticatormakecredential">authenticatorMakeCredential</a><span>, in §6.3.2</span>
   <li><a href="#authenticator-model">Authenticator Model</a><span>, in §6</span>
   <li><a href="#authenticator-operations">Authenticator Operations</a><span>, in §6.3</span>
   <li><a href="#authenticatorresponse">AuthenticatorResponse</a><span>, in §5.2</span>
   <li><a href="#dom-publickeycredentialcreationoptions-authenticatorselection">authenticatorSelection</a><span>, in §5.4</span>
   <li><a href="#dictdef-authenticatorselectioncriteria">AuthenticatorSelectionCriteria</a><span>, in §5.4.4</span>
   <li><a href="#authenticator-session">authenticator session</a><span>, in §6.3</span>
   <li><a href="#enumdef-authenticatortransport">AuthenticatorTransport</a><span>, in §5.8.4</span>
   <li><a href="#authenticator-type">authenticator type</a><span>, in §6.2</span>
   <li><a href="#authorization-gesture">Authorization Gesture</a><span>, in §4</span>
   <li><a href="#base64url-encoding">Base64url Encoding</a><span>, in §3</span>
   <li><a href="#basic">Basic</a><span>, in §6.5.3</span>
   <li><a href="#basic-attestation">Basic Attestation</a><span>, in §6.5.3</span>
   <li><a href="#batch-attestation">batch attestation</a><span>, in §6.5.3</span>
   <li><a href="#biometric-authenticator">Biometric Authenticator</a><span>, in §4</span>
   <li><a href="#biometric-recognition">Biometric Recognition</a><span>, in §4</span>
   <li><a href="#dom-authenticatortransport-ble">"ble"</a><span>, in §5.8.4</span>
   <li><a href="#dom-authenticatortransport-ble">ble</a><span>, in §5.8.4</span>
   <li><a href="#dom-authenticationextensionslargebloboutputs-blob">blob</a><span>, in §10.5</span>
   <li><a href="#bound-credential">Bound credential</a><span>, in §4</span>
   <li><a href="#create-candidate-authenticator">candidate authenticator</a><span>, in §5.1.3</span>
   <li><a href="#cbor">CBOR</a><span>, in §3</span>
   <li><a href="#ccdtostring">CCDToString</a><span>, in §5.8.1.1</span>
   <li><a href="#cddl">CDDL</a><span>, in §3</span>
   <li><a href="#ceremony">Ceremony</a><span>, in §4</span>
   <li>
    challenge
    <ul>
     <li><a href="#dom-collectedclientdata-challenge">dict-member for CollectedClientData</a><span>, in §5.8.1</span>
     <li><a href="#dom-publickeycredentialcreationoptions-challenge">dict-member for PublicKeyCredentialCreationOptions</a><span>, in §5.4</span>
     <li><a href="#dom-publickeycredentialrequestoptions-challenge">dict-member for PublicKeyCredentialRequestOptions</a><span>, in §5.5</span>
    </ul>
   <li><a href="#client">Client</a><span>, in §4</span>
   <li><a href="#client-data">client data</a><span>, in §5.8.1</span>
   <li><a href="#dom-authenticatorresponse-clientdatajson">clientDataJSON</a><span>, in §5.2</span>
   <li>
    clientDataJSONResult
    <ul>
     <li><a href="#assertioncreationdata-clientdatajsonresult">dfn for assertionCreationData</a><span>, in §5.1.4.1</span>
     <li><a href="#credentialcreationdata-clientdatajsonresult">dfn for credentialCreationData</a><span>, in §5.1.3</span>
    </ul>
   <li><a href="#client-device">Client Device</a><span>, in §4</span>
   <li><a href="#client-extension">client extension</a><span>, in §9</span>
   <li><a href="#client-extension-input">client extension input</a><span>, in §9.3</span>
   <li><a href="#client-extension-output">client extension output</a><span>, in §9.4</span>
   <li><a href="#client-extension-processing">Client Extension Processing</a><span>, in §9.4</span>
   <li>
    clientExtensionResults
    <ul>
     <li><a href="#assertioncreationdata-clientextensionresults">dfn for assertionCreationData</a><span>, in §5.1.4.1</span>
     <li><a href="#credentialcreationdata-clientextensionresults">dfn for credentialCreationData</a><span>, in §5.1.3</span>
    </ul>
   <li><a href="#dom-publickeycredential-clientextensionsresults-slot">[[clientExtensionsResults]]</a><span>, in §5.1</span>
   <li><a href="#client-platform">Client Platform</a><span>, in §4</span>
   <li><a href="#client-side">Client-Side</a><span>, in §4</span>
   <li><a href="#client-side-credential-storage-modality">client-side credential storage modality</a><span>, in §6.2.2</span>
   <li><a href="#client-side-discoverable-credential">Client-side discoverable Credential</a><span>, in §4</span>
   <li><a href="#credentialpropertiesoutput-client-side-discoverable-credential-property">client-side discoverable credential property</a><span>, in §10.4</span>
   <li><a href="#client-side-discoverable-public-key-credential-source">Client-side discoverable Public Key Credential Source</a><span>, in §4</span>
   <li><a href="#dictdef-collectedclientdata">CollectedClientData</a><span>, in §5.8.1</span>
   <li><a href="#dom-publickeycredential-collectfromcredentialstore-slot">[[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors)</a><span>, in §5.1.4</span>
   <li><a href="#conforming-user-agent">Conforming User Agent</a><span>, in §4</span>
   <li><a href="#typedefdef-cosealgorithmidentifier">COSEAlgorithmIdentifier</a><span>, in §5.8.5</span>
   <li><a href="#dom-publickeycredential-create-slot">[[Create]](origin, options, sameOriginWithAncestors)</a><span>, in §5.1.3</span>
   <li><a href="#credential-id">Credential ID</a><span>, in §4</span>
   <li><a href="#credentialid">credentialId</a><span>, in §6.5.1</span>
   <li><a href="#credentialidlength">credentialIdLength</a><span>, in §6.5.1</span>
   <li><a href="#assertioncreationdata-credentialidresult">credentialIdResult</a><span>, in §5.1.4.1</span>
   <li><a href="#credential-key-pair">Credential Key Pair</a><span>, in §4</span>
   <li><a href="#credential-parameters">Credential Parameters</a><span>, in §11.5</span>
   <li><a href="#credential-private-key">Credential Private Key</a><span>, in §4</span>
   <li><a href="#credential-properties">Credential Properties</a><span>, in §4</span>
   <li><a href="#dictdef-credentialpropertiesoutput">CredentialPropertiesOutput</a><span>, in §10.4</span>
   <li><a href="#credential-public-key">Credential Public Key</a><span>, in §4</span>
   <li><a href="#credentialpublickey">credentialPublicKey</a><span>, in §6.5.1</span>
   <li><a href="#authenticator-credentials-map">credentials map</a><span>, in §6</span>
   <li><a href="#credential-storage-modality">credential storage modality</a><span>, in §6.2.2</span>
   <li>
    credProps
    <ul>
     <li><a href="#credprops">definition of</a><span>, in §10.4</span>
     <li><a href="#dom-authenticationextensionsclientinputs-credprops">dict-member for AuthenticationExtensionsClientInputs</a><span>, in §10.4</span>
     <li><a href="#dom-authenticationextensionsclientoutputs-credprops">dict-member for AuthenticationExtensionsClientOutputs</a><span>, in §10.4</span>
    </ul>
   <li><a href="#dom-collectedclientdata-crossorigin">crossOrigin</a><span>, in §5.8.1</span>
   <li><a href="#dom-authenticatorattachment-cross-platform">"cross-platform"</a><span>, in §5.4.5</span>
   <li><a href="#dom-authenticatorattachment-cross-platform">cross-platform</a><span>, in §5.4.5</span>
   <li><a href="#cross-platform-attachment">cross-platform attachment</a><span>, in §6.2.1</span>
   <li><a href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised">determines the set of origins on which the public key credential may be exercised</a><span>, in §4</span>
   <li><a href="#dom-attestationconveyancepreference-direct">"direct"</a><span>, in §5.4.7</span>
   <li><a href="#dom-attestationconveyancepreference-direct">direct</a><span>, in §5.4.7</span>
   <li>
    "discouraged"
    <ul>
     <li><a href="#dom-residentkeyrequirement-discouraged">enum-value for ResidentKeyRequirement</a><span>, in §5.4.6</span>
     <li><a href="#dom-userverificationrequirement-discouraged">enum-value for UserVerificationRequirement</a><span>, in §5.8.6</span>
    </ul>
   <li>
    discouraged
    <ul>
     <li><a href="#dom-residentkeyrequirement-discouraged">enum-value for ResidentKeyRequirement</a><span>, in §5.4.6</span>
     <li><a href="#dom-userverificationrequirement-discouraged">enum-value for UserVerificationRequirement</a><span>, in §5.8.6</span>
    </ul>
   <li><a href="#discoverable-credential">Discoverable Credential</a><span>, in §4</span>
   <li><a href="#discoverable-credential-capable">discoverable credential capable</a><span>, in §6.2.2</span>
   <li><a href="#dom-publickeycredential-discoverfromexternalsource-slot">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a><span>, in §5.1.4.1</span>
   <li><a href="#dom-publickeycredential-discovery-slot">[[discovery]]</a><span>, in §5.1</span>
   <li><a href="#dom-publickeycredentialuserentity-displayname">displayName</a><span>, in §5.4.3</span>
   <li><a href="#effective-resident-key-requirement-for-credential-creation">effective resident key requirement for credential creation</a><span>, in §5.1.3</span>
   <li><a href="#effective-user-verification-requirement-for-assertion">effective user verification requirement for assertion</a><span>, in §5.1.4.1</span>
   <li><a href="#effective-user-verification-requirement-for-credential-creation">effective user verification requirement for credential creation</a><span>, in §5.1.3</span>
   <li><a href="#dom-attestationconveyancepreference-enterprise">"enterprise"</a><span>, in §5.4.7</span>
   <li><a href="#dom-attestationconveyancepreference-enterprise">enterprise</a><span>, in §5.4.7</span>
   <li><a href="#dom-publickeycredentialcreationoptions-excludecredentials">excludeCredentials</a><span>, in §5.4</span>
   <li><a href="#extension-identifier">extension identifier</a><span>, in §9.1</span>
   <li>
    extensions
    <ul>
     <li><a href="#dom-publickeycredentialcreationoptions-extensions">dict-member for PublicKeyCredentialCreationOptions</a><span>, in §5.4</span>
     <li><a href="#dom-publickeycredentialrequestoptions-extensions">dict-member for PublicKeyCredentialRequestOptions</a><span>, in §5.5</span>
    </ul>
   <li><a href="#first-factor-roaming-authenticator">First-factor roaming authenticator</a><span>, in §6.2</span>
   <li><a href="#flags">flags</a><span>, in §6.1</span>
   <li><a href="#dom-authenticatorattestationresponse-getauthenticatordata">getAuthenticatorData()</a><span>, in §5.2.1</span>
   <li><a href="#dom-publickeycredential-getclientextensionresults">getClientExtensionResults()</a><span>, in §5.1</span>
   <li><a href="#get-credentials">Get Credentials</a><span>, in §11.6</span>
   <li><a href="#dom-authenticatorattestationresponse-getpublickey">getPublicKey()</a><span>, in §5.2.1</span>
   <li><a href="#dom-authenticatorattestationresponse-getpublickeyalgorithm">getPublicKeyAlgorithm()</a><span>, in §5.2.1</span>
   <li><a href="#dom-authenticatorattestationresponse-gettransports">getTransports()</a><span>, in §5.2.1</span>
   <li><a href="#collectedclientdata-hash-of-the-serialized-client-data">Hash of the serialized client data</a><span>, in §5.8.1</span>
   <li><a href="#human-palatability">Human Palatability</a><span>, in §4</span>
   <li>
    id
    <ul>
     <li><a href="#public-key-credential-source-id">dfn for public key credential source</a><span>, in §4</span>
     <li><a href="#dom-publickeycredentialdescriptor-id">dict-member for PublicKeyCredentialDescriptor</a><span>, in §5.8.3</span>
     <li><a href="#dom-publickeycredentialrpentity-id">dict-member for PublicKeyCredentialRpEntity</a><span>, in §5.4.2</span>
     <li><a href="#dom-publickeycredentialuserentity-id">dict-member for PublicKeyCredentialUserEntity</a><span>, in §5.4.3</span>
     <li><a href="#dom-tokenbinding-id">dict-member for TokenBinding</a><span>, in §5.8.1</span>
    </ul>
   <li><a href="#dom-publickeycredential-identifier-slot">[[identifier]]</a><span>, in §5.1</span>
   <li><a href="#dom-attestationconveyancepreference-indirect">"indirect"</a><span>, in §5.4.7</span>
   <li><a href="#dom-attestationconveyancepreference-indirect">indirect</a><span>, in §5.4.7</span>
   <li><a href="#dom-authenticatortransport-internal">"internal"</a><span>, in §5.8.4</span>
   <li><a href="#dom-authenticatortransport-internal">internal</a><span>, in §5.8.4</span>
   <li><a href="#dom-publickeycredential-isuserverifyingplatformauthenticatoravailable">isUserVerifyingPlatformAuthenticatorAvailable()</a><span>, in §5.1.7</span>
   <li><a href="#collectedclientdata-json-compatible-serialization-of-client-data">JSON-compatible serialization of client data</a><span>, in §5.8.1</span>
   <li>
    largeBlob
    <ul>
     <li><a href="#largeblob">definition of</a><span>, in §10.5</span>
     <li><a href="#dom-authenticationextensionsclientinputs-largeblob">dict-member for AuthenticationExtensionsClientInputs</a><span>, in §10.5</span>
     <li><a href="#dom-authenticationextensionsclientoutputs-largeblob">dict-member for AuthenticationExtensionsClientOutputs</a><span>, in §10.5</span>
    </ul>
   <li><a href="#enumdef-largeblobsupport">LargeBlobSupport</a><span>, in §10.5</span>
   <li><a href="#credential-id-looking-up">looking up</a><span>, in §6.3.1</span>
   <li><a href="#public-key-credential-source-managing-authenticator">managing authenticator</a><span>, in §4</span>
   <li><a href="#multi-factor-capable">multi-factor capable</a><span>, in §6.2.3</span>
   <li><a href="#public-key-credential-source-mutable-item">mutable item</a><span>, in §4</span>
   <li><a href="#dom-publickeycredentialentity-name">name</a><span>, in §5.4.1</span>
   <li><a href="#dom-authenticatortransport-nfc">"nfc"</a><span>, in §5.8.4</span>
   <li><a href="#dom-authenticatortransport-nfc">nfc</a><span>, in §5.8.4</span>
   <li><a href="#non-discoverable-credential">Non-Discoverable Credential</a><span>, in §4</span>
   <li><a href="#dom-attestationconveyancepreference-none">"none"</a><span>, in §5.4.7</span>
   <li><a href="#none">None</a><span>, in §6.5.3</span>
   <li><a href="#dom-attestationconveyancepreference-none">none</a><span>, in §5.4.7</span>
   <li><a href="#non-resident-credential">Non-Resident Credential</a><span>, in §4</span>
   <li><a href="#dom-collectedclientdata-origin">origin</a><span>, in §5.8.1</span>
   <li><a href="#public-key-credential-source-otherui">otherUI</a><span>, in §4</span>
   <li><a href="#authenticator-data-perform-the-following-steps-to-generate-an-authenticator-data-structure">perform the following steps to generate an authenticator data structure</a><span>, in §6.1</span>
   <li><a href="#dom-authenticatorattachment-platform">"platform"</a><span>, in §5.4.5</span>
   <li><a href="#dom-authenticatorattachment-platform">platform</a><span>, in §5.4.5</span>
   <li><a href="#platform-attachment">platform attachment</a><span>, in §6.2.1</span>
   <li><a href="#platform-authenticators">platform authenticators</a><span>, in §6.2.1</span>
   <li><a href="#platform-credential">platform credential</a><span>, in §6.2.1</span>
   <li>
    "preferred"
    <ul>
     <li><a href="#dom-largeblobsupport-preferred">enum-value for LargeBlobSupport</a><span>, in §10.5</span>
     <li><a href="#dom-residentkeyrequirement-preferred">enum-value for ResidentKeyRequirement</a><span>, in §5.4.6</span>
     <li><a href="#dom-userverificationrequirement-preferred">enum-value for UserVerificationRequirement</a><span>, in §5.8.6</span>
    </ul>
   <li>
    preferred
    <ul>
     <li><a href="#dom-residentkeyrequirement-preferred">enum-value for ResidentKeyRequirement</a><span>, in §5.4.6</span>
     <li><a href="#dom-userverificationrequirement-preferred">enum-value for UserVerificationRequirement</a><span>, in §5.8.6</span>
    </ul>
   <li><a href="#dom-tokenbindingstatus-present">"present"</a><span>, in §5.8.1</span>
   <li><a href="#dom-tokenbindingstatus-present">present</a><span>, in §5.8.1</span>
   <li><a href="#dom-publickeycredential-preventsilentaccess-slot">[[preventSilentAccess]](credential, sameOriginWithAncestors)</a><span>, in §5.1.6</span>
   <li><a href="#public-key-credential-source-privatekey">privateKey</a><span>, in §4</span>
   <li><a href="#dom-publickeycredentialcreationoptions-pubkeycredparams">pubKeyCredParams</a><span>, in §5.4</span>
   <li><a href="#dom-publickeycredentialtype-public-key">"public-key"</a><span>, in §5.8.2</span>
   <li><a href="#dom-publickeycredentialtype-public-key">public-key</a><span>, in §5.8.2</span>
   <li>
    publicKey
    <ul>
     <li><a href="#dom-credentialcreationoptions-publickey">dict-member for CredentialCreationOptions</a><span>, in §5.1.1</span>
     <li><a href="#dom-credentialrequestoptions-publickey">dict-member for CredentialRequestOptions</a><span>, in §5.1.2</span>
    </ul>
   <li><a href="#public-key-credential">Public Key Credential</a><span>, in §4</span>
   <li><a href="#publickeycredential">PublicKeyCredential</a><span>, in §5.1</span>
   <li><a href="#dictdef-publickeycredentialcreationoptions">PublicKeyCredentialCreationOptions</a><span>, in §5.4</span>
   <li><a href="#dictdef-publickeycredentialdescriptor">PublicKeyCredentialDescriptor</a><span>, in §5.8.3</span>
   <li><a href="#dictdef-publickeycredentialentity">PublicKeyCredentialEntity</a><span>, in §5.4.1</span>
   <li><a href="#dictdef-publickeycredentialparameters">PublicKeyCredentialParameters</a><span>, in §5.3</span>
   <li><a href="#dictdef-publickeycredentialrequestoptions">PublicKeyCredentialRequestOptions</a><span>, in §5.5</span>
   <li><a href="#dictdef-publickeycredentialrpentity">PublicKeyCredentialRpEntity</a><span>, in §5.4.2</span>
   <li><a href="#publickey-credentials-get-feature">publickey-credentials-get-feature</a><span>, in §5.9</span>
   <li><a href="#public-key-credential-source">Public Key Credential Source</a><span>, in §4</span>
   <li><a href="#enumdef-publickeycredentialtype">PublicKeyCredentialType</a><span>, in §5.8.2</span>
   <li><a href="#dictdef-publickeycredentialuserentity">PublicKeyCredentialUserEntity</a><span>, in §5.4.3</span>
   <li><a href="#rate-limiting">Rate Limiting</a><span>, in §4</span>
   <li><a href="#dom-publickeycredential-rawid">rawId</a><span>, in §5.1</span>
   <li><a href="#dom-authenticationextensionslargeblobinputs-read">read</a><span>, in §10.5</span>
   <li><a href="#registration">Registration</a><span>, in §4</span>
   <li><a href="#registration-ceremony">Registration Ceremony</a><span>, in §4</span>
   <li><a href="#registration-extension">registration extension</a><span>, in §9</span>
   <li><a href="#relying-party">Relying Party</a><span>, in §4</span>
   <li><a href="#relying-party-identifier">Relying Party Identifier</a><span>, in §4</span>
   <li><a href="#remove-all-credentials">Remove All Credentials</a><span>, in §11.8</span>
   <li><a href="#remove-credential">Remove Credential</a><span>, in §11.7</span>
   <li><a href="#remove-virtual-authenticator">Remove Virtual Authenticator</a><span>, in §11.4</span>
   <li>
    "required"
    <ul>
     <li><a href="#dom-largeblobsupport-required">enum-value for LargeBlobSupport</a><span>, in §10.5</span>
     <li><a href="#dom-residentkeyrequirement-required">enum-value for ResidentKeyRequirement</a><span>, in §5.4.6</span>
     <li><a href="#dom-userverificationrequirement-required">enum-value for UserVerificationRequirement</a><span>, in §5.8.6</span>
    </ul>
   <li>
    required
    <ul>
     <li><a href="#dom-residentkeyrequirement-required">enum-value for ResidentKeyRequirement</a><span>, in §5.4.6</span>
     <li><a href="#dom-userverificationrequirement-required">enum-value for UserVerificationRequirement</a><span>, in §5.8.6</span>
    </ul>
   <li><a href="#dom-authenticatorselectioncriteria-requireresidentkey">requireResidentKey</a><span>, in §5.4.4</span>
   <li><a href="#resident-credential">Resident Credential</a><span>, in §4</span>
   <li><a href="#resident-key">Resident Key</a><span>, in §4</span>
   <li><a href="#dom-authenticatorselectioncriteria-residentkey">residentKey</a><span>, in §5.4.4</span>
   <li><a href="#credentialpropertiesoutput-resident-key-credential-property">resident key credential property</a><span>, in §10.4</span>
   <li><a href="#enumdef-residentkeyrequirement">ResidentKeyRequirement</a><span>, in §5.4.6</span>
   <li><a href="#dom-publickeycredential-response">response</a><span>, in §5.1</span>
   <li><a href="#dom-credentialpropertiesoutput-rk">rk</a><span>, in §10.4</span>
   <li><a href="#roaming-authenticators">roaming authenticators</a><span>, in §6.2.1</span>
   <li><a href="#roaming-credential">roaming credential</a><span>, in §6.2.1</span>
   <li><a href="#dom-publickeycredentialcreationoptions-rp">rp</a><span>, in §5.4</span>
   <li><a href="#rp-id">RP ID</a><span>, in §4</span>
   <li>
    rpId
    <ul>
     <li><a href="#public-key-credential-source-rpid">dfn for public key credential source</a><span>, in §4</span>
     <li><a href="#dom-publickeycredentialrequestoptions-rpid">dict-member for PublicKeyCredentialRequestOptions</a><span>, in §5.5</span>
    </ul>
   <li><a href="#rpidhash">rpIdHash</a><span>, in §6.1</span>
   <li><a href="#scope">scope</a><span>, in §4</span>
   <li><a href="#second-factor-platform-authenticator">Second-factor platform authenticator</a><span>, in §6.2</span>
   <li><a href="#second-factor-roaming-authenticator">Second-factor roaming authenticator</a><span>, in §6.2</span>
   <li><a href="#create-selected-authenticator">selected authenticator</a><span>, in §5.1.3</span>
   <li><a href="#self">Self</a><span>, in §6.5.3</span>
   <li><a href="#self-attestation">Self Attestation</a><span>, in §6.5.3</span>
   <li><a href="#server-side-credential">Server-side Credential</a><span>, in §4</span>
   <li><a href="#server-side-credential-storage-modality">server-side credential storage modality</a><span>, in §6.2.2</span>
   <li><a href="#server-side-public-key-credential-source">Server-side Public Key Credential Source</a><span>, in §4</span>
   <li><a href="#set-user-verified">Set User Verified</a><span>, in §11.9</span>
   <li><a href="#dom-authenticatorassertionresponse-signature">signature</a><span>, in §5.2.2</span>
   <li><a href="#signature-counter">Signature Counter</a><span>, in §6.1.1</span>
   <li><a href="#assertioncreationdata-signatureresult">signatureResult</a><span>, in §5.1.4.1</span>
   <li><a href="#signcount">signCount</a><span>, in §6.1</span>
   <li><a href="#signing-procedure">Signing procedure</a><span>, in §6.5.2</span>
   <li><a href="#single-factor-capable">single-factor capable</a><span>, in §6.2.3</span>
   <li><a href="#dom-tokenbinding-status">status</a><span>, in §5.8.1</span>
   <li><a href="#dom-publickeycredential-store-slot">[[Store]](credential, sameOriginWithAncestors)</a><span>, in §5.1.5</span>
   <li><a href="#dom-authenticationextensionslargeblobinputs-support">support</a><span>, in §10.5</span>
   <li><a href="#dom-tokenbindingstatus-supported">"supported"</a><span>, in §5.8.1</span>
   <li>
    supported
    <ul>
     <li><a href="#dom-authenticationextensionslargebloboutputs-supported">dict-member for AuthenticationExtensionsLargeBlobOutputs</a><span>, in §10.5</span>
     <li><a href="#dom-tokenbindingstatus-supported">enum-value for TokenBindingStatus</a><span>, in §5.8.1</span>
    </ul>
   <li><a href="#test-of-user-presence">Test of User Presence</a><span>, in §4</span>
   <li>
    timeout
    <ul>
     <li><a href="#dom-publickeycredentialcreationoptions-timeout">dict-member for PublicKeyCredentialCreationOptions</a><span>, in §5.4</span>
     <li><a href="#dom-publickeycredentialrequestoptions-timeout">dict-member for PublicKeyCredentialRequestOptions</a><span>, in §5.5</span>
    </ul>
   <li><a href="#dictdef-tokenbinding">TokenBinding</a><span>, in §5.8.1</span>
   <li><a href="#dom-collectedclientdata-tokenbinding">tokenBinding</a><span>, in §5.8.1</span>
   <li><a href="#enumdef-tokenbindingstatus">TokenBindingStatus</a><span>, in §5.8.1</span>
   <li><a href="#dom-authenticatorattestationresponse-transports-slot">[[transports]]</a><span>, in §5.2.1</span>
   <li><a href="#dom-publickeycredentialdescriptor-transports">transports</a><span>, in §5.8.3</span>
   <li><a href="#dom-publickeycredential-type-slot">[[type]]</a><span>, in §5.1</span>
   <li>
    type
    <ul>
     <li><a href="#public-key-credential-source-type">dfn for public key credential source</a><span>, in §4</span>
     <li><a href="#dom-collectedclientdata-type">dict-member for CollectedClientData</a><span>, in §5.8.1</span>
     <li><a href="#dom-publickeycredentialdescriptor-type">dict-member for PublicKeyCredentialDescriptor</a><span>, in §5.8.3</span>
     <li><a href="#dom-publickeycredentialparameters-type">dict-member for PublicKeyCredentialParameters</a><span>, in §5.3</span>
    </ul>
   <li><a href="#ui-redressing">UI Redressing</a><span>, in §13.4.2</span>
   <li><a href="#up">UP</a><span>, in §4</span>
   <li><a href="#dom-authenticatortransport-usb">"usb"</a><span>, in §5.8.4</span>
   <li><a href="#dom-authenticatortransport-usb">usb</a><span>, in §5.8.4</span>
   <li><a href="#dom-publickeycredentialcreationoptions-user">user</a><span>, in §5.4</span>
   <li><a href="#user-consent">User Consent</a><span>, in §4</span>
   <li><a href="#user-handle">User Handle</a><span>, in §4</span>
   <li>
    userHandle
    <ul>
     <li><a href="#dom-authenticatorassertionresponse-userhandle">attribute for AuthenticatorAssertionResponse</a><span>, in §5.2.2</span>
     <li><a href="#public-key-credential-source-userhandle">dfn for public key credential source</a><span>, in §4</span>
    </ul>
   <li><a href="#assertioncreationdata-userhandleresult">userHandleResult</a><span>, in §5.1.4.1</span>
   <li><a href="#concept-user-present">User Present</a><span>, in §4</span>
   <li><a href="#user-public-key">User Public Key</a><span>, in §4</span>
   <li><a href="#user-verification">User Verification</a><span>, in §4</span>
   <li>
    userVerification
    <ul>
     <li><a href="#dom-authenticatorselectioncriteria-userverification">dict-member for AuthenticatorSelectionCriteria</a><span>, in §5.4.4</span>
     <li><a href="#dom-publickeycredentialrequestoptions-userverification">dict-member for PublicKeyCredentialRequestOptions</a><span>, in §5.5</span>
    </ul>
   <li><a href="#user-verification-method">User Verification Method</a><span>, in §10.3</span>
   <li><a href="#enumdef-userverificationrequirement">UserVerificationRequirement</a><span>, in §5.8.6</span>
   <li><a href="#concept-user-verified">User Verified</a><span>, in §4</span>
   <li><a href="#user-verifying-platform-authenticator">User-verifying platform authenticator</a><span>, in §6.2</span>
   <li><a href="#uv">UV</a><span>, in §4</span>
   <li>
    uvm
    <ul>
     <li><a href="#dom-authenticationextensionsclientinputs-uvm">dict-member for AuthenticationExtensionsClientInputs</a><span>, in §10.3</span>
     <li><a href="#dom-authenticationextensionsclientoutputs-uvm">dict-member for AuthenticationExtensionsClientOutputs</a><span>, in §10.3</span>
    </ul>
   <li><a href="#typedefdef-uvmentries">UvmEntries</a><span>, in §10.3</span>
   <li><a href="#typedefdef-uvmentry">UvmEntry</a><span>, in §10.3</span>
   <li><a href="#verification-procedure">Verification procedure</a><span>, in §6.5.2</span>
   <li><a href="#verification-procedure-inputs">verification procedure inputs</a><span>, in §6.5.2</span>
   <li><a href="#virtual-authenticator-database">Virtual Authenticator Database</a><span>, in §11.2</span>
   <li><a href="#virtual-authenticators">Virtual Authenticators</a><span>, in §11.2</span>
   <li><a href="#web-application">web application</a><span>, in §4</span>
   <li><a href="#web-authentication-api">Web Authentication API</a><span>, in §5</span>
   <li><a href="#webauthn-authenticator">WebAuthn Authenticator</a><span>, in §4</span>
   <li><a href="#webauthn-client">WebAuthn Client</a><span>, in §4</span>
   <li><a href="#webauthn-client-device">WebAuthn Client Device</a><span>, in §4</span>
   <li><a href="#webauthn-extensions">WebAuthn Extensions</a><span>, in §9</span>
   <li><a href="#webauthn-fido2-protocol">WebAuthn/FIDO2 protocol</a><span>, in §1.1</span>
   <li><a href="#webauthn-relying-party">WebAuthn Relying Party</a><span>, in §4</span>
   <li><a href="#webauthn-signature">WebAuthn signature</a><span>, in §6</span>
   <li><a href="#dom-authenticationextensionslargeblobinputs-write">write</a><span>, in §10.5</span>
   <li><a href="#dom-authenticationextensionslargebloboutputs-written">written</a><span>, in §10.5</span>
  </ul>
  <aside class="dfn-panel" data-for="term-for-section-2.1">
   <a href="https://tools.ietf.org/html/bcp47#section-2.1">https://tools.ietf.org/html/bcp47#section-2.1</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-section-2.1">6.4.2. Language and Direction Encoding</a> <a href="#ref-for-section-2.1①">(2)</a> <a href="#ref-for-section-2.1②">(3)</a> <a href="#ref-for-section-2.1③">(4)</a> <a href="#ref-for-section-2.1④">(5)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-credential">
   <a href="https://w3c.github.io/webappsec-credential-management/#credential">https://w3c.github.io/webappsec-credential-management/#credential</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-credential">3. Dependencies</a>
    <li><a href="#ref-for-credential①">5.1. PublicKeyCredential Interface</a> <a href="#ref-for-credential②">(2)</a> <a href="#ref-for-credential③">(3)</a> <a href="#ref-for-credential④">(4)</a> <a href="#ref-for-credential⑤">(5)</a> <a href="#ref-for-credential⑥">(6)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dictdef-credentialcreationoptions">
   <a href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialcreationoptions">https://w3c.github.io/webappsec-credential-management/#dictdef-credentialcreationoptions</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-credentialcreationoptions">5.1.1. CredentialCreationOptions Dictionary Extension</a> <a href="#ref-for-dictdef-credentialcreationoptions①">(2)</a>
    <li><a href="#ref-for-dictdef-credentialcreationoptions②">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dictdef-credentialrequestoptions">
   <a href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialrequestoptions">https://w3c.github.io/webappsec-credential-management/#dictdef-credentialrequestoptions</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-credentialrequestoptions">5.1.2. CredentialRequestOptions Dictionary Extension</a> <a href="#ref-for-dictdef-credentialrequestoptions①">(2)</a>
    <li><a href="#ref-for-dictdef-credentialrequestoptions②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-credentialscontainer">
   <a href="https://w3c.github.io/webappsec-credential-management/#credentialscontainer">https://w3c.github.io/webappsec-credential-management/#credentialscontainer</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-credentialscontainer">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-credentialscontainer①">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-credentialscontainer②">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-abstract-opdef-request-a-credential">
   <a href="https://w3c.github.io/webappsec-credential-management/#abstract-opdef-request-a-credential">https://w3c.github.io/webappsec-credential-management/#abstract-opdef-request-a-credential</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-abstract-opdef-request-a-credential">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-collectfromcredentialstore-origin-options-sameoriginwithancestors">
   <a href="https://w3c.github.io/webappsec-credential-management/#collectfromcredentialstore-origin-options-sameoriginwithancestors">https://w3c.github.io/webappsec-credential-management/#collectfromcredentialstore-origin-options-sameoriginwithancestors</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-collectfromcredentialstore-origin-options-sameoriginwithancestors">5.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-collectfromcredentialstore-origin-options-sameoriginwithancestors①">5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-create-origin-options-sameoriginwithancestors">
   <a href="https://w3c.github.io/webappsec-credential-management/#create-origin-options-sameoriginwithancestors">https://w3c.github.io/webappsec-credential-management/#create-origin-options-sameoriginwithancestors</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-create-origin-options-sameoriginwithancestors">5.6. Abort Operations with AbortSignal</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-store-credential-sameoriginwithancestors">
   <a href="https://w3c.github.io/webappsec-credential-management/#store-credential-sameoriginwithancestors">https://w3c.github.io/webappsec-credential-management/#store-credential-sameoriginwithancestors</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-store-credential-sameoriginwithancestors">5.1. PublicKeyCredential Interface</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-credential-discovery-slot">
   <a href="https://w3c.github.io/webappsec-credential-management/#dom-credential-discovery-slot">https://w3c.github.io/webappsec-credential-management/#dom-credential-discovery-slot</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credential-discovery-slot">5.1. PublicKeyCredential Interface</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-credential-type-slot">
   <a href="https://w3c.github.io/webappsec-credential-management/#dom-credential-type-slot">https://w3c.github.io/webappsec-credential-management/#dom-credential-type-slot</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credential-type-slot">5.1. PublicKeyCredential Interface</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-credentialscontainer-create">
   <a href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credentialscontainer-create">1. Introduction</a>
    <li><a href="#ref-for-dom-credentialscontainer-create①">4. Terminology</a>
    <li><a href="#ref-for-dom-credentialscontainer-create②">5.1. PublicKeyCredential Interface</a> <a href="#ref-for-dom-credentialscontainer-create③">(2)</a>
    <li><a href="#ref-for-dom-credentialscontainer-create④">5.1.1. CredentialCreationOptions Dictionary Extension</a>
    <li><a href="#ref-for-dom-credentialscontainer-create⑤">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-credentialscontainer-create⑥">(2)</a> <a href="#ref-for-dom-credentialscontainer-create⑦">(3)</a> <a href="#ref-for-dom-credentialscontainer-create⑧">(4)</a> <a href="#ref-for-dom-credentialscontainer-create⑨">(5)</a>
    <li><a href="#ref-for-dom-credentialscontainer-create①⓪">5.2. Authenticator Responses (interface AuthenticatorResponse)</a>
    <li><a href="#ref-for-dom-credentialscontainer-create①①">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-dom-credentialscontainer-create①②">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a>
    <li><a href="#ref-for-dom-credentialscontainer-create①③">5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)</a>
    <li><a href="#ref-for-dom-credentialscontainer-create①④">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
    <li><a href="#ref-for-dom-credentialscontainer-create①⑤">6.2.2. Credential Storage Modality</a>
    <li><a href="#ref-for-dom-credentialscontainer-create①⑥">6.5.3. Attestation Types</a>
    <li><a href="#ref-for-dom-credentialscontainer-create①⑦">7. WebAuthn Relying Party Operations</a>
    <li><a href="#ref-for-dom-credentialscontainer-create①⑧">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-dom-credentialscontainer-create①⑨">9. WebAuthn Extensions</a> <a href="#ref-for-dom-credentialscontainer-create②⓪">(2)</a> <a href="#ref-for-dom-credentialscontainer-create②①">(3)</a>
    <li><a href="#ref-for-dom-credentialscontainer-create②②">9.2. Defining Extensions</a>
    <li><a href="#ref-for-dom-credentialscontainer-create②③">9.3. Extending Request Parameters</a> <a href="#ref-for-dom-credentialscontainer-create②④">(2)</a>
    <li><a href="#ref-for-dom-credentialscontainer-create②⑤">11.6. Get Credentials</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-credential">
   <a href="https://w3c.github.io/webappsec-credential-management/#concept-credential">https://w3c.github.io/webappsec-credential-management/#concept-credential</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-credential">4. Terminology</a> <a href="#ref-for-concept-credential①">(2)</a> <a href="#ref-for-concept-credential②">(3)</a> <a href="#ref-for-concept-credential③">(4)</a>
    <li><a href="#ref-for-concept-credential④">5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method</a> <a href="#ref-for-concept-credential⑤">(2)</a> <a href="#ref-for-concept-credential⑥">(3)</a>
    <li><a href="#ref-for-concept-credential⑦">6.2.2. Credential Storage Modality</a>
    <li><a href="#ref-for-concept-credential⑧">6.5.3. Attestation Types</a>
    <li><a href="#ref-for-concept-credential⑨">12.4. WebAuthn Extension Identifier Registrations</a>
    <li><a href="#ref-for-concept-credential①⓪">13.2. Physical Proximity between Client and Authenticator</a>
    <li><a href="#ref-for-concept-credential①①">14.4.1. Attestation Privacy</a> <a href="#ref-for-concept-credential①②">(2)</a>
    <li><a href="#ref-for-concept-credential①③">14.4.2. Privacy of personally identifying information Stored in Authenticators</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-credential-source">
   <a href="https://w3c.github.io/webappsec-credential-management/#credential-source">https://w3c.github.io/webappsec-credential-management/#credential-source</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-credential-source">4. Terminology</a>
    <li><a href="#ref-for-credential-source①">5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method</a> <a href="#ref-for-credential-source②">(2)</a> <a href="#ref-for-credential-source③">(3)</a> <a href="#ref-for-credential-source④">(4)</a> <a href="#ref-for-credential-source⑤">(5)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-credentialscontainer-get">
   <a href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credentialscontainer-get">1. Introduction</a>
    <li><a href="#ref-for-dom-credentialscontainer-get①">4. Terminology</a> <a href="#ref-for-dom-credentialscontainer-get②">(2)</a> <a href="#ref-for-dom-credentialscontainer-get③">(3)</a> <a href="#ref-for-dom-credentialscontainer-get④">(4)</a> <a href="#ref-for-dom-credentialscontainer-get⑤">(5)</a> <a href="#ref-for-dom-credentialscontainer-get⑥">(6)</a> <a href="#ref-for-dom-credentialscontainer-get⑦">(7)</a> <a href="#ref-for-dom-credentialscontainer-get⑧">(8)</a>
    <li><a href="#ref-for-dom-credentialscontainer-get⑨">5.1. PublicKeyCredential Interface</a> <a href="#ref-for-dom-credentialscontainer-get①⓪">(2)</a>
    <li><a href="#ref-for-dom-credentialscontainer-get①①">5.1.2. CredentialRequestOptions Dictionary Extension</a>
    <li><a href="#ref-for-dom-credentialscontainer-get①②">5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method</a> <a href="#ref-for-dom-credentialscontainer-get①③">(2)</a> <a href="#ref-for-dom-credentialscontainer-get①④">(3)</a>
    <li><a href="#ref-for-dom-credentialscontainer-get①⑤">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-credentialscontainer-get①⑥">(2)</a> <a href="#ref-for-dom-credentialscontainer-get①⑦">(3)</a>
    <li><a href="#ref-for-dom-credentialscontainer-get①⑧">5.2. Authenticator Responses (interface AuthenticatorResponse)</a>
    <li><a href="#ref-for-dom-credentialscontainer-get①⑨">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a> <a href="#ref-for-dom-credentialscontainer-get②⓪">(2)</a>
    <li><a href="#ref-for-dom-credentialscontainer-get②①">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
    <li><a href="#ref-for-dom-credentialscontainer-get②②">5.9. Permissions Policy integration</a>
    <li><a href="#ref-for-dom-credentialscontainer-get②③">6.2.2. Credential Storage Modality</a>
    <li><a href="#ref-for-dom-credentialscontainer-get②④">7. WebAuthn Relying Party Operations</a>
    <li><a href="#ref-for-dom-credentialscontainer-get②⑤">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-dom-credentialscontainer-get②⑥">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-dom-credentialscontainer-get②⑦">9. WebAuthn Extensions</a> <a href="#ref-for-dom-credentialscontainer-get②⑧">(2)</a> <a href="#ref-for-dom-credentialscontainer-get②⑨">(3)</a>
    <li><a href="#ref-for-dom-credentialscontainer-get③⓪">9.2. Defining Extensions</a>
    <li><a href="#ref-for-dom-credentialscontainer-get③①">9.3. Extending Request Parameters</a> <a href="#ref-for-dom-credentialscontainer-get③②">(2)</a>
    <li><a href="#ref-for-dom-credentialscontainer-get③③">10.1. FIDO AppID Extension (appid)</a>
    <li><a href="#ref-for-dom-credentialscontainer-get③④">14.6.2. Username Enumeration</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-credential-id">
   <a href="https://w3c.github.io/webappsec-credential-management/#dom-credential-id">https://w3c.github.io/webappsec-credential-management/#dom-credential-id</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credential-id">5.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-dom-credential-id①">7.2. Verifying an Authentication Assertion</a> <a href="#ref-for-dom-credential-id②">(2)</a> <a href="#ref-for-dom-credential-id③">(3)</a> <a href="#ref-for-dom-credential-id④">(4)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-credential-discovery-remote">
   <a href="https://w3c.github.io/webappsec-credential-management/#dom-credential-discovery-remote">https://w3c.github.io/webappsec-credential-management/#dom-credential-discovery-remote</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credential-discovery-remote">5.1. PublicKeyCredential Interface</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-same-origin-with-its-ancestors">
   <a href="https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors">https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-same-origin-with-its-ancestors">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-same-origin-with-its-ancestors①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-same-origin-with-its-ancestors②">5.1.5. Store an Existing Credential - PublicKeyCredential’s [[Store]](credential, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-credentialrequestoptions-signal">
   <a href="https://w3c.github.io/webappsec-credential-management/#dom-credentialrequestoptions-signal">https://w3c.github.io/webappsec-credential-management/#dom-credentialrequestoptions-signal</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credentialrequestoptions-signal">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-credentialrequestoptions-signal①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-credentialscontainer-store">
   <a href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-store">https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-store</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credentialscontainer-store">5.1.5. Store an Existing Credential - PublicKeyCredential’s [[Store]](credential, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-credential-type">
   <a href="https://w3c.github.io/webappsec-credential-management/#dom-credential-type">https://w3c.github.io/webappsec-credential-management/#dom-credential-type</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credential-type">5.1. PublicKeyCredential Interface</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-user-mediated">
   <a href="https://w3c.github.io/webappsec-credential-management/#user-mediated">https://w3c.github.io/webappsec-credential-management/#user-mediated</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-user-mediated">5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-abortcontroller">
   <a href="https://dom.spec.whatwg.org/#abortcontroller">https://dom.spec.whatwg.org/#abortcontroller</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-abortcontroller">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-abortcontroller①">5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method</a>
    <li><a href="#ref-for-abortcontroller②">5.6. Abort Operations with AbortSignal</a> <a href="#ref-for-abortcontroller③">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-document">
   <a href="https://dom.spec.whatwg.org/#document">https://dom.spec.whatwg.org/#document</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-document">5.9. Permissions Policy integration</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-abortsignal-aborted-flag">
   <a href="https://dom.spec.whatwg.org/#abortsignal-aborted-flag">https://dom.spec.whatwg.org/#abortsignal-aborted-flag</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-abortsignal-aborted-flag">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-abortsignal-aborted-flag①">(2)</a>
    <li><a href="#ref-for-abortsignal-aborted-flag②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-abortsignal-aborted-flag③">(2)</a>
    <li><a href="#ref-for-abortsignal-aborted-flag④">5.6. Abort Operations with AbortSignal</a> <a href="#ref-for-abortsignal-aborted-flag⑤">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-document">
   <a href="https://dom.spec.whatwg.org/#concept-document">https://dom.spec.whatwg.org/#concept-document</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-document">5.6. Abort Operations with AbortSignal</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-sec-arraybuffer-constructor">
   <a href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor">https://tc39.github.io/ecma262/#sec-arraybuffer-constructor</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-sec-arraybuffer-constructor">3. Dependencies</a>
    <li><a href="#ref-for-sec-arraybuffer-constructor①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-sec-arraybuffer-constructor②">(2)</a> <a href="#ref-for-sec-arraybuffer-constructor③">(3)</a>
    <li><a href="#ref-for-sec-arraybuffer-constructor④">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-sec-arraybuffer-constructor⑤">(2)</a> <a href="#ref-for-sec-arraybuffer-constructor⑥">(3)</a> <a href="#ref-for-sec-arraybuffer-constructor⑦">(4)</a> <a href="#ref-for-sec-arraybuffer-constructor⑧">(5)</a> <a href="#ref-for-sec-arraybuffer-constructor⑨">(6)</a>
    <li><a href="#ref-for-sec-arraybuffer-constructor①⓪">9. WebAuthn Extensions</a> <a href="#ref-for-sec-arraybuffer-constructor①①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-sec-object-internal-methods-and-internal-slots">
   <a href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots">https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots">4. Terminology</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①">5.1. PublicKeyCredential Interface</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots②">(2)</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots③">(3)</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots④">(4)</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots⑤">(5)</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots⑥">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots⑦">(2)</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots⑧">(3)</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots⑨">(4)</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①⓪">5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots①②">(2)</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots①③">(3)</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①④">5.1.5. Store an Existing Credential - PublicKeyCredential’s [[Store]](credential, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①⑤">5.1.6. Preventing Silent Access to an Existing Credential - PublicKeyCredential’s [[preventSilentAccess]](credential, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①⑥">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①⑦">5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①⑧">5.9. Permissions Policy integration</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-sec-object-internal-methods-and-internal-slots">
   <a href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots">https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots">4. Terminology</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①">5.1. PublicKeyCredential Interface</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots②">(2)</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots③">(3)</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots④">(4)</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots⑤">(5)</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots⑥">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots⑦">(2)</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots⑧">(3)</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots⑨">(4)</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①⓪">5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots①②">(2)</a> <a href="#ref-for-sec-object-internal-methods-and-internal-slots①③">(3)</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①④">5.1.5. Store an Existing Credential - PublicKeyCredential’s [[Store]](credential, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①⑤">5.1.6. Preventing Silent Access to an Existing Credential - PublicKeyCredential’s [[preventSilentAccess]](credential, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①⑥">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①⑦">5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)</a>
    <li><a href="#ref-for-sec-object-internal-methods-and-internal-slots①⑧">5.9. Permissions Policy integration</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-sec-own-property">
   <a href="https://tc39.github.io/ecma262/#sec-own-property">https://tc39.github.io/ecma262/#sec-own-property</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-sec-own-property">11.3. Add Virtual Authenticator</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-utf-8-decode">
   <a href="https://encoding.spec.whatwg.org/#utf-8-decode">https://encoding.spec.whatwg.org/#utf-8-decode</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-utf-8-decode">7.1. Registering a New Credential</a> <a href="#ref-for-utf-8-decode①">(2)</a> <a href="#ref-for-utf-8-decode②">(3)</a>
    <li><a href="#ref-for-utf-8-decode③">7.2. Verifying an Authentication Assertion</a> <a href="#ref-for-utf-8-decode④">(2)</a> <a href="#ref-for-utf-8-decode⑤">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-utf-8-encode">
   <a href="https://encoding.spec.whatwg.org/#utf-8-encode">https://encoding.spec.whatwg.org/#utf-8-encode</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-utf-8-encode">8.5. Android SafetyNet Attestation Statement Format</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-request-window">
   <a href="https://fetch.spec.whatwg.org/#concept-request-window">https://fetch.spec.whatwg.org/#concept-request-window</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-request-window">5.6. Abort Operations with AbortSignal</a> <a href="#ref-for-concept-request-window①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-determining-if-a-caller-s-facetid-is-authorized-for-an-appid">
   <a href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid">https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-determining-if-a-caller-s-facetid-is-authorized-for-an-appid">3. Dependencies</a>
    <li><a href="#ref-for-determining-if-a-caller-s-facetid-is-authorized-for-an-appid①">10.1. FIDO AppID Extension (appid)</a> <a href="#ref-for-determining-if-a-caller-s-facetid-is-authorized-for-an-appid②">(2)</a>
    <li><a href="#ref-for-determining-if-a-caller-s-facetid-is-authorized-for-an-appid③">10.2. FIDO AppID Exclusion Extension (appidExclude)</a> <a href="#ref-for-determining-if-a-caller-s-facetid-is-authorized-for-an-appid④">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-determining-the-facetid-of-a-calling-application">
   <a href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-the-facetid-of-a-calling-application">https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-the-facetid-of-a-calling-application</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-determining-the-facetid-of-a-calling-application">3. Dependencies</a>
    <li><a href="#ref-for-determining-the-facetid-of-a-calling-application①">10.1. FIDO AppID Extension (appid)</a>
    <li><a href="#ref-for-determining-the-facetid-of-a-calling-application②">10.2. FIDO AppID Exclusion Extension (appidExclude)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-ctap2-canonical-cbor-encoding-form">
   <a href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#ctap2-canonical-cbor-encoding-form">https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#ctap2-canonical-cbor-encoding-form</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-ctap2-canonical-cbor-encoding-form">2.4. All Conformance Classes</a> <a href="#ref-for-ctap2-canonical-cbor-encoding-form①">(2)</a>
    <li><a href="#ref-for-ctap2-canonical-cbor-encoding-form②">3. Dependencies</a>
    <li><a href="#ref-for-ctap2-canonical-cbor-encoding-form③">6.5.1. Attested Credential Data</a>
    <li><a href="#ref-for-ctap2-canonical-cbor-encoding-form④">6.5.1.1. Examples of credentialPublicKey Values Encoded in COSE_Key Format</a>
    <li><a href="#ref-for-ctap2-canonical-cbor-encoding-form⑤">9. WebAuthn Extensions</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-large-blob">
   <a href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#large-blob">https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#large-blob</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-large-blob">10.5. Large blob storage extension (largeBlob)</a>
    <li><a href="#ref-for-large-blob①">11.5. Add Credential</a> <a href="#ref-for-large-blob②">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-responses">
   <a href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#responses">https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#responses</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-responses">6. WebAuthn Authenticator Model</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-user-verification-methods">
   <a href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#user-verification-methods">https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#user-verification-methods</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-user-verification-methods">10.3. User Verification Method Extension (uvm)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-key-protection-types">
   <a href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#key-protection-types">https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#key-protection-types</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-key-protection-types">10.3. User Verification Method Extension (uvm)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-matcher-protection-types">
   <a href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#matcher-protection-types">https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#matcher-protection-types</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-matcher-protection-types">10.3. User Verification Method Extension (uvm)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-public-key-representation-formats">
   <a href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#public-key-representation-formats">https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#public-key-representation-formats</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-public-key-representation-formats">8.6. FIDO U2F Attestation Statement Format</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-authentication-request-message---u2f_authenticate">
   <a href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#authentication-request-message---u2f_authenticate">https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#authentication-request-message---u2f_authenticate</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authentication-request-message---u2f_authenticate">6.1.2. FIDO U2F Signature Format Compatibility</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-registration-response-message-success">
   <a href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#registration-response-message-success">https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#registration-response-message-success</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-registration-response-message-success">8.6. FIDO U2F Attestation Statement Format</a> <a href="#ref-for-registration-response-message-success①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-authentication-response-message-success">
   <a href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#authentication-response-message-success">https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#authentication-response-message-success</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authentication-response-message-success">6.1.2. FIDO U2F Signature Format Compatibility</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-blob-url-entry-object">
   <a href="https://w3c.github.io/FileAPI/#blob-url-entry-object">https://w3c.github.io/FileAPI/#blob-url-entry-object</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-blob-url-entry-object">11.3. Add Virtual Authenticator</a> <a href="#ref-for-blob-url-entry-object①">(2)</a>
    <li><a href="#ref-for-blob-url-entry-object②">11.5. Add Credential</a> <a href="#ref-for-blob-url-entry-object③">(2)</a>
    <li><a href="#ref-for-blob-url-entry-object④">11.6. Get Credentials</a>
    <li><a href="#ref-for-blob-url-entry-object⑤">11.9. Set User Verified</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-attr-iframe-allow">
   <a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-allow">https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-allow</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attr-iframe-allow">5.10. Using Web Authentication within iframe elements</a> <a href="#ref-for-attr-iframe-allow①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-allowed-to-use">
   <a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#allowed-to-use">https://html.spec.whatwg.org/multipage/iframe-embed-object.html#allowed-to-use</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-allowed-to-use">5.1.7. Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable() Method</a>
    <li><a href="#ref-for-allowed-to-use①">5.9. Permissions Policy integration</a> <a href="#ref-for-allowed-to-use②">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-ascii-serialisation-of-an-origin">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin">https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-ascii-serialisation-of-an-origin">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-ascii-serialisation-of-an-origin①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-browsing-context">
   <a href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context">https://html.spec.whatwg.org/multipage/browsers.html#browsing-context</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-browsing-context">3. Dependencies</a>
    <li><a href="#ref-for-browsing-context①">5.1.7. Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable() Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-current-settings-object">
   <a href="https://html.spec.whatwg.org/multipage/webappapis.html#current-settings-object">https://html.spec.whatwg.org/multipage/webappapis.html#current-settings-object</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-current-settings-object">5.9. Permissions Policy integration</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-document-domain">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#dom-document-domain">https://html.spec.whatwg.org/multipage/origin.html#dom-document-domain</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-document-domain">4. Terminology</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-origin-effective-domain">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain">https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-origin-effective-domain">4. Terminology</a> <a href="#ref-for-concept-origin-effective-domain①">(2)</a> <a href="#ref-for-concept-origin-effective-domain②">(3)</a> <a href="#ref-for-concept-origin-effective-domain③">(4)</a>
    <li><a href="#ref-for-concept-origin-effective-domain④">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-concept-origin-effective-domain⑤">(2)</a> <a href="#ref-for-concept-origin-effective-domain⑥">(3)</a> <a href="#ref-for-concept-origin-effective-domain⑦">(4)</a>
    <li><a href="#ref-for-concept-origin-effective-domain⑧">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-concept-origin-effective-domain⑨">(2)</a> <a href="#ref-for-concept-origin-effective-domain①⓪">(3)</a> <a href="#ref-for-concept-origin-effective-domain①①">(4)</a>
    <li><a href="#ref-for-concept-origin-effective-domain①②">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-concept-origin-effective-domain①③">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-environment-settings-object">
   <a href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object">https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-environment-settings-object">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-environment-settings-object①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-environment-settings-object②">5.1.5. Store an Existing Credential - PublicKeyCredential’s [[Store]](credential, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-settings-object-global">
   <a href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global">https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-settings-object-global">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-concept-settings-object-global①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-the-iframe-element">
   <a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element">https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-the-iframe-element">5.8.1.2. Limited Verification Algorithm</a>
    <li><a href="#ref-for-the-iframe-element①">5.10. Using Web Authentication within iframe elements</a> <a href="#ref-for-the-iframe-element②">(2)</a> <a href="#ref-for-the-iframe-element③">(3)</a>
    <li><a href="#ref-for-the-iframe-element④">13.4.2. Visibility Considerations for Embedded Usage</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-in-parallel">
   <a href="https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel">https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-in-parallel">5.9. Permissions Policy integration</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-is-a-registrable-domain-suffix-of-or-is-equal-to">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to">https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to">3. Dependencies</a>
    <li><a href="#ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to①">4. Terminology</a> <a href="#ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to②">(2)</a>
    <li><a href="#ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to③">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to④">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-is-a-registrable-domain-suffix-of-or-is-equal-to">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to">https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to">3. Dependencies</a>
    <li><a href="#ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to①">4. Terminology</a> <a href="#ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to②">(2)</a>
    <li><a href="#ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to③">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to④">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-origin-opaque">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-opaque">https://html.spec.whatwg.org/multipage/origin.html#concept-origin-opaque</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-origin-opaque">3. Dependencies</a>
    <li><a href="#ref-for-concept-origin-opaque①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-concept-origin-opaque②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-settings-object-origin">
   <a href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-settings-object-origin">4. Terminology</a> <a href="#ref-for-concept-settings-object-origin①">(2)</a>
    <li><a href="#ref-for-concept-settings-object-origin②">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-concept-settings-object-origin③">(2)</a>
    <li><a href="#ref-for-concept-settings-object-origin④">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-concept-settings-object-origin⑤">(2)</a>
    <li><a href="#ref-for-concept-settings-object-origin⑥">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-concept-settings-object-origin⑦">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-document-permissions-policy">
   <a href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-permissions-policy">https://html.spec.whatwg.org/multipage/dom.html#concept-document-permissions-policy</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-document-permissions-policy">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-concept-document-permissions-policy①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-concept-document-permissions-policy②">5.1.7. Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable() Method</a>
    <li><a href="#ref-for-concept-document-permissions-policy③">5.9. Permissions Policy integration</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-relevant-settings-object">
   <a href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object">https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-relevant-settings-object">3. Dependencies</a>
    <li><a href="#ref-for-relevant-settings-object①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-relevant-settings-object②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-relevant-settings-object③">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-relevant-settings-object④">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-origin-tuple">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-tuple">https://html.spec.whatwg.org/multipage/origin.html#concept-origin-tuple</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-origin-tuple">3. Dependencies</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-set-append">
   <a href="https://infra.spec.whatwg.org/#set-append">https://infra.spec.whatwg.org/#set-append</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-set-append">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-set-append①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-set-append②">(2)</a>
    <li><a href="#ref-for-set-append③">6.3.3. The authenticatorGetAssertion Operation</a> <a href="#ref-for-set-append④">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-boolean">
   <a href="https://infra.spec.whatwg.org/#boolean">https://infra.spec.whatwg.org/#boolean</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-boolean">11.1. WebAuthn WebDriver Extension Capability</a>
    <li><a href="#ref-for-boolean①">11.1.1. Authenticator Extension Capabilities</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-byte-sequence">
   <a href="https://infra.spec.whatwg.org/#byte-sequence">https://infra.spec.whatwg.org/#byte-sequence</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-byte-sequence">4. Terminology</a> <a href="#ref-for-byte-sequence①">(2)</a>
    <li><a href="#ref-for-byte-sequence②">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-iteration-continue">
   <a href="https://infra.spec.whatwg.org/#iteration-continue">https://infra.spec.whatwg.org/#iteration-continue</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-iteration-continue">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-iteration-continue①">(2)</a> <a href="#ref-for-iteration-continue②">(3)</a> <a href="#ref-for-iteration-continue③">(4)</a> <a href="#ref-for-iteration-continue④">(5)</a> <a href="#ref-for-iteration-continue⑤">(6)</a> <a href="#ref-for-iteration-continue⑥">(7)</a> <a href="#ref-for-iteration-continue⑦">(8)</a> <a href="#ref-for-iteration-continue⑧">(9)</a> <a href="#ref-for-iteration-continue⑨">(10)</a>
    <li><a href="#ref-for-iteration-continue①⓪">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-iteration-continue①①">(2)</a> <a href="#ref-for-iteration-continue①②">(3)</a> <a href="#ref-for-iteration-continue①③">(4)</a> <a href="#ref-for-iteration-continue①④">(5)</a>
    <li><a href="#ref-for-iteration-continue①⑤">10.5. Large blob storage extension (largeBlob)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-list-empty">
   <a href="https://infra.spec.whatwg.org/#list-empty">https://infra.spec.whatwg.org/#list-empty</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-list-empty">13.4.7. Unprotected account detection</a>
    <li><a href="#ref-for-list-empty①">14.6.3. Privacy leak via credential IDs</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-map-exists">
   <a href="https://infra.spec.whatwg.org/#map-exists">https://infra.spec.whatwg.org/#map-exists</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-map-exists">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-map-exists①">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a> <a href="#ref-for-map-exists②">(2)</a> <a href="#ref-for-map-exists③">(3)</a>
    <li><a href="#ref-for-map-exists④">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
    <li><a href="#ref-for-map-exists⑤">5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-map-iterate">
   <a href="https://infra.spec.whatwg.org/#map-iterate">https://infra.spec.whatwg.org/#map-iterate</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-map-iterate">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-map-iterate①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-map-iterate②">6.3.1. Lookup Credential Source by Credential ID Algorithm</a>
    <li><a href="#ref-for-map-iterate③">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-map-iterate④">6.3.3. The authenticatorGetAssertion Operation</a> <a href="#ref-for-map-iterate⑤">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-list-is-empty">
   <a href="https://infra.spec.whatwg.org/#list-is-empty">https://infra.spec.whatwg.org/#list-is-empty</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-list-is-empty">4. Terminology</a> <a href="#ref-for-list-is-empty①">(2)</a>
    <li><a href="#ref-for-list-is-empty②">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-list-is-empty③">(2)</a>
    <li><a href="#ref-for-list-is-empty④">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-list-is-empty⑤">(2)</a> <a href="#ref-for-list-is-empty⑥">(3)</a> <a href="#ref-for-list-is-empty⑦">(4)</a> <a href="#ref-for-list-is-empty⑧">(5)</a>
    <li><a href="#ref-for-list-is-empty⑨">7.2. Verifying an Authentication Assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-list-is-empty">
   <a href="https://infra.spec.whatwg.org/#list-is-empty">https://infra.spec.whatwg.org/#list-is-empty</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-list-is-empty">4. Terminology</a> <a href="#ref-for-list-is-empty①">(2)</a>
    <li><a href="#ref-for-list-is-empty②">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-list-is-empty③">(2)</a>
    <li><a href="#ref-for-list-is-empty④">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-list-is-empty⑤">(2)</a> <a href="#ref-for-list-is-empty⑥">(3)</a> <a href="#ref-for-list-is-empty⑦">(4)</a> <a href="#ref-for-list-is-empty⑧">(5)</a>
    <li><a href="#ref-for-list-is-empty⑨">7.2. Verifying an Authentication Assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-struct-item">
   <a href="https://infra.spec.whatwg.org/#struct-item">https://infra.spec.whatwg.org/#struct-item</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-struct-item">4. Terminology</a> <a href="#ref-for-struct-item①">(2)</a>
    <li><a href="#ref-for-struct-item②">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-struct-item③">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-list">
   <a href="https://infra.spec.whatwg.org/#list">https://infra.spec.whatwg.org/#list</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-list">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-list①">(2)</a>
    <li><a href="#ref-for-list②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-list③">6.3.3. The authenticatorGetAssertion Operation</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-ordered-map">
   <a href="https://infra.spec.whatwg.org/#ordered-map">https://infra.spec.whatwg.org/#ordered-map</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-ordered-map">5.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-ordered-map①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-ordered-map②">(2)</a>
    <li><a href="#ref-for-ordered-map③">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-ordered-map④">(2)</a> <a href="#ref-for-ordered-map⑤">(3)</a>
    <li><a href="#ref-for-ordered-map⑥">6. WebAuthn Authenticator Model</a>
    <li><a href="#ref-for-ordered-map⑦">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-ordered-map⑧">6.3.3. The authenticatorGetAssertion Operation</a>
    <li><a href="#ref-for-ordered-map⑨">9.4. Client Extension Processing</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-ordered-set">
   <a href="https://infra.spec.whatwg.org/#ordered-set">https://infra.spec.whatwg.org/#ordered-set</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-ordered-set">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-ordered-set①">(2)</a>
    <li><a href="#ref-for-ordered-set②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-ordered-set③">(2)</a> <a href="#ref-for-ordered-set④">(3)</a> <a href="#ref-for-ordered-set⑤">(4)</a>
    <li><a href="#ref-for-ordered-set⑥">6.3.3. The authenticatorGetAssertion Operation</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-list-remove">
   <a href="https://infra.spec.whatwg.org/#list-remove">https://infra.spec.whatwg.org/#list-remove</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-list-remove">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-list-remove①">(2)</a> <a href="#ref-for-list-remove②">(3)</a> <a href="#ref-for-list-remove③">(4)</a> <a href="#ref-for-list-remove④">(5)</a> <a href="#ref-for-list-remove⑤">(6)</a> <a href="#ref-for-list-remove⑥">(7)</a> <a href="#ref-for-list-remove⑦">(8)</a> <a href="#ref-for-list-remove⑧">(9)</a> <a href="#ref-for-list-remove⑨">(10)</a> <a href="#ref-for-list-remove①⓪">(11)</a>
    <li><a href="#ref-for-list-remove①①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-list-remove①②">(2)</a> <a href="#ref-for-list-remove①③">(3)</a> <a href="#ref-for-list-remove①④">(4)</a> <a href="#ref-for-list-remove①⑤">(5)</a> <a href="#ref-for-list-remove①⑥">(6)</a> <a href="#ref-for-list-remove①⑦">(7)</a> <a href="#ref-for-list-remove①⑧">(8)</a> <a href="#ref-for-list-remove①⑨">(9)</a>
    <li><a href="#ref-for-list-remove②⓪">6.3.3. The authenticatorGetAssertion Operation</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-serialize-a-javascript-value-to-json-bytes">
   <a href="https://infra.spec.whatwg.org/#serialize-a-javascript-value-to-json-bytes">https://infra.spec.whatwg.org/#serialize-a-javascript-value-to-json-bytes</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-serialize-a-javascript-value-to-json-bytes">5.8.1.1. Serialization</a> <a href="#ref-for-serialize-a-javascript-value-to-json-bytes①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-map-set">
   <a href="https://infra.spec.whatwg.org/#map-set">https://infra.spec.whatwg.org/#map-set</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-map-set">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-map-set①">(2)</a>
    <li><a href="#ref-for-map-set②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-map-set③">(2)</a>
    <li><a href="#ref-for-map-set④">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-map-set⑤">10.4. Credential Properties Extension (credProps)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-list-size">
   <a href="https://infra.spec.whatwg.org/#list-size">https://infra.spec.whatwg.org/#list-size</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-list-size">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-struct">
   <a href="https://infra.spec.whatwg.org/#struct">https://infra.spec.whatwg.org/#struct</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-struct">4. Terminology</a>
    <li><a href="#ref-for-struct①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-struct②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-iteration-while">
   <a href="https://infra.spec.whatwg.org/#iteration-while">https://infra.spec.whatwg.org/#iteration-while</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-iteration-while">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-iteration-while①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-willful-violation">
   <a href="https://infra.spec.whatwg.org/#willful-violation">https://infra.spec.whatwg.org/#willful-violation</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-willful-violation">4. Terminology</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-visibility-states">
   <a href="https://www.w3.org/TR/page-visibility/#visibility-states">https://www.w3.org/TR/page-visibility/#visibility-states</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-visibility-states">5.6. Abort Operations with AbortSignal</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-default-allowlist">
   <a href="https://w3c.github.io/webappsec-permissions-policy/#default-allowlist">https://w3c.github.io/webappsec-permissions-policy/#default-allowlist</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-default-allowlist">5.9. Permissions Policy integration</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-policy-controlled-feature">
   <a href="https://w3c.github.io/webappsec-permissions-policy/#policy-controlled-feature">https://w3c.github.io/webappsec-permissions-policy/#policy-controlled-feature</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-policy-controlled-feature">5.9. Permissions Policy integration</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-page-186">
   <a href="https://tools.ietf.org/html/rfc4949#page-186">https://tools.ietf.org/html/rfc4949#page-186</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-page-186">13.4.1. Security Benefits for WebAuthn Relying Parties</a>
    <li><a href="#ref-for-page-186①">13.4.4. Attestation Limitations</a> <a href="#ref-for-page-186②">(2)</a> <a href="#ref-for-page-186③">(3)</a> <a href="#ref-for-page-186④">(4)</a> <a href="#ref-for-page-186⑤">(5)</a> <a href="#ref-for-page-186⑥">(6)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-page-258">
   <a href="https://tools.ietf.org/html/rfc4949#page-258">https://tools.ietf.org/html/rfc4949#page-258</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-page-258">14.6.1. User Handle Contents</a> <a href="#ref-for-page-258①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-page-258">
   <a href="https://tools.ietf.org/html/rfc4949#page-258">https://tools.ietf.org/html/rfc4949#page-258</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-page-258">14.6.1. User Handle Contents</a> <a href="#ref-for-page-258①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-section-4.1.2.7">
   <a href="https://tools.ietf.org/html/rfc5280#section-4.1.2.7">https://tools.ietf.org/html/rfc5280#section-4.1.2.7</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-section-4.1.2.7">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-section-4.1.2.7①">5.2.1.1. Easily accessing credential data</a> <a href="#ref-for-section-4.1.2.7②">(2)</a> <a href="#ref-for-section-4.1.2.7③">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-section-7">
   <a href="https://tools.ietf.org/html/rfc8152#section-7">https://tools.ietf.org/html/rfc8152#section-7</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-section-7">5.8.5. Cryptographic Algorithm Identifier (typedef COSEAlgorithmIdentifier)</a>
    <li><a href="#ref-for-section-7①">6.1. Authenticator Data</a>
    <li><a href="#ref-for-section-7②">6.5.1. Attested Credential Data</a>
    <li><a href="#ref-for-section-7③">6.5.1.1. Examples of credentialPublicKey Values Encoded in COSE_Key Format</a>
    <li><a href="#ref-for-section-7④">8.6. FIDO U2F Attestation Statement Format</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-section-13.1.1">
   <a href="https://tools.ietf.org/html/rfc8152#section-13.1.1">https://tools.ietf.org/html/rfc8152#section-13.1.1</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-section-13.1.1">5.2.1.1. Easily accessing credential data</a> <a href="#ref-for-section-13.1.1①">(2)</a>
    <li><a href="#ref-for-section-13.1.1②">5.8.5. Cryptographic Algorithm Identifier (typedef COSEAlgorithmIdentifier)</a> <a href="#ref-for-section-13.1.1③">(2)</a> <a href="#ref-for-section-13.1.1④">(3)</a> <a href="#ref-for-section-13.1.1⑤">(4)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-section-7.1">
   <a href="https://tools.ietf.org/html/rfc8152#section-7.1">https://tools.ietf.org/html/rfc8152#section-7.1</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-section-7.1">5.2.1.1. Easily accessing credential data</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-section-13.1">
   <a href="https://tools.ietf.org/html/rfc8152#section-13.1">https://tools.ietf.org/html/rfc8152#section-13.1</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-section-13.1">6.5.1.1. Examples of credentialPublicKey Values Encoded in COSE_Key Format</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-section-7">
   <a href="https://tools.ietf.org/html/rfc8152#section-7">https://tools.ietf.org/html/rfc8152#section-7</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-section-7">5.8.5. Cryptographic Algorithm Identifier (typedef COSEAlgorithmIdentifier)</a>
    <li><a href="#ref-for-section-7①">6.1. Authenticator Data</a>
    <li><a href="#ref-for-section-7②">6.5.1. Attested Credential Data</a>
    <li><a href="#ref-for-section-7③">6.5.1.1. Examples of credentialPublicKey Values Encoded in COSE_Key Format</a>
    <li><a href="#ref-for-section-7④">8.6. FIDO U2F Attestation Statement Format</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-section-8.1">
   <a href="https://tools.ietf.org/html/rfc8152#section-8.1">https://tools.ietf.org/html/rfc8152#section-8.1</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-section-8.1">6.5.1.1. Examples of credentialPublicKey Values Encoded in COSE_Key Format</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-section-2">
   <a href="https://tools.ietf.org/html/rfc8230#section-2">https://tools.ietf.org/html/rfc8230#section-2</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-section-2">6.5.1.1. Examples of credentialPublicKey Values Encoded in COSE_Key Format</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-section-4">
   <a href="https://tools.ietf.org/html/rfc8230#section-4">https://tools.ietf.org/html/rfc8230#section-4</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-section-4">6.5.1.1. Examples of credentialPublicKey Values Encoded in COSE_Key Format</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-section-3.9">
   <a href="https://tools.ietf.org/html/rfc8610#section-3.9">https://tools.ietf.org/html/rfc8610#section-3.9</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-section-3.9">9.3. Extending Request Parameters</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-secure-contexts">
   <a href="https://w3c.github.io/webappsec-secure-contexts/#secure-contexts">https://w3c.github.io/webappsec-secure-contexts/#secure-contexts</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-secure-contexts">5. Web Authentication API</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-af">
   <a href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af">https://pages.nist.gov/800-63-3/sp800-63-3.html#af</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-af">4. Terminology</a>
    <li><a href="#ref-for-af①">6.2. Authenticator Taxonomy</a> <a href="#ref-for-af②">(2)</a> <a href="#ref-for-af③">(3)</a> <a href="#ref-for-af④">(4)</a> <a href="#ref-for-af⑤">(5)</a> <a href="#ref-for-af⑥">(6)</a> <a href="#ref-for-af⑦">(7)</a> <a href="#ref-for-af⑧">(8)</a>
    <li><a href="#ref-for-af⑨">6.2.1. Authenticator Attachment Modality</a> <a href="#ref-for-af①⓪">(2)</a>
    <li><a href="#ref-for-af①①">6.2.3. Authentication Factor Capability</a> <a href="#ref-for-af①②">(2)</a> <a href="#ref-for-af①③">(3)</a> <a href="#ref-for-af①④">(4)</a> <a href="#ref-for-af①⑤">(5)</a> <a href="#ref-for-af①⑥">(6)</a> <a href="#ref-for-af①⑦">(7)</a> <a href="#ref-for-af①⑧">(8)</a> <a href="#ref-for-af①⑨">(9)</a> <a href="#ref-for-af②⓪">(10)</a>
    <li><a href="#ref-for-af②①">13.2. Physical Proximity between Client and Authenticator</a> <a href="#ref-for-af②②">(2)</a> <a href="#ref-for-af②③">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-af">
   <a href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af">https://pages.nist.gov/800-63-3/sp800-63-3.html#af</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-af">4. Terminology</a>
    <li><a href="#ref-for-af①">6.2. Authenticator Taxonomy</a> <a href="#ref-for-af②">(2)</a> <a href="#ref-for-af③">(3)</a> <a href="#ref-for-af④">(4)</a> <a href="#ref-for-af⑤">(5)</a> <a href="#ref-for-af⑥">(6)</a> <a href="#ref-for-af⑦">(7)</a> <a href="#ref-for-af⑧">(8)</a>
    <li><a href="#ref-for-af⑨">6.2.1. Authenticator Attachment Modality</a> <a href="#ref-for-af①⓪">(2)</a>
    <li><a href="#ref-for-af①①">6.2.3. Authentication Factor Capability</a> <a href="#ref-for-af①②">(2)</a> <a href="#ref-for-af①③">(3)</a> <a href="#ref-for-af①④">(4)</a> <a href="#ref-for-af①⑤">(5)</a> <a href="#ref-for-af①⑥">(6)</a> <a href="#ref-for-af①⑦">(7)</a> <a href="#ref-for-af①⑧">(8)</a> <a href="#ref-for-af①⑨">(9)</a> <a href="#ref-for-af②⓪">(10)</a>
    <li><a href="#ref-for-af②①">13.2. Physical Proximity between Client and Authenticator</a> <a href="#ref-for-af②②">(2)</a> <a href="#ref-for-af②③">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-af">
   <a href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af">https://pages.nist.gov/800-63-3/sp800-63-3.html#af</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-af">4. Terminology</a>
    <li><a href="#ref-for-af①">6.2. Authenticator Taxonomy</a> <a href="#ref-for-af②">(2)</a> <a href="#ref-for-af③">(3)</a> <a href="#ref-for-af④">(4)</a> <a href="#ref-for-af⑤">(5)</a> <a href="#ref-for-af⑥">(6)</a> <a href="#ref-for-af⑦">(7)</a> <a href="#ref-for-af⑧">(8)</a>
    <li><a href="#ref-for-af⑨">6.2.1. Authenticator Attachment Modality</a> <a href="#ref-for-af①⓪">(2)</a>
    <li><a href="#ref-for-af①①">6.2.3. Authentication Factor Capability</a> <a href="#ref-for-af①②">(2)</a> <a href="#ref-for-af①③">(3)</a> <a href="#ref-for-af①④">(4)</a> <a href="#ref-for-af①⑤">(5)</a> <a href="#ref-for-af①⑥">(6)</a> <a href="#ref-for-af①⑦">(7)</a> <a href="#ref-for-af①⑧">(8)</a> <a href="#ref-for-af①⑨">(9)</a> <a href="#ref-for-af②⓪">(10)</a>
    <li><a href="#ref-for-af②①">13.2. Physical Proximity between Client and Authenticator</a> <a href="#ref-for-af②②">(2)</a> <a href="#ref-for-af②③">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-sf">
   <a href="https://pages.nist.gov/800-63-3/sp800-63-3.html#sf">https://pages.nist.gov/800-63-3/sp800-63-3.html#sf</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-sf">6.2. Authenticator Taxonomy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-af">
   <a href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af">https://pages.nist.gov/800-63-3/sp800-63-3.html#af</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-af">4. Terminology</a>
    <li><a href="#ref-for-af①">6.2. Authenticator Taxonomy</a> <a href="#ref-for-af②">(2)</a> <a href="#ref-for-af③">(3)</a> <a href="#ref-for-af④">(4)</a> <a href="#ref-for-af⑤">(5)</a> <a href="#ref-for-af⑥">(6)</a> <a href="#ref-for-af⑦">(7)</a> <a href="#ref-for-af⑧">(8)</a>
    <li><a href="#ref-for-af⑨">6.2.1. Authenticator Attachment Modality</a> <a href="#ref-for-af①⓪">(2)</a>
    <li><a href="#ref-for-af①①">6.2.3. Authentication Factor Capability</a> <a href="#ref-for-af①②">(2)</a> <a href="#ref-for-af①③">(3)</a> <a href="#ref-for-af①④">(4)</a> <a href="#ref-for-af①⑤">(5)</a> <a href="#ref-for-af①⑥">(6)</a> <a href="#ref-for-af①⑦">(7)</a> <a href="#ref-for-af①⑧">(8)</a> <a href="#ref-for-af①⑨">(9)</a> <a href="#ref-for-af②⓪">(10)</a>
    <li><a href="#ref-for-af②①">13.2. Physical Proximity between Client and Authenticator</a> <a href="#ref-for-af②②">(2)</a> <a href="#ref-for-af②③">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-af">
   <a href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af">https://pages.nist.gov/800-63-3/sp800-63-3.html#af</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-af">4. Terminology</a>
    <li><a href="#ref-for-af①">6.2. Authenticator Taxonomy</a> <a href="#ref-for-af②">(2)</a> <a href="#ref-for-af③">(3)</a> <a href="#ref-for-af④">(4)</a> <a href="#ref-for-af⑤">(5)</a> <a href="#ref-for-af⑥">(6)</a> <a href="#ref-for-af⑦">(7)</a> <a href="#ref-for-af⑧">(8)</a>
    <li><a href="#ref-for-af⑨">6.2.1. Authenticator Attachment Modality</a> <a href="#ref-for-af①⓪">(2)</a>
    <li><a href="#ref-for-af①①">6.2.3. Authentication Factor Capability</a> <a href="#ref-for-af①②">(2)</a> <a href="#ref-for-af①③">(3)</a> <a href="#ref-for-af①④">(4)</a> <a href="#ref-for-af①⑤">(5)</a> <a href="#ref-for-af①⑥">(6)</a> <a href="#ref-for-af①⑦">(7)</a> <a href="#ref-for-af①⑧">(8)</a> <a href="#ref-for-af①⑨">(9)</a> <a href="#ref-for-af②⓪">(10)</a>
    <li><a href="#ref-for-af②①">13.2. Physical Proximity between Client and Authenticator</a> <a href="#ref-for-af②②">(2)</a> <a href="#ref-for-af②③">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-af">
   <a href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af">https://pages.nist.gov/800-63-3/sp800-63-3.html#af</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-af">4. Terminology</a>
    <li><a href="#ref-for-af①">6.2. Authenticator Taxonomy</a> <a href="#ref-for-af②">(2)</a> <a href="#ref-for-af③">(3)</a> <a href="#ref-for-af④">(4)</a> <a href="#ref-for-af⑤">(5)</a> <a href="#ref-for-af⑥">(6)</a> <a href="#ref-for-af⑦">(7)</a> <a href="#ref-for-af⑧">(8)</a>
    <li><a href="#ref-for-af⑨">6.2.1. Authenticator Attachment Modality</a> <a href="#ref-for-af①⓪">(2)</a>
    <li><a href="#ref-for-af①①">6.2.3. Authentication Factor Capability</a> <a href="#ref-for-af①②">(2)</a> <a href="#ref-for-af①③">(3)</a> <a href="#ref-for-af①④">(4)</a> <a href="#ref-for-af①⑤">(5)</a> <a href="#ref-for-af①⑥">(6)</a> <a href="#ref-for-af①⑦">(7)</a> <a href="#ref-for-af①⑧">(8)</a> <a href="#ref-for-af①⑨">(9)</a> <a href="#ref-for-af②⓪">(10)</a>
    <li><a href="#ref-for-af②①">13.2. Physical Proximity between Client and Authenticator</a> <a href="#ref-for-af②②">(2)</a> <a href="#ref-for-af②③">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-section-1">
   <a href="https://tools.ietf.org/html/rfc8471#section-1">https://tools.ietf.org/html/rfc8471#section-1</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-section-1">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-section-1①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-section-1②">5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)</a>
    <li><a href="#ref-for-section-1③">7.1. Registering a New Credential</a> <a href="#ref-for-section-1④">(2)</a>
    <li><a href="#ref-for-section-1⑤">7.2. Verifying an Authentication Assertion</a> <a href="#ref-for-section-1⑥">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-section-3.2">
   <a href="https://tools.ietf.org/html/rfc8471#section-3.2">https://tools.ietf.org/html/rfc8471#section-3.2</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-section-3.2">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-section-3.2①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-section-3.2②">5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)</a> <a href="#ref-for-section-3.2③">(2)</a>
    <li><a href="#ref-for-section-3.2④">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-section-3.2⑤">7.2. Verifying an Authentication Assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-domain">
   <a href="https://url.spec.whatwg.org/#concept-domain">https://url.spec.whatwg.org/#concept-domain</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-domain">4. Terminology</a>
    <li><a href="#ref-for-concept-domain①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-concept-domain②">(2)</a>
    <li><a href="#ref-for-concept-domain③">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-concept-domain④">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-empty-host">
   <a href="https://url.spec.whatwg.org/#empty-host">https://url.spec.whatwg.org/#empty-host</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-empty-host">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-empty-host①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-url-host">
   <a href="https://url.spec.whatwg.org/#concept-url-host">https://url.spec.whatwg.org/#concept-url-host</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-url-host">4. Terminology</a>
    <li><a href="#ref-for-concept-url-host①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-concept-url-host②">(2)</a>
    <li><a href="#ref-for-concept-url-host③">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-concept-url-host④">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-ipv4">
   <a href="https://url.spec.whatwg.org/#concept-ipv4">https://url.spec.whatwg.org/#concept-ipv4</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-ipv4">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-concept-ipv4①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-ipv6">
   <a href="https://url.spec.whatwg.org/#concept-ipv6">https://url.spec.whatwg.org/#concept-ipv6</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-ipv6">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-concept-ipv6①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-opaque-host">
   <a href="https://url.spec.whatwg.org/#opaque-host">https://url.spec.whatwg.org/#opaque-host</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-opaque-host">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-opaque-host①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-url-port">
   <a href="https://url.spec.whatwg.org#concept-url-port">https://url.spec.whatwg.org#concept-url-port</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-url-port">4. Terminology</a> <a href="#ref-for-concept-url-port①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-url-scheme">
   <a href="https://url.spec.whatwg.org#concept-url-scheme">https://url.spec.whatwg.org#concept-url-scheme</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-url-scheme">4. Terminology</a> <a href="#ref-for-concept-url-scheme①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-valid-domain">
   <a href="https://url.spec.whatwg.org/#valid-domain">https://url.spec.whatwg.org/#valid-domain</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-valid-domain">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-valid-domain①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-valid-domain-string">
   <a href="https://url.spec.whatwg.org/#valid-domain-string">https://url.spec.whatwg.org/#valid-domain-string</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-valid-domain-string">4. Terminology</a> <a href="#ref-for-valid-domain-string①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-Grapheme_Cluster_Boundaries">
   <a href="https://unicode.org/reports/tr29/#Grapheme_Cluster_Boundaries">https://unicode.org/reports/tr29/#Grapheme_Cluster_Boundaries</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-Grapheme_Cluster_Boundaries">6.4.1. String Truncation</a> <a href="#ref-for-Grapheme_Cluster_Boundaries①">(2)</a> <a href="#ref-for-Grapheme_Cluster_Boundaries②">(3)</a> <a href="#ref-for-Grapheme_Cluster_Boundaries③">(4)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-endpoint-node">
   <a href="https://w3c.github.io/webdriver/#dfn-endpoint-node">https://w3c.github.io/webdriver/#dfn-endpoint-node</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-endpoint-node">11.1. WebAuthn WebDriver Extension Capability</a> <a href="#ref-for-dfn-endpoint-node①">(2)</a>
    <li><a href="#ref-for-dfn-endpoint-node②">11.1.1. Authenticator Extension Capabilities</a> <a href="#ref-for-dfn-endpoint-node③">(2)</a> <a href="#ref-for-dfn-endpoint-node④">(3)</a>
    <li><a href="#ref-for-dfn-endpoint-node⑤">11.3. Add Virtual Authenticator</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-extension-capability">
   <a href="https://w3c.github.io/webdriver/#dfn-extension-capability">https://w3c.github.io/webdriver/#dfn-extension-capability</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-extension-capability">11.1. WebAuthn WebDriver Extension Capability</a>
    <li><a href="#ref-for-dfn-extension-capability①">11.1.1. Authenticator Extension Capabilities</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-extension-command">
   <a href="https://w3c.github.io/webdriver/#dfn-extension-command">https://w3c.github.io/webdriver/#dfn-extension-command</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-extension-command">11. User Agent Automation</a>
    <li><a href="#ref-for-dfn-extension-command①">11.1. WebAuthn WebDriver Extension Capability</a>
    <li><a href="#ref-for-dfn-extension-command②">11.2. Virtual Authenticators</a>
    <li><a href="#ref-for-dfn-extension-command③">11.3. Add Virtual Authenticator</a>
    <li><a href="#ref-for-dfn-extension-command④">11.4. Remove Virtual Authenticator</a>
    <li><a href="#ref-for-dfn-extension-command⑤">11.5. Add Credential</a>
    <li><a href="#ref-for-dfn-extension-command⑥">11.6. Get Credentials</a>
    <li><a href="#ref-for-dfn-extension-command⑦">11.7. Remove Credential</a>
    <li><a href="#ref-for-dfn-extension-command⑧">11.8. Remove All Credentials</a>
    <li><a href="#ref-for-dfn-extension-command⑨">11.9. Set User Verified</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-getting-properties">
   <a href="https://w3c.github.io/webdriver/#dfn-getting-properties">https://w3c.github.io/webdriver/#dfn-getting-properties</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-getting-properties">11.3. Add Virtual Authenticator</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-invalid-argument">
   <a href="https://w3c.github.io/webdriver/#dfn-invalid-argument">https://w3c.github.io/webdriver/#dfn-invalid-argument</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-invalid-argument">11.1. WebAuthn WebDriver Extension Capability</a>
    <li><a href="#ref-for-dfn-invalid-argument①">11.1.1. Authenticator Extension Capabilities</a>
    <li><a href="#ref-for-dfn-invalid-argument②">11.3. Add Virtual Authenticator</a> <a href="#ref-for-dfn-invalid-argument③">(2)</a> <a href="#ref-for-dfn-invalid-argument④">(3)</a> <a href="#ref-for-dfn-invalid-argument⑤">(4)</a>
    <li><a href="#ref-for-dfn-invalid-argument⑥">11.4. Remove Virtual Authenticator</a>
    <li><a href="#ref-for-dfn-invalid-argument⑦">11.5. Add Credential</a> <a href="#ref-for-dfn-invalid-argument⑧">(2)</a> <a href="#ref-for-dfn-invalid-argument⑨">(3)</a> <a href="#ref-for-dfn-invalid-argument①⓪">(4)</a> <a href="#ref-for-dfn-invalid-argument①①">(5)</a> <a href="#ref-for-dfn-invalid-argument①②">(6)</a> <a href="#ref-for-dfn-invalid-argument①③">(7)</a> <a href="#ref-for-dfn-invalid-argument①④">(8)</a> <a href="#ref-for-dfn-invalid-argument①⑤">(9)</a> <a href="#ref-for-dfn-invalid-argument①⑥">(10)</a> <a href="#ref-for-dfn-invalid-argument①⑦">(11)</a>
    <li><a href="#ref-for-dfn-invalid-argument①⑧">11.6. Get Credentials</a>
    <li><a href="#ref-for-dfn-invalid-argument①⑨">11.7. Remove Credential</a> <a href="#ref-for-dfn-invalid-argument②⓪">(2)</a>
    <li><a href="#ref-for-dfn-invalid-argument②①">11.8. Remove All Credentials</a>
    <li><a href="#ref-for-dfn-invalid-argument②②">11.9. Set User Verified</a> <a href="#ref-for-dfn-invalid-argument②③">(2)</a> <a href="#ref-for-dfn-invalid-argument②④">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-matching-capabilities">
   <a href="https://w3c.github.io/webdriver/#dfn-matching-capabilities">https://w3c.github.io/webdriver/#dfn-matching-capabilities</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-matching-capabilities">11.1. WebAuthn WebDriver Extension Capability</a>
    <li><a href="#ref-for-dfn-matching-capabilities①">11.1.1. Authenticator Extension Capabilities</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-remote-end-steps">
   <a href="https://w3c.github.io/webdriver/#dfn-remote-end-steps">https://w3c.github.io/webdriver/#dfn-remote-end-steps</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-remote-end-steps">11.3. Add Virtual Authenticator</a> <a href="#ref-for-dfn-remote-end-steps①">(2)</a>
    <li><a href="#ref-for-dfn-remote-end-steps②">11.4. Remove Virtual Authenticator</a>
    <li><a href="#ref-for-dfn-remote-end-steps③">11.5. Add Credential</a> <a href="#ref-for-dfn-remote-end-steps④">(2)</a>
    <li><a href="#ref-for-dfn-remote-end-steps⑤">11.6. Get Credentials</a>
    <li><a href="#ref-for-dfn-remote-end-steps⑥">11.7. Remove Credential</a>
    <li><a href="#ref-for-dfn-remote-end-steps⑦">11.8. Remove All Credentials</a>
    <li><a href="#ref-for-dfn-remote-end-steps⑧">11.9. Set User Verified</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-set-a-property">
   <a href="https://w3c.github.io/webdriver/#dfn-set-a-property">https://w3c.github.io/webdriver/#dfn-set-a-property</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-set-a-property">11.3. Add Virtual Authenticator</a> <a href="#ref-for-dfn-set-a-property①">(2)</a> <a href="#ref-for-dfn-set-a-property②">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-success">
   <a href="https://w3c.github.io/webdriver/#dfn-success">https://w3c.github.io/webdriver/#dfn-success</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-success">11.3. Add Virtual Authenticator</a>
    <li><a href="#ref-for-dfn-success①">11.4. Remove Virtual Authenticator</a>
    <li><a href="#ref-for-dfn-success②">11.5. Add Credential</a>
    <li><a href="#ref-for-dfn-success③">11.6. Get Credentials</a>
    <li><a href="#ref-for-dfn-success④">11.7. Remove Credential</a>
    <li><a href="#ref-for-dfn-success⑤">11.8. Remove All Credentials</a>
    <li><a href="#ref-for-dfn-success⑥">11.9. Set User Verified</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-unsupported-operation">
   <a href="https://w3c.github.io/webdriver/#dfn-unsupported-operation">https://w3c.github.io/webdriver/#dfn-unsupported-operation</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-unsupported-operation">11.3. Add Virtual Authenticator</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-validate-capabilities">
   <a href="https://w3c.github.io/webdriver/#dfn-validate-capabilities">https://w3c.github.io/webdriver/#dfn-validate-capabilities</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-validate-capabilities">11.1. WebAuthn WebDriver Extension Capability</a>
    <li><a href="#ref-for-dfn-validate-capabilities①">11.1.1. Authenticator Extension Capabilities</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-error">
   <a href="https://w3c.github.io/webdriver/#dfn-error">https://w3c.github.io/webdriver/#dfn-error</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-error">11.1. WebAuthn WebDriver Extension Capability</a>
    <li><a href="#ref-for-dfn-error①">11.1.1. Authenticator Extension Capabilities</a>
    <li><a href="#ref-for-dfn-error②">11.3. Add Virtual Authenticator</a> <a href="#ref-for-dfn-error③">(2)</a> <a href="#ref-for-dfn-error④">(3)</a> <a href="#ref-for-dfn-error⑤">(4)</a> <a href="#ref-for-dfn-error⑥">(5)</a>
    <li><a href="#ref-for-dfn-error⑦">11.4. Remove Virtual Authenticator</a>
    <li><a href="#ref-for-dfn-error⑧">11.5. Add Credential</a> <a href="#ref-for-dfn-error⑨">(2)</a> <a href="#ref-for-dfn-error①⓪">(3)</a> <a href="#ref-for-dfn-error①①">(4)</a> <a href="#ref-for-dfn-error①②">(5)</a> <a href="#ref-for-dfn-error①③">(6)</a> <a href="#ref-for-dfn-error①④">(7)</a> <a href="#ref-for-dfn-error①⑤">(8)</a> <a href="#ref-for-dfn-error①⑥">(9)</a> <a href="#ref-for-dfn-error①⑦">(10)</a> <a href="#ref-for-dfn-error①⑧">(11)</a>
    <li><a href="#ref-for-dfn-error①⑨">11.6. Get Credentials</a>
    <li><a href="#ref-for-dfn-error②⓪">11.7. Remove Credential</a> <a href="#ref-for-dfn-error②①">(2)</a>
    <li><a href="#ref-for-dfn-error②②">11.8. Remove All Credentials</a>
    <li><a href="#ref-for-dfn-error②③">11.9. Set User Verified</a> <a href="#ref-for-dfn-error②④">(2)</a> <a href="#ref-for-dfn-error②⑤">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-error-code">
   <a href="https://w3c.github.io/webdriver/#dfn-error-code">https://w3c.github.io/webdriver/#dfn-error-code</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-error-code">11.1. WebAuthn WebDriver Extension Capability</a>
    <li><a href="#ref-for-dfn-error-code①">11.1.1. Authenticator Extension Capabilities</a>
    <li><a href="#ref-for-dfn-error-code②">11.3. Add Virtual Authenticator</a> <a href="#ref-for-dfn-error-code③">(2)</a> <a href="#ref-for-dfn-error-code④">(3)</a> <a href="#ref-for-dfn-error-code⑤">(4)</a> <a href="#ref-for-dfn-error-code⑥">(5)</a>
    <li><a href="#ref-for-dfn-error-code⑦">11.4. Remove Virtual Authenticator</a>
    <li><a href="#ref-for-dfn-error-code⑧">11.5. Add Credential</a> <a href="#ref-for-dfn-error-code⑨">(2)</a> <a href="#ref-for-dfn-error-code①⓪">(3)</a> <a href="#ref-for-dfn-error-code①①">(4)</a> <a href="#ref-for-dfn-error-code①②">(5)</a> <a href="#ref-for-dfn-error-code①③">(6)</a> <a href="#ref-for-dfn-error-code①④">(7)</a> <a href="#ref-for-dfn-error-code①⑤">(8)</a> <a href="#ref-for-dfn-error-code①⑥">(9)</a> <a href="#ref-for-dfn-error-code①⑦">(10)</a> <a href="#ref-for-dfn-error-code①⑧">(11)</a>
    <li><a href="#ref-for-dfn-error-code①⑨">11.6. Get Credentials</a>
    <li><a href="#ref-for-dfn-error-code②⓪">11.7. Remove Credential</a> <a href="#ref-for-dfn-error-code②①">(2)</a>
    <li><a href="#ref-for-dfn-error-code②②">11.8. Remove All Credentials</a>
    <li><a href="#ref-for-dfn-error-code②③">11.9. Set User Verified</a> <a href="#ref-for-dfn-error-code②④">(2)</a> <a href="#ref-for-dfn-error-code②⑤">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-aborterror">
   <a href="https://heycam.github.io/webidl/#aborterror">https://heycam.github.io/webidl/#aborterror</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-aborterror">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-aborterror①">(2)</a>
    <li><a href="#ref-for-aborterror②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-aborterror③">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-ArrayBuffer">
   <a href="https://heycam.github.io/webidl/#idl-ArrayBuffer">https://heycam.github.io/webidl/#idl-ArrayBuffer</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-ArrayBuffer">5.1. PublicKeyCredential Interface</a> <a href="#ref-for-idl-ArrayBuffer①">(2)</a>
    <li><a href="#ref-for-idl-ArrayBuffer②">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-idl-ArrayBuffer③">(2)</a> <a href="#ref-for-idl-ArrayBuffer④">(3)</a>
    <li><a href="#ref-for-idl-ArrayBuffer⑤">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-idl-ArrayBuffer⑥">(2)</a> <a href="#ref-for-idl-ArrayBuffer⑦">(3)</a> <a href="#ref-for-idl-ArrayBuffer⑧">(4)</a> <a href="#ref-for-idl-ArrayBuffer⑨">(5)</a> <a href="#ref-for-idl-ArrayBuffer①⓪">(6)</a>
    <li><a href="#ref-for-idl-ArrayBuffer①①">5.2. Authenticator Responses (interface AuthenticatorResponse)</a> <a href="#ref-for-idl-ArrayBuffer①②">(2)</a>
    <li><a href="#ref-for-idl-ArrayBuffer①③">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a> <a href="#ref-for-idl-ArrayBuffer①④">(2)</a> <a href="#ref-for-idl-ArrayBuffer①⑤">(3)</a> <a href="#ref-for-idl-ArrayBuffer①⑥">(4)</a>
    <li><a href="#ref-for-idl-ArrayBuffer①⑦">5.2.1.1. Easily accessing credential data</a>
    <li><a href="#ref-for-idl-ArrayBuffer①⑧">5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a> <a href="#ref-for-idl-ArrayBuffer①⑨">(2)</a> <a href="#ref-for-idl-ArrayBuffer②⓪">(3)</a> <a href="#ref-for-idl-ArrayBuffer②①">(4)</a> <a href="#ref-for-idl-ArrayBuffer②②">(5)</a> <a href="#ref-for-idl-ArrayBuffer②③">(6)</a>
    <li><a href="#ref-for-idl-ArrayBuffer②④">10.5. Large blob storage extension (largeBlob)</a> <a href="#ref-for-idl-ArrayBuffer②⑤">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-BufferSource">
   <a href="https://heycam.github.io/webidl/#BufferSource">https://heycam.github.io/webidl/#BufferSource</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-BufferSource">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-BufferSource①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-BufferSource②">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a> <a href="#ref-for-BufferSource③">(2)</a>
    <li><a href="#ref-for-BufferSource④">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a> <a href="#ref-for-BufferSource⑤">(2)</a>
    <li><a href="#ref-for-BufferSource⑥">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a> <a href="#ref-for-BufferSource⑦">(2)</a>
    <li><a href="#ref-for-BufferSource⑧">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a> <a href="#ref-for-BufferSource⑨">(2)</a>
    <li><a href="#ref-for-BufferSource①⓪">10.5. Large blob storage extension (largeBlob)</a> <a href="#ref-for-BufferSource①①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-constrainterror">
   <a href="https://heycam.github.io/webidl/#constrainterror">https://heycam.github.io/webidl/#constrainterror</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-constrainterror">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-constrainterror①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-DOMException">
   <a href="https://heycam.github.io/webidl/#idl-DOMException">https://heycam.github.io/webidl/#idl-DOMException</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-DOMException">3. Dependencies</a>
    <li><a href="#ref-for-idl-DOMException①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-idl-DOMException②">(2)</a> <a href="#ref-for-idl-DOMException③">(3)</a> <a href="#ref-for-idl-DOMException④">(4)</a> <a href="#ref-for-idl-DOMException⑤">(5)</a> <a href="#ref-for-idl-DOMException⑥">(6)</a> <a href="#ref-for-idl-DOMException⑦">(7)</a> <a href="#ref-for-idl-DOMException⑧">(8)</a> <a href="#ref-for-idl-DOMException⑨">(9)</a> <a href="#ref-for-idl-DOMException①⓪">(10)</a>
    <li><a href="#ref-for-idl-DOMException①①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-idl-DOMException①②">(2)</a> <a href="#ref-for-idl-DOMException①③">(3)</a> <a href="#ref-for-idl-DOMException①④">(4)</a> <a href="#ref-for-idl-DOMException①⑤">(5)</a> <a href="#ref-for-idl-DOMException①⑥">(6)</a> <a href="#ref-for-idl-DOMException①⑦">(7)</a> <a href="#ref-for-idl-DOMException①⑧">(8)</a>
    <li><a href="#ref-for-idl-DOMException①⑨">5.1.5. Store an Existing Credential - PublicKeyCredential’s [[Store]](credential, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-idl-DOMException②⓪">5.1.7. Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable() Method</a>
    <li><a href="#ref-for-idl-DOMException②①">10.1. FIDO AppID Extension (appid)</a>
    <li><a href="#ref-for-idl-DOMException②②">10.2. FIDO AppID Exclusion Extension (appidExclude)</a>
    <li><a href="#ref-for-idl-DOMException②③">10.5. Large blob storage extension (largeBlob)</a> <a href="#ref-for-idl-DOMException②④">(2)</a> <a href="#ref-for-idl-DOMException②⑤">(3)</a> <a href="#ref-for-idl-DOMException②⑥">(4)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-DOMString">
   <a href="https://heycam.github.io/webidl/#idl-DOMString">https://heycam.github.io/webidl/#idl-DOMString</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-DOMString">2.1.1. Enumerations as DOMString types</a>
    <li><a href="#ref-for-idl-DOMString①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-idl-DOMString②">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a> <a href="#ref-for-idl-DOMString③">(2)</a>
    <li><a href="#ref-for-idl-DOMString④">5.3. Parameters for Credential Generation (dictionary PublicKeyCredentialParameters)</a> <a href="#ref-for-idl-DOMString⑤">(2)</a>
    <li><a href="#ref-for-idl-DOMString⑥">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a> <a href="#ref-for-idl-DOMString⑦">(2)</a>
    <li><a href="#ref-for-idl-DOMString⑧">5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a> <a href="#ref-for-idl-DOMString⑨">(2)</a>
    <li><a href="#ref-for-idl-DOMString①⓪">5.4.2. Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity)</a> <a href="#ref-for-idl-DOMString①①">(2)</a>
    <li><a href="#ref-for-idl-DOMString①②">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a> <a href="#ref-for-idl-DOMString①③">(2)</a>
    <li><a href="#ref-for-idl-DOMString①④">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a> <a href="#ref-for-idl-DOMString①⑤">(2)</a> <a href="#ref-for-idl-DOMString①⑥">(3)</a> <a href="#ref-for-idl-DOMString①⑦">(4)</a> <a href="#ref-for-idl-DOMString①⑧">(5)</a> <a href="#ref-for-idl-DOMString①⑨">(6)</a>
    <li><a href="#ref-for-idl-DOMString②⓪">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a> <a href="#ref-for-idl-DOMString②①">(2)</a>
    <li><a href="#ref-for-idl-DOMString②②">5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)</a> <a href="#ref-for-idl-DOMString②③">(2)</a> <a href="#ref-for-idl-DOMString②④">(3)</a> <a href="#ref-for-idl-DOMString②⑤">(4)</a> <a href="#ref-for-idl-DOMString②⑥">(5)</a> <a href="#ref-for-idl-DOMString②⑦">(6)</a> <a href="#ref-for-idl-DOMString②⑧">(7)</a> <a href="#ref-for-idl-DOMString②⑨">(8)</a> <a href="#ref-for-idl-DOMString③⓪">(9)</a> <a href="#ref-for-idl-DOMString③①">(10)</a>
    <li><a href="#ref-for-idl-DOMString③②">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a> <a href="#ref-for-idl-DOMString③③">(2)</a> <a href="#ref-for-idl-DOMString③④">(3)</a> <a href="#ref-for-idl-DOMString③⑤">(4)</a>
    <li><a href="#ref-for-idl-DOMString③⑥">10.5. Large blob storage extension (largeBlob)</a> <a href="#ref-for-idl-DOMString③⑦">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-Exposed">
   <a href="https://heycam.github.io/webidl/#Exposed">https://heycam.github.io/webidl/#Exposed</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-Exposed">5.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-Exposed①">5.2. Authenticator Responses (interface AuthenticatorResponse)</a>
    <li><a href="#ref-for-Exposed②">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-Exposed③">5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-invalidstateerror">
   <a href="https://heycam.github.io/webidl/#invalidstateerror">https://heycam.github.io/webidl/#invalidstateerror</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-invalidstateerror">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-invalidstateerror①">(2)</a> <a href="#ref-for-invalidstateerror②">(3)</a>
    <li><a href="#ref-for-invalidstateerror③">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-invalidstateerror④">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-invalidstateerror⑤">10.2. FIDO AppID Exclusion Extension (appidExclude)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-notallowederror">
   <a href="https://heycam.github.io/webidl/#notallowederror">https://heycam.github.io/webidl/#notallowederror</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-notallowederror">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-notallowederror①">(2)</a> <a href="#ref-for-notallowederror②">(3)</a> <a href="#ref-for-notallowederror③">(4)</a>
    <li><a href="#ref-for-notallowederror④">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-notallowederror⑤">(2)</a> <a href="#ref-for-notallowederror⑥">(3)</a> <a href="#ref-for-notallowederror⑦">(4)</a>
    <li><a href="#ref-for-notallowederror⑧">5.1.7. Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable() Method</a>
    <li><a href="#ref-for-notallowederror⑨">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-notallowederror①⓪">(2)</a>
    <li><a href="#ref-for-notallowederror①①">6.3.3. The authenticatorGetAssertion Operation</a> <a href="#ref-for-notallowederror①②">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-notsupportederror">
   <a href="https://heycam.github.io/webidl/#notsupportederror">https://heycam.github.io/webidl/#notsupportederror</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-notsupportederror">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-notsupportederror①">5.1.5. Store an Existing Credential - PublicKeyCredential’s [[Store]](credential, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-notsupportederror②">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-notsupportederror③">10.5. Large blob storage extension (largeBlob)</a> <a href="#ref-for-notsupportederror④">(2)</a> <a href="#ref-for-notsupportederror⑤">(3)</a> <a href="#ref-for-notsupportederror⑥">(4)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-promise">
   <a href="https://heycam.github.io/webidl/#idl-promise">https://heycam.github.io/webidl/#idl-promise</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-promise">3. Dependencies</a>
    <li><a href="#ref-for-idl-promise①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-idl-promise②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-idl-promise③">5.1.5. Store an Existing Credential - PublicKeyCredential’s [[Store]](credential, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-idl-promise④">5.1.7. Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable() Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-SameObject">
   <a href="https://heycam.github.io/webidl/#SameObject">https://heycam.github.io/webidl/#SameObject</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-SameObject">5.1. PublicKeyCredential Interface</a> <a href="#ref-for-SameObject①">(2)</a>
    <li><a href="#ref-for-SameObject②">5.2. Authenticator Responses (interface AuthenticatorResponse)</a>
    <li><a href="#ref-for-SameObject③">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-SameObject④">5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a> <a href="#ref-for-SameObject⑤">(2)</a> <a href="#ref-for-SameObject⑥">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-SecureContext">
   <a href="https://heycam.github.io/webidl/#SecureContext">https://heycam.github.io/webidl/#SecureContext</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-SecureContext">5.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-SecureContext①">5.2. Authenticator Responses (interface AuthenticatorResponse)</a>
    <li><a href="#ref-for-SecureContext②">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-SecureContext③">5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-securityerror">
   <a href="https://heycam.github.io/webidl/#securityerror">https://heycam.github.io/webidl/#securityerror</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-securityerror">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-securityerror①">(2)</a>
    <li><a href="#ref-for-securityerror②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-securityerror③">(2)</a>
    <li><a href="#ref-for-securityerror④">10.1. FIDO AppID Extension (appid)</a>
    <li><a href="#ref-for-securityerror⑤">10.2. FIDO AppID Exclusion Extension (appidExclude)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-exceptiondef-typeerror">
   <a href="https://heycam.github.io/webidl/#exceptiondef-typeerror">https://heycam.github.io/webidl/#exceptiondef-typeerror</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-exceptiondef-typeerror">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-USVString">
   <a href="https://heycam.github.io/webidl/#idl-USVString">https://heycam.github.io/webidl/#idl-USVString</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-USVString">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a> <a href="#ref-for-idl-USVString①">(2)</a>
    <li><a href="#ref-for-idl-USVString②">10.1. FIDO AppID Extension (appid)</a>
    <li><a href="#ref-for-idl-USVString③">10.2. FIDO AppID Exclusion Extension (appidExclude)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-unknownerror">
   <a href="https://heycam.github.io/webidl/#unknownerror">https://heycam.github.io/webidl/#unknownerror</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-unknownerror">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-unknownerror①">(2)</a>
    <li><a href="#ref-for-unknownerror②">6.3.3. The authenticatorGetAssertion Operation</a> <a href="#ref-for-unknownerror③">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-boolean">
   <a href="https://heycam.github.io/webidl/#idl-boolean">https://heycam.github.io/webidl/#idl-boolean</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-boolean">5.1.7. Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable() Method</a>
    <li><a href="#ref-for-idl-boolean①">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a> <a href="#ref-for-idl-boolean②">(2)</a>
    <li><a href="#ref-for-idl-boolean③">5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)</a> <a href="#ref-for-idl-boolean④">(2)</a>
    <li><a href="#ref-for-idl-boolean⑤">10.1. FIDO AppID Extension (appid)</a>
    <li><a href="#ref-for-idl-boolean⑥">10.2. FIDO AppID Exclusion Extension (appidExclude)</a>
    <li><a href="#ref-for-idl-boolean⑦">10.3. User Verification Method Extension (uvm)</a>
    <li><a href="#ref-for-idl-boolean⑧">10.4. Credential Properties Extension (credProps)</a> <a href="#ref-for-idl-boolean⑨">(2)</a> <a href="#ref-for-idl-boolean①⓪">(3)</a>
    <li><a href="#ref-for-idl-boolean①①">10.5. Large blob storage extension (largeBlob)</a> <a href="#ref-for-idl-boolean①②">(2)</a> <a href="#ref-for-idl-boolean①③">(3)</a> <a href="#ref-for-idl-boolean①④">(4)</a> <a href="#ref-for-idl-boolean①⑤">(5)</a> <a href="#ref-for-idl-boolean①⑥">(6)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-get-buffer-source-reference">
   <a href="https://heycam.github.io/webidl#dfn-get-buffer-source-reference">https://heycam.github.io/webidl#dfn-get-buffer-source-reference</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-get-buffer-source-reference">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-dfn-get-buffer-source-reference①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-interface-object">
   <a href="https://heycam.github.io/webidl/#dfn-interface-object">https://heycam.github.io/webidl/#dfn-interface-object</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-interface-object">5.1. PublicKeyCredential Interface</a> <a href="#ref-for-dfn-interface-object①">(2)</a> <a href="#ref-for-dfn-interface-object②">(3)</a>
    <li><a href="#ref-for-dfn-interface-object③">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-long">
   <a href="https://heycam.github.io/webidl/#idl-long">https://heycam.github.io/webidl/#idl-long</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-long">5.8.5. Cryptographic Algorithm Identifier (typedef COSEAlgorithmIdentifier)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-sequence">
   <a href="https://heycam.github.io/webidl/#idl-sequence">https://heycam.github.io/webidl/#idl-sequence</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-sequence">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-idl-sequence①">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a> <a href="#ref-for-idl-sequence②">(2)</a>
    <li><a href="#ref-for-idl-sequence③">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
    <li><a href="#ref-for-idl-sequence④">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
    <li><a href="#ref-for-idl-sequence⑤">10.3. User Verification Method Extension (uvm)</a> <a href="#ref-for-idl-sequence⑥">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-unsigned-long">
   <a href="https://heycam.github.io/webidl/#idl-unsigned-long">https://heycam.github.io/webidl/#idl-unsigned-long</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-unsigned-long">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a> <a href="#ref-for-idl-unsigned-long①">(2)</a>
    <li><a href="#ref-for-idl-unsigned-long②">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a> <a href="#ref-for-idl-unsigned-long③">(2)</a>
    <li><a href="#ref-for-idl-unsigned-long④">10.3. User Verification Method Extension (uvm)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-focus">
   <a href="https://html.spec.whatwg.org/#focus">https://html.spec.whatwg.org/#focus</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-focus">5.6. Abort Operations with AbortSignal</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-host-same-site">
   <a href="https://url.spec.whatwg.org/#host-same-site">https://url.spec.whatwg.org/#host-same-site</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-host-same-site">3. Dependencies</a>
    <li><a href="#ref-for-host-same-site①">10.1. FIDO AppID Extension (appid)</a>
    <li><a href="#ref-for-host-same-site②">10.2. FIDO AppID Exclusion Extension (appidExclude)</a>
   </ul>
  </aside>
  <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span class="content">Terms defined by reference</span><a class="self-link" href="#index-defined-elsewhere"></a></h3>
  <ul class="index">
   <li>
    <a data-link-type="biblio">[BCP47]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-section-2.1">language tag</span>
    </ul>
   <li>
    <a data-link-type="biblio">[CREDENTIAL-MANAGEMENT-1]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-credential">Credential</span>
     <li><span class="dfn-paneled" id="term-for-dictdef-credentialcreationoptions">CredentialCreationOptions</span>
     <li><span class="dfn-paneled" id="term-for-dictdef-credentialrequestoptions">CredentialRequestOptions</span>
     <li><span class="dfn-paneled" id="term-for-credentialscontainer">CredentialsContainer</span>
     <li><span class="dfn-paneled" id="term-for-abstract-opdef-request-a-credential">Request a Credential</span>
     <li><span class="dfn-paneled" id="term-for-collectfromcredentialstore-origin-options-sameoriginwithancestors">[[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors)</span>
     <li><span class="dfn-paneled" id="term-for-create-origin-options-sameoriginwithancestors">[[Create]](origin, options, sameOriginWithAncestors)</span>
     <li><span class="dfn-paneled" id="term-for-store-credential-sameoriginwithancestors">[[Store]](credential, sameOriginWithAncestors)</span>
     <li><span class="dfn-paneled" id="term-for-dom-credential-discovery-slot">[[discovery]]</span>
     <li><span class="dfn-paneled" id="term-for-dom-credential-type-slot">[[type]]</span>
     <li><span class="dfn-paneled" id="term-for-dom-credentialscontainer-create">create()</span>
     <li><span class="dfn-paneled" id="term-for-concept-credential">credential</span>
     <li><span class="dfn-paneled" id="term-for-credential-source">credential source</span>
     <li><span class="dfn-paneled" id="term-for-dom-credentialscontainer-get">get()</span>
     <li><span class="dfn-paneled" id="term-for-dom-credential-id">id</span>
     <li><span class="dfn-paneled" id="term-for-dom-credential-discovery-remote">remote</span>
     <li><span class="dfn-paneled" id="term-for-same-origin-with-its-ancestors">same-origin with its ancestors</span>
     <li><span class="dfn-paneled" id="term-for-dom-credentialrequestoptions-signal">signal <small>(for CredentialRequestOptions)</small></span>
     <li><span class="dfn-paneled" id="term-for-dom-credentialscontainer-store">store()</span>
     <li><span class="dfn-paneled" id="term-for-dom-credential-type">type</span>
     <li><span class="dfn-paneled" id="term-for-user-mediated">user mediation</span>
    </ul>
   <li>
    <a data-link-type="biblio">[DOM4]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-abortcontroller">AbortController</span>
     <li><span class="dfn-paneled" id="term-for-document">Document</span>
     <li><span class="dfn-paneled" id="term-for-abortsignal-aborted-flag">aborted flag</span>
     <li><span class="dfn-paneled" id="term-for-concept-document">document</span>
    </ul>
   <li>
    <a data-link-type="biblio">[ECMAScript]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-sec-arraybuffer-constructor">%arraybuffer%</span>
     <li><span class="dfn-paneled" id="term-for-sec-object-internal-methods-and-internal-slots">internal method</span>
     <li><span class="dfn-paneled" id="term-for-sec-object-internal-methods-and-internal-slots①">internal slot</span>
     <li><span class="dfn-paneled" id="term-for-sec-own-property">own property</span>
    </ul>
   <li>
    <a data-link-type="biblio">[ENCODING]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-utf-8-decode">utf-8 decode</span>
     <li><span class="dfn-paneled" id="term-for-utf-8-encode">utf-8 encode</span>
    </ul>
   <li>
    <a data-link-type="biblio">[FETCH]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-concept-request-window">window</span>
    </ul>
   <li>
    <a data-link-type="biblio">[FIDO-APPID]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-determining-if-a-caller-s-facetid-is-authorized-for-an-appid">determining if a caller's facetid is authorized for an appid</span>
     <li><span class="dfn-paneled" id="term-for-determining-the-facetid-of-a-calling-application">determining the facetid of a calling application</span>
    </ul>
   <li>
    <a data-link-type="biblio">[FIDO-CTAP]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-ctap2-canonical-cbor-encoding-form">ctap2 canonical cbor encoding form</span>
     <li><span class="dfn-paneled" id="term-for-large-blob">large, per-credential blobs</span>
     <li><span class="dfn-paneled" id="term-for-responses">§6.2. responses</span>
    </ul>
   <li>
    <a data-link-type="biblio">[FIDO-Registry]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-user-verification-methods">section 3.1 user verification methods</span>
     <li><span class="dfn-paneled" id="term-for-key-protection-types">section 3.2 key protection types</span>
     <li><span class="dfn-paneled" id="term-for-matcher-protection-types">section 3.3 matcher protection types</span>
     <li><span class="dfn-paneled" id="term-for-public-key-representation-formats">section 3.6.2 public key representation formats</span>
    </ul>
   <li>
    <a data-link-type="biblio">[FIDO-U2F-Message-Formats]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-authentication-request-message---u2f_authenticate">application parameter</span>
     <li><span class="dfn-paneled" id="term-for-registration-response-message-success">section 4.3</span>
     <li><span class="dfn-paneled" id="term-for-authentication-response-message-success">section 5.4</span>
    </ul>
   <li>
    <a data-link-type="biblio">[FileAPI]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-blob-url-entry-object">object</span>
    </ul>
   <li>
    <a data-link-type="biblio">[HTML]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-attr-iframe-allow">allow</span>
     <li><span class="dfn-paneled" id="term-for-allowed-to-use">allowed to use</span>
     <li><span class="dfn-paneled" id="term-for-ascii-serialisation-of-an-origin">ascii serialization of an origin</span>
     <li><span class="dfn-paneled" id="term-for-browsing-context">browsing context</span>
     <li><span class="dfn-paneled" id="term-for-current-settings-object">current settings object</span>
     <li><span class="dfn-paneled" id="term-for-dom-document-domain">document.domain</span>
     <li><span class="dfn-paneled" id="term-for-concept-origin-effective-domain">effective domain</span>
     <li><span class="dfn-paneled" id="term-for-environment-settings-object">environment settings object</span>
     <li><span class="dfn-paneled" id="term-for-concept-settings-object-global">global object</span>
     <li><span class="dfn-paneled" id="term-for-the-iframe-element">iframe</span>
     <li><span class="dfn-paneled" id="term-for-in-parallel">in parallel</span>
     <li><span class="dfn-paneled" id="term-for-is-a-registrable-domain-suffix-of-or-is-equal-to">is a registrable domain suffix of or is equal to</span>
     <li><span class="dfn-paneled" id="term-for-is-a-registrable-domain-suffix-of-or-is-equal-to①">is not a registrable domain suffix of and is not equal to</span>
     <li><span class="dfn-paneled" id="term-for-concept-origin-opaque">opaque origin</span>
     <li><span class="dfn-paneled" id="term-for-concept-settings-object-origin">origin <small>(for environment settings object)</small></span>
     <li><span class="dfn-paneled" id="term-for-concept-document-permissions-policy">permissions policy</span>
     <li><span class="dfn-paneled" id="term-for-relevant-settings-object">relevant settings object</span>
     <li><span class="dfn-paneled" id="term-for-concept-origin-tuple">tuple origin</span>
    </ul>
   <li>
    <a data-link-type="biblio">[INFRA]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-set-append">append <small>(for set)</small></span>
     <li><span class="dfn-paneled" id="term-for-boolean">boolean</span>
     <li><span class="dfn-paneled" id="term-for-byte-sequence">byte sequence</span>
     <li><span class="dfn-paneled" id="term-for-iteration-continue">continue</span>
     <li><span class="dfn-paneled" id="term-for-list-empty">empty</span>
     <li><span class="dfn-paneled" id="term-for-map-exists">exist</span>
     <li><span class="dfn-paneled" id="term-for-map-iterate">for each <small>(for map)</small></span>
     <li><span class="dfn-paneled" id="term-for-list-is-empty">is empty</span>
     <li><span class="dfn-paneled" id="term-for-list-is-empty①">is not empty</span>
     <li><span class="dfn-paneled" id="term-for-struct-item">item <small>(for struct)</small></span>
     <li><span class="dfn-paneled" id="term-for-list">list</span>
     <li><span class="dfn-paneled" id="term-for-ordered-map">map</span>
     <li><span class="dfn-paneled" id="term-for-ordered-set">ordered set</span>
     <li><span class="dfn-paneled" id="term-for-list-remove">remove</span>
     <li><span class="dfn-paneled" id="term-for-serialize-a-javascript-value-to-json-bytes">serialize json to bytes</span>
     <li><span class="dfn-paneled" id="term-for-map-set">set <small>(for map)</small></span>
     <li><span class="dfn-paneled" id="term-for-list-size">size</span>
     <li><span class="dfn-paneled" id="term-for-struct">struct</span>
     <li><span class="dfn-paneled" id="term-for-iteration-while">while</span>
     <li><span class="dfn-paneled" id="term-for-willful-violation">willful violation</span>
    </ul>
   <li>
    <a data-link-type="biblio">[page-visibility]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-visibility-states">visibility states</span>
    </ul>
   <li>
    <a data-link-type="biblio">[Permissions-Policy]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-default-allowlist">default allowlist</span>
     <li><span class="dfn-paneled" id="term-for-policy-controlled-feature">policy-controlled feature</span>
    </ul>
   <li>
    <a data-link-type="biblio">[RFC4949]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-page-186">man-in-the-middle attack</span>
     <li><span class="dfn-paneled" id="term-for-page-258">salt</span>
     <li><span class="dfn-paneled" id="term-for-page-258①">salted</span>
    </ul>
   <li>
    <a data-link-type="biblio">[RFC5280]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-section-4.1.2.7">subjectpublickeyinfo</span>
    </ul>
   <li>
    <a data-link-type="biblio">[RFC8152]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-section-7">cose key</span>
     <li><span class="dfn-paneled" id="term-for-section-13.1.1">crv</span>
     <li><span class="dfn-paneled" id="term-for-section-7.1">kty</span>
     <li><span class="dfn-paneled" id="term-for-section-13.1">section 13.1</span>
     <li><span class="dfn-paneled" id="term-for-section-7①">section 7</span>
     <li><span class="dfn-paneled" id="term-for-section-8.1">section 8.1</span>
    </ul>
   <li>
    <a data-link-type="biblio">[RFC8230]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-section-2">section 2</span>
     <li><span class="dfn-paneled" id="term-for-section-4">section 4</span>
    </ul>
   <li>
    <a data-link-type="biblio">[RFC8610]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-section-3.9">group sockets</span>
    </ul>
   <li>
    <a data-link-type="biblio">[secure-contexts]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-secure-contexts">secure contexts</span>
    </ul>
   <li>
    <a data-link-type="biblio">[SP800-800-63r3]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-af">authentication factor</span>
     <li><span class="dfn-paneled" id="term-for-af①">multi-factor</span>
     <li><span class="dfn-paneled" id="term-for-af②">second-factor</span>
     <li><span class="dfn-paneled" id="term-for-sf">single-factor</span>
     <li><span class="dfn-paneled" id="term-for-af③">something you are</span>
     <li><span class="dfn-paneled" id="term-for-af④">something you have</span>
     <li><span class="dfn-paneled" id="term-for-af⑤">something you know</span>
    </ul>
   <li>
    <a data-link-type="biblio">[TokenBinding]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-section-1">token binding</span>
     <li><span class="dfn-paneled" id="term-for-section-3.2">token binding id</span>
    </ul>
   <li>
    <a data-link-type="biblio">[URL]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-concept-domain">domain</span>
     <li><span class="dfn-paneled" id="term-for-empty-host">empty host</span>
     <li><span class="dfn-paneled" id="term-for-concept-url-host">host</span>
     <li><span class="dfn-paneled" id="term-for-concept-ipv4">ipv4 address</span>
     <li><span class="dfn-paneled" id="term-for-concept-ipv6">ipv6 address</span>
     <li><span class="dfn-paneled" id="term-for-opaque-host">opaque host</span>
     <li><span class="dfn-paneled" id="term-for-concept-url-port">port</span>
     <li><span class="dfn-paneled" id="term-for-concept-url-scheme">scheme</span>
     <li><span class="dfn-paneled" id="term-for-valid-domain">valid domain</span>
     <li><span class="dfn-paneled" id="term-for-valid-domain-string">valid domain string</span>
    </ul>
   <li>
    <a data-link-type="biblio">[UTR29]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-Grapheme_Cluster_Boundaries">grapheme cluster</span>
    </ul>
   <li>
    <a data-link-type="biblio">[WebDriver]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-dfn-endpoint-node">endpoint node</span>
     <li><span class="dfn-paneled" id="term-for-dfn-extension-capability">extension capability</span>
     <li><span class="dfn-paneled" id="term-for-dfn-extension-command">extension command</span>
     <li><span class="dfn-paneled" id="term-for-dfn-getting-properties">getting a property</span>
     <li><span class="dfn-paneled" id="term-for-dfn-invalid-argument">invalid argument</span>
     <li><span class="dfn-paneled" id="term-for-dfn-matching-capabilities">matching capabilities</span>
     <li><span class="dfn-paneled" id="term-for-dfn-remote-end-steps">remote end steps</span>
     <li><span class="dfn-paneled" id="term-for-dfn-set-a-property">set a property</span>
     <li><span class="dfn-paneled" id="term-for-dfn-success">success</span>
     <li><span class="dfn-paneled" id="term-for-dfn-unsupported-operation">unsupported operation</span>
     <li><span class="dfn-paneled" id="term-for-dfn-validate-capabilities">validating capabilities</span>
     <li><span class="dfn-paneled" id="term-for-dfn-error">webdriver error</span>
     <li><span class="dfn-paneled" id="term-for-dfn-error-code">webdriver error code</span>
    </ul>
   <li>
    <a data-link-type="biblio">[WebIDL]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-aborterror">AbortError</span>
     <li><span class="dfn-paneled" id="term-for-idl-ArrayBuffer">ArrayBuffer</span>
     <li><span class="dfn-paneled" id="term-for-BufferSource">BufferSource</span>
     <li><span class="dfn-paneled" id="term-for-constrainterror">ConstraintError</span>
     <li><span class="dfn-paneled" id="term-for-idl-DOMException">DOMException</span>
     <li><span class="dfn-paneled" id="term-for-idl-DOMString">DOMString</span>
     <li><span class="dfn-paneled" id="term-for-Exposed">Exposed</span>
     <li><span class="dfn-paneled" id="term-for-invalidstateerror">InvalidStateError</span>
     <li><span class="dfn-paneled" id="term-for-notallowederror">NotAllowedError</span>
     <li><span class="dfn-paneled" id="term-for-notsupportederror">NotSupportedError</span>
     <li><span class="dfn-paneled" id="term-for-idl-promise">Promise</span>
     <li><span class="dfn-paneled" id="term-for-SameObject">SameObject</span>
     <li><span class="dfn-paneled" id="term-for-SecureContext">SecureContext</span>
     <li><span class="dfn-paneled" id="term-for-securityerror">SecurityError</span>
     <li><span class="dfn-paneled" id="term-for-exceptiondef-typeerror">TypeError</span>
     <li><span class="dfn-paneled" id="term-for-idl-USVString">USVString</span>
     <li><span class="dfn-paneled" id="term-for-unknownerror">UnknownError</span>
     <li><span class="dfn-paneled" id="term-for-idl-boolean">boolean</span>
     <li><span class="dfn-paneled" id="term-for-dfn-get-buffer-source-reference">get a copy of the bytes held by the buffer source</span>
     <li><span class="dfn-paneled" id="term-for-dfn-interface-object">interface object</span>
     <li><span class="dfn-paneled" id="term-for-idl-long">long</span>
     <li><span class="dfn-paneled" id="term-for-idl-sequence">sequence</span>
     <li><span class="dfn-paneled" id="term-for-idl-unsigned-long">unsigned long</span>
    </ul>
   <li>
    <a data-link-type="biblio">[whatwg html]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-focus">focus</span>
    </ul>
   <li>
    <a data-link-type="biblio">[whatwg url]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-host-same-site">same site</span>
    </ul>
  </ul>
  <h2 class="no-num no-ref heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
  <h3 class="no-num no-ref heading settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3>
  <dl>
   <dt id="biblio-bcp47">[BCP47]
   <dd>A. Phillips; M. Davis. <a href="https://tools.ietf.org/html/bcp47">Tags for Identifying Languages</a>. September 2009. IETF Best Current Practice. URL: <a href="https://tools.ietf.org/html/bcp47">https://tools.ietf.org/html/bcp47</a>
   <dt id="biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]
   <dd>Mike West. <a href="https://www.w3.org/TR/credential-management-1/">Credential Management Level 1</a>. 17 January 2019. WD. URL: <a href="https://www.w3.org/TR/credential-management-1/">https://www.w3.org/TR/credential-management-1/</a>
   <dt id="biblio-dom4">[DOM4]
   <dd>Anne van Kesteren. <a href="https://dom.spec.whatwg.org/">DOM Standard</a>. Living Standard. URL: <a href="https://dom.spec.whatwg.org/">https://dom.spec.whatwg.org/</a>
   <dt id="biblio-ecmascript">[ECMAScript]
   <dd><a href="https://tc39.es/ecma262/">ECMAScript Language Specification</a>. URL: <a href="https://tc39.es/ecma262/">https://tc39.es/ecma262/</a>
   <dt id="biblio-encoding">[ENCODING]
   <dd>Anne van Kesteren. <a href="https://encoding.spec.whatwg.org/">Encoding Standard</a>. Living Standard. URL: <a href="https://encoding.spec.whatwg.org/">https://encoding.spec.whatwg.org/</a>
   <dt id="biblio-fetch">[FETCH]
   <dd>Anne van Kesteren. <a href="https://fetch.spec.whatwg.org/">Fetch Standard</a>. Living Standard. URL: <a href="https://fetch.spec.whatwg.org/">https://fetch.spec.whatwg.org/</a>
   <dt id="biblio-fido-appid">[FIDO-APPID]
   <dd>D. Balfanz; et al. <a href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html">FIDO AppID and Facet Specification</a>. 27 February 2018. FIDO Alliance Implementation Draft. URL: <a href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html">https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html</a>
   <dt id="biblio-fido-ctap">[FIDO-CTAP]
   <dd>M. Antoine; et al. <a href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html">Client to Authenticator Protocol</a>. 27 February 2018. FIDO Alliance Implementation Draft. URL: <a href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html">https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html</a>
   <dt id="biblio-fido-privacy-principles">[FIDO-Privacy-Principles]
   <dd>FIDO Alliance. <a href="https://fidoalliance.org/wp-content/uploads/2014/12/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf">FIDO Privacy Principles</a>. FIDO Alliance Whitepaper. URL: <a href="https://fidoalliance.org/wp-content/uploads/2014/12/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf">https://fidoalliance.org/wp-content/uploads/2014/12/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf</a>
   <dt id="biblio-fido-registry">[FIDO-Registry]
   <dd>R. Lindemann; D. Baghdasaryan; B. Hill. <a href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html">FIDO Registry of Predefined Values</a>. 27 February 2018. FIDO Alliance Implementation Draft. URL: <a href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html">https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html</a>
   <dt id="biblio-fido-u2f-message-formats">[FIDO-U2F-Message-Formats]
   <dd>D. Balfanz; J. Ehrensvard; J. Lang. <a href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html">FIDO U2F Raw Message Formats</a>. FIDO Alliance Implementation Draft. URL: <a href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html">https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html</a>
   <dt id="biblio-fileapi">[FileAPI]
   <dd>Marijn Kruisselbrink; Arun Ranganathan. <a href="https://www.w3.org/TR/FileAPI/">File API</a>. 11 September 2019. WD. URL: <a href="https://www.w3.org/TR/FileAPI/">https://www.w3.org/TR/FileAPI/</a>
   <dt id="biblio-html">[HTML]
   <dd>Anne van Kesteren; et al. <a href="https://html.spec.whatwg.org/multipage/">HTML Standard</a>. Living Standard. URL: <a href="https://html.spec.whatwg.org/multipage/">https://html.spec.whatwg.org/multipage/</a>
   <dt id="biblio-iana-cose-algs-reg">[IANA-COSE-ALGS-REG]
   <dd><a href="https://www.iana.org/assignments/cose/cose.xhtml#algorithms">IANA CBOR Object Signing and Encryption (COSE) Algorithms Registry</a>. URL: <a href="https://www.iana.org/assignments/cose/cose.xhtml#algorithms">https://www.iana.org/assignments/cose/cose.xhtml#algorithms</a>
   <dt id="biblio-iana-webauthn-registries">[IANA-WebAuthn-Registries]
   <dd>IANA. <a href="https://www.iana.org/assignments/webauthn/">Web Authentication (WebAuthn) registries</a>. URL: <a href="https://www.iana.org/assignments/webauthn/">https://www.iana.org/assignments/webauthn/</a>
   <dt id="biblio-infra">[INFRA]
   <dd>Anne van Kesteren; Domenic Denicola. <a href="https://infra.spec.whatwg.org/">Infra Standard</a>. Living Standard. URL: <a href="https://infra.spec.whatwg.org/">https://infra.spec.whatwg.org/</a>
   <dt id="biblio-page-visibility">[PAGE-VISIBILITY]
   <dd>Jatinder Mann; Arvind Jain. <a href="https://www.w3.org/TR/page-visibility/">Page Visibility (Second Edition)</a>. 29 October 2013. REC. URL: <a href="https://www.w3.org/TR/page-visibility/">https://www.w3.org/TR/page-visibility/</a>
   <dt id="biblio-permissions-policy">[Permissions-Policy]
   <dd>Ian Clelland. <a href="https://www.w3.org/TR/permissions-policy-1/">Permissions Policy</a>. 16 July 2020. WD. URL: <a href="https://www.w3.org/TR/permissions-policy-1/">https://www.w3.org/TR/permissions-policy-1/</a>
   <dt id="biblio-rfc2119">[RFC2119]
   <dd>S. Bradner. <a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a>
   <dt id="biblio-rfc3986">[RFC3986]
   <dd>T. Berners-Lee; R. Fielding; L. Masinter. <a href="https://tools.ietf.org/html/rfc3986">Uniform Resource Identifier (URI): Generic Syntax</a>. January 2005. Internet Standard. URL: <a href="https://tools.ietf.org/html/rfc3986">https://tools.ietf.org/html/rfc3986</a>
   <dt id="biblio-rfc4648">[RFC4648]
   <dd>S. Josefsson. <a href="https://tools.ietf.org/html/rfc4648">The Base16, Base32, and Base64 Data Encodings</a>. October 2006. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc4648">https://tools.ietf.org/html/rfc4648</a>
   <dt id="biblio-rfc4949">[RFC4949]
   <dd>R. Shirey. <a href="https://tools.ietf.org/html/rfc4949">Internet Security Glossary, Version 2</a>. August 2007. Informational. URL: <a href="https://tools.ietf.org/html/rfc4949">https://tools.ietf.org/html/rfc4949</a>
   <dt id="biblio-rfc5234">[RFC5234]
   <dd>D. Crocker, Ed.; P. Overell. <a href="https://tools.ietf.org/html/rfc5234">Augmented BNF for Syntax Specifications: ABNF</a>. January 2008. Internet Standard. URL: <a href="https://tools.ietf.org/html/rfc5234">https://tools.ietf.org/html/rfc5234</a>
   <dt id="biblio-rfc5280">[RFC5280]
   <dd>D. Cooper; et al. <a href="https://tools.ietf.org/html/rfc5280">Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</a>. May 2008. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc5280">https://tools.ietf.org/html/rfc5280</a>
   <dt id="biblio-rfc5890">[RFC5890]
   <dd>J. Klensin. <a href="https://tools.ietf.org/html/rfc5890">Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework</a>. August 2010. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc5890">https://tools.ietf.org/html/rfc5890</a>
   <dt id="biblio-rfc6454">[RFC6454]
   <dd>A. Barth. <a href="https://tools.ietf.org/html/rfc6454">The Web Origin Concept</a>. December 2011. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc6454">https://tools.ietf.org/html/rfc6454</a>
   <dt id="biblio-rfc7515">[RFC7515]
   <dd>M. Jones; J. Bradley; N. Sakimura. <a href="https://tools.ietf.org/html/rfc7515">JSON Web Signature (JWS)</a>. May 2015. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7515">https://tools.ietf.org/html/rfc7515</a>
   <dt id="biblio-rfc8152">[RFC8152]
   <dd>J. Schaad. <a href="https://tools.ietf.org/html/rfc8152">CBOR Object Signing and Encryption (COSE)</a>. July 2017. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc8152">https://tools.ietf.org/html/rfc8152</a>
   <dt id="biblio-rfc8230">[RFC8230]
   <dd>M. Jones. <a href="https://tools.ietf.org/html/rfc8230">Using RSA Algorithms with CBOR Object Signing and Encryption (COSE) Messages</a>. September 2017. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc8230">https://tools.ietf.org/html/rfc8230</a>
   <dt id="biblio-rfc8264">[RFC8264]
   <dd>P. Saint-Andre; M. Blanchet. <a href="https://tools.ietf.org/html/rfc8264">PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols</a>. October 2017. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc8264">https://tools.ietf.org/html/rfc8264</a>
   <dt id="biblio-rfc8265">[RFC8265]
   <dd>P. Saint-Andre; A. Melnikov. <a href="https://tools.ietf.org/html/rfc8265">Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords</a>. October 2017. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc8265">https://tools.ietf.org/html/rfc8265</a>
   <dt id="biblio-rfc8266">[RFC8266]
   <dd>P. Saint-Andre. <a href="https://tools.ietf.org/html/rfc8266">Preparation, Enforcement, and Comparison of Internationalized Strings Representing Nicknames</a>. October 2017. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc8266">https://tools.ietf.org/html/rfc8266</a>
   <dt id="biblio-rfc8610">[RFC8610]
   <dd>H. Birkholz; C. Vigano; C. Bormann. <a href="https://tools.ietf.org/html/rfc8610">Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</a>. June 2019. IETF Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc8610">https://tools.ietf.org/html/rfc8610</a>
   <dt id="biblio-rfc8809">[RFC8809]
   <dd>Jeff Hodges; Giridhar Mandyam; Michael B. Jones. <a href="https://www.rfc-editor.org/rfc/rfc8809">Registries for Web Authentication (WebAuthn)</a>. August 2020. IETF Proposed Standard. URL: <a href="https://www.rfc-editor.org/rfc/rfc8809">https://www.rfc-editor.org/rfc/rfc8809</a>
   <dt id="biblio-rfc8949">[RFC8949]
   <dd>C. Bormann; P. Hoffman. <a href="https://tools.ietf.org/html/rfc8949">Concise Binary Object Representation (CBOR)</a>. December 2020. Internet Standard. URL: <a href="https://tools.ietf.org/html/rfc8949">https://tools.ietf.org/html/rfc8949</a>
   <dt id="biblio-sec1">[SEC1]
   <dd><a href="http://www.secg.org/sec1-v2.pdf">SEC1: Elliptic Curve Cryptography, Version 2.0</a>. URL: <a href="http://www.secg.org/sec1-v2.pdf">http://www.secg.org/sec1-v2.pdf</a>
   <dt id="biblio-secure-contexts">[SECURE-CONTEXTS]
   <dd>Mike West. <a href="https://www.w3.org/TR/secure-contexts/">Secure Contexts</a>. 15 September 2016. CR. URL: <a href="https://www.w3.org/TR/secure-contexts/">https://www.w3.org/TR/secure-contexts/</a>
   <dt id="biblio-sp800-800-63r3">[SP800-800-63r3]
   <dd>Paul A. Grassi; Michael E. Garcia; James L. Fenton. <a href="https://pages.nist.gov/800-63-3/sp800-63-3.html">NIST Special Publication 800-63: Digital Identity Guidelines</a>. June 2017. URL: <a href="https://pages.nist.gov/800-63-3/sp800-63-3.html">https://pages.nist.gov/800-63-3/sp800-63-3.html</a>
   <dt id="biblio-tcg-cmcprofile-aikcertenroll">[TCG-CMCProfile-AIKCertEnroll]
   <dd>Scott Kelly; et al. <a href="https://trustedcomputinggroup.org/wp-content/uploads/IWG_CMC_Profile_Cert_Enrollment_v1_r7.pdf">TCG Infrastructure Working Group: A CMC Profile for AIK Certificate Enrollment</a>. 24 March 2011. Published. URL: <a href="https://trustedcomputinggroup.org/wp-content/uploads/IWG_CMC_Profile_Cert_Enrollment_v1_r7.pdf">https://trustedcomputinggroup.org/wp-content/uploads/IWG_CMC_Profile_Cert_Enrollment_v1_r7.pdf</a>
   <dt id="biblio-tokenbinding">[TokenBinding]
   <dd>A. Popov; et al. <a href="https://tools.ietf.org/html/rfc8471">The Token Binding Protocol Version 1.0</a>. October 2018. IETF Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc8471">https://tools.ietf.org/html/rfc8471</a>
   <dt id="biblio-tpmv2-ek-profile">[TPMv2-EK-Profile]
   <dd><a href="https://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf">TCG EK Credential Profile for TPM Family 2.0</a>. URL: <a href="https://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf">https://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf</a>
   <dt id="biblio-tpmv2-part1">[TPMv2-Part1]
   <dd><a href="https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf">Trusted Platform Module Library, Part 1: Architecture</a>. URL: <a href="https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf">https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf</a>
   <dt id="biblio-tpmv2-part2">[TPMv2-Part2]
   <dd><a href="https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf">Trusted Platform Module Library, Part 2: Structures</a>. URL: <a href="https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf">https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf</a>
   <dt id="biblio-tpmv2-part3">[TPMv2-Part3]
   <dd><a href="https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf">Trusted Platform Module Library, Part 3: Commands</a>. URL: <a href="https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf">https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf</a>
   <dt id="biblio-url">[URL]
   <dd>Anne van Kesteren. <a href="https://url.spec.whatwg.org/">URL Standard</a>. Living Standard. URL: <a href="https://url.spec.whatwg.org/">https://url.spec.whatwg.org/</a>
   <dt id="biblio-utr29">[UTR29]
   <dd><a href="http://www.unicode.org/reports/tr29/">UNICODE Text Segmentation</a>. URL: <a href="http://www.unicode.org/reports/tr29/">http://www.unicode.org/reports/tr29/</a>
   <dt id="biblio-wcag21">[WCAG21]
   <dd>Andrew Kirkpatrick; et al. <a href="https://www.w3.org/TR/WCAG21/">Web Content Accessibility Guidelines (WCAG) 2.1</a>. 5 June 2018. REC. URL: <a href="https://www.w3.org/TR/WCAG21/">https://www.w3.org/TR/WCAG21/</a>
   <dt id="biblio-webdriver">[WebDriver]
   <dd>Simon Stewart; David Burns. <a href="https://www.w3.org/TR/webdriver1/">WebDriver</a>. 5 June 2018. REC. URL: <a href="https://www.w3.org/TR/webdriver1/">https://www.w3.org/TR/webdriver1/</a>
   <dt id="biblio-webidl">[WebIDL]
   <dd>Boris Zbarsky. <a href="https://heycam.github.io/webidl/">Web IDL</a>. 15 December 2016. ED. URL: <a href="https://heycam.github.io/webidl/">https://heycam.github.io/webidl/</a>
  </dl>
  <h3 class="no-num no-ref heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
  <dl>
   <dt id="biblio-ceremony">[Ceremony]
   <dd>Carl Ellison. <a href="https://eprint.iacr.org/2007/399.pdf">Ceremony Design and Analysis</a>. 2007. URL: <a href="https://eprint.iacr.org/2007/399.pdf">https://eprint.iacr.org/2007/399.pdf</a>
   <dt id="biblio-css-overflow-3">[CSS-OVERFLOW-3]
   <dd>David Baron; Elika Etemad; Florian Rivoal. <a href="https://www.w3.org/TR/css-overflow-3/">CSS Overflow Module Level 3</a>. 3 June 2020. WD. URL: <a href="https://www.w3.org/TR/css-overflow-3/">https://www.w3.org/TR/css-overflow-3/</a>
   <dt id="biblio-edupersonobjectclassspec">[EduPersonObjectClassSpec]
   <dd><a href="https://refeds.org/eduperson">EduPerson</a>. ongoing. URL: <a href="https://refeds.org/eduperson">https://refeds.org/eduperson</a>
   <dt id="biblio-fido-transports-ext">[FIDO-Transports-Ext]
   <dd>FIDO Alliance. <a href="https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-authenticator-transports-extension-v1.2-ps-20170411.html">FIDO U2F Authenticator Transports Extension</a>. FIDO Alliance Proposed Standard. URL: <a href="https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-authenticator-transports-extension-v1.2-ps-20170411.html">https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-authenticator-transports-extension-v1.2-ps-20170411.html</a>
   <dt id="biblio-fido-uaf-authnr-cmds">[FIDO-UAF-AUTHNR-CMDS]
   <dd>R. Lindemann; J. Kemp. <a href="https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-uaf-authnr-cmds-v1.1-id-20170202.html">FIDO UAF Authenticator Commands</a>. FIDO Alliance Implementation Draft. URL: <a href="https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-uaf-authnr-cmds-v1.1-id-20170202.html">https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-uaf-authnr-cmds-v1.1-id-20170202.html</a>
   <dt id="biblio-fidoauthnrsecreqs">[FIDOAuthnrSecReqs]
   <dd>D. Biggs; et al. <a href="https://fidoalliance.org/specs/fido-security-requirements-v1.0-fd-20170524/">FIDO Authenticator Security Requirements</a>. FIDO Alliance Final Documents. URL: <a href="https://fidoalliance.org/specs/fido-security-requirements-v1.0-fd-20170524/">https://fidoalliance.org/specs/fido-security-requirements-v1.0-fd-20170524/</a>
   <dt id="biblio-fidometadataservice">[FIDOMetadataService]
   <dd>R. Lindemann; B. Hill; D. Baghdasaryan. <a href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-metadata-service-v2.0-id-20180227.html">FIDO Metadata Service</a>. 27 February 2018. FIDO Alliance Implementation Draft. URL: <a href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-metadata-service-v2.0-id-20180227.html">https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-metadata-service-v2.0-id-20180227.html</a>
   <dt id="biblio-fidosecref">[FIDOSecRef]
   <dd>R. Lindemann; et al. <a href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-security-ref-v2.0-id-20180227.html">FIDO Security Reference</a>. 27 February 2018. FIDO Alliance Implementation Draft. URL: <a href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-security-ref-v2.0-id-20180227.html">https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-security-ref-v2.0-id-20180227.html</a>
   <dt id="biblio-fidou2fjavascriptapi">[FIDOU2FJavaScriptAPI]
   <dd>D. Balfanz; A. Birgisson; J. Lang. <a href="https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html">FIDO U2F JavaScript API</a>. FIDO Alliance Proposed Standard. URL: <a href="https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html">https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html</a>
   <dt id="biblio-isobiometricvocabulary">[ISOBiometricVocabulary]
   <dd>ISO/IEC JTC1/SC37. <a href="http://standards.iso.org/ittf/PubliclyAvailableStandards/c055194_ISOIEC_2382-37_2012.zip">Information technology — Vocabulary — Biometrics</a>. 15 December 2012. International Standard: ISO/IEC 2382-37:2012(E) First Edition. URL: <a href="http://standards.iso.org/ittf/PubliclyAvailableStandards/c055194_ISOIEC_2382-37_2012.zip">http://standards.iso.org/ittf/PubliclyAvailableStandards/c055194_ISOIEC_2382-37_2012.zip</a>
   <dt id="biblio-rfc3279">[RFC3279]
   <dd>L. Bassham; W. Polk; R. Housley. <a href="https://tools.ietf.org/html/rfc3279">Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</a>. April 2002. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc3279">https://tools.ietf.org/html/rfc3279</a>
   <dt id="biblio-rfc5958">[RFC5958]
   <dd>S. Turner. <a href="https://tools.ietf.org/html/rfc5958">Asymmetric Key Packages</a>. August 2010. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc5958">https://tools.ietf.org/html/rfc5958</a>
   <dt id="biblio-rfc6265">[RFC6265]
   <dd>A. Barth. <a href="https://httpwg.org/specs/rfc6265.html">HTTP State Management Mechanism</a>. April 2011. Proposed Standard. URL: <a href="https://httpwg.org/specs/rfc6265.html">https://httpwg.org/specs/rfc6265.html</a>
   <dt id="biblio-rfc8017">[RFC8017]
   <dd>K. Moriarty, Ed.; et al. <a href="https://tools.ietf.org/html/rfc8017">PKCS #1: RSA Cryptography Specifications Version 2.2</a>. November 2016. Informational. URL: <a href="https://tools.ietf.org/html/rfc8017">https://tools.ietf.org/html/rfc8017</a>
   <dt id="biblio-uafprotocol">[UAFProtocol]
   <dd>R. Lindemann; et al. <a href="https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html">FIDO UAF Protocol Specification v1.0</a>. FIDO Alliance Proposed Standard. URL: <a href="https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html">https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html</a>
   <dt id="biblio-webauthn-1">[WebAuthn-1]
   <dd>Dirk Balfanz; et al. <a href="https://www.w3.org/TR/webauthn-1/">Web Authentication: An API for accessing Public Key Credentials Level 1</a>. 4 March 2019. REC. URL: <a href="https://www.w3.org/TR/webauthn-1/">https://www.w3.org/TR/webauthn-1/</a>
   <dt id="biblio-webauthnapiguide">[WebAuthnAPIGuide]
   <dd><a href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API">Web Authentication API Guide</a>. Experimental. URL: <a href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API">https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API</a>
  </dl>
  <h2 class="no-num no-ref heading settled" id="idl-index"><span class="content">IDL Index</span><a class="self-link" href="#idl-index"></a></h2>
<pre class="idl highlight def">[<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext"><c- g>SecureContext</c-></a>, <a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#Exposed"><c- g>Exposed</c-></a>=<c- n>Window</c->]
<c- b>interface</c-> <a class="idl-code" data-link-type="interface" href="#publickeycredential"><c- g>PublicKeyCredential</c-></a> : <a data-link-type="idl-name" href="https://w3c.github.io/webappsec-credential-management/#credential"><c- n>Credential</c-></a> {
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><c- b>ArrayBuffer</c-></a>              <a data-readonly data-type="ArrayBuffer" href="#dom-publickeycredential-rawid"><code><c- g>rawId</c-></code></a>;
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a data-link-type="idl-name" href="#authenticatorresponse"><c- n>AuthenticatorResponse</c-></a>    <a class="idl-code" data-link-type="attribute" data-readonly data-type="AuthenticatorResponse" href="#dom-publickeycredential-response"><c- g>response</c-></a>;
    <a data-link-type="idl-name" href="#dictdef-authenticationextensionsclientoutputs"><c- n>AuthenticationExtensionsClientOutputs</c-></a> <a href="#dom-publickeycredential-getclientextensionresults"><code><c- g>getClientExtensionResults</c-></code></a>();
};

<c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialcreationoptions"><c- g>CredentialCreationOptions</c-></a> {
    <a data-link-type="idl-name" href="#dictdef-publickeycredentialcreationoptions"><c- n>PublicKeyCredentialCreationOptions</c-></a>      <a data-type="PublicKeyCredentialCreationOptions      " href="#dom-credentialcreationoptions-publickey"><code><c- g>publicKey</c-></code></a>;
};

<c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialrequestoptions"><c- g>CredentialRequestOptions</c-></a> {
    <a data-link-type="idl-name" href="#dictdef-publickeycredentialrequestoptions"><c- n>PublicKeyCredentialRequestOptions</c-></a>      <a data-type="PublicKeyCredentialRequestOptions      " href="#dom-credentialrequestoptions-publickey"><code><c- g>publicKey</c-></code></a>;
};

<c- b>partial</c-> <c- b>interface</c-> <a class="idl-code" data-link-type="interface" href="#publickeycredential"><c- g>PublicKeyCredential</c-></a> {
    <c- b>static</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-promise"><c- b>Promise</c-></a>&lt;<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean"><c- b>boolean</c-></a>> <a href="#dom-publickeycredential-isuserverifyingplatformauthenticatoravailable"><code><c- g>isUserVerifyingPlatformAuthenticatorAvailable</c-></code></a>();
};

[<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext"><c- g>SecureContext</c-></a>, <a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#Exposed"><c- g>Exposed</c-></a>=<c- n>Window</c->]
<c- b>interface</c-> <a class="idl-code" data-link-type="interface" href="#authenticatorresponse"><c- g>AuthenticatorResponse</c-></a> {
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><c- b>ArrayBuffer</c-></a>      <a class="idl-code" data-link-type="attribute" data-readonly data-type="ArrayBuffer" href="#dom-authenticatorresponse-clientdatajson"><c- g>clientDataJSON</c-></a>;
};

[<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext"><c- g>SecureContext</c-></a>, <a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#Exposed"><c- g>Exposed</c-></a>=<c- n>Window</c->]
<c- b>interface</c-> <a class="idl-code" data-link-type="interface" href="#authenticatorattestationresponse"><c- g>AuthenticatorAttestationResponse</c-></a> : <a data-link-type="idl-name" href="#authenticatorresponse"><c- n>AuthenticatorResponse</c-></a> {
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><c- b>ArrayBuffer</c-></a>      <a class="idl-code" data-link-type="attribute" data-readonly data-type="ArrayBuffer" href="#dom-authenticatorattestationresponse-attestationobject"><c- g>attestationObject</c-></a>;
    <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence"><c- b>sequence</c-></a>&lt;<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a>>                              <a href="#dom-authenticatorattestationresponse-gettransports"><code><c- g>getTransports</c-></code></a>();
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><c- b>ArrayBuffer</c-></a>                                      <a href="#dom-authenticatorattestationresponse-getauthenticatordata"><code><c- g>getAuthenticatorData</c-></code></a>();
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><c- b>ArrayBuffer</c-></a>?                                     <a href="#dom-authenticatorattestationresponse-getpublickey"><code><c- g>getPublicKey</c-></code></a>();
    <a data-link-type="idl-name" href="#typedefdef-cosealgorithmidentifier"><c- n>COSEAlgorithmIdentifier</c-></a>                          <a href="#dom-authenticatorattestationresponse-getpublickeyalgorithm"><code><c- g>getPublicKeyAlgorithm</c-></code></a>();
};

[<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext"><c- g>SecureContext</c-></a>, <a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#Exposed"><c- g>Exposed</c-></a>=<c- n>Window</c->]
<c- b>interface</c-> <a class="idl-code" data-link-type="interface" href="#authenticatorassertionresponse"><c- g>AuthenticatorAssertionResponse</c-></a> : <a data-link-type="idl-name" href="#authenticatorresponse"><c- n>AuthenticatorResponse</c-></a> {
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><c- b>ArrayBuffer</c-></a>      <a class="idl-code" data-link-type="attribute" data-readonly data-type="ArrayBuffer" href="#dom-authenticatorassertionresponse-authenticatordata"><c- g>authenticatorData</c-></a>;
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><c- b>ArrayBuffer</c-></a>      <a class="idl-code" data-link-type="attribute" data-readonly data-type="ArrayBuffer" href="#dom-authenticatorassertionresponse-signature"><c- g>signature</c-></a>;
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><c- b>ArrayBuffer</c-></a>?     <a class="idl-code" data-link-type="attribute" data-readonly data-type="ArrayBuffer?" href="#dom-authenticatorassertionresponse-userhandle"><c- g>userHandle</c-></a>;
};

<c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialparameters"><c- g>PublicKeyCredentialParameters</c-></a> {
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a>                    <a class="idl-code" data-link-type="dict-member" data-type="DOMString                    " href="#dom-publickeycredentialparameters-type"><c- g>type</c-></a>;
    <c- b>required</c-> <a data-link-type="idl-name" href="#typedefdef-cosealgorithmidentifier"><c- n>COSEAlgorithmIdentifier</c-></a>      <a class="idl-code" data-link-type="dict-member" data-type="COSEAlgorithmIdentifier      " href="#dom-publickeycredentialparameters-alg"><c- g>alg</c-></a>;
};

<c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialcreationoptions"><c- g>PublicKeyCredentialCreationOptions</c-></a> {
    <c- b>required</c-> <a data-link-type="idl-name" href="#dictdef-publickeycredentialrpentity"><c- n>PublicKeyCredentialRpEntity</c-></a>         <a class="idl-code" data-link-type="dict-member" data-type="PublicKeyCredentialRpEntity         " href="#dom-publickeycredentialcreationoptions-rp"><c- g>rp</c-></a>;
    <c- b>required</c-> <a data-link-type="idl-name" href="#dictdef-publickeycredentialuserentity"><c- n>PublicKeyCredentialUserEntity</c-></a>       <a class="idl-code" data-link-type="dict-member" data-type="PublicKeyCredentialUserEntity       " href="#dom-publickeycredentialcreationoptions-user"><c- g>user</c-></a>;

    <c- b>required</c-> <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource"><c- n>BufferSource</c-></a>                             <a class="idl-code" data-link-type="dict-member" data-type="BufferSource                             " href="#dom-publickeycredentialcreationoptions-challenge"><c- g>challenge</c-></a>;
    <c- b>required</c-> <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence"><c- b>sequence</c-></a>&lt;<a data-link-type="idl-name" href="#dictdef-publickeycredentialparameters"><c- n>PublicKeyCredentialParameters</c-></a>>  <a class="idl-code" data-link-type="dict-member" data-type="sequence<PublicKeyCredentialParameters>  " href="#dom-publickeycredentialcreationoptions-pubkeycredparams"><c- g>pubKeyCredParams</c-></a>;

    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-unsigned-long"><c- b>unsigned</c-> <c- b>long</c-></a>                                <a class="idl-code" data-link-type="dict-member" data-type="unsigned long                                " href="#dom-publickeycredentialcreationoptions-timeout"><c- g>timeout</c-></a>;
    <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence"><c- b>sequence</c-></a>&lt;<a data-link-type="idl-name" href="#dictdef-publickeycredentialdescriptor"><c- n>PublicKeyCredentialDescriptor</c-></a>>      <a class="idl-code" data-default="[]" data-link-type="dict-member" data-type="sequence<PublicKeyCredentialDescriptor>      " href="#dom-publickeycredentialcreationoptions-excludecredentials"><c- g>excludeCredentials</c-></a> = [];
    <a data-link-type="idl-name" href="#dictdef-authenticatorselectioncriteria"><c- n>AuthenticatorSelectionCriteria</c-></a>               <a class="idl-code" data-link-type="dict-member" data-type="AuthenticatorSelectionCriteria               " href="#dom-publickeycredentialcreationoptions-authenticatorselection"><c- g>authenticatorSelection</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a>                                    <a class="idl-code" data-default="&quot;none&quot;" data-link-type="dict-member" data-type="DOMString                                    " href="#dom-publickeycredentialcreationoptions-attestation"><c- g>attestation</c-></a> = "none";
    <a data-link-type="idl-name" href="#dictdef-authenticationextensionsclientinputs"><c- n>AuthenticationExtensionsClientInputs</c-></a>         <a class="idl-code" data-link-type="dict-member" data-type="AuthenticationExtensionsClientInputs         " href="#dom-publickeycredentialcreationoptions-extensions"><c- g>extensions</c-></a>;
};

<c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialentity"><c- g>PublicKeyCredentialEntity</c-></a> {
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a>    <a class="idl-code" data-link-type="dict-member" data-type="DOMString    " href="#dom-publickeycredentialentity-name"><c- g>name</c-></a>;
};

<c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialrpentity"><c- g>PublicKeyCredentialRpEntity</c-></a> : <a data-link-type="idl-name" href="#dictdef-publickeycredentialentity"><c- n>PublicKeyCredentialEntity</c-></a> {
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a>      <a class="idl-code" data-link-type="dict-member" data-type="DOMString      " href="#dom-publickeycredentialrpentity-id"><c- g>id</c-></a>;
};

<c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialuserentity"><c- g>PublicKeyCredentialUserEntity</c-></a> : <a data-link-type="idl-name" href="#dictdef-publickeycredentialentity"><c- n>PublicKeyCredentialEntity</c-></a> {
    <c- b>required</c-> <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource"><c- n>BufferSource</c-></a>   <a class="idl-code" data-link-type="dict-member" data-type="BufferSource   " href="#dom-publickeycredentialuserentity-id"><c- g>id</c-></a>;
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a>      <a class="idl-code" data-link-type="dict-member" data-type="DOMString      " href="#dom-publickeycredentialuserentity-displayname"><c- g>displayName</c-></a>;
};

<c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticatorselectioncriteria"><c- g>AuthenticatorSelectionCriteria</c-></a> {
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a>                    <a class="idl-code" data-link-type="dict-member" data-type="DOMString                    " href="#dom-authenticatorselectioncriteria-authenticatorattachment"><c- g>authenticatorAttachment</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a>                    <a class="idl-code" data-link-type="dict-member" data-type="DOMString                    " href="#dom-authenticatorselectioncriteria-residentkey"><c- g>residentKey</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean"><c- b>boolean</c-></a>                      <a class="idl-code" data-default="false" data-link-type="dict-member" data-type="boolean                      " href="#dom-authenticatorselectioncriteria-requireresidentkey"><c- g>requireResidentKey</c-></a> = <c- b>false</c->;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a>                    <a class="idl-code" data-default="&quot;preferred&quot;" data-link-type="dict-member" data-type="DOMString                    " href="#dom-authenticatorselectioncriteria-userverification"><c- g>userVerification</c-></a> = "preferred";
};

<c- b>enum</c-> <a class="idl-code" data-link-type="enum" href="#enumdef-authenticatorattachment"><c- g>AuthenticatorAttachment</c-></a> {
    <a class="idl-code" data-link-type="enum-value" href="#dom-authenticatorattachment-platform"><c- s>"platform"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-authenticatorattachment-cross-platform"><c- s>"cross-platform"</c-></a>
};

<c- b>enum</c-> <a class="idl-code" data-link-type="enum" href="#enumdef-residentkeyrequirement"><c- g>ResidentKeyRequirement</c-></a> {
    <a class="idl-code" data-link-type="enum-value" href="#dom-residentkeyrequirement-discouraged"><c- s>"discouraged"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-residentkeyrequirement-preferred"><c- s>"preferred"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-residentkeyrequirement-required"><c- s>"required"</c-></a>
};

<c- b>enum</c-> <a class="idl-code" data-link-type="enum" href="#enumdef-attestationconveyancepreference"><c- g>AttestationConveyancePreference</c-></a> {
    <a class="idl-code" data-link-type="enum-value" href="#dom-attestationconveyancepreference-none"><c- s>"none"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-attestationconveyancepreference-indirect"><c- s>"indirect"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-attestationconveyancepreference-direct"><c- s>"direct"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-attestationconveyancepreference-enterprise"><c- s>"enterprise"</c-></a>
};

<c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialrequestoptions"><c- g>PublicKeyCredentialRequestOptions</c-></a> {
    <c- b>required</c-> <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource"><c- n>BufferSource</c-></a>                <a class="idl-code" data-link-type="dict-member" data-type="BufferSource                " href="#dom-publickeycredentialrequestoptions-challenge"><c- g>challenge</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-unsigned-long"><c- b>unsigned</c-> <c- b>long</c-></a>                        <a class="idl-code" data-link-type="dict-member" data-type="unsigned long                        " href="#dom-publickeycredentialrequestoptions-timeout"><c- g>timeout</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-USVString"><c- b>USVString</c-></a>                            <a class="idl-code" data-link-type="dict-member" data-type="USVString                            " href="#dom-publickeycredentialrequestoptions-rpid"><c- g>rpId</c-></a>;
    <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence"><c- b>sequence</c-></a>&lt;<a data-link-type="idl-name" href="#dictdef-publickeycredentialdescriptor"><c- n>PublicKeyCredentialDescriptor</c-></a>> <a class="idl-code" data-default="[]" data-link-type="dict-member" data-type="sequence<PublicKeyCredentialDescriptor> " href="#dom-publickeycredentialrequestoptions-allowcredentials"><c- g>allowCredentials</c-></a> = [];
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a>                            <a class="idl-code" data-default="&quot;preferred&quot;" data-link-type="dict-member" data-type="DOMString                            " href="#dom-publickeycredentialrequestoptions-userverification"><c- g>userVerification</c-></a> = "preferred";
    <a data-link-type="idl-name" href="#dictdef-authenticationextensionsclientinputs"><c- n>AuthenticationExtensionsClientInputs</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="AuthenticationExtensionsClientInputs " href="#dom-publickeycredentialrequestoptions-extensions"><c- g>extensions</c-></a>;
};

<c- b>dictionary</c-> <a href="#dictdef-authenticationextensionsclientinputs"><code><c- g>AuthenticationExtensionsClientInputs</c-></code></a> {
};

<c- b>dictionary</c-> <a href="#dictdef-authenticationextensionsclientoutputs"><code><c- g>AuthenticationExtensionsClientOutputs</c-></code></a> {
};

<c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-collectedclientdata"><c- g>CollectedClientData</c-></a> {
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a>           <a class="idl-code" data-link-type="dict-member" data-type="DOMString           " href="#dom-collectedclientdata-type"><c- g>type</c-></a>;
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a>           <a class="idl-code" data-link-type="dict-member" data-type="DOMString           " href="#dom-collectedclientdata-challenge"><c- g>challenge</c-></a>;
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a>           <a class="idl-code" data-link-type="dict-member" data-type="DOMString           " href="#dom-collectedclientdata-origin"><c- g>origin</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean"><c- b>boolean</c-></a>                      <a class="idl-code" data-link-type="dict-member" data-type="boolean                      " href="#dom-collectedclientdata-crossorigin"><c- g>crossOrigin</c-></a>;
    <a data-link-type="idl-name" href="#dictdef-tokenbinding"><c- n>TokenBinding</c-></a>                 <a class="idl-code" data-link-type="dict-member" data-type="TokenBinding                 " href="#dom-collectedclientdata-tokenbinding"><c- g>tokenBinding</c-></a>;
};

<c- b>dictionary</c-> <a href="#dictdef-tokenbinding"><code><c- g>TokenBinding</c-></code></a> {
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-tokenbinding-status"><c- g>status</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-tokenbinding-id"><c- g>id</c-></a>;
};

<c- b>enum</c-> <a href="#enumdef-tokenbindingstatus"><code><c- g>TokenBindingStatus</c-></code></a> { <a class="idl-code" data-link-type="enum-value" href="#dom-tokenbindingstatus-present"><c- s>"present"</c-></a>, <a class="idl-code" data-link-type="enum-value" href="#dom-tokenbindingstatus-supported"><c- s>"supported"</c-></a> };

<c- b>enum</c-> <a class="idl-code" data-link-type="enum" href="#enumdef-publickeycredentialtype"><c- g>PublicKeyCredentialType</c-></a> {
    <a class="idl-code" data-link-type="enum-value" href="#dom-publickeycredentialtype-public-key"><c- s>"public-key"</c-></a>
};

<c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialdescriptor"><c- g>PublicKeyCredentialDescriptor</c-></a> {
    <c- b>required</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a>                    <a class="idl-code" data-link-type="dict-member" data-type="DOMString                    " href="#dom-publickeycredentialdescriptor-type"><c- g>type</c-></a>;
    <c- b>required</c-> <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource"><c- n>BufferSource</c-></a>                 <a class="idl-code" data-link-type="dict-member" data-type="BufferSource                 " href="#dom-publickeycredentialdescriptor-id"><c- g>id</c-></a>;
    <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence"><c- b>sequence</c-></a>&lt;<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a>>                   <a class="idl-code" data-link-type="dict-member" data-type="sequence<DOMString>                   " href="#dom-publickeycredentialdescriptor-transports"><c- g>transports</c-></a>;
};

<c- b>enum</c-> <a class="idl-code" data-link-type="enum" href="#enumdef-authenticatortransport"><c- g>AuthenticatorTransport</c-></a> {
    <a class="idl-code" data-link-type="enum-value" href="#dom-authenticatortransport-usb"><c- s>"usb"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-authenticatortransport-nfc"><c- s>"nfc"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-authenticatortransport-ble"><c- s>"ble"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-authenticatortransport-internal"><c- s>"internal"</c-></a>
};

<c- b>typedef</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-long"><c- b>long</c-></a> <a href="#typedefdef-cosealgorithmidentifier"><code><c- g>COSEAlgorithmIdentifier</c-></code></a>;

<c- b>enum</c-> <a class="idl-code" data-link-type="enum" href="#enumdef-userverificationrequirement"><c- g>UserVerificationRequirement</c-></a> {
    <a class="idl-code" data-link-type="enum-value" href="#dom-userverificationrequirement-required"><c- s>"required"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-userverificationrequirement-preferred"><c- s>"preferred"</c-></a>,
    <a class="idl-code" data-link-type="enum-value" href="#dom-userverificationrequirement-discouraged"><c- s>"discouraged"</c-></a>
};

<c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientinputs"><c- g>AuthenticationExtensionsClientInputs</c-></a> {
  <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-USVString"><c- b>USVString</c-></a> <a data-type="USVString " href="#dom-authenticationextensionsclientinputs-appid"><code><c- g>appid</c-></code></a>;
};

<c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientoutputs"><c- g>AuthenticationExtensionsClientOutputs</c-></a> {
  <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean"><c- b>boolean</c-></a> <a data-type="boolean " href="#dom-authenticationextensionsclientoutputs-appid"><code><c- g>appid</c-></code></a>;
};

<c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientinputs"><c- g>AuthenticationExtensionsClientInputs</c-></a> {
  <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-USVString"><c- b>USVString</c-></a> <a data-type="USVString " href="#dom-authenticationextensionsclientinputs-appidexclude"><code><c- g>appidExclude</c-></code></a>;
};

<c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientoutputs"><c- g>AuthenticationExtensionsClientOutputs</c-></a> {
  <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean"><c- b>boolean</c-></a> <a data-type="boolean " href="#dom-authenticationextensionsclientoutputs-appidexclude"><code><c- g>appidExclude</c-></code></a>;
};

<c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientinputs"><c- g>AuthenticationExtensionsClientInputs</c-></a> {
  <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean"><c- b>boolean</c-></a> <a data-type="boolean " href="#dom-authenticationextensionsclientinputs-uvm"><code><c- g>uvm</c-></code></a>;
};

<c- b>typedef</c-> <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence"><c- b>sequence</c-></a>&lt;<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-unsigned-long"><c- b>unsigned</c-> <c- b>long</c-></a>> <a href="#typedefdef-uvmentry"><code><c- g>UvmEntry</c-></code></a>;
<c- b>typedef</c-> <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence"><c- b>sequence</c-></a>&lt;<a data-link-type="idl-name" href="#typedefdef-uvmentry"><c- n>UvmEntry</c-></a>> <a href="#typedefdef-uvmentries"><code><c- g>UvmEntries</c-></code></a>;

<c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientoutputs"><c- g>AuthenticationExtensionsClientOutputs</c-></a> {
  <a data-link-type="idl-name" href="#typedefdef-uvmentries"><c- n>UvmEntries</c-></a> <a data-type="UvmEntries " href="#dom-authenticationextensionsclientoutputs-uvm"><code><c- g>uvm</c-></code></a>;
};

<c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientinputs"><c- g>AuthenticationExtensionsClientInputs</c-></a> {
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean"><c- b>boolean</c-></a> <a data-type="boolean " href="#dom-authenticationextensionsclientinputs-credprops"><code><c- g>credProps</c-></code></a>;
};

<c- b>dictionary</c-> <a href="#dictdef-credentialpropertiesoutput"><code><c- g>CredentialPropertiesOutput</c-></code></a> {
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean"><c- b>boolean</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="boolean " href="#dom-credentialpropertiesoutput-rk"><c- g>rk</c-></a>;
};

<c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientoutputs"><c- g>AuthenticationExtensionsClientOutputs</c-></a> {
    <a data-link-type="idl-name" href="#dictdef-credentialpropertiesoutput"><c- n>CredentialPropertiesOutput</c-></a> <a data-type="CredentialPropertiesOutput " href="#dom-authenticationextensionsclientoutputs-credprops"><code><c- g>credProps</c-></code></a>;
};

<c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientinputs"><c- g>AuthenticationExtensionsClientInputs</c-></a> {
    <a data-link-type="idl-name" href="#dictdef-authenticationextensionslargeblobinputs"><c- n>AuthenticationExtensionsLargeBlobInputs</c-></a> <a data-type="AuthenticationExtensionsLargeBlobInputs " href="#dom-authenticationextensionsclientinputs-largeblob"><code><c- g>largeBlob</c-></code></a>;
};

<c- b>enum</c-> <a href="#enumdef-largeblobsupport"><code><c- g>LargeBlobSupport</c-></code></a> {
  <a href="#dom-largeblobsupport-required"><code><c- s>"required"</c-></code></a>,
  <a href="#dom-largeblobsupport-preferred"><code><c- s>"preferred"</c-></code></a>,
};

<c- b>dictionary</c-> <a href="#dictdef-authenticationextensionslargeblobinputs"><code><c- g>AuthenticationExtensionsLargeBlobInputs</c-></code></a> {
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-authenticationextensionslargeblobinputs-support"><c- g>support</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean"><c- b>boolean</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="boolean " href="#dom-authenticationextensionslargeblobinputs-read"><c- g>read</c-></a>;
    <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource"><c- n>BufferSource</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="BufferSource " href="#dom-authenticationextensionslargeblobinputs-write"><c- g>write</c-></a>;
};

<c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientoutputs"><c- g>AuthenticationExtensionsClientOutputs</c-></a> {
    <a data-link-type="idl-name" href="#dictdef-authenticationextensionslargebloboutputs"><c- n>AuthenticationExtensionsLargeBlobOutputs</c-></a> <a data-type="AuthenticationExtensionsLargeBlobOutputs " href="#dom-authenticationextensionsclientoutputs-largeblob"><code><c- g>largeBlob</c-></code></a>;
};

<c- b>dictionary</c-> <a href="#dictdef-authenticationextensionslargebloboutputs"><code><c- g>AuthenticationExtensionsLargeBlobOutputs</c-></code></a> {
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean"><c- b>boolean</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="boolean " href="#dom-authenticationextensionslargebloboutputs-supported"><c- g>supported</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><c- b>ArrayBuffer</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="ArrayBuffer " href="#dom-authenticationextensionslargebloboutputs-blob"><c- g>blob</c-></a>;
    <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean"><c- b>boolean</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="boolean " href="#dom-authenticationextensionslargebloboutputs-written"><c- g>written</c-></a>;
};

</pre>
  <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content">Issues Index</span><a class="self-link" href="#issues-index"></a></h2>
  <div style="counter-reset:issue">
   <div class="issue"> The WHATWG HTML WG is discussing whether to provide a hook when a browsing context gains or
    loses focus. If such a hook is provided, the above paragraph will be updated to include it.
    See <a href="https://github.com/whatwg/html/issues/2711">WHATWG HTML WG Issue #2711</a> for more details.<a href="#issue-c0359d2a"> ↵ </a></div>
  </div>
  <aside class="dfn-panel" data-for="base64url-encoding">
   <b><a href="#base64url-encoding">#base64url-encoding</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-base64url-encoding">5.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-base64url-encoding①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-base64url-encoding②">(2)</a>
    <li><a href="#ref-for-base64url-encoding③">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-base64url-encoding④">(2)</a>
    <li><a href="#ref-for-base64url-encoding⑤">5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)</a>
    <li><a href="#ref-for-base64url-encoding⑥">5.8.1.1. Serialization</a>
    <li><a href="#ref-for-base64url-encoding⑦">5.8.1.2. Limited Verification Algorithm</a>
    <li><a href="#ref-for-base64url-encoding⑧">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-base64url-encoding⑨">7.2. Verifying an Authentication Assertion</a> <a href="#ref-for-base64url-encoding①⓪">(2)</a>
    <li><a href="#ref-for-base64url-encoding①①">10.1. FIDO AppID Extension (appid)</a>
    <li><a href="#ref-for-base64url-encoding①②">10.2. FIDO AppID Exclusion Extension (appidExclude)</a>
    <li><a href="#ref-for-base64url-encoding①③">11.5. Add Credential</a> <a href="#ref-for-base64url-encoding①④">(2)</a> <a href="#ref-for-base64url-encoding①⑤">(3)</a> <a href="#ref-for-base64url-encoding①⑥">(4)</a> <a href="#ref-for-base64url-encoding①⑦">(5)</a> <a href="#ref-for-base64url-encoding①⑧">(6)</a> <a href="#ref-for-base64url-encoding①⑨">(7)</a> <a href="#ref-for-base64url-encoding②⓪">(8)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="cbor">
   <b><a href="#cbor">#cbor</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-cbor">2.4. All Conformance Classes</a>
    <li><a href="#ref-for-cbor①">3. Dependencies</a>
    <li><a href="#ref-for-cbor②">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-cbor③">(2)</a>
    <li><a href="#ref-for-cbor④">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-cbor⑤">5.7.3. Authentication Extensions Authenticator Inputs (CDDL type AuthenticationExtensionsAuthenticatorInputs)</a>
    <li><a href="#ref-for-cbor⑥">5.7.4. Authentication Extensions Authenticator Outputs (CDDL type AuthenticationExtensionsAuthenticatorOutputs)</a>
    <li><a href="#ref-for-cbor⑦">6.1. Authenticator Data</a> <a href="#ref-for-cbor⑧">(2)</a>
    <li><a href="#ref-for-cbor⑨">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-cbor①⓪">6.3.3. The authenticatorGetAssertion Operation</a>
    <li><a href="#ref-for-cbor①①">9. WebAuthn Extensions</a> <a href="#ref-for-cbor①②">(2)</a> <a href="#ref-for-cbor①③">(3)</a> <a href="#ref-for-cbor①④">(4)</a> <a href="#ref-for-cbor①⑤">(5)</a> <a href="#ref-for-cbor①⑥">(6)</a> <a href="#ref-for-cbor①⑦">(7)</a> <a href="#ref-for-cbor①⑧">(8)</a>
    <li><a href="#ref-for-cbor①⑨">9.2. Defining Extensions</a> <a href="#ref-for-cbor②⓪">(2)</a>
    <li><a href="#ref-for-cbor②①">9.3. Extending Request Parameters</a>
    <li><a href="#ref-for-cbor②②">9.4. Client Extension Processing</a> <a href="#ref-for-cbor②③">(2)</a>
    <li><a href="#ref-for-cbor②④">9.5. Authenticator Extension Processing</a> <a href="#ref-for-cbor②⑤">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="cddl">
   <b><a href="#cddl">#cddl</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-cddl">5.7.3. Authentication Extensions Authenticator Inputs (CDDL type AuthenticationExtensionsAuthenticatorInputs)</a>
    <li><a href="#ref-for-cddl①">5.7.4. Authentication Extensions Authenticator Outputs (CDDL type AuthenticationExtensionsAuthenticatorOutputs)</a>
    <li><a href="#ref-for-cddl②">9.3. Extending Request Parameters</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestation">
   <b><a href="#attestation">#attestation</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestation②">1.1. Specification Roadmap</a>
    <li><a href="#ref-for-attestation③">4. Terminology</a> <a href="#ref-for-attestation④">(2)</a> <a href="#ref-for-attestation⑤">(3)</a>
    <li><a href="#ref-for-attestation⑥">5.2.1.1. Easily accessing credential data</a> <a href="#ref-for-attestation⑦">(2)</a>
    <li><a href="#ref-for-attestation⑧">5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)</a> <a href="#ref-for-attestation⑨">(2)</a>
    <li><a href="#ref-for-attestation①⓪">6. WebAuthn Authenticator Model</a> <a href="#ref-for-attestation①①">(2)</a>
    <li><a href="#ref-for-attestation①②">6.5. Attestation</a> <a href="#ref-for-attestation①③">(2)</a> <a href="#ref-for-attestation①④">(3)</a> <a href="#ref-for-attestation①⑤">(4)</a>
    <li><a href="#ref-for-attestation①⑥">6.5.3. Attestation Types</a> <a href="#ref-for-attestation①⑦">(2)</a>
    <li><a href="#ref-for-attestation①⑧">8.2. Packed Attestation Statement Format</a>
    <li><a href="#ref-for-attestation①⑨">8.7. None Attestation Statement Format</a>
    <li><a href="#ref-for-attestation②⓪">12.1. WebAuthn Attestation Statement Format Identifier Registrations Updates</a>
    <li><a href="#ref-for-attestation②①">13. Security Considerations</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestation-certificate">
   <b><a href="#attestation-certificate">#attestation-certificate</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestation-certificate">4. Terminology</a> <a href="#ref-for-attestation-certificate①">(2)</a>
    <li><a href="#ref-for-attestation-certificate②">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-attestation-certificate③">6.5.3. Attestation Types</a> <a href="#ref-for-attestation-certificate④">(2)</a> <a href="#ref-for-attestation-certificate⑤">(3)</a>
    <li><a href="#ref-for-attestation-certificate⑥">8.3.1. TPM Attestation Statement Certificate Requirements</a>
    <li><a href="#ref-for-attestation-certificate⑦">8.4. Android Key Attestation Statement Format</a>
    <li><a href="#ref-for-attestation-certificate⑧">8.4.1. Android Key Attestation Statement Certificate Requirements</a>
    <li><a href="#ref-for-attestation-certificate⑨">13.3.2. Attestation Certificate and Attestation Certificate CA Compromise</a> <a href="#ref-for-attestation-certificate①⓪">(2)</a> <a href="#ref-for-attestation-certificate①①">(3)</a>
    <li><a href="#ref-for-attestation-certificate①②">13.4.5. Revoked Attestation Certificates</a> <a href="#ref-for-attestation-certificate①③">(2)</a>
    <li><a href="#ref-for-attestation-certificate①④">14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials</a>
    <li><a href="#ref-for-attestation-certificate①⑤">14.4.1. Attestation Privacy</a> <a href="#ref-for-attestation-certificate①⑥">(2)</a> <a href="#ref-for-attestation-certificate①⑦">(3)</a> <a href="#ref-for-attestation-certificate①⑧">(4)</a> <a href="#ref-for-attestation-certificate①⑨">(5)</a> <a href="#ref-for-attestation-certificate②⓪">(6)</a> <a href="#ref-for-attestation-certificate②①">(7)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestation-key-pair">
   <b><a href="#attestation-key-pair">#attestation-key-pair</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestation-key-pair">4. Terminology</a> <a href="#ref-for-attestation-key-pair①">(2)</a>
    <li><a href="#ref-for-attestation-key-pair②">6.5. Attestation</a>
    <li><a href="#ref-for-attestation-key-pair③">6.5.3. Attestation Types</a> <a href="#ref-for-attestation-key-pair④">(2)</a> <a href="#ref-for-attestation-key-pair⑤">(3)</a>
    <li><a href="#ref-for-attestation-key-pair⑥">13.3.2. Attestation Certificate and Attestation Certificate CA Compromise</a>
    <li><a href="#ref-for-attestation-key-pair⑦">14.4.1. Attestation Privacy</a> <a href="#ref-for-attestation-key-pair⑧">(2)</a> <a href="#ref-for-attestation-key-pair⑨">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestation-private-key">
   <b><a href="#attestation-private-key">#attestation-private-key</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestation-private-key">6. WebAuthn Authenticator Model</a>
    <li><a href="#ref-for-attestation-private-key①">6.5. Attestation</a>
    <li><a href="#ref-for-attestation-private-key②">6.5.3. Attestation Types</a>
    <li><a href="#ref-for-attestation-private-key③">8.2. Packed Attestation Statement Format</a>
    <li><a href="#ref-for-attestation-private-key④">13.3.2. Attestation Certificate and Attestation Certificate CA Compromise</a> <a href="#ref-for-attestation-private-key⑤">(2)</a>
    <li><a href="#ref-for-attestation-private-key⑥">14.4.1. Attestation Privacy</a> <a href="#ref-for-attestation-private-key⑦">(2)</a> <a href="#ref-for-attestation-private-key⑧">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestation-public-key">
   <b><a href="#attestation-public-key">#attestation-public-key</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestation-public-key">6.5. Attestation</a>
    <li><a href="#ref-for-attestation-public-key①">13.3.2. Attestation Certificate and Attestation Certificate CA Compromise</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authentication">
   <b><a href="#authentication">#authentication</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authentication">1. Introduction</a> <a href="#ref-for-authentication①">(2)</a>
    <li><a href="#ref-for-authentication②">1.1. Specification Roadmap</a>
    <li><a href="#ref-for-authentication③">4. Terminology</a> <a href="#ref-for-authentication④">(2)</a> <a href="#ref-for-authentication⑤">(3)</a> <a href="#ref-for-authentication⑥">(4)</a> <a href="#ref-for-authentication⑦">(5)</a> <a href="#ref-for-authentication⑧">(6)</a>
    <li><a href="#ref-for-authentication⑨">5. Web Authentication API</a>
    <li><a href="#ref-for-authentication①⓪">6.2.1. Authenticator Attachment Modality</a> <a href="#ref-for-authentication①①">(2)</a>
    <li><a href="#ref-for-authentication①②">10.1. FIDO AppID Extension (appid)</a>
    <li><a href="#ref-for-authentication①③">13. Security Considerations</a>
    <li><a href="#ref-for-authentication①④">14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials</a>
    <li><a href="#ref-for-authentication①⑤">14.3. Authenticator-local Biometric Recognition</a>
    <li><a href="#ref-for-authentication①⑥">14.6.2. Username Enumeration</a>
    <li><a href="#ref-for-authentication①⑦">16. Acknowledgements</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authentication-ceremony">
   <b><a href="#authentication-ceremony">#authentication-ceremony</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authentication-ceremony">4. Terminology</a> <a href="#ref-for-authentication-ceremony①">(2)</a> <a href="#ref-for-authentication-ceremony②">(3)</a> <a href="#ref-for-authentication-ceremony③">(4)</a> <a href="#ref-for-authentication-ceremony④">(5)</a>
    <li><a href="#ref-for-authentication-ceremony⑤">6.2.1. Authenticator Attachment Modality</a>
    <li><a href="#ref-for-authentication-ceremony⑥">6.2.3. Authentication Factor Capability</a> <a href="#ref-for-authentication-ceremony⑦">(2)</a>
    <li><a href="#ref-for-authentication-ceremony⑧">7. WebAuthn Relying Party Operations</a>
    <li><a href="#ref-for-authentication-ceremony⑨">7.2. Verifying an Authentication Assertion</a> <a href="#ref-for-authentication-ceremony①⓪">(2)</a> <a href="#ref-for-authentication-ceremony①①">(3)</a> <a href="#ref-for-authentication-ceremony①②">(4)</a> <a href="#ref-for-authentication-ceremony①③">(5)</a> <a href="#ref-for-authentication-ceremony①④">(6)</a>
    <li><a href="#ref-for-authentication-ceremony①⑤">13.4.1. Security Benefits for WebAuthn Relying Parties</a>
    <li><a href="#ref-for-authentication-ceremony①⑥">13.4.4. Attestation Limitations</a> <a href="#ref-for-authentication-ceremony①⑦">(2)</a>
    <li><a href="#ref-for-authentication-ceremony①⑧">13.4.7. Unprotected account detection</a> <a href="#ref-for-authentication-ceremony①⑨">(2)</a>
    <li><a href="#ref-for-authentication-ceremony②⓪">14.4.2. Privacy of personally identifying information Stored in Authenticators</a>
    <li><a href="#ref-for-authentication-ceremony②①">14.5.2. Authentication Ceremony Privacy</a>
    <li><a href="#ref-for-authentication-ceremony②②">14.6.2. Username Enumeration</a> <a href="#ref-for-authentication-ceremony②③">(2)</a> <a href="#ref-for-authentication-ceremony②④">(3)</a> <a href="#ref-for-authentication-ceremony②⑤">(4)</a> <a href="#ref-for-authentication-ceremony②⑥">(5)</a>
    <li><a href="#ref-for-authentication-ceremony②⑦">14.6.3. Privacy leak via credential IDs</a> <a href="#ref-for-authentication-ceremony②⑧">(2)</a>
    <li><a href="#ref-for-authentication-ceremony②⑨">15. Accessibility Considerations</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authentication-assertion">
   <b><a href="#authentication-assertion">#authentication-assertion</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authentication-assertion">1. Introduction</a>
    <li><a href="#ref-for-authentication-assertion①">4. Terminology</a> <a href="#ref-for-authentication-assertion②">(2)</a> <a href="#ref-for-authentication-assertion③">(3)</a> <a href="#ref-for-authentication-assertion④">(4)</a> <a href="#ref-for-authentication-assertion⑤">(5)</a> <a href="#ref-for-authentication-assertion⑥">(6)</a> <a href="#ref-for-authentication-assertion⑦">(7)</a>
    <li><a href="#ref-for-authentication-assertion⑧">5.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-authentication-assertion⑨">5.2.1.1. Easily accessing credential data</a>
    <li><a href="#ref-for-authentication-assertion①⓪">5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
    <li><a href="#ref-for-authentication-assertion①①">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
    <li><a href="#ref-for-authentication-assertion①②">9. WebAuthn Extensions</a>
    <li><a href="#ref-for-authentication-assertion①③">13.2. Physical Proximity between Client and Authenticator</a> <a href="#ref-for-authentication-assertion①④">(2)</a>
    <li><a href="#ref-for-authentication-assertion①⑤">13.4.4. Attestation Limitations</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="assertion">
   <b><a href="#assertion">#assertion</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-assertion">4. Terminology</a>
    <li><a href="#ref-for-assertion①">6.1. Authenticator Data</a>
    <li><a href="#ref-for-assertion②">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-assertion③">10.1. FIDO AppID Extension (appid)</a> <a href="#ref-for-assertion④">(2)</a>
    <li><a href="#ref-for-assertion⑤">13.1. Credential ID Unsigned</a>
    <li><a href="#ref-for-assertion⑥">13.4.7. Unprotected account detection</a>
    <li><a href="#ref-for-assertion⑦">14.3. Authenticator-local Biometric Recognition</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator">
   <b><a href="#authenticator">#authenticator</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator⑤">1. Introduction</a> <a href="#ref-for-authenticator⑥">(2)</a> <a href="#ref-for-authenticator⑦">(3)</a>
    <li><a href="#ref-for-authenticator⑧">1.1. Specification Roadmap</a> <a href="#ref-for-authenticator⑨">(2)</a> <a href="#ref-for-authenticator①⓪">(3)</a> <a href="#ref-for-authenticator①①">(4)</a> <a href="#ref-for-authenticator①②">(5)</a> <a href="#ref-for-authenticator①③">(6)</a> <a href="#ref-for-authenticator①④">(7)</a> <a href="#ref-for-authenticator①⑤">(8)</a>
    <li><a href="#ref-for-authenticator①⑥">1.2. Use Cases</a>
    <li><a href="#ref-for-authenticator①⑦">1.2.3. New Device Registration</a>
    <li><a href="#ref-for-authenticator①⑧">1.3.5. Decommissioning</a> <a href="#ref-for-authenticator①⑨">(2)</a> <a href="#ref-for-authenticator②⓪">(3)</a> <a href="#ref-for-authenticator②①">(4)</a>
    <li><a href="#ref-for-authenticator②②">2.2.1. Backwards Compatibility with FIDO U2F</a>
    <li><a href="#ref-for-authenticator②③">4. Terminology</a> <a href="#ref-for-authenticator②④">(2)</a> <a href="#ref-for-authenticator②⑤">(3)</a> <a href="#ref-for-authenticator②⑥">(4)</a> <a href="#ref-for-authenticator②⑦">(5)</a> <a href="#ref-for-authenticator②⑧">(6)</a> <a href="#ref-for-authenticator②⑨">(7)</a> <a href="#ref-for-authenticator③⓪">(8)</a> <a href="#ref-for-authenticator③①">(9)</a> <a href="#ref-for-authenticator③②">(10)</a> <a href="#ref-for-authenticator③③">(11)</a> <a href="#ref-for-authenticator③④">(12)</a> <a href="#ref-for-authenticator③⑤">(13)</a> <a href="#ref-for-authenticator③⑥">(14)</a> <a href="#ref-for-authenticator③⑦">(15)</a> <a href="#ref-for-authenticator③⑧">(16)</a> <a href="#ref-for-authenticator③⑨">(17)</a> <a href="#ref-for-authenticator④⓪">(18)</a> <a href="#ref-for-authenticator④①">(19)</a> <a href="#ref-for-authenticator④②">(20)</a> <a href="#ref-for-authenticator④③">(21)</a> <a href="#ref-for-authenticator④④">(22)</a> <a href="#ref-for-authenticator④⑤">(23)</a> <a href="#ref-for-authenticator④⑥">(24)</a> <a href="#ref-for-authenticator④⑦">(25)</a> <a href="#ref-for-authenticator④⑧">(26)</a> <a href="#ref-for-authenticator④⑨">(27)</a> <a href="#ref-for-authenticator⑤⓪">(28)</a> <a href="#ref-for-authenticator⑤①">(29)</a> <a href="#ref-for-authenticator⑤②">(30)</a> <a href="#ref-for-authenticator⑤③">(31)</a> <a href="#ref-for-authenticator⑤④">(32)</a> <a href="#ref-for-authenticator⑤⑤">(33)</a> <a href="#ref-for-authenticator⑤⑥">(34)</a>
    <li><a href="#ref-for-authenticator⑤⑦">5. Web Authentication API</a> <a href="#ref-for-authenticator⑤⑧">(2)</a> <a href="#ref-for-authenticator⑤⑨">(3)</a>
    <li><a href="#ref-for-authenticator⑥⓪">5.1. PublicKeyCredential Interface</a> <a href="#ref-for-authenticator⑥①">(2)</a>
    <li><a href="#ref-for-authenticator⑥②">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-authenticator⑥③">(2)</a> <a href="#ref-for-authenticator⑥④">(3)</a> <a href="#ref-for-authenticator⑥⑤">(4)</a> <a href="#ref-for-authenticator⑥⑥">(5)</a> <a href="#ref-for-authenticator⑥⑦">(6)</a> <a href="#ref-for-authenticator⑥⑧">(7)</a> <a href="#ref-for-authenticator⑥⑨">(8)</a> <a href="#ref-for-authenticator⑦⓪">(9)</a>
    <li><a href="#ref-for-authenticator⑦①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-authenticator⑦②">(2)</a> <a href="#ref-for-authenticator⑦③">(3)</a> <a href="#ref-for-authenticator⑦④">(4)</a> <a href="#ref-for-authenticator⑦⑤">(5)</a> <a href="#ref-for-authenticator⑦⑥">(6)</a> <a href="#ref-for-authenticator⑦⑦">(7)</a> <a href="#ref-for-authenticator⑦⑧">(8)</a>
    <li><a href="#ref-for-authenticator⑦⑨">5.2. Authenticator Responses (interface AuthenticatorResponse)</a>
    <li><a href="#ref-for-authenticator⑧⓪">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a> <a href="#ref-for-authenticator⑧①">(2)</a> <a href="#ref-for-authenticator⑧②">(3)</a>
    <li><a href="#ref-for-authenticator⑧③">5.2.1.1. Easily accessing credential data</a> <a href="#ref-for-authenticator⑧④">(2)</a>
    <li><a href="#ref-for-authenticator⑧⑤">5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
    <li><a href="#ref-for-authenticator⑧⑥">5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a>
    <li><a href="#ref-for-authenticator⑧⑦">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a> <a href="#ref-for-authenticator⑧⑧">(2)</a>
    <li><a href="#ref-for-authenticator⑧⑨">5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)</a>
    <li><a href="#ref-for-authenticator⑨⓪">5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)</a>
    <li><a href="#ref-for-authenticator⑨①">5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)</a> <a href="#ref-for-authenticator⑨②">(2)</a>
    <li><a href="#ref-for-authenticator⑨③">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
    <li><a href="#ref-for-authenticator⑨④">5.7.3. Authentication Extensions Authenticator Inputs (CDDL type AuthenticationExtensionsAuthenticatorInputs)</a>
    <li><a href="#ref-for-authenticator⑨⑤">5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)</a> <a href="#ref-for-authenticator⑨⑥">(2)</a> <a href="#ref-for-authenticator⑨⑦">(3)</a> <a href="#ref-for-authenticator⑨⑧">(4)</a> <a href="#ref-for-authenticator⑨⑨">(5)</a>
    <li><a href="#ref-for-authenticator①⓪⓪">6. WebAuthn Authenticator Model</a> <a href="#ref-for-authenticator①⓪①">(2)</a> <a href="#ref-for-authenticator①⓪②">(3)</a> <a href="#ref-for-authenticator①⓪③">(4)</a> <a href="#ref-for-authenticator①⓪④">(5)</a>
    <li><a href="#ref-for-authenticator①⓪⑤">6.1. Authenticator Data</a> <a href="#ref-for-authenticator①⓪⑥">(2)</a>
    <li><a href="#ref-for-authenticator①⓪⑦">6.2. Authenticator Taxonomy</a> <a href="#ref-for-authenticator①⓪⑧">(2)</a> <a href="#ref-for-authenticator①⓪⑨">(3)</a> <a href="#ref-for-authenticator①①⓪">(4)</a> <a href="#ref-for-authenticator①①①">(5)</a> <a href="#ref-for-authenticator①①②">(6)</a>
    <li><a href="#ref-for-authenticator①①③">6.2.1. Authenticator Attachment Modality</a> <a href="#ref-for-authenticator①①④">(2)</a> <a href="#ref-for-authenticator①①⑤">(3)</a> <a href="#ref-for-authenticator①①⑥">(4)</a> <a href="#ref-for-authenticator①①⑦">(5)</a> <a href="#ref-for-authenticator①①⑧">(6)</a>
    <li><a href="#ref-for-authenticator①①⑨">6.2.2. Credential Storage Modality</a> <a href="#ref-for-authenticator①②⓪">(2)</a> <a href="#ref-for-authenticator①②①">(3)</a> <a href="#ref-for-authenticator①②②">(4)</a> <a href="#ref-for-authenticator①②③">(5)</a> <a href="#ref-for-authenticator①②④">(6)</a> <a href="#ref-for-authenticator①②⑤">(7)</a> <a href="#ref-for-authenticator①②⑥">(8)</a> <a href="#ref-for-authenticator①②⑦">(9)</a> <a href="#ref-for-authenticator①②⑧">(10)</a> <a href="#ref-for-authenticator①②⑨">(11)</a> <a href="#ref-for-authenticator①③⓪">(12)</a> <a href="#ref-for-authenticator①③①">(13)</a> <a href="#ref-for-authenticator①③②">(14)</a> <a href="#ref-for-authenticator①③③">(15)</a>
    <li><a href="#ref-for-authenticator①③④">6.2.3. Authentication Factor Capability</a> <a href="#ref-for-authenticator①③⑤">(2)</a> <a href="#ref-for-authenticator①③⑥">(3)</a> <a href="#ref-for-authenticator①③⑦">(4)</a> <a href="#ref-for-authenticator①③⑧">(5)</a> <a href="#ref-for-authenticator①③⑨">(6)</a> <a href="#ref-for-authenticator①④⓪">(7)</a> <a href="#ref-for-authenticator①④①">(8)</a>
    <li><a href="#ref-for-authenticator①④②">6.3.1. Lookup Credential Source by Credential ID Algorithm</a>
    <li><a href="#ref-for-authenticator①④③">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-authenticator①④④">(2)</a> <a href="#ref-for-authenticator①④⑤">(3)</a> <a href="#ref-for-authenticator①④⑥">(4)</a> <a href="#ref-for-authenticator①④⑦">(5)</a> <a href="#ref-for-authenticator①④⑧">(6)</a>
    <li><a href="#ref-for-authenticator①④⑨">6.3.3. The authenticatorGetAssertion Operation</a> <a href="#ref-for-authenticator①⑤⓪">(2)</a> <a href="#ref-for-authenticator①⑤①">(3)</a> <a href="#ref-for-authenticator①⑤②">(4)</a> <a href="#ref-for-authenticator①⑤③">(5)</a>
    <li><a href="#ref-for-authenticator①⑤④">6.4.1. String Truncation</a> <a href="#ref-for-authenticator①⑤⑤">(2)</a>
    <li><a href="#ref-for-authenticator①⑤⑥">6.4.2. Language and Direction Encoding</a>
    <li><a href="#ref-for-authenticator①⑤⑦">6.5. Attestation</a> <a href="#ref-for-authenticator①⑤⑧">(2)</a> <a href="#ref-for-authenticator①⑤⑨">(3)</a> <a href="#ref-for-authenticator①⑥⓪">(4)</a> <a href="#ref-for-authenticator①⑥①">(5)</a> <a href="#ref-for-authenticator①⑥②">(6)</a> <a href="#ref-for-authenticator①⑥③">(7)</a> <a href="#ref-for-authenticator①⑥④">(8)</a> <a href="#ref-for-authenticator①⑥⑤">(9)</a> <a href="#ref-for-authenticator①⑥⑥">(10)</a> <a href="#ref-for-authenticator①⑥⑦">(11)</a>
    <li><a href="#ref-for-authenticator①⑥⑧">6.5.2. Attestation Statement Formats</a>
    <li><a href="#ref-for-authenticator①⑥⑨">6.5.3. Attestation Types</a> <a href="#ref-for-authenticator①⑦⓪">(2)</a> <a href="#ref-for-authenticator①⑦①">(3)</a> <a href="#ref-for-authenticator①⑦②">(4)</a> <a href="#ref-for-authenticator①⑦③">(5)</a> <a href="#ref-for-authenticator①⑦④">(6)</a>
    <li><a href="#ref-for-authenticator①⑦⑤">6.5.4. Generating an Attestation Object</a>
    <li><a href="#ref-for-authenticator①⑦⑥">6.5.5. Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures</a> <a href="#ref-for-authenticator①⑦⑦">(2)</a>
    <li><a href="#ref-for-authenticator①⑦⑧">7.1. Registering a New Credential</a> <a href="#ref-for-authenticator①⑦⑨">(2)</a> <a href="#ref-for-authenticator①⑧⓪">(3)</a> <a href="#ref-for-authenticator①⑧①">(4)</a>
    <li><a href="#ref-for-authenticator①⑧②">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-authenticator①⑧③">8.2. Packed Attestation Statement Format</a>
    <li><a href="#ref-for-authenticator①⑧④">8.4. Android Key Attestation Statement Format</a>
    <li><a href="#ref-for-authenticator①⑧⑤">8.5. Android SafetyNet Attestation Statement Format</a>
    <li><a href="#ref-for-authenticator①⑧⑥">8.7. None Attestation Statement Format</a> <a href="#ref-for-authenticator①⑧⑦">(2)</a> <a href="#ref-for-authenticator①⑧⑧">(3)</a>
    <li><a href="#ref-for-authenticator①⑧⑨">9. WebAuthn Extensions</a> <a href="#ref-for-authenticator①⑨⓪">(2)</a>
    <li><a href="#ref-for-authenticator①⑨①">10.3. User Verification Method Extension (uvm)</a>
    <li><a href="#ref-for-authenticator①⑨②">10.4. Credential Properties Extension (credProps)</a>
    <li><a href="#ref-for-authenticator①⑨③">10.5. Large blob storage extension (largeBlob)</a> <a href="#ref-for-authenticator①⑨④">(2)</a> <a href="#ref-for-authenticator①⑨⑤">(3)</a>
    <li><a href="#ref-for-authenticator①⑨⑥">13. Security Considerations</a> <a href="#ref-for-authenticator①⑨⑦">(2)</a> <a href="#ref-for-authenticator①⑨⑧">(3)</a> <a href="#ref-for-authenticator①⑨⑨">(4)</a>
    <li><a href="#ref-for-authenticator②⓪⓪">13.1. Credential ID Unsigned</a>
    <li><a href="#ref-for-authenticator②⓪①">13.2. Physical Proximity between Client and Authenticator</a> <a href="#ref-for-authenticator②⓪②">(2)</a> <a href="#ref-for-authenticator②⓪③">(3)</a> <a href="#ref-for-authenticator②⓪④">(4)</a> <a href="#ref-for-authenticator②⓪⑤">(5)</a> <a href="#ref-for-authenticator②⓪⑥">(6)</a> <a href="#ref-for-authenticator②⓪⑦">(7)</a> <a href="#ref-for-authenticator②⓪⑧">(8)</a> <a href="#ref-for-authenticator②⓪⑨">(9)</a> <a href="#ref-for-authenticator②①⓪">(10)</a>
    <li><a href="#ref-for-authenticator②①①">13.3. Security considerations for authenticators</a>
    <li><a href="#ref-for-authenticator②①②">13.3.2. Attestation Certificate and Attestation Certificate CA Compromise</a>
    <li><a href="#ref-for-authenticator②①③">13.4.1. Security Benefits for WebAuthn Relying Parties</a> <a href="#ref-for-authenticator②①④">(2)</a> <a href="#ref-for-authenticator②①⑤">(3)</a> <a href="#ref-for-authenticator②①⑥">(4)</a> <a href="#ref-for-authenticator②①⑦">(5)</a> <a href="#ref-for-authenticator②①⑧">(6)</a>
    <li><a href="#ref-for-authenticator②①⑨">13.4.4. Attestation Limitations</a> <a href="#ref-for-authenticator②②⓪">(2)</a> <a href="#ref-for-authenticator②②①">(3)</a> <a href="#ref-for-authenticator②②②">(4)</a> <a href="#ref-for-authenticator②②③">(5)</a> <a href="#ref-for-authenticator②②④">(6)</a> <a href="#ref-for-authenticator②②⑤">(7)</a> <a href="#ref-for-authenticator②②⑥">(8)</a>
    <li><a href="#ref-for-authenticator②②⑦">13.4.5. Revoked Attestation Certificates</a>
    <li><a href="#ref-for-authenticator②②⑧">13.4.6. Credential Loss and Key Mobility</a> <a href="#ref-for-authenticator②②⑨">(2)</a> <a href="#ref-for-authenticator②③⓪">(3)</a> <a href="#ref-for-authenticator②③①">(4)</a> <a href="#ref-for-authenticator②③②">(5)</a>
    <li><a href="#ref-for-authenticator②③③">14. Privacy Considerations</a>
    <li><a href="#ref-for-authenticator②③④">14.1. De-anonymization Prevention Measures</a> <a href="#ref-for-authenticator②③⑤">(2)</a> <a href="#ref-for-authenticator②③⑥">(3)</a> <a href="#ref-for-authenticator②③⑦">(4)</a> <a href="#ref-for-authenticator②③⑧">(5)</a> <a href="#ref-for-authenticator②③⑨">(6)</a> <a href="#ref-for-authenticator②④⓪">(7)</a>
    <li><a href="#ref-for-authenticator②④①">14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials</a> <a href="#ref-for-authenticator②④②">(2)</a> <a href="#ref-for-authenticator②④③">(3)</a> <a href="#ref-for-authenticator②④④">(4)</a> <a href="#ref-for-authenticator②④⑤">(5)</a>
    <li><a href="#ref-for-authenticator②④⑥">14.3. Authenticator-local Biometric Recognition</a>
    <li><a href="#ref-for-authenticator②④⑦">14.4. Privacy considerations for authenticators</a>
    <li><a href="#ref-for-authenticator②④⑧">14.4.1. Attestation Privacy</a> <a href="#ref-for-authenticator②④⑨">(2)</a> <a href="#ref-for-authenticator②⑤⓪">(3)</a> <a href="#ref-for-authenticator②⑤①">(4)</a> <a href="#ref-for-authenticator②⑤②">(5)</a>
    <li><a href="#ref-for-authenticator②⑤③">14.4.2. Privacy of personally identifying information Stored in Authenticators</a> <a href="#ref-for-authenticator②⑤④">(2)</a> <a href="#ref-for-authenticator②⑤⑤">(3)</a> <a href="#ref-for-authenticator②⑤⑥">(4)</a> <a href="#ref-for-authenticator②⑤⑦">(5)</a> <a href="#ref-for-authenticator②⑤⑧">(6)</a> <a href="#ref-for-authenticator②⑤⑨">(7)</a>
    <li><a href="#ref-for-authenticator②⑥⓪">14.5.1. Registration Ceremony Privacy</a> <a href="#ref-for-authenticator②⑥①">(2)</a> <a href="#ref-for-authenticator②⑥②">(3)</a> <a href="#ref-for-authenticator②⑥③">(4)</a> <a href="#ref-for-authenticator②⑥④">(5)</a> <a href="#ref-for-authenticator②⑥⑤">(6)</a>
    <li><a href="#ref-for-authenticator②⑥⑥">14.6.2. Username Enumeration</a>
    <li><a href="#ref-for-authenticator②⑥⑦">14.6.3. Privacy leak via credential IDs</a> <a href="#ref-for-authenticator②⑥⑧">(2)</a> <a href="#ref-for-authenticator②⑥⑨">(3)</a>
    <li><a href="#ref-for-authenticator②⑦⓪">15. Accessibility Considerations</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="webauthn-authenticator">
   <b><a href="#webauthn-authenticator">#webauthn-authenticator</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-webauthn-authenticator">1. Introduction</a>
    <li><a href="#ref-for-webauthn-authenticator①">2.2. Authenticators</a>
    <li><a href="#ref-for-webauthn-authenticator②">4. Terminology</a>
    <li><a href="#ref-for-webauthn-authenticator③">5. Web Authentication API</a>
    <li><a href="#ref-for-webauthn-authenticator④">6. WebAuthn Authenticator Model</a>
    <li><a href="#ref-for-webauthn-authenticator⑤">6.2.3. Authentication Factor Capability</a>
    <li><a href="#ref-for-webauthn-authenticator⑥">9. WebAuthn Extensions</a>
    <li><a href="#ref-for-webauthn-authenticator⑦">13. Security Considerations</a>
    <li><a href="#ref-for-webauthn-authenticator⑧">13.3.1. Attestation Certificate Hierarchy</a> <a href="#ref-for-webauthn-authenticator⑨">(2)</a>
    <li><a href="#ref-for-webauthn-authenticator①⓪">13.3.2. Attestation Certificate and Attestation Certificate CA Compromise</a> <a href="#ref-for-webauthn-authenticator①①">(2)</a> <a href="#ref-for-webauthn-authenticator①②">(3)</a> <a href="#ref-for-webauthn-authenticator①③">(4)</a> <a href="#ref-for-webauthn-authenticator①④">(5)</a> <a href="#ref-for-webauthn-authenticator①⑤">(6)</a>
    <li><a href="#ref-for-webauthn-authenticator①⑥">14.4.1. Attestation Privacy</a> <a href="#ref-for-webauthn-authenticator①⑦">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authorization-gesture">
   <b><a href="#authorization-gesture">#authorization-gesture</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authorization-gesture">1.2.1. Registration</a>
    <li><a href="#ref-for-authorization-gesture①">1.2.2. Authentication</a>
    <li><a href="#ref-for-authorization-gesture②">1.2.3. New Device Registration</a> <a href="#ref-for-authorization-gesture③">(2)</a>
    <li><a href="#ref-for-authorization-gesture④">1.2.4. Other Use Cases and Configurations</a>
    <li><a href="#ref-for-authorization-gesture⑤">1.3.1. Registration</a>
    <li><a href="#ref-for-authorization-gesture⑥">1.3.3. Authentication</a>
    <li><a href="#ref-for-authorization-gesture⑦">4. Terminology</a> <a href="#ref-for-authorization-gesture⑧">(2)</a> <a href="#ref-for-authorization-gesture⑨">(3)</a> <a href="#ref-for-authorization-gesture①⓪">(4)</a> <a href="#ref-for-authorization-gesture①①">(5)</a> <a href="#ref-for-authorization-gesture①②">(6)</a>
    <li><a href="#ref-for-authorization-gesture①③">5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method</a> <a href="#ref-for-authorization-gesture①④">(2)</a>
    <li><a href="#ref-for-authorization-gesture①⑤">5.1.6. Preventing Silent Access to an Existing Credential - PublicKeyCredential’s [[preventSilentAccess]](credential, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-authorization-gesture①⑥">6.1. Authenticator Data</a>
    <li><a href="#ref-for-authorization-gesture①⑦">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-authorization-gesture①⑧">(2)</a> <a href="#ref-for-authorization-gesture①⑨">(3)</a> <a href="#ref-for-authorization-gesture②⓪">(4)</a> <a href="#ref-for-authorization-gesture②①">(5)</a> <a href="#ref-for-authorization-gesture②②">(6)</a> <a href="#ref-for-authorization-gesture②③">(7)</a> <a href="#ref-for-authorization-gesture②④">(8)</a>
    <li><a href="#ref-for-authorization-gesture②⑤">6.3.3. The authenticatorGetAssertion Operation</a> <a href="#ref-for-authorization-gesture②⑥">(2)</a> <a href="#ref-for-authorization-gesture②⑦">(3)</a> <a href="#ref-for-authorization-gesture②⑧">(4)</a>
    <li><a href="#ref-for-authorization-gesture②⑨">11.2. Virtual Authenticators</a>
    <li><a href="#ref-for-authorization-gesture③⓪">15. Accessibility Considerations</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="biometric-recognition">
   <b><a href="#biometric-recognition">#biometric-recognition</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-biometric-recognition">4. Terminology</a> <a href="#ref-for-biometric-recognition①">(2)</a> <a href="#ref-for-biometric-recognition②">(3)</a>
    <li><a href="#ref-for-biometric-recognition③">6.2. Authenticator Taxonomy</a>
    <li><a href="#ref-for-biometric-recognition④">14.3. Authenticator-local Biometric Recognition</a> <a href="#ref-for-biometric-recognition⑤">(2)</a> <a href="#ref-for-biometric-recognition⑥">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="biometric-authenticator">
   <b><a href="#biometric-authenticator">#biometric-authenticator</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-biometric-authenticator">6.2.3. Authentication Factor Capability</a>
    <li><a href="#ref-for-biometric-authenticator①">14.3. Authenticator-local Biometric Recognition</a> <a href="#ref-for-biometric-authenticator②">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="bound-credential">
   <b><a href="#bound-credential">#bound-credential</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-bound-credential①">4. Terminology</a> <a href="#ref-for-bound-credential②">(2)</a> <a href="#ref-for-bound-credential③">(3)</a>
    <li><a href="#ref-for-bound-credential④">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-bound-credential⑤">(2)</a> <a href="#ref-for-bound-credential⑥">(3)</a>
    <li><a href="#ref-for-bound-credential⑦">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-bound-credential⑧">6.2.1. Authenticator Attachment Modality</a> <a href="#ref-for-bound-credential⑨">(2)</a>
    <li><a href="#ref-for-bound-credential①⓪">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-bound-credential①①">(2)</a>
    <li><a href="#ref-for-bound-credential①②">13.4.6. Credential Loss and Key Mobility</a> <a href="#ref-for-bound-credential①③">(2)</a>
    <li><a href="#ref-for-bound-credential①④">14.5.1. Registration Ceremony Privacy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="ceremony">
   <b><a href="#ceremony">#ceremony</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-ceremony">1. Introduction</a>
    <li><a href="#ref-for-ceremony①">4. Terminology</a> <a href="#ref-for-ceremony②">(2)</a> <a href="#ref-for-ceremony③">(3)</a> <a href="#ref-for-ceremony④">(4)</a> <a href="#ref-for-ceremony⑤">(5)</a> <a href="#ref-for-ceremony⑥">(6)</a> <a href="#ref-for-ceremony⑦">(7)</a>
    <li><a href="#ref-for-ceremony⑧">7. WebAuthn Relying Party Operations</a>
    <li><a href="#ref-for-ceremony⑨">13. Security Considerations</a>
    <li><a href="#ref-for-ceremony①⓪">14.5.1. Registration Ceremony Privacy</a>
    <li><a href="#ref-for-ceremony①①">14.5.2. Authentication Ceremony Privacy</a>
    <li><a href="#ref-for-ceremony①②">14.6.2. Username Enumeration</a> <a href="#ref-for-ceremony①③">(2)</a>
    <li><a href="#ref-for-ceremony①④">15. Accessibility Considerations</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client">
   <b><a href="#client">#client</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client">1.1. Specification Roadmap</a>
    <li><a href="#ref-for-client①">1.3.1. Registration</a> <a href="#ref-for-client②">(2)</a>
    <li><a href="#ref-for-client③">1.3.3. Authentication</a> <a href="#ref-for-client④">(2)</a> <a href="#ref-for-client⑤">(3)</a>
    <li><a href="#ref-for-client⑥">4. Terminology</a> <a href="#ref-for-client⑦">(2)</a> <a href="#ref-for-client⑧">(3)</a> <a href="#ref-for-client⑨">(4)</a> <a href="#ref-for-client①⓪">(5)</a> <a href="#ref-for-client①①">(6)</a> <a href="#ref-for-client①②">(7)</a> <a href="#ref-for-client①③">(8)</a> <a href="#ref-for-client①④">(9)</a> <a href="#ref-for-client①⑤">(10)</a> <a href="#ref-for-client①⑥">(11)</a>
    <li><a href="#ref-for-client①⑦">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-client①⑧">(2)</a> <a href="#ref-for-client①⑨">(3)</a> <a href="#ref-for-client②⓪">(4)</a> <a href="#ref-for-client②①">(5)</a>
    <li><a href="#ref-for-client②②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-client②③">(2)</a> <a href="#ref-for-client②④">(3)</a> <a href="#ref-for-client②⑤">(4)</a>
    <li><a href="#ref-for-client②⑥">5.1.7. Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable() Method</a>
    <li><a href="#ref-for-client②⑦">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a> <a href="#ref-for-client②⑧">(2)</a> <a href="#ref-for-client②⑨">(3)</a>
    <li><a href="#ref-for-client③⓪">5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a> <a href="#ref-for-client③①">(2)</a> <a href="#ref-for-client③②">(3)</a>
    <li><a href="#ref-for-client③③">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a> <a href="#ref-for-client③④">(2)</a>
    <li><a href="#ref-for-client③⑤">5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)</a>
    <li><a href="#ref-for-client③⑥">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
    <li><a href="#ref-for-client③⑦">5.7.3. Authentication Extensions Authenticator Inputs (CDDL type AuthenticationExtensionsAuthenticatorInputs)</a>
    <li><a href="#ref-for-client③⑧">5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)</a>
    <li><a href="#ref-for-client③⑨">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
    <li><a href="#ref-for-client④⓪">5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)</a>
    <li><a href="#ref-for-client④①">6. WebAuthn Authenticator Model</a> <a href="#ref-for-client④②">(2)</a>
    <li><a href="#ref-for-client④③">6.1. Authenticator Data</a> <a href="#ref-for-client④④">(2)</a>
    <li><a href="#ref-for-client④⑤">6.2. Authenticator Taxonomy</a>
    <li><a href="#ref-for-client④⑥">6.2.1. Authenticator Attachment Modality</a> <a href="#ref-for-client④⑦">(2)</a> <a href="#ref-for-client④⑧">(3)</a> <a href="#ref-for-client④⑨">(4)</a> <a href="#ref-for-client⑤⓪">(5)</a>
    <li><a href="#ref-for-client⑤①">6.2.2. Credential Storage Modality</a>
    <li><a href="#ref-for-client⑤②">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-client⑤③">(2)</a> <a href="#ref-for-client⑤④">(3)</a> <a href="#ref-for-client⑤⑤">(4)</a>
    <li><a href="#ref-for-client⑤⑥">7.1. Registering a New Credential</a> <a href="#ref-for-client⑤⑦">(2)</a>
    <li><a href="#ref-for-client⑤⑧">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-client⑤⑨">8.6. FIDO U2F Attestation Statement Format</a>
    <li><a href="#ref-for-client⑥⓪">9. WebAuthn Extensions</a> <a href="#ref-for-client⑥①">(2)</a> <a href="#ref-for-client⑥②">(3)</a> <a href="#ref-for-client⑥③">(4)</a>
    <li><a href="#ref-for-client⑥④">9.4. Client Extension Processing</a>
    <li><a href="#ref-for-client⑥⑤">10.4. Credential Properties Extension (credProps)</a>
    <li><a href="#ref-for-client⑥⑥">12.4. WebAuthn Extension Identifier Registrations</a>
    <li><a href="#ref-for-client⑥⑦">13. Security Considerations</a>
    <li><a href="#ref-for-client⑥⑧">13.2. Physical Proximity between Client and Authenticator</a> <a href="#ref-for-client⑥⑨">(2)</a> <a href="#ref-for-client⑦⓪">(3)</a> <a href="#ref-for-client⑦①">(4)</a> <a href="#ref-for-client⑦②">(5)</a> <a href="#ref-for-client⑦③">(6)</a> <a href="#ref-for-client⑦④">(7)</a> <a href="#ref-for-client⑦⑤">(8)</a>
    <li><a href="#ref-for-client⑦⑥">14. Privacy Considerations</a>
    <li><a href="#ref-for-client⑦⑦">14.1. De-anonymization Prevention Measures</a> <a href="#ref-for-client⑦⑧">(2)</a> <a href="#ref-for-client⑦⑨">(3)</a> <a href="#ref-for-client⑧⓪">(4)</a> <a href="#ref-for-client⑧①">(5)</a>
    <li><a href="#ref-for-client⑧②">14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials</a> <a href="#ref-for-client⑧③">(2)</a> <a href="#ref-for-client⑧④">(3)</a>
    <li><a href="#ref-for-client⑧⑤">14.3. Authenticator-local Biometric Recognition</a>
    <li><a href="#ref-for-client⑧⑥">14.4.2. Privacy of personally identifying information Stored in Authenticators</a> <a href="#ref-for-client⑧⑦">(2)</a>
    <li><a href="#ref-for-client⑧⑧">14.5. Privacy considerations for clients</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="webauthn-client">
   <b><a href="#webauthn-client">#webauthn-client</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-webauthn-client">1.1. Specification Roadmap</a>
    <li><a href="#ref-for-webauthn-client①">4. Terminology</a> <a href="#ref-for-webauthn-client②">(2)</a> <a href="#ref-for-webauthn-client③">(3)</a> <a href="#ref-for-webauthn-client④">(4)</a> <a href="#ref-for-webauthn-client⑤">(5)</a>
    <li><a href="#ref-for-webauthn-client⑥">6.3. Authenticator Operations</a>
    <li><a href="#ref-for-webauthn-client⑦">13. Security Considerations</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client-device">
   <b><a href="#client-device">#client-device</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-device">1.2.3. New Device Registration</a> <a href="#ref-for-client-device①">(2)</a> <a href="#ref-for-client-device②">(3)</a>
    <li><a href="#ref-for-client-device③">1.3. Sample API Usage Scenarios</a>
    <li><a href="#ref-for-client-device④">4. Terminology</a> <a href="#ref-for-client-device⑤">(2)</a> <a href="#ref-for-client-device⑥">(3)</a> <a href="#ref-for-client-device⑦">(4)</a> <a href="#ref-for-client-device⑧">(5)</a> <a href="#ref-for-client-device⑨">(6)</a> <a href="#ref-for-client-device①⓪">(7)</a> <a href="#ref-for-client-device①①">(8)</a>
    <li><a href="#ref-for-client-device①②">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-client-device①③">(2)</a>
    <li><a href="#ref-for-client-device①④">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-client-device①⑤">(2)</a>
    <li><a href="#ref-for-client-device①⑥">5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)</a> <a href="#ref-for-client-device①⑦">(2)</a>
    <li><a href="#ref-for-client-device①⑧">5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)</a> <a href="#ref-for-client-device①⑨">(2)</a>
    <li><a href="#ref-for-client-device②⓪">6. WebAuthn Authenticator Model</a> <a href="#ref-for-client-device②①">(2)</a>
    <li><a href="#ref-for-client-device②②">6.2. Authenticator Taxonomy</a> <a href="#ref-for-client-device②③">(2)</a> <a href="#ref-for-client-device②④">(3)</a> <a href="#ref-for-client-device②⑤">(4)</a> <a href="#ref-for-client-device②⑥">(5)</a> <a href="#ref-for-client-device②⑦">(6)</a> <a href="#ref-for-client-device②⑧">(7)</a>
    <li><a href="#ref-for-client-device②⑨">6.2.1. Authenticator Attachment Modality</a> <a href="#ref-for-client-device③⓪">(2)</a> <a href="#ref-for-client-device③①">(3)</a> <a href="#ref-for-client-device③②">(4)</a> <a href="#ref-for-client-device③③">(5)</a> <a href="#ref-for-client-device③④">(6)</a> <a href="#ref-for-client-device③⑤">(7)</a> <a href="#ref-for-client-device③⑥">(8)</a> <a href="#ref-for-client-device③⑦">(9)</a> <a href="#ref-for-client-device③⑧">(10)</a> <a href="#ref-for-client-device③⑨">(11)</a> <a href="#ref-for-client-device④⓪">(12)</a> <a href="#ref-for-client-device④①">(13)</a> <a href="#ref-for-client-device④②">(14)</a>
    <li><a href="#ref-for-client-device④③">6.2.2. Credential Storage Modality</a>
    <li><a href="#ref-for-client-device④④">13.4.6. Credential Loss and Key Mobility</a> <a href="#ref-for-client-device④⑤">(2)</a>
    <li><a href="#ref-for-client-device④⑥">14.5.3. Privacy Between Operating System Accounts</a> <a href="#ref-for-client-device④⑦">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="webauthn-client-device">
   <b><a href="#webauthn-client-device">#webauthn-client-device</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-webauthn-client-device">4. Terminology</a> <a href="#ref-for-webauthn-client-device①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client-platform">
   <b><a href="#client-platform">#client-platform</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-platform">1.3. Sample API Usage Scenarios</a> <a href="#ref-for-client-platform①">(2)</a> <a href="#ref-for-client-platform②">(3)</a>
    <li><a href="#ref-for-client-platform③">1.3.1. Registration</a>
    <li><a href="#ref-for-client-platform④">1.3.3. Authentication</a>
    <li><a href="#ref-for-client-platform⑤">2.1.1. Enumerations as DOMString types</a>
    <li><a href="#ref-for-client-platform⑥">4. Terminology</a> <a href="#ref-for-client-platform⑦">(2)</a> <a href="#ref-for-client-platform⑧">(3)</a> <a href="#ref-for-client-platform⑨">(4)</a> <a href="#ref-for-client-platform①⓪">(5)</a> <a href="#ref-for-client-platform①①">(6)</a>
    <li><a href="#ref-for-client-platform①②">5. Web Authentication API</a> <a href="#ref-for-client-platform①③">(2)</a>
    <li><a href="#ref-for-client-platform①④">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-client-platform①⑤">(2)</a> <a href="#ref-for-client-platform①⑥">(3)</a> <a href="#ref-for-client-platform①⑦">(4)</a>
    <li><a href="#ref-for-client-platform①⑧">5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method</a>
    <li><a href="#ref-for-client-platform①⑨">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-client-platform②⓪">(2)</a> <a href="#ref-for-client-platform②①">(3)</a> <a href="#ref-for-client-platform②②">(4)</a> <a href="#ref-for-client-platform②③">(5)</a> <a href="#ref-for-client-platform②④">(6)</a>
    <li><a href="#ref-for-client-platform②⑤">5.1.7. Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable() Method</a>
    <li><a href="#ref-for-client-platform②⑥">5.3. Parameters for Credential Generation (dictionary PublicKeyCredentialParameters)</a>
    <li><a href="#ref-for-client-platform②⑦">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-client-platform②⑧">5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a>
    <li><a href="#ref-for-client-platform②⑨">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a>
    <li><a href="#ref-for-client-platform③⓪">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a> <a href="#ref-for-client-platform③①">(2)</a> <a href="#ref-for-client-platform③②">(3)</a>
    <li><a href="#ref-for-client-platform③③">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
    <li><a href="#ref-for-client-platform③④">5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)</a> <a href="#ref-for-client-platform③⑤">(2)</a>
    <li><a href="#ref-for-client-platform③⑥">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a> <a href="#ref-for-client-platform③⑦">(2)</a>
    <li><a href="#ref-for-client-platform③⑧">6. WebAuthn Authenticator Model</a> <a href="#ref-for-client-platform③⑨">(2)</a>
    <li><a href="#ref-for-client-platform④⓪">6.1. Authenticator Data</a>
    <li><a href="#ref-for-client-platform④①">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-client-platform④②">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-client-platform④③">9. WebAuthn Extensions</a>
    <li><a href="#ref-for-client-platform④④">10.2. FIDO AppID Exclusion Extension (appidExclude)</a>
    <li><a href="#ref-for-client-platform④⑤">10.4. Credential Properties Extension (credProps)</a> <a href="#ref-for-client-platform④⑥">(2)</a> <a href="#ref-for-client-platform④⑦">(3)</a>
    <li><a href="#ref-for-client-platform④⑧">13.4.2. Visibility Considerations for Embedded Usage</a>
    <li><a href="#ref-for-client-platform④⑨">15. Accessibility Considerations</a> <a href="#ref-for-client-platform⑤⓪">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client-side">
   <b><a href="#client-side">#client-side</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-side">4. Terminology</a> <a href="#ref-for-client-side①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client-side-discoverable-public-key-credential-source">
   <b><a href="#client-side-discoverable-public-key-credential-source">#client-side-discoverable-public-key-credential-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-side-discoverable-public-key-credential-source">4. Terminology</a>
    <li><a href="#ref-for-client-side-discoverable-public-key-credential-source①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-client-side-discoverable-public-key-credential-source②">(2)</a>
    <li><a href="#ref-for-client-side-discoverable-public-key-credential-source③">6.2.2. Credential Storage Modality</a> <a href="#ref-for-client-side-discoverable-public-key-credential-source④">(2)</a>
    <li><a href="#ref-for-client-side-discoverable-public-key-credential-source⑤">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-client-side-discoverable-public-key-credential-source⑥">(2)</a>
    <li><a href="#ref-for-client-side-discoverable-public-key-credential-source⑦">11.5. Add Credential</a>
    <li><a href="#ref-for-client-side-discoverable-public-key-credential-source⑧">14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client-side-discoverable-credential">
   <b><a href="#client-side-discoverable-credential">#client-side-discoverable-credential</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-side-discoverable-credential">4. Terminology</a> <a href="#ref-for-client-side-discoverable-credential①">(2)</a> <a href="#ref-for-client-side-discoverable-credential②">(3)</a> <a href="#ref-for-client-side-discoverable-credential③">(4)</a> <a href="#ref-for-client-side-discoverable-credential④">(5)</a> <a href="#ref-for-client-side-discoverable-credential⑤">(6)</a>
    <li><a href="#ref-for-client-side-discoverable-credential⑥">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a>
    <li><a href="#ref-for-client-side-discoverable-credential⑦">5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)</a> <a href="#ref-for-client-side-discoverable-credential⑧">(2)</a> <a href="#ref-for-client-side-discoverable-credential⑨">(3)</a> <a href="#ref-for-client-side-discoverable-credential①⓪">(4)</a> <a href="#ref-for-client-side-discoverable-credential①①">(5)</a> <a href="#ref-for-client-side-discoverable-credential①②">(6)</a> <a href="#ref-for-client-side-discoverable-credential①③">(7)</a> <a href="#ref-for-client-side-discoverable-credential①④">(8)</a>
    <li><a href="#ref-for-client-side-discoverable-credential①⑤">10.4. Credential Properties Extension (credProps)</a>
    <li><a href="#ref-for-client-side-discoverable-credential①⑥">11.2. Virtual Authenticators</a>
    <li><a href="#ref-for-client-side-discoverable-credential①⑦">11.5. Add Credential</a>
    <li><a href="#ref-for-client-side-discoverable-credential①⑧">14.6.3. Privacy leak via credential IDs</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="discoverable-credential">
   <b><a href="#discoverable-credential">#discoverable-credential</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-discoverable-credential">4. Terminology</a> <a href="#ref-for-discoverable-credential①">(2)</a>
    <li><a href="#ref-for-discoverable-credential②">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a>
    <li><a href="#ref-for-discoverable-credential③">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a>
    <li><a href="#ref-for-discoverable-credential④">10.4. Credential Properties Extension (credProps)</a> <a href="#ref-for-discoverable-credential⑤">(2)</a> <a href="#ref-for-discoverable-credential⑥">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="resident-credential">
   <b><a href="#resident-credential">#resident-credential</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-resident-credential">4. Terminology</a>
    <li><a href="#ref-for-resident-credential①">5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="resident-key">
   <b><a href="#resident-key">#resident-key</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-resident-key">4. Terminology</a> <a href="#ref-for-resident-key①">(2)</a>
    <li><a href="#ref-for-resident-key②">5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="conforming-user-agent">
   <b><a href="#conforming-user-agent">#conforming-user-agent</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-conforming-user-agent">1. Introduction</a>
    <li><a href="#ref-for-conforming-user-agent①">2.1. User Agents</a>
    <li><a href="#ref-for-conforming-user-agent②">2.2. Authenticators</a>
    <li><a href="#ref-for-conforming-user-agent③">4. Terminology</a>
    <li><a href="#ref-for-conforming-user-agent④">6.4.1. String Truncation</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="credential-id">
   <b><a href="#credential-id">#credential-id</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-credential-id">1.3.1. Registration</a>
    <li><a href="#ref-for-credential-id①">1.3.3. Authentication</a> <a href="#ref-for-credential-id②">(2)</a> <a href="#ref-for-credential-id③">(3)</a>
    <li><a href="#ref-for-credential-id④">4. Terminology</a> <a href="#ref-for-credential-id⑤">(2)</a> <a href="#ref-for-credential-id⑥">(3)</a> <a href="#ref-for-credential-id⑦">(4)</a> <a href="#ref-for-credential-id⑧">(5)</a> <a href="#ref-for-credential-id⑨">(6)</a> <a href="#ref-for-credential-id①⓪">(7)</a> <a href="#ref-for-credential-id①①">(8)</a> <a href="#ref-for-credential-id①②">(9)</a> <a href="#ref-for-credential-id①③">(10)</a> <a href="#ref-for-credential-id①④">(11)</a>
    <li><a href="#ref-for-credential-id①⑤">5.1. PublicKeyCredential Interface</a> <a href="#ref-for-credential-id①⑥">(2)</a>
    <li><a href="#ref-for-credential-id①⑦">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-credential-id①⑧">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-credential-id①⑨">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
    <li><a href="#ref-for-credential-id②⓪">6.2.2. Credential Storage Modality</a> <a href="#ref-for-credential-id②①">(2)</a> <a href="#ref-for-credential-id②②">(3)</a>
    <li><a href="#ref-for-credential-id②③">6.3.1. Lookup Credential Source by Credential ID Algorithm</a>
    <li><a href="#ref-for-credential-id②④">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-credential-id②⑤">6.3.3. The authenticatorGetAssertion Operation</a>
    <li><a href="#ref-for-credential-id②⑥">6.5.1. Attested Credential Data</a>
    <li><a href="#ref-for-credential-id②⑦">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-credential-id②⑧">8.6. FIDO U2F Attestation Statement Format</a>
    <li><a href="#ref-for-credential-id②⑨">10.1. FIDO AppID Extension (appid)</a>
    <li><a href="#ref-for-credential-id③⓪">10.2. FIDO AppID Exclusion Extension (appidExclude)</a>
    <li><a href="#ref-for-credential-id③①">13.1. Credential ID Unsigned</a> <a href="#ref-for-credential-id③②">(2)</a> <a href="#ref-for-credential-id③③">(3)</a>
    <li><a href="#ref-for-credential-id③④">14.1. De-anonymization Prevention Measures</a>
    <li><a href="#ref-for-credential-id③⑤">14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials</a> <a href="#ref-for-credential-id③⑥">(2)</a> <a href="#ref-for-credential-id③⑦">(3)</a>
    <li><a href="#ref-for-credential-id③⑧">14.6.3. Privacy leak via credential IDs</a> <a href="#ref-for-credential-id③⑨">(2)</a> <a href="#ref-for-credential-id④⓪">(3)</a> <a href="#ref-for-credential-id④①">(4)</a> <a href="#ref-for-credential-id④②">(5)</a> <a href="#ref-for-credential-id④③">(6)</a> <a href="#ref-for-credential-id④④">(7)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="credential-key-pair">
   <b><a href="#credential-key-pair">#credential-key-pair</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-credential-key-pair">4. Terminology</a> <a href="#ref-for-credential-key-pair①">(2)</a> <a href="#ref-for-credential-key-pair②">(3)</a> <a href="#ref-for-credential-key-pair③">(4)</a> <a href="#ref-for-credential-key-pair④">(5)</a>
    <li><a href="#ref-for-credential-key-pair⑤">14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="credential-private-key">
   <b><a href="#credential-private-key">#credential-private-key</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-credential-private-key">4. Terminology</a> <a href="#ref-for-credential-private-key①">(2)</a> <a href="#ref-for-credential-private-key②">(3)</a> <a href="#ref-for-credential-private-key③">(4)</a> <a href="#ref-for-credential-private-key④">(5)</a> <a href="#ref-for-credential-private-key⑤">(6)</a> <a href="#ref-for-credential-private-key⑥">(7)</a>
    <li><a href="#ref-for-credential-private-key⑦">5.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-credential-private-key⑧">5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
    <li><a href="#ref-for-credential-private-key⑨">6. WebAuthn Authenticator Model</a>
    <li><a href="#ref-for-credential-private-key①⓪">6.2. Authenticator Taxonomy</a> <a href="#ref-for-credential-private-key①①">(2)</a>
    <li><a href="#ref-for-credential-private-key①②">6.2.2. Credential Storage Modality</a> <a href="#ref-for-credential-private-key①③">(2)</a> <a href="#ref-for-credential-private-key①④">(3)</a> <a href="#ref-for-credential-private-key①⑤">(4)</a> <a href="#ref-for-credential-private-key①⑥">(5)</a>
    <li><a href="#ref-for-credential-private-key①⑦">6.5. Attestation</a> <a href="#ref-for-credential-private-key①⑧">(2)</a>
    <li><a href="#ref-for-credential-private-key①⑨">6.5.3. Attestation Types</a>
    <li><a href="#ref-for-credential-private-key②⓪">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-credential-private-key②①">13.4.4. Attestation Limitations</a> <a href="#ref-for-credential-private-key②②">(2)</a>
    <li><a href="#ref-for-credential-private-key②③">13.4.6. Credential Loss and Key Mobility</a> <a href="#ref-for-credential-private-key②④">(2)</a>
    <li><a href="#ref-for-credential-private-key②⑤">14.1. De-anonymization Prevention Measures</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="credential-public-key">
   <b><a href="#credential-public-key">#credential-public-key</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-credential-public-key">1.3.1. Registration</a> <a href="#ref-for-credential-public-key①">(2)</a>
    <li><a href="#ref-for-credential-public-key②">4. Terminology</a> <a href="#ref-for-credential-public-key③">(2)</a> <a href="#ref-for-credential-public-key④">(3)</a> <a href="#ref-for-credential-public-key⑤">(4)</a> <a href="#ref-for-credential-public-key⑥">(5)</a> <a href="#ref-for-credential-public-key⑦">(6)</a> <a href="#ref-for-credential-public-key⑧">(7)</a> <a href="#ref-for-credential-public-key⑨">(8)</a> <a href="#ref-for-credential-public-key①⓪">(9)</a> <a href="#ref-for-credential-public-key①①">(10)</a>
    <li><a href="#ref-for-credential-public-key①②">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-credential-public-key①③">5.2.1.1. Easily accessing credential data</a> <a href="#ref-for-credential-public-key①④">(2)</a> <a href="#ref-for-credential-public-key①⑤">(3)</a> <a href="#ref-for-credential-public-key①⑥">(4)</a> <a href="#ref-for-credential-public-key①⑦">(5)</a> <a href="#ref-for-credential-public-key①⑧">(6)</a> <a href="#ref-for-credential-public-key①⑨">(7)</a> <a href="#ref-for-credential-public-key②⓪">(8)</a>
    <li><a href="#ref-for-credential-public-key②①">5.8.5. Cryptographic Algorithm Identifier (typedef COSEAlgorithmIdentifier)</a>
    <li><a href="#ref-for-credential-public-key②②">6. WebAuthn Authenticator Model</a>
    <li><a href="#ref-for-credential-public-key②③">6.5. Attestation</a> <a href="#ref-for-credential-public-key②④">(2)</a> <a href="#ref-for-credential-public-key②⑤">(3)</a>
    <li><a href="#ref-for-credential-public-key②⑥">6.5.1. Attested Credential Data</a> <a href="#ref-for-credential-public-key②⑦">(2)</a> <a href="#ref-for-credential-public-key②⑧">(3)</a>
    <li><a href="#ref-for-credential-public-key②⑨">7.2. Verifying an Authentication Assertion</a> <a href="#ref-for-credential-public-key③⓪">(2)</a>
    <li><a href="#ref-for-credential-public-key③①">8.6. FIDO U2F Attestation Statement Format</a>
    <li><a href="#ref-for-credential-public-key③②">8.8. Apple Anonymous Attestation Statement Format</a> <a href="#ref-for-credential-public-key③③">(2)</a>
    <li><a href="#ref-for-credential-public-key③④">13.1. Credential ID Unsigned</a>
    <li><a href="#ref-for-credential-public-key③⑤">13.4.4. Attestation Limitations</a> <a href="#ref-for-credential-public-key③⑥">(2)</a>
    <li><a href="#ref-for-credential-public-key③⑦">14.1. De-anonymization Prevention Measures</a>
    <li><a href="#ref-for-credential-public-key③⑧">14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials</a> <a href="#ref-for-credential-public-key③⑨">(2)</a> <a href="#ref-for-credential-public-key④⓪">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="user-public-key">
   <b><a href="#user-public-key">#user-public-key</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-user-public-key">4. Terminology</a>
    <li><a href="#ref-for-user-public-key①">8.6. FIDO U2F Attestation Statement Format</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="credential-properties">
   <b><a href="#credential-properties">#credential-properties</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-credential-properties">4. Terminology</a>
    <li><a href="#ref-for-credential-properties①">10.4. Credential Properties Extension (credProps)</a> <a href="#ref-for-credential-properties②">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="human-palatability">
   <b><a href="#human-palatability">#human-palatability</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-human-palatability">4. Terminology</a>
    <li><a href="#ref-for-human-palatability①">5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a> <a href="#ref-for-human-palatability②">(2)</a> <a href="#ref-for-human-palatability③">(3)</a>
    <li><a href="#ref-for-human-palatability④">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="non-discoverable-credential">
   <b><a href="#non-discoverable-credential">#non-discoverable-credential</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-non-discoverable-credential">4. Terminology</a> <a href="#ref-for-non-discoverable-credential①">(2)</a>
    <li><a href="#ref-for-non-discoverable-credential②">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a>
    <li><a href="#ref-for-non-discoverable-credential③">10.4. Credential Properties Extension (credProps)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="public-key-credential-source">
   <b><a href="#public-key-credential-source">#public-key-credential-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-public-key-credential-source">4. Terminology</a> <a href="#ref-for-public-key-credential-source①">(2)</a> <a href="#ref-for-public-key-credential-source②">(3)</a> <a href="#ref-for-public-key-credential-source③">(4)</a> <a href="#ref-for-public-key-credential-source④">(5)</a> <a href="#ref-for-public-key-credential-source⑤">(6)</a> <a href="#ref-for-public-key-credential-source⑥">(7)</a> <a href="#ref-for-public-key-credential-source⑦">(8)</a> <a href="#ref-for-public-key-credential-source⑧">(9)</a> <a href="#ref-for-public-key-credential-source⑨">(10)</a> <a href="#ref-for-public-key-credential-source①⓪">(11)</a> <a href="#ref-for-public-key-credential-source①①">(12)</a> <a href="#ref-for-public-key-credential-source①②">(13)</a> <a href="#ref-for-public-key-credential-source①③">(14)</a> <a href="#ref-for-public-key-credential-source①④">(15)</a> <a href="#ref-for-public-key-credential-source①⑤">(16)</a> <a href="#ref-for-public-key-credential-source①⑥">(17)</a> <a href="#ref-for-public-key-credential-source①⑦">(18)</a> <a href="#ref-for-public-key-credential-source①⑧">(19)</a> <a href="#ref-for-public-key-credential-source①⑨">(20)</a> <a href="#ref-for-public-key-credential-source②⓪">(21)</a>
    <li><a href="#ref-for-public-key-credential-source②①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-public-key-credential-source②②">6. WebAuthn Authenticator Model</a>
    <li><a href="#ref-for-public-key-credential-source②③">6.2.2. Credential Storage Modality</a> <a href="#ref-for-public-key-credential-source②④">(2)</a>
    <li><a href="#ref-for-public-key-credential-source②⑤">6.3.1. Lookup Credential Source by Credential ID Algorithm</a> <a href="#ref-for-public-key-credential-source②⑥">(2)</a>
    <li><a href="#ref-for-public-key-credential-source②⑦">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-public-key-credential-source②⑧">6.3.3. The authenticatorGetAssertion Operation</a> <a href="#ref-for-public-key-credential-source②⑨">(2)</a>
    <li><a href="#ref-for-public-key-credential-source③⓪">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-public-key-credential-source③①">10.4. Credential Properties Extension (credProps)</a>
    <li><a href="#ref-for-public-key-credential-source③②">11.5. Add Credential</a> <a href="#ref-for-public-key-credential-source③③">(2)</a> <a href="#ref-for-public-key-credential-source③④">(3)</a>
    <li><a href="#ref-for-public-key-credential-source③⑤">11.6. Get Credentials</a> <a href="#ref-for-public-key-credential-source③⑥">(2)</a>
    <li><a href="#ref-for-public-key-credential-source③⑦">11.7. Remove Credential</a> <a href="#ref-for-public-key-credential-source③⑧">(2)</a> <a href="#ref-for-public-key-credential-source③⑨">(3)</a>
    <li><a href="#ref-for-public-key-credential-source④⓪">11.8. Remove All Credentials</a> <a href="#ref-for-public-key-credential-source④①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="public-key-credential-source-type">
   <b><a href="#public-key-credential-source-type">#public-key-credential-source-type</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-public-key-credential-source-type">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-public-key-credential-source-type①">(2)</a>
    <li><a href="#ref-for-public-key-credential-source-type②">11.5. Add Credential</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="public-key-credential-source-id">
   <b><a href="#public-key-credential-source-id">#public-key-credential-source-id</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-public-key-credential-source-id">6.3.1. Lookup Credential Source by Credential ID Algorithm</a> <a href="#ref-for-public-key-credential-source-id①">(2)</a>
    <li><a href="#ref-for-public-key-credential-source-id②">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-public-key-credential-source-id③">6.3.3. The authenticatorGetAssertion Operation</a>
    <li><a href="#ref-for-public-key-credential-source-id④">11.5. Add Credential</a> <a href="#ref-for-public-key-credential-source-id⑤">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="public-key-credential-source-privatekey">
   <b><a href="#public-key-credential-source-privatekey">#public-key-credential-source-privatekey</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-public-key-credential-source-privatekey">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-public-key-credential-source-privatekey①">6.3.3. The authenticatorGetAssertion Operation</a>
    <li><a href="#ref-for-public-key-credential-source-privatekey②">11.5. Add Credential</a> <a href="#ref-for-public-key-credential-source-privatekey③">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="public-key-credential-source-rpid">
   <b><a href="#public-key-credential-source-rpid">#public-key-credential-source-rpid</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-public-key-credential-source-rpid">6. WebAuthn Authenticator Model</a>
    <li><a href="#ref-for-public-key-credential-source-rpid①">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-public-key-credential-source-rpid②">6.3.3. The authenticatorGetAssertion Operation</a>
    <li><a href="#ref-for-public-key-credential-source-rpid③">11.5. Add Credential</a> <a href="#ref-for-public-key-credential-source-rpid④">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="public-key-credential-source-userhandle">
   <b><a href="#public-key-credential-source-userhandle">#public-key-credential-source-userhandle</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-public-key-credential-source-userhandle">6. WebAuthn Authenticator Model</a>
    <li><a href="#ref-for-public-key-credential-source-userhandle①">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-public-key-credential-source-userhandle②">6.3.3. The authenticatorGetAssertion Operation</a> <a href="#ref-for-public-key-credential-source-userhandle③">(2)</a>
    <li><a href="#ref-for-public-key-credential-source-userhandle④">11.5. Add Credential</a> <a href="#ref-for-public-key-credential-source-userhandle⑤">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="public-key-credential-source-otherui">
   <b><a href="#public-key-credential-source-otherui">#public-key-credential-source-otherui</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-public-key-credential-source-otherui">4. Terminology</a> <a href="#ref-for-public-key-credential-source-otherui①">(2)</a>
    <li><a href="#ref-for-public-key-credential-source-otherui②">6.3.2. The authenticatorMakeCredential Operation</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="public-key-credential-source-mutable-item">
   <b><a href="#public-key-credential-source-mutable-item">#public-key-credential-source-mutable-item</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-public-key-credential-source-mutable-item">4. Terminology</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="public-key-credential-source-managing-authenticator">
   <b><a href="#public-key-credential-source-managing-authenticator">#public-key-credential-source-managing-authenticator</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-public-key-credential-source-managing-authenticator">4. Terminology</a> <a href="#ref-for-public-key-credential-source-managing-authenticator①">(2)</a> <a href="#ref-for-public-key-credential-source-managing-authenticator②">(3)</a> <a href="#ref-for-public-key-credential-source-managing-authenticator③">(4)</a>
    <li><a href="#ref-for-public-key-credential-source-managing-authenticator④">5. Web Authentication API</a> <a href="#ref-for-public-key-credential-source-managing-authenticator⑤">(2)</a>
    <li><a href="#ref-for-public-key-credential-source-managing-authenticator⑥">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="public-key-credential">
   <b><a href="#public-key-credential">#public-key-credential</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-public-key-credential②">1. Introduction</a> <a href="#ref-for-public-key-credential③">(2)</a> <a href="#ref-for-public-key-credential④">(3)</a> <a href="#ref-for-public-key-credential⑤">(4)</a> <a href="#ref-for-public-key-credential⑥">(5)</a>
    <li><a href="#ref-for-public-key-credential⑦">1.3. Sample API Usage Scenarios</a>
    <li><a href="#ref-for-public-key-credential⑧">1.3.2. Registration Specifically with User-Verifying Platform Authenticator</a>
    <li><a href="#ref-for-public-key-credential⑨">4. Terminology</a> <a href="#ref-for-public-key-credential①⓪">(2)</a> <a href="#ref-for-public-key-credential①①">(3)</a> <a href="#ref-for-public-key-credential①②">(4)</a> <a href="#ref-for-public-key-credential①③">(5)</a> <a href="#ref-for-public-key-credential①④">(6)</a> <a href="#ref-for-public-key-credential①⑤">(7)</a> <a href="#ref-for-public-key-credential①⑥">(8)</a> <a href="#ref-for-public-key-credential①⑦">(9)</a> <a href="#ref-for-public-key-credential①⑧">(10)</a> <a href="#ref-for-public-key-credential①⑨">(11)</a>
    <li><a href="#ref-for-public-key-credential②⓪">5. Web Authentication API</a> <a href="#ref-for-public-key-credential②①">(2)</a> <a href="#ref-for-public-key-credential②②">(3)</a> <a href="#ref-for-public-key-credential②③">(4)</a>
    <li><a href="#ref-for-public-key-credential②④">5.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-public-key-credential②⑤">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-public-key-credential②⑥">5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method</a>
    <li><a href="#ref-for-public-key-credential②⑦">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-public-key-credential②⑧">(2)</a> <a href="#ref-for-public-key-credential②⑨">(3)</a>
    <li><a href="#ref-for-public-key-credential③⓪">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-public-key-credential③①">5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a>
    <li><a href="#ref-for-public-key-credential③②">5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)</a>
    <li><a href="#ref-for-public-key-credential③③">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
    <li><a href="#ref-for-public-key-credential③④">5.8. Supporting Data Structures</a>
    <li><a href="#ref-for-public-key-credential③⑤">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a> <a href="#ref-for-public-key-credential③⑥">(2)</a> <a href="#ref-for-public-key-credential③⑦">(3)</a> <a href="#ref-for-public-key-credential③⑧">(4)</a>
    <li><a href="#ref-for-public-key-credential③⑨">5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)</a>
    <li><a href="#ref-for-public-key-credential④⓪">6. WebAuthn Authenticator Model</a> <a href="#ref-for-public-key-credential④①">(2)</a>
    <li><a href="#ref-for-public-key-credential④②">6.1. Authenticator Data</a> <a href="#ref-for-public-key-credential④③">(2)</a>
    <li><a href="#ref-for-public-key-credential④④">6.2.1. Authenticator Attachment Modality</a> <a href="#ref-for-public-key-credential④⑤">(2)</a> <a href="#ref-for-public-key-credential④⑥">(3)</a>
    <li><a href="#ref-for-public-key-credential④⑦">6.2.2. Credential Storage Modality</a>
    <li><a href="#ref-for-public-key-credential④⑧">6.3.3. The authenticatorGetAssertion Operation</a>
    <li><a href="#ref-for-public-key-credential④⑨">6.5. Attestation</a> <a href="#ref-for-public-key-credential⑤⓪">(2)</a>
    <li><a href="#ref-for-public-key-credential⑤①">6.5.2. Attestation Statement Formats</a>
    <li><a href="#ref-for-public-key-credential⑤②">6.5.3. Attestation Types</a>
    <li><a href="#ref-for-public-key-credential⑤③">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-public-key-credential⑤④">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-public-key-credential⑤⑤">8.6. FIDO U2F Attestation Statement Format</a>
    <li><a href="#ref-for-public-key-credential⑤⑥">9. WebAuthn Extensions</a> <a href="#ref-for-public-key-credential⑤⑦">(2)</a>
    <li><a href="#ref-for-public-key-credential⑤⑧">13.4.4. Attestation Limitations</a>
    <li><a href="#ref-for-public-key-credential⑤⑨">13.4.5. Revoked Attestation Certificates</a> <a href="#ref-for-public-key-credential⑥⓪">(2)</a>
    <li><a href="#ref-for-public-key-credential⑥①">13.4.6. Credential Loss and Key Mobility</a> <a href="#ref-for-public-key-credential⑥②">(2)</a> <a href="#ref-for-public-key-credential⑥③">(3)</a> <a href="#ref-for-public-key-credential⑥④">(4)</a> <a href="#ref-for-public-key-credential⑥⑤">(5)</a>
    <li><a href="#ref-for-public-key-credential⑥⑥">14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials</a> <a href="#ref-for-public-key-credential⑥⑦">(2)</a> <a href="#ref-for-public-key-credential⑥⑧">(3)</a> <a href="#ref-for-public-key-credential⑥⑨">(4)</a> <a href="#ref-for-public-key-credential⑦⓪">(5)</a> <a href="#ref-for-public-key-credential⑦①">(6)</a>
    <li><a href="#ref-for-public-key-credential⑦②">14.3. Authenticator-local Biometric Recognition</a>
    <li><a href="#ref-for-public-key-credential⑦③">14.5.1. Registration Ceremony Privacy</a> <a href="#ref-for-public-key-credential⑦④">(2)</a> <a href="#ref-for-public-key-credential⑦⑤">(3)</a>
    <li><a href="#ref-for-public-key-credential⑦⑥">14.5.2. Authentication Ceremony Privacy</a> <a href="#ref-for-public-key-credential⑦⑦">(2)</a> <a href="#ref-for-public-key-credential⑦⑧">(3)</a> <a href="#ref-for-public-key-credential⑦⑨">(4)</a> <a href="#ref-for-public-key-credential⑧⓪">(5)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="rate-limiting">
   <b><a href="#rate-limiting">#rate-limiting</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-rate-limiting">4. Terminology</a> <a href="#ref-for-rate-limiting①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="registration">
   <b><a href="#registration">#registration</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-registration">1. Introduction</a> <a href="#ref-for-registration①">(2)</a>
    <li><a href="#ref-for-registration②">1.1. Specification Roadmap</a>
    <li><a href="#ref-for-registration③">4. Terminology</a> <a href="#ref-for-registration④">(2)</a> <a href="#ref-for-registration⑤">(3)</a> <a href="#ref-for-registration⑥">(4)</a> <a href="#ref-for-registration⑦">(5)</a> <a href="#ref-for-registration⑧">(6)</a> <a href="#ref-for-registration⑨">(7)</a> <a href="#ref-for-registration①⓪">(8)</a> <a href="#ref-for-registration①①">(9)</a> <a href="#ref-for-registration①②">(10)</a>
    <li><a href="#ref-for-registration①③">6.2.3. Authentication Factor Capability</a>
    <li><a href="#ref-for-registration①④">13. Security Considerations</a>
    <li><a href="#ref-for-registration①⑤">13.4.5. Revoked Attestation Certificates</a> <a href="#ref-for-registration①⑥">(2)</a>
    <li><a href="#ref-for-registration①⑦">14.1. De-anonymization Prevention Measures</a>
    <li><a href="#ref-for-registration①⑧">14.3. Authenticator-local Biometric Recognition</a>
    <li><a href="#ref-for-registration①⑨">15. Accessibility Considerations</a>
    <li><a href="#ref-for-registration②⓪">16. Acknowledgements</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="registration-ceremony">
   <b><a href="#registration-ceremony">#registration-ceremony</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-registration-ceremony">4. Terminology</a> <a href="#ref-for-registration-ceremony①">(2)</a> <a href="#ref-for-registration-ceremony②">(3)</a>
    <li><a href="#ref-for-registration-ceremony③">7. WebAuthn Relying Party Operations</a>
    <li><a href="#ref-for-registration-ceremony④">7.1. Registering a New Credential</a> <a href="#ref-for-registration-ceremony⑤">(2)</a> <a href="#ref-for-registration-ceremony⑥">(3)</a>
    <li><a href="#ref-for-registration-ceremony⑦">10.4. Credential Properties Extension (credProps)</a> <a href="#ref-for-registration-ceremony⑧">(2)</a>
    <li><a href="#ref-for-registration-ceremony⑨">13.4.1. Security Benefits for WebAuthn Relying Parties</a>
    <li><a href="#ref-for-registration-ceremony①⓪">13.4.4. Attestation Limitations</a>
    <li><a href="#ref-for-registration-ceremony①①">14.6.2. Username Enumeration</a> <a href="#ref-for-registration-ceremony①②">(2)</a> <a href="#ref-for-registration-ceremony①③">(3)</a> <a href="#ref-for-registration-ceremony①④">(4)</a> <a href="#ref-for-registration-ceremony①⑤">(5)</a>
    <li><a href="#ref-for-registration-ceremony①⑥">15. Accessibility Considerations</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="relying-party">
   <b><a href="#relying-party">#relying-party</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-relying-party①">1. Introduction</a> <a href="#ref-for-relying-party②">(2)</a> <a href="#ref-for-relying-party③">(3)</a> <a href="#ref-for-relying-party④">(4)</a> <a href="#ref-for-relying-party⑤">(5)</a> <a href="#ref-for-relying-party⑥">(6)</a> <a href="#ref-for-relying-party⑦">(7)</a>
    <li><a href="#ref-for-relying-party⑧">1.1. Specification Roadmap</a> <a href="#ref-for-relying-party⑨">(2)</a> <a href="#ref-for-relying-party①⓪">(3)</a> <a href="#ref-for-relying-party①①">(4)</a> <a href="#ref-for-relying-party①②">(5)</a> <a href="#ref-for-relying-party①③">(6)</a> <a href="#ref-for-relying-party①④">(7)</a> <a href="#ref-for-relying-party①⑤">(8)</a>
    <li><a href="#ref-for-relying-party①⑥">1.2.3. New Device Registration</a>
    <li><a href="#ref-for-relying-party①⑦">1.2.4. Other Use Cases and Configurations</a>
    <li><a href="#ref-for-relying-party①⑧">1.3.1. Registration</a> <a href="#ref-for-relying-party①⑨">(2)</a> <a href="#ref-for-relying-party②⓪">(3)</a> <a href="#ref-for-relying-party②①">(4)</a>
    <li><a href="#ref-for-relying-party②②">1.3.2. Registration Specifically with User-Verifying Platform Authenticator</a> <a href="#ref-for-relying-party②③">(2)</a> <a href="#ref-for-relying-party②④">(3)</a>
    <li><a href="#ref-for-relying-party②⑤">1.3.3. Authentication</a> <a href="#ref-for-relying-party②⑥">(2)</a> <a href="#ref-for-relying-party②⑦">(3)</a> <a href="#ref-for-relying-party②⑧">(4)</a> <a href="#ref-for-relying-party②⑨">(5)</a>
    <li><a href="#ref-for-relying-party③⓪">1.3.5. Decommissioning</a> <a href="#ref-for-relying-party③①">(2)</a>
    <li><a href="#ref-for-relying-party③②">2.1.1. Enumerations as DOMString types</a>
    <li><a href="#ref-for-relying-party③③">4. Terminology</a> <a href="#ref-for-relying-party③④">(2)</a> <a href="#ref-for-relying-party③⑤">(3)</a> <a href="#ref-for-relying-party③⑥">(4)</a> <a href="#ref-for-relying-party③⑦">(5)</a> <a href="#ref-for-relying-party③⑧">(6)</a> <a href="#ref-for-relying-party③⑨">(7)</a> <a href="#ref-for-relying-party④⓪">(8)</a> <a href="#ref-for-relying-party④①">(9)</a> <a href="#ref-for-relying-party④②">(10)</a> <a href="#ref-for-relying-party④③">(11)</a> <a href="#ref-for-relying-party④④">(12)</a> <a href="#ref-for-relying-party④⑤">(13)</a> <a href="#ref-for-relying-party④⑥">(14)</a> <a href="#ref-for-relying-party④⑦">(15)</a> <a href="#ref-for-relying-party④⑧">(16)</a> <a href="#ref-for-relying-party④⑨">(17)</a> <a href="#ref-for-relying-party⑤⓪">(18)</a> <a href="#ref-for-relying-party⑤①">(19)</a> <a href="#ref-for-relying-party⑤②">(20)</a> <a href="#ref-for-relying-party⑤③">(21)</a> <a href="#ref-for-relying-party⑤④">(22)</a> <a href="#ref-for-relying-party⑤⑤">(23)</a> <a href="#ref-for-relying-party⑤⑥">(24)</a> <a href="#ref-for-relying-party⑤⑦">(25)</a> <a href="#ref-for-relying-party⑤⑧">(26)</a> <a href="#ref-for-relying-party⑤⑨">(27)</a> <a href="#ref-for-relying-party⑥⓪">(28)</a> <a href="#ref-for-relying-party⑥①">(29)</a> <a href="#ref-for-relying-party⑥②">(30)</a> <a href="#ref-for-relying-party⑥③">(31)</a> <a href="#ref-for-relying-party⑥④">(32)</a> <a href="#ref-for-relying-party⑥⑤">(33)</a> <a href="#ref-for-relying-party⑥⑥">(34)</a> <a href="#ref-for-relying-party⑥⑦">(35)</a> <a href="#ref-for-relying-party⑥⑧">(36)</a>
    <li><a href="#ref-for-relying-party⑥⑨">5. Web Authentication API</a> <a href="#ref-for-relying-party⑦⓪">(2)</a> <a href="#ref-for-relying-party⑦①">(3)</a> <a href="#ref-for-relying-party⑦②">(4)</a> <a href="#ref-for-relying-party⑦③">(5)</a> <a href="#ref-for-relying-party⑦④">(6)</a> <a href="#ref-for-relying-party⑦⑤">(7)</a>
    <li><a href="#ref-for-relying-party⑦⑥">5.1. PublicKeyCredential Interface</a> <a href="#ref-for-relying-party⑦⑦">(2)</a>
    <li><a href="#ref-for-relying-party⑦⑧">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-relying-party⑦⑨">(2)</a> <a href="#ref-for-relying-party⑧⓪">(3)</a> <a href="#ref-for-relying-party⑧①">(4)</a>
    <li><a href="#ref-for-relying-party⑧②">5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method</a> <a href="#ref-for-relying-party⑧③">(2)</a>
    <li><a href="#ref-for-relying-party⑧④">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-relying-party⑧⑤">(2)</a>
    <li><a href="#ref-for-relying-party⑧⑥">5.1.7. Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable() Method</a>
    <li><a href="#ref-for-relying-party⑧⑦">5.2. Authenticator Responses (interface AuthenticatorResponse)</a>
    <li><a href="#ref-for-relying-party⑧⑧">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a> <a href="#ref-for-relying-party⑧⑨">(2)</a>
    <li><a href="#ref-for-relying-party⑨⓪">5.2.1.1. Easily accessing credential data</a> <a href="#ref-for-relying-party⑨①">(2)</a> <a href="#ref-for-relying-party⑨②">(3)</a> <a href="#ref-for-relying-party⑨③">(4)</a> <a href="#ref-for-relying-party⑨④">(5)</a> <a href="#ref-for-relying-party⑨⑤">(6)</a> <a href="#ref-for-relying-party⑨⑥">(7)</a>
    <li><a href="#ref-for-relying-party⑨⑦">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a> <a href="#ref-for-relying-party⑨⑧">(2)</a> <a href="#ref-for-relying-party⑨⑨">(3)</a> <a href="#ref-for-relying-party①⓪⓪">(4)</a> <a href="#ref-for-relying-party①⓪①">(5)</a>
    <li><a href="#ref-for-relying-party①⓪②">5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a> <a href="#ref-for-relying-party①⓪③">(2)</a> <a href="#ref-for-relying-party①⓪④">(3)</a> <a href="#ref-for-relying-party①⓪⑤">(4)</a> <a href="#ref-for-relying-party①⓪⑥">(5)</a> <a href="#ref-for-relying-party①⓪⑦">(6)</a>
    <li><a href="#ref-for-relying-party①⓪⑧">5.4.2. Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity)</a> <a href="#ref-for-relying-party①⓪⑨">(2)</a>
    <li><a href="#ref-for-relying-party①①⓪">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a> <a href="#ref-for-relying-party①①①">(2)</a> <a href="#ref-for-relying-party①①②">(3)</a> <a href="#ref-for-relying-party①①③">(4)</a>
    <li><a href="#ref-for-relying-party①①④">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a> <a href="#ref-for-relying-party①①⑤">(2)</a> <a href="#ref-for-relying-party①①⑥">(3)</a>
    <li><a href="#ref-for-relying-party①①⑦">5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)</a> <a href="#ref-for-relying-party①①⑧">(2)</a> <a href="#ref-for-relying-party①①⑨">(3)</a>
    <li><a href="#ref-for-relying-party①②⓪">5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)</a> <a href="#ref-for-relying-party①②①">(2)</a> <a href="#ref-for-relying-party①②②">(3)</a> <a href="#ref-for-relying-party①②③">(4)</a> <a href="#ref-for-relying-party①②④">(5)</a> <a href="#ref-for-relying-party①②⑤">(6)</a>
    <li><a href="#ref-for-relying-party①②⑥">5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)</a> <a href="#ref-for-relying-party①②⑦">(2)</a> <a href="#ref-for-relying-party①②⑧">(3)</a> <a href="#ref-for-relying-party①②⑨">(4)</a> <a href="#ref-for-relying-party①③⓪">(5)</a> <a href="#ref-for-relying-party①③①">(6)</a> <a href="#ref-for-relying-party①③②">(7)</a> <a href="#ref-for-relying-party①③③">(8)</a>
    <li><a href="#ref-for-relying-party①③④">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
    <li><a href="#ref-for-relying-party①③⑤">5.7.3. Authentication Extensions Authenticator Inputs (CDDL type AuthenticationExtensionsAuthenticatorInputs)</a>
    <li><a href="#ref-for-relying-party①③⑥">5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)</a> <a href="#ref-for-relying-party①③⑦">(2)</a> <a href="#ref-for-relying-party①③⑧">(3)</a> <a href="#ref-for-relying-party①③⑨">(4)</a> <a href="#ref-for-relying-party①④⓪">(5)</a>
    <li><a href="#ref-for-relying-party①④①">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a> <a href="#ref-for-relying-party①④②">(2)</a>
    <li><a href="#ref-for-relying-party①④③">5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)</a>
    <li><a href="#ref-for-relying-party①④④">5.8.6. User Verification Requirement Enumeration (enum UserVerificationRequirement)</a> <a href="#ref-for-relying-party①④⑤">(2)</a> <a href="#ref-for-relying-party①④⑥">(3)</a>
    <li><a href="#ref-for-relying-party①④⑦">5.10. Using Web Authentication within iframe elements</a>
    <li><a href="#ref-for-relying-party①④⑧">6. WebAuthn Authenticator Model</a> <a href="#ref-for-relying-party①④⑨">(2)</a> <a href="#ref-for-relying-party①⑤⓪">(3)</a> <a href="#ref-for-relying-party①⑤①">(4)</a>
    <li><a href="#ref-for-relying-party①⑤②">6.1. Authenticator Data</a>
    <li><a href="#ref-for-relying-party①⑤③">6.1.1. Signature Counter Considerations</a> <a href="#ref-for-relying-party①⑤④">(2)</a> <a href="#ref-for-relying-party①⑤⑤">(3)</a> <a href="#ref-for-relying-party①⑤⑥">(4)</a> <a href="#ref-for-relying-party①⑤⑦">(5)</a>
    <li><a href="#ref-for-relying-party①⑤⑧">6.2. Authenticator Taxonomy</a>
    <li><a href="#ref-for-relying-party①⑤⑨">6.2.2. Credential Storage Modality</a> <a href="#ref-for-relying-party①⑥⓪">(2)</a> <a href="#ref-for-relying-party①⑥①">(3)</a>
    <li><a href="#ref-for-relying-party①⑥②">6.2.3. Authentication Factor Capability</a> <a href="#ref-for-relying-party①⑥③">(2)</a> <a href="#ref-for-relying-party①⑥④">(3)</a>
    <li><a href="#ref-for-relying-party①⑥⑤">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-relying-party①⑥⑥">(2)</a> <a href="#ref-for-relying-party①⑥⑦">(3)</a> <a href="#ref-for-relying-party①⑥⑧">(4)</a> <a href="#ref-for-relying-party①⑥⑨">(5)</a> <a href="#ref-for-relying-party①⑦⓪">(6)</a>
    <li><a href="#ref-for-relying-party①⑦①">6.3.3. The authenticatorGetAssertion Operation</a> <a href="#ref-for-relying-party①⑦②">(2)</a> <a href="#ref-for-relying-party①⑦③">(3)</a>
    <li><a href="#ref-for-relying-party①⑦④">6.4. String Handling</a>
    <li><a href="#ref-for-relying-party①⑦⑤">6.4.1. String Truncation</a> <a href="#ref-for-relying-party①⑦⑥">(2)</a>
    <li><a href="#ref-for-relying-party①⑦⑦">6.5. Attestation</a> <a href="#ref-for-relying-party①⑦⑧">(2)</a> <a href="#ref-for-relying-party①⑦⑨">(3)</a> <a href="#ref-for-relying-party①⑧⓪">(4)</a> <a href="#ref-for-relying-party①⑧①">(5)</a> <a href="#ref-for-relying-party①⑧②">(6)</a> <a href="#ref-for-relying-party①⑧③">(7)</a>
    <li><a href="#ref-for-relying-party①⑧④">6.5.3. Attestation Types</a> <a href="#ref-for-relying-party①⑧⑤">(2)</a> <a href="#ref-for-relying-party①⑧⑥">(3)</a> <a href="#ref-for-relying-party①⑧⑦">(4)</a> <a href="#ref-for-relying-party①⑧⑧">(5)</a>
    <li><a href="#ref-for-relying-party①⑧⑨">7. WebAuthn Relying Party Operations</a> <a href="#ref-for-relying-party①⑨⓪">(2)</a> <a href="#ref-for-relying-party①⑨①">(3)</a> <a href="#ref-for-relying-party①⑨②">(4)</a>
    <li><a href="#ref-for-relying-party①⑨③">7.1. Registering a New Credential</a> <a href="#ref-for-relying-party①⑨④">(2)</a> <a href="#ref-for-relying-party①⑨⑤">(3)</a> <a href="#ref-for-relying-party①⑨⑥">(4)</a> <a href="#ref-for-relying-party①⑨⑦">(5)</a> <a href="#ref-for-relying-party①⑨⑧">(6)</a> <a href="#ref-for-relying-party①⑨⑨">(7)</a> <a href="#ref-for-relying-party②⓪⓪">(8)</a> <a href="#ref-for-relying-party②⓪①">(9)</a> <a href="#ref-for-relying-party②⓪②">(10)</a> <a href="#ref-for-relying-party②⓪③">(11)</a> <a href="#ref-for-relying-party②⓪④">(12)</a> <a href="#ref-for-relying-party②⓪⑤">(13)</a> <a href="#ref-for-relying-party②⓪⑥">(14)</a> <a href="#ref-for-relying-party②⓪⑦">(15)</a> <a href="#ref-for-relying-party②⓪⑧">(16)</a> <a href="#ref-for-relying-party②⓪⑨">(17)</a> <a href="#ref-for-relying-party②①⓪">(18)</a> <a href="#ref-for-relying-party②①①">(19)</a>
    <li><a href="#ref-for-relying-party②①②">7.2. Verifying an Authentication Assertion</a> <a href="#ref-for-relying-party②①③">(2)</a> <a href="#ref-for-relying-party②①④">(3)</a> <a href="#ref-for-relying-party②①⑤">(4)</a> <a href="#ref-for-relying-party②①⑥">(5)</a> <a href="#ref-for-relying-party②①⑦">(6)</a> <a href="#ref-for-relying-party②①⑧">(7)</a> <a href="#ref-for-relying-party②①⑨">(8)</a> <a href="#ref-for-relying-party②②⓪">(9)</a> <a href="#ref-for-relying-party②②①">(10)</a> <a href="#ref-for-relying-party②②②">(11)</a> <a href="#ref-for-relying-party②②③">(12)</a>
    <li><a href="#ref-for-relying-party②②④">9. WebAuthn Extensions</a> <a href="#ref-for-relying-party②②⑤">(2)</a> <a href="#ref-for-relying-party②②⑥">(3)</a> <a href="#ref-for-relying-party②②⑦">(4)</a>
    <li><a href="#ref-for-relying-party②②⑧">9.2. Defining Extensions</a>
    <li><a href="#ref-for-relying-party②②⑨">9.3. Extending Request Parameters</a> <a href="#ref-for-relying-party②③⓪">(2)</a> <a href="#ref-for-relying-party②③①">(3)</a>
    <li><a href="#ref-for-relying-party②③②">10.1. FIDO AppID Extension (appid)</a> <a href="#ref-for-relying-party②③③">(2)</a> <a href="#ref-for-relying-party②③④">(3)</a> <a href="#ref-for-relying-party②③⑤">(4)</a> <a href="#ref-for-relying-party②③⑥">(5)</a>
    <li><a href="#ref-for-relying-party②③⑦">10.2. FIDO AppID Exclusion Extension (appidExclude)</a> <a href="#ref-for-relying-party②③⑧">(2)</a>
    <li><a href="#ref-for-relying-party②③⑨">10.3. User Verification Method Extension (uvm)</a>
    <li><a href="#ref-for-relying-party②④⓪">10.4. Credential Properties Extension (credProps)</a> <a href="#ref-for-relying-party②④①">(2)</a>
    <li><a href="#ref-for-relying-party②④②">10.5. Large blob storage extension (largeBlob)</a> <a href="#ref-for-relying-party②④③">(2)</a> <a href="#ref-for-relying-party②④④">(3)</a> <a href="#ref-for-relying-party②④⑤">(4)</a> <a href="#ref-for-relying-party②④⑥">(5)</a> <a href="#ref-for-relying-party②④⑦">(6)</a> <a href="#ref-for-relying-party②④⑧">(7)</a> <a href="#ref-for-relying-party②④⑨">(8)</a>
    <li><a href="#ref-for-relying-party②⑤⓪">12.4. WebAuthn Extension Identifier Registrations</a>
    <li><a href="#ref-for-relying-party②⑤①">13. Security Considerations</a> <a href="#ref-for-relying-party②⑤②">(2)</a> <a href="#ref-for-relying-party②⑤③">(3)</a> <a href="#ref-for-relying-party②⑤④">(4)</a>
    <li><a href="#ref-for-relying-party②⑤⑤">13.2. Physical Proximity between Client and Authenticator</a> <a href="#ref-for-relying-party②⑤⑥">(2)</a>
    <li><a href="#ref-for-relying-party②⑤⑦">13.3.2. Attestation Certificate and Attestation Certificate CA Compromise</a> <a href="#ref-for-relying-party②⑤⑧">(2)</a>
    <li><a href="#ref-for-relying-party②⑤⑨">13.4. Security considerations for Relying Parties</a>
    <li><a href="#ref-for-relying-party②⑥⓪">13.4.1. Security Benefits for WebAuthn Relying Parties</a> <a href="#ref-for-relying-party②⑥①">(2)</a> <a href="#ref-for-relying-party②⑥②">(3)</a> <a href="#ref-for-relying-party②⑥③">(4)</a> <a href="#ref-for-relying-party②⑥④">(5)</a> <a href="#ref-for-relying-party②⑥⑤">(6)</a>
    <li><a href="#ref-for-relying-party②⑥⑥">13.4.2. Visibility Considerations for Embedded Usage</a> <a href="#ref-for-relying-party②⑥⑦">(2)</a> <a href="#ref-for-relying-party②⑥⑧">(3)</a> <a href="#ref-for-relying-party②⑥⑨">(4)</a>
    <li><a href="#ref-for-relying-party②⑦⓪">13.4.3. Cryptographic Challenges</a>
    <li><a href="#ref-for-relying-party②⑦①">13.4.4. Attestation Limitations</a> <a href="#ref-for-relying-party②⑦②">(2)</a> <a href="#ref-for-relying-party②⑦③">(3)</a> <a href="#ref-for-relying-party②⑦④">(4)</a> <a href="#ref-for-relying-party②⑦⑤">(5)</a> <a href="#ref-for-relying-party②⑦⑥">(6)</a> <a href="#ref-for-relying-party②⑦⑦">(7)</a> <a href="#ref-for-relying-party②⑦⑧">(8)</a>
    <li><a href="#ref-for-relying-party②⑦⑨">13.4.5. Revoked Attestation Certificates</a> <a href="#ref-for-relying-party②⑧⓪">(2)</a> <a href="#ref-for-relying-party②⑧①">(3)</a>
    <li><a href="#ref-for-relying-party②⑧②">13.4.6. Credential Loss and Key Mobility</a> <a href="#ref-for-relying-party②⑧③">(2)</a> <a href="#ref-for-relying-party②⑧④">(3)</a>
    <li><a href="#ref-for-relying-party②⑧⑤">13.4.7. Unprotected account detection</a> <a href="#ref-for-relying-party②⑧⑥">(2)</a>
    <li><a href="#ref-for-relying-party②⑧⑦">14. Privacy Considerations</a>
    <li><a href="#ref-for-relying-party②⑧⑧">14.1. De-anonymization Prevention Measures</a> <a href="#ref-for-relying-party②⑧⑨">(2)</a> <a href="#ref-for-relying-party②⑨⓪">(3)</a> <a href="#ref-for-relying-party②⑨①">(4)</a> <a href="#ref-for-relying-party②⑨②">(5)</a> <a href="#ref-for-relying-party②⑨③">(6)</a> <a href="#ref-for-relying-party②⑨④">(7)</a>
    <li><a href="#ref-for-relying-party②⑨⑤">14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials</a> <a href="#ref-for-relying-party②⑨⑥">(2)</a> <a href="#ref-for-relying-party②⑨⑦">(3)</a> <a href="#ref-for-relying-party②⑨⑧">(4)</a> <a href="#ref-for-relying-party②⑨⑨">(5)</a> <a href="#ref-for-relying-party③⓪⓪">(6)</a> <a href="#ref-for-relying-party③⓪①">(7)</a> <a href="#ref-for-relying-party③⓪②">(8)</a> <a href="#ref-for-relying-party③⓪③">(9)</a> <a href="#ref-for-relying-party③⓪④">(10)</a> <a href="#ref-for-relying-party③⓪⑤">(11)</a>
    <li><a href="#ref-for-relying-party③⓪⑥">14.3. Authenticator-local Biometric Recognition</a> <a href="#ref-for-relying-party③⓪⑦">(2)</a> <a href="#ref-for-relying-party③⓪⑧">(3)</a> <a href="#ref-for-relying-party③⓪⑨">(4)</a> <a href="#ref-for-relying-party③①⓪">(5)</a>
    <li><a href="#ref-for-relying-party③①①">14.5.1. Registration Ceremony Privacy</a> <a href="#ref-for-relying-party③①②">(2)</a> <a href="#ref-for-relying-party③①③">(3)</a>
    <li><a href="#ref-for-relying-party③①④">14.5.2. Authentication Ceremony Privacy</a> <a href="#ref-for-relying-party③①⑤">(2)</a> <a href="#ref-for-relying-party③①⑥">(3)</a>
    <li><a href="#ref-for-relying-party③①⑦">14.6. Privacy considerations for Relying Parties</a>
    <li><a href="#ref-for-relying-party③①⑧">14.6.1. User Handle Contents</a> <a href="#ref-for-relying-party③①⑨">(2)</a>
    <li><a href="#ref-for-relying-party③②⓪">14.6.2. Username Enumeration</a> <a href="#ref-for-relying-party③②①">(2)</a> <a href="#ref-for-relying-party③②②">(3)</a> <a href="#ref-for-relying-party③②③">(4)</a> <a href="#ref-for-relying-party③②④">(5)</a> <a href="#ref-for-relying-party③②⑤">(6)</a> <a href="#ref-for-relying-party③②⑥">(7)</a> <a href="#ref-for-relying-party③②⑦">(8)</a> <a href="#ref-for-relying-party③②⑧">(9)</a> <a href="#ref-for-relying-party③②⑨">(10)</a> <a href="#ref-for-relying-party③③⓪">(11)</a> <a href="#ref-for-relying-party③③①">(12)</a>
    <li><a href="#ref-for-relying-party③③②">14.6.3. Privacy leak via credential IDs</a> <a href="#ref-for-relying-party③③③">(2)</a> <a href="#ref-for-relying-party③③④">(3)</a> <a href="#ref-for-relying-party③③⑤">(4)</a> <a href="#ref-for-relying-party③③⑥">(5)</a>
    <li><a href="#ref-for-relying-party③③⑦">15. Accessibility Considerations</a> <a href="#ref-for-relying-party③③⑧">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="relying-party-identifier">
   <b><a href="#relying-party-identifier">#relying-party-identifier</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-relying-party-identifier">4. Terminology</a> <a href="#ref-for-relying-party-identifier①">(2)</a> <a href="#ref-for-relying-party-identifier②">(3)</a>
    <li><a href="#ref-for-relying-party-identifier③">5. Web Authentication API</a>
    <li><a href="#ref-for-relying-party-identifier④">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="rp-id">
   <b><a href="#rp-id">#rp-id</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-rp-id">4. Terminology</a> <a href="#ref-for-rp-id①">(2)</a> <a href="#ref-for-rp-id②">(3)</a> <a href="#ref-for-rp-id③">(4)</a> <a href="#ref-for-rp-id④">(5)</a> <a href="#ref-for-rp-id⑤">(6)</a> <a href="#ref-for-rp-id⑥">(7)</a> <a href="#ref-for-rp-id⑦">(8)</a> <a href="#ref-for-rp-id⑧">(9)</a> <a href="#ref-for-rp-id⑨">(10)</a> <a href="#ref-for-rp-id①⓪">(11)</a> <a href="#ref-for-rp-id①①">(12)</a>
    <li><a href="#ref-for-rp-id①②">5. Web Authentication API</a> <a href="#ref-for-rp-id①③">(2)</a> <a href="#ref-for-rp-id①④">(3)</a> <a href="#ref-for-rp-id①⑤">(4)</a> <a href="#ref-for-rp-id①⑥">(5)</a>
    <li><a href="#ref-for-rp-id①⑦">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-rp-id①⑧">(2)</a>
    <li><a href="#ref-for-rp-id①⑨">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-rp-id②⓪">(2)</a>
    <li><a href="#ref-for-rp-id②①">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-rp-id②②">5.4.2. Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity)</a>
    <li><a href="#ref-for-rp-id②③">5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)</a>
    <li><a href="#ref-for-rp-id②④">6.1. Authenticator Data</a> <a href="#ref-for-rp-id②⑤">(2)</a> <a href="#ref-for-rp-id②⑥">(3)</a> <a href="#ref-for-rp-id②⑦">(4)</a> <a href="#ref-for-rp-id②⑧">(5)</a> <a href="#ref-for-rp-id②⑨">(6)</a>
    <li><a href="#ref-for-rp-id③⓪">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-rp-id③①">6.3.3. The authenticatorGetAssertion Operation</a>
    <li><a href="#ref-for-rp-id③②">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-rp-id③③">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-rp-id③④">8.4. Android Key Attestation Statement Format</a>
    <li><a href="#ref-for-rp-id③⑤">8.6. FIDO U2F Attestation Statement Format</a>
    <li><a href="#ref-for-rp-id③⑥">10.1. FIDO AppID Extension (appid)</a> <a href="#ref-for-rp-id③⑦">(2)</a> <a href="#ref-for-rp-id③⑧">(3)</a> <a href="#ref-for-rp-id③⑨">(4)</a> <a href="#ref-for-rp-id④⓪">(5)</a> <a href="#ref-for-rp-id④①">(6)</a> <a href="#ref-for-rp-id④②">(7)</a>
    <li><a href="#ref-for-rp-id④③">11.5. Add Credential</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="scope">
   <b><a href="#scope">#scope</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-scope②">1. Introduction</a> <a href="#ref-for-scope③">(2)</a> <a href="#ref-for-scope④">(3)</a>
    <li><a href="#ref-for-scope⑤">4. Terminology</a> <a href="#ref-for-scope⑥">(2)</a>
    <li><a href="#ref-for-scope⑦">5. Web Authentication API</a> <a href="#ref-for-scope⑧">(2)</a>
    <li><a href="#ref-for-scope⑨">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-scope①⓪">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-scope①①">5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a>
    <li><a href="#ref-for-scope①②">6.1. Authenticator Data</a> <a href="#ref-for-scope①③">(2)</a>
    <li><a href="#ref-for-scope①④">8.4. Android Key Attestation Statement Format</a>
    <li><a href="#ref-for-scope①⑤">8.6. FIDO U2F Attestation Statement Format</a>
    <li><a href="#ref-for-scope①⑥">10.1. FIDO AppID Extension (appid)</a> <a href="#ref-for-scope①⑦">(2)</a>
    <li><a href="#ref-for-scope①⑧">13.2. Physical Proximity between Client and Authenticator</a> <a href="#ref-for-scope①⑨">(2)</a> <a href="#ref-for-scope②⓪">(3)</a>
    <li><a href="#ref-for-scope②①">13.4.4. Attestation Limitations</a>
    <li><a href="#ref-for-scope②②">14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised">
   <b><a href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised">#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised">4. Terminology</a> <a href="#ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised①">(2)</a> <a href="#ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised②">(3)</a> <a href="#ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised③">(4)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="server-side-public-key-credential-source">
   <b><a href="#server-side-public-key-credential-source">#server-side-public-key-credential-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-server-side-public-key-credential-source">4. Terminology</a> <a href="#ref-for-server-side-public-key-credential-source①">(2)</a>
    <li><a href="#ref-for-server-side-public-key-credential-source②">11.5. Add Credential</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="server-side-credential">
   <b><a href="#server-side-credential">#server-side-credential</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-server-side-credential">4. Terminology</a> <a href="#ref-for-server-side-credential①">(2)</a> <a href="#ref-for-server-side-credential②">(3)</a> <a href="#ref-for-server-side-credential③">(4)</a> <a href="#ref-for-server-side-credential④">(5)</a>
    <li><a href="#ref-for-server-side-credential⑤">5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)</a> <a href="#ref-for-server-side-credential⑥">(2)</a> <a href="#ref-for-server-side-credential⑦">(3)</a> <a href="#ref-for-server-side-credential⑧">(4)</a> <a href="#ref-for-server-side-credential⑨">(5)</a>
    <li><a href="#ref-for-server-side-credential①⓪">10.4. Credential Properties Extension (credProps)</a> <a href="#ref-for-server-side-credential①①">(2)</a>
    <li><a href="#ref-for-server-side-credential①②">11.5. Add Credential</a>
    <li><a href="#ref-for-server-side-credential①③">13.4.7. Unprotected account detection</a>
    <li><a href="#ref-for-server-side-credential①④">14.6.3. Privacy leak via credential IDs</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="non-resident-credential">
   <b><a href="#non-resident-credential">#non-resident-credential</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-non-resident-credential">4. Terminology</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="test-of-user-presence">
   <b><a href="#test-of-user-presence">#test-of-user-presence</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-test-of-user-presence">4. Terminology</a> <a href="#ref-for-test-of-user-presence①">(2)</a> <a href="#ref-for-test-of-user-presence②">(3)</a> <a href="#ref-for-test-of-user-presence③">(4)</a> <a href="#ref-for-test-of-user-presence④">(5)</a> <a href="#ref-for-test-of-user-presence⑤">(6)</a>
    <li><a href="#ref-for-test-of-user-presence⑥">6.1. Authenticator Data</a> <a href="#ref-for-test-of-user-presence⑦">(2)</a>
    <li><a href="#ref-for-test-of-user-presence⑧">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-test-of-user-presence⑨">(2)</a> <a href="#ref-for-test-of-user-presence①⓪">(3)</a>
    <li><a href="#ref-for-test-of-user-presence①①">6.3.3. The authenticatorGetAssertion Operation</a> <a href="#ref-for-test-of-user-presence①②">(2)</a>
    <li><a href="#ref-for-test-of-user-presence①③">11.2. Virtual Authenticators</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="user-consent">
   <b><a href="#user-consent">#user-consent</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-user-consent①">1. Introduction</a> <a href="#ref-for-user-consent②">(2)</a>
    <li><a href="#ref-for-user-consent③">4. Terminology</a> <a href="#ref-for-user-consent④">(2)</a>
    <li><a href="#ref-for-user-consent⑤">5. Web Authentication API</a>
    <li><a href="#ref-for-user-consent⑥">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-user-consent⑦">(2)</a> <a href="#ref-for-user-consent⑧">(3)</a>
    <li><a href="#ref-for-user-consent⑨">5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method</a>
    <li><a href="#ref-for-user-consent①⓪">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-user-consent①①">5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
    <li><a href="#ref-for-user-consent①②">5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)</a>
    <li><a href="#ref-for-user-consent①③">6. WebAuthn Authenticator Model</a> <a href="#ref-for-user-consent①④">(2)</a> <a href="#ref-for-user-consent①⑤">(3)</a>
    <li><a href="#ref-for-user-consent①⑥">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-user-consent①⑦">(2)</a> <a href="#ref-for-user-consent①⑧">(3)</a> <a href="#ref-for-user-consent①⑨">(4)</a>
    <li><a href="#ref-for-user-consent②⓪">6.3.3. The authenticatorGetAssertion Operation</a> <a href="#ref-for-user-consent②①">(2)</a>
    <li><a href="#ref-for-user-consent②②">10.2. FIDO AppID Exclusion Extension (appidExclude)</a> <a href="#ref-for-user-consent②③">(2)</a>
    <li><a href="#ref-for-user-consent②④">11.2. Virtual Authenticators</a> <a href="#ref-for-user-consent②⑤">(2)</a>
    <li><a href="#ref-for-user-consent②⑥">14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials</a>
    <li><a href="#ref-for-user-consent②⑦">14.5.1. Registration Ceremony Privacy</a> <a href="#ref-for-user-consent②⑧">(2)</a>
    <li><a href="#ref-for-user-consent②⑨">14.5.2. Authentication Ceremony Privacy</a> <a href="#ref-for-user-consent③⓪">(2)</a> <a href="#ref-for-user-consent③①">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="user-handle">
   <b><a href="#user-handle">#user-handle</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-user-handle">2.2.1. Backwards Compatibility with FIDO U2F</a>
    <li><a href="#ref-for-user-handle①">4. Terminology</a>
    <li><a href="#ref-for-user-handle②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-user-handle③">(2)</a>
    <li><a href="#ref-for-user-handle④">5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a> <a href="#ref-for-user-handle⑤">(2)</a>
    <li><a href="#ref-for-user-handle⑥">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a> <a href="#ref-for-user-handle⑦">(2)</a> <a href="#ref-for-user-handle⑧">(3)</a> <a href="#ref-for-user-handle⑨">(4)</a> <a href="#ref-for-user-handle①⓪">(5)</a> <a href="#ref-for-user-handle①①">(6)</a>
    <li><a href="#ref-for-user-handle①②">5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)</a>
    <li><a href="#ref-for-user-handle①③">6.2. Authenticator Taxonomy</a>
    <li><a href="#ref-for-user-handle①④">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-user-handle①⑤">14.1. De-anonymization Prevention Measures</a>
    <li><a href="#ref-for-user-handle①⑥">14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials</a>
    <li><a href="#ref-for-user-handle①⑦">14.4.2. Privacy of personally identifying information Stored in Authenticators</a>
    <li><a href="#ref-for-user-handle①⑧">14.6.1. User Handle Contents</a> <a href="#ref-for-user-handle①⑨">(2)</a> <a href="#ref-for-user-handle②⓪">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="user-verification">
   <b><a href="#user-verification">#user-verification</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-user-verification">4. Terminology</a> <a href="#ref-for-user-verification①">(2)</a> <a href="#ref-for-user-verification②">(3)</a> <a href="#ref-for-user-verification③">(4)</a> <a href="#ref-for-user-verification④">(5)</a> <a href="#ref-for-user-verification⑤">(6)</a> <a href="#ref-for-user-verification⑥">(7)</a> <a href="#ref-for-user-verification⑦">(8)</a> <a href="#ref-for-user-verification⑧">(9)</a> <a href="#ref-for-user-verification⑨">(10)</a> <a href="#ref-for-user-verification①⓪">(11)</a> <a href="#ref-for-user-verification①①">(12)</a>
    <li><a href="#ref-for-user-verification①②">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-user-verification①③">(2)</a> <a href="#ref-for-user-verification①④">(3)</a>
    <li><a href="#ref-for-user-verification①⑤">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-user-verification①⑥">(2)</a> <a href="#ref-for-user-verification①⑦">(3)</a>
    <li><a href="#ref-for-user-verification①⑧">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a>
    <li><a href="#ref-for-user-verification①⑨">5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)</a>
    <li><a href="#ref-for-user-verification②⓪">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
    <li><a href="#ref-for-user-verification②①">5.8.6. User Verification Requirement Enumeration (enum UserVerificationRequirement)</a> <a href="#ref-for-user-verification②②">(2)</a> <a href="#ref-for-user-verification②③">(3)</a> <a href="#ref-for-user-verification②④">(4)</a>
    <li><a href="#ref-for-user-verification②⑤">6.1. Authenticator Data</a> <a href="#ref-for-user-verification②⑥">(2)</a>
    <li><a href="#ref-for-user-verification②⑦">6.2. Authenticator Taxonomy</a> <a href="#ref-for-user-verification②⑧">(2)</a> <a href="#ref-for-user-verification②⑨">(3)</a>
    <li><a href="#ref-for-user-verification③⓪">6.2.3. Authentication Factor Capability</a> <a href="#ref-for-user-verification③①">(2)</a> <a href="#ref-for-user-verification③②">(3)</a> <a href="#ref-for-user-verification③③">(4)</a> <a href="#ref-for-user-verification③④">(5)</a>
    <li><a href="#ref-for-user-verification③⑤">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-user-verification③⑥">(2)</a> <a href="#ref-for-user-verification③⑦">(3)</a>
    <li><a href="#ref-for-user-verification③⑧">6.3.3. The authenticatorGetAssertion Operation</a>
    <li><a href="#ref-for-user-verification③⑨">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-user-verification④⓪">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-user-verification④①">11.2. Virtual Authenticators</a> <a href="#ref-for-user-verification④②">(2)</a> <a href="#ref-for-user-verification④③">(3)</a>
    <li><a href="#ref-for-user-verification④④">13.4.1. Security Benefits for WebAuthn Relying Parties</a>
    <li><a href="#ref-for-user-verification④⑤">14.1. De-anonymization Prevention Measures</a>
    <li><a href="#ref-for-user-verification④⑥">14.3. Authenticator-local Biometric Recognition</a> <a href="#ref-for-user-verification④⑦">(2)</a>
    <li><a href="#ref-for-user-verification④⑧">14.4.2. Privacy of personally identifying information Stored in Authenticators</a> <a href="#ref-for-user-verification④⑨">(2)</a> <a href="#ref-for-user-verification⑤⓪">(3)</a>
    <li><a href="#ref-for-user-verification⑤①">15. Accessibility Considerations</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="concept-user-present">
   <b><a href="#concept-user-present">#concept-user-present</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-user-present">4. Terminology</a>
    <li><a href="#ref-for-concept-user-present①">6.1. Authenticator Data</a> <a href="#ref-for-concept-user-present②">(2)</a> <a href="#ref-for-concept-user-present③">(3)</a>
    <li><a href="#ref-for-concept-user-present④">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-concept-user-present⑤">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-concept-user-present⑥">13.2. Physical Proximity between Client and Authenticator</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="up">
   <b><a href="#up">#up</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-up">6.1. Authenticator Data</a>
    <li><a href="#ref-for-up①">6.1.2. FIDO U2F Signature Format Compatibility</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="concept-user-verified">
   <b><a href="#concept-user-verified">#concept-user-verified</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-user-verified">4. Terminology</a>
    <li><a href="#ref-for-concept-user-verified①">6.1. Authenticator Data</a> <a href="#ref-for-concept-user-verified②">(2)</a> <a href="#ref-for-concept-user-verified③">(3)</a>
    <li><a href="#ref-for-concept-user-verified④">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-concept-user-verified⑤">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-concept-user-verified⑥">14.4.2. Privacy of personally identifying information Stored in Authenticators</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="uv">
   <b><a href="#uv">#uv</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-uv">5.8.6. User Verification Requirement Enumeration (enum UserVerificationRequirement)</a> <a href="#ref-for-uv①">(2)</a>
    <li><a href="#ref-for-uv②">6.1. Authenticator Data</a>
    <li><a href="#ref-for-uv③">6.2.3. Authentication Factor Capability</a> <a href="#ref-for-uv④">(2)</a> <a href="#ref-for-uv⑤">(3)</a>
    <li><a href="#ref-for-uv⑥">14.3. Authenticator-local Biometric Recognition</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="webauthn-relying-party">
   <b><a href="#webauthn-relying-party">#webauthn-relying-party</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-webauthn-relying-party①">1. Introduction</a>
    <li><a href="#ref-for-webauthn-relying-party②">1.1. Specification Roadmap</a>
    <li><a href="#ref-for-webauthn-relying-party③">1.3.1. Registration</a>
    <li><a href="#ref-for-webauthn-relying-party④">1.3.2. Registration Specifically with User-Verifying Platform Authenticator</a>
    <li><a href="#ref-for-webauthn-relying-party⑤">2.3. WebAuthn Relying Parties</a>
    <li><a href="#ref-for-webauthn-relying-party⑥">4. Terminology</a> <a href="#ref-for-webauthn-relying-party⑦">(2)</a> <a href="#ref-for-webauthn-relying-party⑧">(3)</a> <a href="#ref-for-webauthn-relying-party⑨">(4)</a>
    <li><a href="#ref-for-webauthn-relying-party①⓪">5. Web Authentication API</a>
    <li><a href="#ref-for-webauthn-relying-party①①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-webauthn-relying-party①②">5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method</a>
    <li><a href="#ref-for-webauthn-relying-party①③">5.1.7. Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable() Method</a>
    <li><a href="#ref-for-webauthn-relying-party①④">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-webauthn-relying-party①⑤">5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
    <li><a href="#ref-for-webauthn-relying-party①⑥">5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a>
    <li><a href="#ref-for-webauthn-relying-party①⑦">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a>
    <li><a href="#ref-for-webauthn-relying-party①⑧">5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)</a>
    <li><a href="#ref-for-webauthn-relying-party①⑨">5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)</a>
    <li><a href="#ref-for-webauthn-relying-party②⓪">5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)</a>
    <li><a href="#ref-for-webauthn-relying-party②①">5.8.6. User Verification Requirement Enumeration (enum UserVerificationRequirement)</a>
    <li><a href="#ref-for-webauthn-relying-party②②">6. WebAuthn Authenticator Model</a>
    <li><a href="#ref-for-webauthn-relying-party②③">6.1. Authenticator Data</a>
    <li><a href="#ref-for-webauthn-relying-party②④">6.1.1. Signature Counter Considerations</a>
    <li><a href="#ref-for-webauthn-relying-party②⑤">6.5. Attestation</a>
    <li><a href="#ref-for-webauthn-relying-party②⑥">7. WebAuthn Relying Party Operations</a> <a href="#ref-for-webauthn-relying-party②⑦">(2)</a>
    <li><a href="#ref-for-webauthn-relying-party②⑧">8.4. Android Key Attestation Statement Format</a>
    <li><a href="#ref-for-webauthn-relying-party②⑨">8.7. None Attestation Statement Format</a>
    <li><a href="#ref-for-webauthn-relying-party③⓪">9. WebAuthn Extensions</a>
    <li><a href="#ref-for-webauthn-relying-party③①">9.2. Defining Extensions</a>
    <li><a href="#ref-for-webauthn-relying-party③②">9.3. Extending Request Parameters</a>
    <li><a href="#ref-for-webauthn-relying-party③③">10.1. FIDO AppID Extension (appid)</a>
    <li><a href="#ref-for-webauthn-relying-party③④">10.2. FIDO AppID Exclusion Extension (appidExclude)</a>
    <li><a href="#ref-for-webauthn-relying-party③⑤">10.4. Credential Properties Extension (credProps)</a>
    <li><a href="#ref-for-webauthn-relying-party③⑥">12.3. WebAuthn Extension Identifier Registrations Updates</a> <a href="#ref-for-webauthn-relying-party③⑦">(2)</a>
    <li><a href="#ref-for-webauthn-relying-party③⑧">12.4. WebAuthn Extension Identifier Registrations</a> <a href="#ref-for-webauthn-relying-party③⑨">(2)</a>
    <li><a href="#ref-for-webauthn-relying-party④⓪">13. Security Considerations</a>
    <li><a href="#ref-for-webauthn-relying-party④①">13.1. Credential ID Unsigned</a>
    <li><a href="#ref-for-webauthn-relying-party④②">13.3.2. Attestation Certificate and Attestation Certificate CA Compromise</a>
    <li><a href="#ref-for-webauthn-relying-party④③">13.4.1. Security Benefits for WebAuthn Relying Parties</a>
    <li><a href="#ref-for-webauthn-relying-party④④">13.4.4. Attestation Limitations</a>
    <li><a href="#ref-for-webauthn-relying-party④⑤">14.1. De-anonymization Prevention Measures</a>
    <li><a href="#ref-for-webauthn-relying-party④⑥">14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials</a>
    <li><a href="#ref-for-webauthn-relying-party④⑦">14.3. Authenticator-local Biometric Recognition</a>
    <li><a href="#ref-for-webauthn-relying-party④⑧">14.5.1. Registration Ceremony Privacy</a>
    <li><a href="#ref-for-webauthn-relying-party④⑨">14.5.2. Authentication Ceremony Privacy</a>
    <li><a href="#ref-for-webauthn-relying-party⑤⓪">14.6.2. Username Enumeration</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialparameters-type">
   <b><a href="#dom-publickeycredentialparameters-type">#dom-publickeycredentialparameters-type</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialparameters-type">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-publickeycredentialparameters-type①">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialparameters-type②">5.3. Parameters for Credential Generation (dictionary PublicKeyCredentialParameters)</a> <a href="#ref-for-dom-publickeycredentialparameters-type③">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialparameters-alg">
   <b><a href="#dom-publickeycredentialparameters-alg">#dom-publickeycredentialparameters-alg</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialparameters-alg">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-dom-publickeycredentialparameters-alg①">5.3. Parameters for Credential Generation (dictionary PublicKeyCredentialParameters)</a>
    <li><a href="#ref-for-dom-publickeycredentialparameters-alg②">7.1. Registering a New Credential</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-publickeycredentialcreationoptions">
   <b><a href="#dictdef-publickeycredentialcreationoptions">#dictdef-publickeycredentialcreationoptions</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-publickeycredentialcreationoptions">5.1.1. CredentialCreationOptions Dictionary Extension</a>
    <li><a href="#ref-for-dictdef-publickeycredentialcreationoptions①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-dictdef-publickeycredentialcreationoptions②">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialcreationoptions③">5.8.1.2. Limited Verification Algorithm</a>
    <li><a href="#ref-for-dictdef-publickeycredentialcreationoptions④">7. WebAuthn Relying Party Operations</a>
    <li><a href="#ref-for-dictdef-publickeycredentialcreationoptions⑤">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-dictdef-publickeycredentialcreationoptions⑥">13.4.3. Cryptographic Challenges</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialcreationoptions-rp">
   <b><a href="#dom-publickeycredentialcreationoptions-rp">#dom-publickeycredentialcreationoptions-rp</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-rp">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-rp①">(2)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-rp②">(3)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-rp③">(4)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-rp④">(5)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-rp⑤">(6)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-rp⑥">(7)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-rp⑦">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialcreationoptions-user">
   <b><a href="#dom-publickeycredentialcreationoptions-user">#dom-publickeycredentialcreationoptions-user</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-user">4. Terminology</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-user①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-user②">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-user③">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-user④">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-user⑤">13.4.6. Credential Loss and Key Mobility</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialcreationoptions-challenge">
   <b><a href="#dom-publickeycredentialcreationoptions-challenge">#dom-publickeycredentialcreationoptions-challenge</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-challenge">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-challenge①">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-challenge②">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-challenge③">13.4.3. Cryptographic Challenges</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialcreationoptions-pubkeycredparams">
   <b><a href="#dom-publickeycredentialcreationoptions-pubkeycredparams">#dom-publickeycredentialcreationoptions-pubkeycredparams</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-pubkeycredparams">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-pubkeycredparams①">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-pubkeycredparams②">5.2.1.1. Easily accessing credential data</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-pubkeycredparams③">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-pubkeycredparams④">7.1. Registering a New Credential</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialcreationoptions-timeout">
   <b><a href="#dom-publickeycredentialcreationoptions-timeout">#dom-publickeycredentialcreationoptions-timeout</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-timeout">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-timeout①">(2)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-timeout②">(3)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-timeout③">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-timeout④">15. Accessibility Considerations</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialcreationoptions-excludecredentials">
   <b><a href="#dom-publickeycredentialcreationoptions-excludecredentials">#dom-publickeycredentialcreationoptions-excludecredentials</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-excludecredentials">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-excludecredentials①">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-excludecredentials">10.2. FIDO AppID Exclusion Extension (appidExclude)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-excludecredentials">(2)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-excludecredentials">(3)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-excludecredentials②">13.4.6. Credential Loss and Key Mobility</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-excludecredentials③">14.5.1. Registration Ceremony Privacy</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-excludecredentials④">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialcreationoptions-authenticatorselection">
   <b><a href="#dom-publickeycredentialcreationoptions-authenticatorselection">#dom-publickeycredentialcreationoptions-authenticatorselection</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-authenticatorselection">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-authenticatorselection①">(2)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-authenticatorselection②">(3)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-authenticatorselection③">(4)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-authenticatorselection④">(5)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-authenticatorselection⑤">(6)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-authenticatorselection⑥">(7)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-authenticatorselection⑦">(8)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-authenticatorselection⑧">(9)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-authenticatorselection⑨">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-authenticatorselection①⓪">5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-authenticatorselection①①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialcreationoptions-attestation">
   <b><a href="#dom-publickeycredentialcreationoptions-attestation">#dom-publickeycredentialcreationoptions-attestation</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-attestation">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-attestation①">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-attestation②">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialcreationoptions-extensions">
   <b><a href="#dom-publickeycredentialcreationoptions-extensions">#dom-publickeycredentialcreationoptions-extensions</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-extensions">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-extensions①">(2)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-extensions②">(3)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-extensions③">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-extensions④">7.1. Registering a New Credential</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-extensions⑤">(2)</a> <a href="#ref-for-dom-publickeycredentialcreationoptions-extensions⑥">(3)</a>
    <li><a href="#ref-for-dom-publickeycredentialcreationoptions-extensions⑦">9.3. Extending Request Parameters</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-publickeycredentialentity">
   <b><a href="#dictdef-publickeycredentialentity">#dictdef-publickeycredentialentity</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-publickeycredentialentity">5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a> <a href="#ref-for-dictdef-publickeycredentialentity①">(2)</a> <a href="#ref-for-dictdef-publickeycredentialentity②">(3)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialentity③">5.4.2. Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialentity④">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialentity-name">
   <b><a href="#dom-publickeycredentialentity-name">#dom-publickeycredentialentity-name</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialentity-name">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a> <a href="#ref-for-dom-publickeycredentialentity-name①">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialentity-name②">5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a> <a href="#ref-for-dom-publickeycredentialentity-name③">(2)</a> <a href="#ref-for-dom-publickeycredentialentity-name④">(3)</a> <a href="#ref-for-dom-publickeycredentialentity-name⑤">(4)</a> <a href="#ref-for-dom-publickeycredentialentity-name⑥">(5)</a> <a href="#ref-for-dom-publickeycredentialentity-name⑦">(6)</a> <a href="#ref-for-dom-publickeycredentialentity-name⑧">(7)</a>
    <li><a href="#ref-for-dom-publickeycredentialentity-name⑨">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a>
    <li><a href="#ref-for-dom-publickeycredentialentity-name①⓪">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-dom-publickeycredentialentity-name①①">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialentity-name①②">6.4. String Handling</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-publickeycredentialrpentity">
   <b><a href="#dictdef-publickeycredentialrpentity">#dictdef-publickeycredentialrpentity</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-publickeycredentialrpentity">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a> <a href="#ref-for-dictdef-publickeycredentialrpentity①">(2)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialrpentity②">5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialrpentity③">5.4.2. Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity)</a> <a href="#ref-for-dictdef-publickeycredentialrpentity④">(2)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialrpentity⑤">6.3.2. The authenticatorMakeCredential Operation</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialrpentity-id">
   <b><a href="#dom-publickeycredentialrpentity-id">#dom-publickeycredentialrpentity-id</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialrpentity-id">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-publickeycredentialrpentity-id①">(2)</a> <a href="#ref-for-dom-publickeycredentialrpentity-id②">(3)</a> <a href="#ref-for-dom-publickeycredentialrpentity-id③">(4)</a> <a href="#ref-for-dom-publickeycredentialrpentity-id④">(5)</a> <a href="#ref-for-dom-publickeycredentialrpentity-id⑤">(6)</a>
    <li><a href="#ref-for-dom-publickeycredentialrpentity-id⑥">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-dom-publickeycredentialrpentity-id⑦">5.4.2. Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity)</a>
    <li><a href="#ref-for-dom-publickeycredentialrpentity-id⑧">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-dom-publickeycredentialrpentity-id⑨">(2)</a> <a href="#ref-for-dom-publickeycredentialrpentity-id①⓪">(3)</a> <a href="#ref-for-dom-publickeycredentialrpentity-id①①">(4)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-publickeycredentialuserentity">
   <b><a href="#dictdef-publickeycredentialuserentity">#dictdef-publickeycredentialuserentity</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-publickeycredentialuserentity">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a> <a href="#ref-for-dictdef-publickeycredentialuserentity①">(2)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialuserentity②">5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialuserentity③">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a> <a href="#ref-for-dictdef-publickeycredentialuserentity④">(2)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialuserentity⑤">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-dictdef-publickeycredentialuserentity⑥">6.4. String Handling</a>
    <li><a href="#ref-for-dictdef-publickeycredentialuserentity⑦">14.4.2. Privacy of personally identifying information Stored in Authenticators</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialuserentity-id">
   <b><a href="#dom-publickeycredentialuserentity-id">#dom-publickeycredentialuserentity-id</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-id">4. Terminology</a>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-id①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-id②">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-id③">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a> <a href="#ref-for-dom-publickeycredentialuserentity-id④">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-id⑤">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-id⑥">13.4.6. Credential Loss and Key Mobility</a>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-id⑦">14.4.2. Privacy of personally identifying information Stored in Authenticators</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialuserentity-displayname">
   <b><a href="#dom-publickeycredentialuserentity-displayname">#dom-publickeycredentialuserentity-displayname</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-displayname">4. Terminology</a>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-displayname①">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-displayname②">5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)</a>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-displayname③">5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a> <a href="#ref-for-dom-publickeycredentialuserentity-displayname④">(2)</a> <a href="#ref-for-dom-publickeycredentialuserentity-displayname⑤">(3)</a> <a href="#ref-for-dom-publickeycredentialuserentity-displayname⑥">(4)</a> <a href="#ref-for-dom-publickeycredentialuserentity-displayname⑦">(5)</a> <a href="#ref-for-dom-publickeycredentialuserentity-displayname⑧">(6)</a> <a href="#ref-for-dom-publickeycredentialuserentity-displayname⑨">(7)</a>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-displayname①⓪">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-displayname①①">6.4. String Handling</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-authenticatorselectioncriteria">
   <b><a href="#dictdef-authenticatorselectioncriteria">#dictdef-authenticatorselectioncriteria</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-authenticatorselectioncriteria">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a> <a href="#ref-for-dictdef-authenticatorselectioncriteria①">(2)</a>
    <li><a href="#ref-for-dictdef-authenticatorselectioncriteria②">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a> <a href="#ref-for-dictdef-authenticatorselectioncriteria③">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatorselectioncriteria-authenticatorattachment">
   <b><a href="#dom-authenticatorselectioncriteria-authenticatorattachment">#dom-authenticatorselectioncriteria-authenticatorattachment</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-authenticatorattachment">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-authenticatorattachment①">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatorselectioncriteria-residentkey">
   <b><a href="#dom-authenticatorselectioncriteria-residentkey">#dom-authenticatorselectioncriteria-residentkey</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-residentkey">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-authenticatorselectioncriteria-residentkey①">(2)</a>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-residentkey②">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a> <a href="#ref-for-dom-authenticatorselectioncriteria-residentkey③">(2)</a> <a href="#ref-for-dom-authenticatorselectioncriteria-residentkey④">(3)</a>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-residentkey⑤">5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)</a> <a href="#ref-for-dom-authenticatorselectioncriteria-residentkey⑥">(2)</a>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-residentkey⑦">6.2.2. Credential Storage Modality</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatorselectioncriteria-requireresidentkey">
   <b><a href="#dom-authenticatorselectioncriteria-requireresidentkey">#dom-authenticatorselectioncriteria-requireresidentkey</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-requireresidentkey">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-authenticatorselectioncriteria-requireresidentkey①">(2)</a>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-requireresidentkey②">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a> <a href="#ref-for-dom-authenticatorselectioncriteria-requireresidentkey③">(2)</a>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-requireresidentkey④">6.2.2. Credential Storage Modality</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatorselectioncriteria-userverification">
   <b><a href="#dom-authenticatorselectioncriteria-userverification">#dom-authenticatorselectioncriteria-userverification</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-userverification">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-authenticatorselectioncriteria-userverification①">(2)</a> <a href="#ref-for-dom-authenticatorselectioncriteria-userverification②">(3)</a>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-userverification③">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-userverification④">5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="enumdef-authenticatorattachment">
   <b><a href="#enumdef-authenticatorattachment">#enumdef-authenticatorattachment</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-enumdef-authenticatorattachment">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a>
    <li><a href="#ref-for-enumdef-authenticatorattachment①">5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)</a> <a href="#ref-for-enumdef-authenticatorattachment②">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatorattachment-platform">
   <b><a href="#dom-authenticatorattachment-platform">#dom-authenticatorattachment-platform</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatorattachment-platform">5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatorattachment-cross-platform">
   <b><a href="#dom-authenticatorattachment-cross-platform">#dom-authenticatorattachment-cross-platform</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatorattachment-cross-platform">5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="enumdef-residentkeyrequirement">
   <b><a href="#enumdef-residentkeyrequirement">#enumdef-residentkeyrequirement</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-enumdef-residentkeyrequirement">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a> <a href="#ref-for-enumdef-residentkeyrequirement①">(2)</a>
    <li><a href="#ref-for-enumdef-residentkeyrequirement②">5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)</a> <a href="#ref-for-enumdef-residentkeyrequirement③">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-residentkeyrequirement-discouraged">
   <b><a href="#dom-residentkeyrequirement-discouraged">#dom-residentkeyrequirement-discouraged</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-residentkeyrequirement-discouraged">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-residentkeyrequirement-discouraged①">(2)</a>
    <li><a href="#ref-for-dom-residentkeyrequirement-discouraged②">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a>
    <li><a href="#ref-for-dom-residentkeyrequirement-discouraged③">5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)</a> <a href="#ref-for-dom-residentkeyrequirement-discouraged④">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-residentkeyrequirement-preferred">
   <b><a href="#dom-residentkeyrequirement-preferred">#dom-residentkeyrequirement-preferred</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-residentkeyrequirement-preferred">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-residentkeyrequirement-preferred①">(2)</a>
    <li><a href="#ref-for-dom-residentkeyrequirement-preferred②">5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)</a> <a href="#ref-for-dom-residentkeyrequirement-preferred③">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-publickeycredentialdescriptor">
   <b><a href="#dictdef-publickeycredentialdescriptor">#dictdef-publickeycredentialdescriptor</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-publickeycredentialdescriptor">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dictdef-publickeycredentialdescriptor①">(2)</a> <a href="#ref-for-dictdef-publickeycredentialdescriptor②">(3)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialdescriptor③">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a> <a href="#ref-for-dictdef-publickeycredentialdescriptor④">(2)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialdescriptor⑤">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a> <a href="#ref-for-dictdef-publickeycredentialdescriptor⑥">(2)</a> <a href="#ref-for-dictdef-publickeycredentialdescriptor⑦">(3)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialdescriptor⑧">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a> <a href="#ref-for-dictdef-publickeycredentialdescriptor⑨">(2)</a> <a href="#ref-for-dictdef-publickeycredentialdescriptor①⓪">(3)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialdescriptor①①">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-dictdef-publickeycredentialdescriptor①②">6.3.3. The authenticatorGetAssertion Operation</a>
    <li><a href="#ref-for-dictdef-publickeycredentialdescriptor①③">10.2. FIDO AppID Exclusion Extension (appidExclude)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialdescriptor-type">
   <b><a href="#dom-publickeycredentialdescriptor-type">#dom-publickeycredentialdescriptor-type</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-type">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-type①">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a> <a href="#ref-for-dom-publickeycredentialdescriptor-type②">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-type③">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-type④">10.1. FIDO AppID Extension (appid)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialdescriptor-id">
   <b><a href="#dom-publickeycredentialdescriptor-id">#dom-publickeycredentialdescriptor-id</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-id">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-id①">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-id②">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-dom-publickeycredentialdescriptor-id③">(2)</a> <a href="#ref-for-dom-publickeycredentialdescriptor-id④">(3)</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-id⑤">6.3.3. The authenticatorGetAssertion Operation</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-id⑥">10.1. FIDO AppID Extension (appid)</a> <a href="#ref-for-dom-publickeycredentialdescriptor-id⑦">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-id⑧">10.2. FIDO AppID Exclusion Extension (appidExclude)</a> <a href="#ref-for-dom-publickeycredentialdescriptor-id⑨">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialdescriptor-transports">
   <b><a href="#dom-publickeycredentialdescriptor-transports">#dom-publickeycredentialdescriptor-transports</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-transports">2.1.1. Enumerations as DOMString types</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-transports①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-publickeycredentialdescriptor-transports②">(2)</a> <a href="#ref-for-dom-publickeycredentialdescriptor-transports③">(3)</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-transports④">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-publickeycredentialdescriptor-transports⑤">(2)</a> <a href="#ref-for-dom-publickeycredentialdescriptor-transports⑥">(3)</a> <a href="#ref-for-dom-publickeycredentialdescriptor-transports⑦">(4)</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-transports⑧">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a> <a href="#ref-for-dom-publickeycredentialdescriptor-transports⑨">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-transports①⓪">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-transports①①">7.2. Verifying an Authentication Assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="enumdef-authenticatortransport">
   <b><a href="#enumdef-authenticatortransport">#enumdef-authenticatortransport</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-enumdef-authenticatortransport">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-enumdef-authenticatortransport①">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-enumdef-authenticatortransport②">5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
    <li><a href="#ref-for-enumdef-authenticatortransport③">5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)</a> <a href="#ref-for-enumdef-authenticatortransport④">(2)</a>
    <li><a href="#ref-for-enumdef-authenticatortransport⑤">11.2. Virtual Authenticators</a>
    <li><a href="#ref-for-enumdef-authenticatortransport⑥">11.3. Add Virtual Authenticator</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatortransport-usb">
   <b><a href="#dom-authenticatortransport-usb">#dom-authenticatortransport-usb</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatortransport-usb">5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatortransport-nfc">
   <b><a href="#dom-authenticatortransport-nfc">#dom-authenticatortransport-nfc</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatortransport-nfc">5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatortransport-ble">
   <b><a href="#dom-authenticatortransport-ble">#dom-authenticatortransport-ble</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatortransport-ble">5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatortransport-internal">
   <b><a href="#dom-authenticatortransport-internal">#dom-authenticatortransport-internal</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatortransport-internal">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-dom-authenticatortransport-internal①">5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)</a>
    <li><a href="#ref-for-dom-authenticatortransport-internal②">11.2. Virtual Authenticators</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="typedefdef-cosealgorithmidentifier">
   <b><a href="#typedefdef-cosealgorithmidentifier">#typedefdef-cosealgorithmidentifier</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-typedefdef-cosealgorithmidentifier">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-typedefdef-cosealgorithmidentifier①">(2)</a>
    <li><a href="#ref-for-typedefdef-cosealgorithmidentifier②">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a> <a href="#ref-for-typedefdef-cosealgorithmidentifier③">(2)</a>
    <li><a href="#ref-for-typedefdef-cosealgorithmidentifier④">5.2.1.1. Easily accessing credential data</a> <a href="#ref-for-typedefdef-cosealgorithmidentifier⑤">(2)</a>
    <li><a href="#ref-for-typedefdef-cosealgorithmidentifier⑥">5.3. Parameters for Credential Generation (dictionary PublicKeyCredentialParameters)</a> <a href="#ref-for-typedefdef-cosealgorithmidentifier⑦">(2)</a>
    <li><a href="#ref-for-typedefdef-cosealgorithmidentifier⑧">5.8.5. Cryptographic Algorithm Identifier (typedef COSEAlgorithmIdentifier)</a> <a href="#ref-for-typedefdef-cosealgorithmidentifier⑨">(2)</a>
    <li><a href="#ref-for-typedefdef-cosealgorithmidentifier①⓪">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-typedefdef-cosealgorithmidentifier①①">6.5.1. Attested Credential Data</a>
    <li><a href="#ref-for-typedefdef-cosealgorithmidentifier①②">8.2. Packed Attestation Statement Format</a>
    <li><a href="#ref-for-typedefdef-cosealgorithmidentifier①③">8.3. TPM Attestation Statement Format</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="enumdef-userverificationrequirement">
   <b><a href="#enumdef-userverificationrequirement">#enumdef-userverificationrequirement</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-enumdef-userverificationrequirement">5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)</a>
    <li><a href="#ref-for-enumdef-userverificationrequirement①">5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
    <li><a href="#ref-for-enumdef-userverificationrequirement②">5.8.6. User Verification Requirement Enumeration (enum UserVerificationRequirement)</a> <a href="#ref-for-enumdef-userverificationrequirement③">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-userverificationrequirement-required">
   <b><a href="#dom-userverificationrequirement-required">#dom-userverificationrequirement-required</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-userverificationrequirement-required">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-userverificationrequirement-required①">(2)</a> <a href="#ref-for-dom-userverificationrequirement-required②">(3)</a>
    <li><a href="#ref-for-dom-userverificationrequirement-required③">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-userverificationrequirement-required④">(2)</a> <a href="#ref-for-dom-userverificationrequirement-required⑤">(3)</a>
    <li><a href="#ref-for-dom-userverificationrequirement-required⑥">5.8.6. User Verification Requirement Enumeration (enum UserVerificationRequirement)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-userverificationrequirement-preferred">
   <b><a href="#dom-userverificationrequirement-preferred">#dom-userverificationrequirement-preferred</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-userverificationrequirement-preferred">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-userverificationrequirement-preferred①">(2)</a>
    <li><a href="#ref-for-dom-userverificationrequirement-preferred②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-userverificationrequirement-preferred③">(2)</a>
    <li><a href="#ref-for-dom-userverificationrequirement-preferred④">5.8.6. User Verification Requirement Enumeration (enum UserVerificationRequirement)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-userverificationrequirement-discouraged">
   <b><a href="#dom-userverificationrequirement-discouraged">#dom-userverificationrequirement-discouraged</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-userverificationrequirement-discouraged">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-userverificationrequirement-discouraged①">(2)</a>
    <li><a href="#ref-for-dom-userverificationrequirement-discouraged②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-userverificationrequirement-discouraged③">(2)</a>
    <li><a href="#ref-for-dom-userverificationrequirement-discouraged④">5.8.6. User Verification Requirement Enumeration (enum UserVerificationRequirement)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="publickey-credentials-get-feature">
   <b><a href="#publickey-credentials-get-feature">#publickey-credentials-get-feature</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-publickey-credentials-get-feature">5.10. Using Web Authentication within iframe elements</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-model">
   <b><a href="#authenticator-model">#authenticator-model</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-model">4. Terminology</a> <a href="#ref-for-authenticator-model①">(2)</a>
    <li><a href="#ref-for-authenticator-model②">6. WebAuthn Authenticator Model</a>
    <li><a href="#ref-for-authenticator-model③">11.2. Virtual Authenticators</a>
    <li><a href="#ref-for-authenticator-model④">13.2. Physical Proximity between Client and Authenticator</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-credentials-map">
   <b><a href="#authenticator-credentials-map">#authenticator-credentials-map</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-credentials-map">4. Terminology</a> <a href="#ref-for-authenticator-credentials-map①">(2)</a>
    <li><a href="#ref-for-authenticator-credentials-map②">6.3.1. Lookup Credential Source by Credential ID Algorithm</a>
    <li><a href="#ref-for-authenticator-credentials-map③">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-authenticator-credentials-map④">6.3.3. The authenticatorGetAssertion Operation</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestation-signature">
   <b><a href="#attestation-signature">#attestation-signature</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestation-signature">4. Terminology</a>
    <li><a href="#ref-for-attestation-signature①">6. WebAuthn Authenticator Model</a> <a href="#ref-for-attestation-signature②">(2)</a> <a href="#ref-for-attestation-signature③">(3)</a> <a href="#ref-for-attestation-signature④">(4)</a>
    <li><a href="#ref-for-attestation-signature⑤">6.1. Authenticator Data</a>
    <li><a href="#ref-for-attestation-signature⑥">6.5. Attestation</a>
    <li><a href="#ref-for-attestation-signature⑦">6.5.3. Attestation Types</a>
    <li><a href="#ref-for-attestation-signature⑧">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-attestation-signature⑨">8.2. Packed Attestation Statement Format</a> <a href="#ref-for-attestation-signature①⓪">(2)</a>
    <li><a href="#ref-for-attestation-signature①①">8.3. TPM Attestation Statement Format</a> <a href="#ref-for-attestation-signature①②">(2)</a>
    <li><a href="#ref-for-attestation-signature①③">8.6. FIDO U2F Attestation Statement Format</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="assertion-signature">
   <b><a href="#assertion-signature">#assertion-signature</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-assertion-signature">1.3.3. Authentication</a>
    <li><a href="#ref-for-assertion-signature①">4. Terminology</a>
    <li><a href="#ref-for-assertion-signature②">6. WebAuthn Authenticator Model</a> <a href="#ref-for-assertion-signature③">(2)</a> <a href="#ref-for-assertion-signature④">(3)</a>
    <li><a href="#ref-for-assertion-signature⑤">6.1. Authenticator Data</a>
    <li><a href="#ref-for-assertion-signature⑥">6.1.2. FIDO U2F Signature Format Compatibility</a> <a href="#ref-for-assertion-signature⑦">(2)</a>
    <li><a href="#ref-for-assertion-signature⑧">6.3.3. The authenticatorGetAssertion Operation</a> <a href="#ref-for-assertion-signature⑨">(2)</a> <a href="#ref-for-assertion-signature①⓪">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="webauthn-signature">
   <b><a href="#webauthn-signature">#webauthn-signature</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-webauthn-signature">5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)</a>
    <li><a href="#ref-for-webauthn-signature①">6. WebAuthn Authenticator Model</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-data">
   <b><a href="#authenticator-data">#authenticator-data</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-data">1.1. Specification Roadmap</a>
    <li><a href="#ref-for-authenticator-data①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-authenticator-data②">5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)</a> <a href="#ref-for-authenticator-data③">(2)</a> <a href="#ref-for-authenticator-data④">(3)</a>
    <li><a href="#ref-for-authenticator-data⑤">5.2.1.1. Easily accessing credential data</a> <a href="#ref-for-authenticator-data⑥">(2)</a> <a href="#ref-for-authenticator-data⑦">(3)</a> <a href="#ref-for-authenticator-data⑧">(4)</a> <a href="#ref-for-authenticator-data⑨">(5)</a>
    <li><a href="#ref-for-authenticator-data①⓪">5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
    <li><a href="#ref-for-authenticator-data①①">5.7. WebAuthn Extensions Inputs and Outputs</a>
    <li><a href="#ref-for-authenticator-data①②">6. WebAuthn Authenticator Model</a> <a href="#ref-for-authenticator-data①③">(2)</a>
    <li><a href="#ref-for-authenticator-data①④">6.1. Authenticator Data</a> <a href="#ref-for-authenticator-data①⑤">(2)</a> <a href="#ref-for-authenticator-data①⑥">(3)</a> <a href="#ref-for-authenticator-data①⑦">(4)</a> <a href="#ref-for-authenticator-data①⑧">(5)</a> <a href="#ref-for-authenticator-data①⑨">(6)</a> <a href="#ref-for-authenticator-data②⓪">(7)</a> <a href="#ref-for-authenticator-data②①">(8)</a> <a href="#ref-for-authenticator-data②②">(9)</a> <a href="#ref-for-authenticator-data②③">(10)</a> <a href="#ref-for-authenticator-data②④">(11)</a>
    <li><a href="#ref-for-authenticator-data②⑤">6.1.1. Signature Counter Considerations</a> <a href="#ref-for-authenticator-data②⑥">(2)</a> <a href="#ref-for-authenticator-data②⑦">(3)</a>
    <li><a href="#ref-for-authenticator-data②⑧">6.1.2. FIDO U2F Signature Format Compatibility</a> <a href="#ref-for-authenticator-data②⑨">(2)</a> <a href="#ref-for-authenticator-data③⓪">(3)</a>
    <li><a href="#ref-for-authenticator-data③①">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-authenticator-data③②">6.3.3. The authenticatorGetAssertion Operation</a>
    <li><a href="#ref-for-authenticator-data③③">6.5. Attestation</a> <a href="#ref-for-authenticator-data③④">(2)</a>
    <li><a href="#ref-for-authenticator-data③⑤">6.5.1. Attested Credential Data</a>
    <li><a href="#ref-for-authenticator-data③⑥">6.5.2. Attestation Statement Formats</a> <a href="#ref-for-authenticator-data③⑦">(2)</a>
    <li><a href="#ref-for-authenticator-data③⑧">6.5.4. Generating an Attestation Object</a>
    <li><a href="#ref-for-authenticator-data③⑨">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-authenticator-data④⓪">8.5. Android SafetyNet Attestation Statement Format</a>
    <li><a href="#ref-for-authenticator-data④①">9.5. Authenticator Extension Processing</a> <a href="#ref-for-authenticator-data④②">(2)</a>
    <li><a href="#ref-for-authenticator-data④③">10.3. User Verification Method Extension (uvm)</a>
    <li><a href="#ref-for-authenticator-data④④">13.1. Credential ID Unsigned</a>
    <li><a href="#ref-for-authenticator-data④⑤">13.3.1. Attestation Certificate Hierarchy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="rpidhash">
   <b><a href="#rpidhash">#rpidhash</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-rpidhash">6.1. Authenticator Data</a>
    <li><a href="#ref-for-rpidhash①">6.1.2. FIDO U2F Signature Format Compatibility</a>
    <li><a href="#ref-for-rpidhash②">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-rpidhash③">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-rpidhash④">10.1. FIDO AppID Extension (appid)</a> <a href="#ref-for-rpidhash⑤">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="flags">
   <b><a href="#flags">#flags</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-flags">5.8.6. User Verification Requirement Enumeration (enum UserVerificationRequirement)</a> <a href="#ref-for-flags①">(2)</a>
    <li><a href="#ref-for-flags②">6.1. Authenticator Data</a> <a href="#ref-for-flags③">(2)</a> <a href="#ref-for-flags④">(3)</a> <a href="#ref-for-flags⑤">(4)</a> <a href="#ref-for-flags⑥">(5)</a> <a href="#ref-for-flags⑦">(6)</a> <a href="#ref-for-flags⑧">(7)</a> <a href="#ref-for-flags⑨">(8)</a> <a href="#ref-for-flags①⓪">(9)</a> <a href="#ref-for-flags①①">(10)</a> <a href="#ref-for-flags①②">(11)</a>
    <li><a href="#ref-for-flags①③">6.1.2. FIDO U2F Signature Format Compatibility</a>
    <li><a href="#ref-for-flags①④">6.2.3. Authentication Factor Capability</a> <a href="#ref-for-flags①⑤">(2)</a>
    <li><a href="#ref-for-flags①⑥">7.1. Registering a New Credential</a> <a href="#ref-for-flags①⑦">(2)</a>
    <li><a href="#ref-for-flags①⑧">7.2. Verifying an Authentication Assertion</a> <a href="#ref-for-flags①⑨">(2)</a>
    <li><a href="#ref-for-flags②⓪">14.3. Authenticator-local Biometric Recognition</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="signcount">
   <b><a href="#signcount">#signcount</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-signcount">6.1.1. Signature Counter Considerations</a> <a href="#ref-for-signcount①">(2)</a> <a href="#ref-for-signcount②">(3)</a>
    <li><a href="#ref-for-signcount③">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-signcount④">7.2. Verifying an Authentication Assertion</a> <a href="#ref-for-signcount⑤">(2)</a> <a href="#ref-for-signcount⑥">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestedcredentialdata">
   <b><a href="#attestedcredentialdata">#attestedcredentialdata</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestedcredentialdata">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-attestedcredentialdata①">5.2.1.1. Easily accessing credential data</a>
    <li><a href="#ref-for-attestedcredentialdata②">6.1. Authenticator Data</a> <a href="#ref-for-attestedcredentialdata③">(2)</a>
    <li><a href="#ref-for-attestedcredentialdata④">6.1.2. FIDO U2F Signature Format Compatibility</a>
    <li><a href="#ref-for-attestedcredentialdata⑤">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-attestedcredentialdata⑥">6.3.3. The authenticatorGetAssertion Operation</a>
    <li><a href="#ref-for-attestedcredentialdata⑦">7.1. Registering a New Credential</a> <a href="#ref-for-attestedcredentialdata⑧">(2)</a>
    <li><a href="#ref-for-attestedcredentialdata⑨">8.3. TPM Attestation Statement Format</a>
    <li><a href="#ref-for-attestedcredentialdata①⓪">8.4. Android Key Attestation Statement Format</a>
    <li><a href="#ref-for-attestedcredentialdata①①">8.6. FIDO U2F Attestation Statement Format</a> <a href="#ref-for-attestedcredentialdata①②">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authdataextensions">
   <b><a href="#authdataextensions">#authdataextensions</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authdataextensions">6.1. Authenticator Data</a> <a href="#ref-for-authdataextensions①">(2)</a> <a href="#ref-for-authdataextensions②">(3)</a> <a href="#ref-for-authdataextensions③">(4)</a>
    <li><a href="#ref-for-authdataextensions④">6.1.2. FIDO U2F Signature Format Compatibility</a>
    <li><a href="#ref-for-authdataextensions⑤">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-authdataextensions⑥">6.3.3. The authenticatorGetAssertion Operation</a>
    <li><a href="#ref-for-authdataextensions⑦">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-authdataextensions⑧">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-authdataextensions⑨">9.5. Authenticator Extension Processing</a> <a href="#ref-for-authdataextensions①⓪">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-data-perform-the-following-steps-to-generate-an-authenticator-data-structure">
   <b><a href="#authenticator-data-perform-the-following-steps-to-generate-an-authenticator-data-structure">#authenticator-data-perform-the-following-steps-to-generate-an-authenticator-data-structure</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-data-perform-the-following-steps-to-generate-an-authenticator-data-structure">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-authenticator-data-perform-the-following-steps-to-generate-an-authenticator-data-structure①">6.3.3. The authenticatorGetAssertion Operation</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="signature-counter">
   <b><a href="#signature-counter">#signature-counter</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-signature-counter">6.1. Authenticator Data</a>
    <li><a href="#ref-for-signature-counter①">6.1.1. Signature Counter Considerations</a> <a href="#ref-for-signature-counter②">(2)</a> <a href="#ref-for-signature-counter③">(3)</a> <a href="#ref-for-signature-counter④">(4)</a> <a href="#ref-for-signature-counter⑤">(5)</a> <a href="#ref-for-signature-counter⑥">(6)</a> <a href="#ref-for-signature-counter⑦">(7)</a> <a href="#ref-for-signature-counter⑧">(8)</a> <a href="#ref-for-signature-counter⑨">(9)</a> <a href="#ref-for-signature-counter①⓪">(10)</a> <a href="#ref-for-signature-counter①①">(11)</a>
    <li><a href="#ref-for-signature-counter①②">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-signature-counter①③">(2)</a> <a href="#ref-for-signature-counter①④">(3)</a> <a href="#ref-for-signature-counter①⑤">(4)</a> <a href="#ref-for-signature-counter①⑥">(5)</a> <a href="#ref-for-signature-counter①⑦">(6)</a>
    <li><a href="#ref-for-signature-counter①⑧">6.3.3. The authenticatorGetAssertion Operation</a> <a href="#ref-for-signature-counter①⑨">(2)</a> <a href="#ref-for-signature-counter②⓪">(3)</a> <a href="#ref-for-signature-counter②①">(4)</a>
    <li><a href="#ref-for-signature-counter②②">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-signature-counter②③">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-signature-counter②④">11.5. Add Credential</a> <a href="#ref-for-signature-counter②⑤">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-type">
   <b><a href="#authenticator-type">#authenticator-type</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-type">4. Terminology</a>
    <li><a href="#ref-for-authenticator-type①">6.2. Authenticator Taxonomy</a> <a href="#ref-for-authenticator-type②">(2)</a> <a href="#ref-for-authenticator-type③">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="second-factor-platform-authenticator">
   <b><a href="#second-factor-platform-authenticator">#second-factor-platform-authenticator</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-second-factor-platform-authenticator">6.2. Authenticator Taxonomy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="basic">
   <b><a href="#basic">#basic</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-basic">6.5.3. Attestation Types</a>
    <li><a href="#ref-for-basic①">8.2. Packed Attestation Statement Format</a> <a href="#ref-for-basic②">(2)</a> <a href="#ref-for-basic③">(3)</a> <a href="#ref-for-basic④">(4)</a>
    <li><a href="#ref-for-basic⑤">8.4. Android Key Attestation Statement Format</a> <a href="#ref-for-basic⑥">(2)</a>
    <li><a href="#ref-for-basic⑦">8.5. Android SafetyNet Attestation Statement Format</a> <a href="#ref-for-basic⑧">(2)</a>
    <li><a href="#ref-for-basic⑨">8.6. FIDO U2F Attestation Statement Format</a> <a href="#ref-for-basic①⓪">(2)</a> <a href="#ref-for-basic①①">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="batch-attestation">
   <b><a href="#batch-attestation">#batch-attestation</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-batch-attestation">14.4.1. Attestation Privacy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="self-attestation">
   <b><a href="#self-attestation">#self-attestation</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-self-attestation">4. Terminology</a> <a href="#ref-for-self-attestation①">(2)</a> <a href="#ref-for-self-attestation②">(3)</a> <a href="#ref-for-self-attestation③">(4)</a>
    <li><a href="#ref-for-self-attestation④">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-self-attestation⑤">5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)</a>
    <li><a href="#ref-for-self-attestation⑥">6.5. Attestation</a> <a href="#ref-for-self-attestation⑦">(2)</a> <a href="#ref-for-self-attestation⑧">(3)</a>
    <li><a href="#ref-for-self-attestation⑨">6.5.2. Attestation Statement Formats</a>
    <li><a href="#ref-for-self-attestation①⓪">6.5.3. Attestation Types</a> <a href="#ref-for-self-attestation①①">(2)</a>
    <li><a href="#ref-for-self-attestation①②">7.1. Registering a New Credential</a> <a href="#ref-for-self-attestation①③">(2)</a> <a href="#ref-for-self-attestation①④">(3)</a>
    <li><a href="#ref-for-self-attestation①⑤">8.2. Packed Attestation Statement Format</a> <a href="#ref-for-self-attestation①⑥">(2)</a>
    <li><a href="#ref-for-self-attestation①⑦">13.4.4. Attestation Limitations</a>
    <li><a href="#ref-for-self-attestation①⑧">13.4.5. Revoked Attestation Certificates</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="self">
   <b><a href="#self">#self</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-self">8.2. Packed Attestation Statement Format</a> <a href="#ref-for-self①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestation-ca">
   <b><a href="#attestation-ca">#attestation-ca</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestation-ca">5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)</a>
    <li><a href="#ref-for-attestation-ca①">6.5.3. Attestation Types</a> <a href="#ref-for-attestation-ca②">(2)</a>
    <li><a href="#ref-for-attestation-ca③">14.4.1. Attestation Privacy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attca">
   <b><a href="#attca">#attca</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attca">6.5.3. Attestation Types</a>
    <li><a href="#ref-for-attca①">8.2. Packed Attestation Statement Format</a> <a href="#ref-for-attca②">(2)</a> <a href="#ref-for-attca③">(3)</a> <a href="#ref-for-attca④">(4)</a>
    <li><a href="#ref-for-attca⑤">8.3. TPM Attestation Statement Format</a> <a href="#ref-for-attca⑥">(2)</a>
    <li><a href="#ref-for-attca⑦">8.6. FIDO U2F Attestation Statement Format</a> <a href="#ref-for-attca⑧">(2)</a> <a href="#ref-for-attca⑨">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="anonymization-ca">
   <b><a href="#anonymization-ca">#anonymization-ca</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-anonymization-ca">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-anonymization-ca①">5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)</a> <a href="#ref-for-anonymization-ca②">(2)</a>
    <li><a href="#ref-for-anonymization-ca③">6.5.3. Attestation Types</a>
    <li><a href="#ref-for-anonymization-ca④">8.8. Apple Anonymous Attestation Statement Format</a> <a href="#ref-for-anonymization-ca⑤">(2)</a>
    <li><a href="#ref-for-anonymization-ca⑥">14.4.1. Attestation Privacy</a> <a href="#ref-for-anonymization-ca⑦">(2)</a> <a href="#ref-for-anonymization-ca⑧">(3)</a> <a href="#ref-for-anonymization-ca⑨">(4)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="anonca">
   <b><a href="#anonca">#anonca</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-anonca">6.5.3. Attestation Types</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="none">
   <b><a href="#none">#none</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-none">6.5. Attestation</a> <a href="#ref-for-none①">(2)</a>
    <li><a href="#ref-for-none②">6.5.3. Attestation Types</a>
    <li><a href="#ref-for-none③">7.1. Registering a New Credential</a> <a href="#ref-for-none④">(2)</a>
    <li><a href="#ref-for-none⑤">8.7. None Attestation Statement Format</a> <a href="#ref-for-none⑥">(2)</a>
    <li><a href="#ref-for-none⑦">13.4.4. Attestation Limitations</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestation-statement-format-identifier">
   <b><a href="#attestation-statement-format-identifier">#attestation-statement-format-identifier</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestation-statement-format-identifier">6.5.2. Attestation Statement Formats</a>
    <li><a href="#ref-for-attestation-statement-format-identifier①">6.5.4. Generating an Attestation Object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="android-key-attestation-certificate-extension-data">
   <b><a href="#android-key-attestation-certificate-extension-data">#android-key-attestation-certificate-extension-data</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-android-key-attestation-certificate-extension-data">8.4. Android Key Attestation Statement Format</a> <a href="#ref-for-android-key-attestation-certificate-extension-data①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="webauthn-extensions">
   <b><a href="#webauthn-extensions">#webauthn-extensions</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-webauthn-extensions">5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)</a>
    <li><a href="#ref-for-webauthn-extensions①">5.7. WebAuthn Extensions Inputs and Outputs</a>
    <li><a href="#ref-for-webauthn-extensions②">5.7.1. Authentication Extensions Client Inputs (dictionary AuthenticationExtensionsClientInputs)</a>
    <li><a href="#ref-for-webauthn-extensions③">5.7.2. Authentication Extensions Client Outputs (dictionary AuthenticationExtensionsClientOutputs)</a>
    <li><a href="#ref-for-webauthn-extensions④">5.7.3. Authentication Extensions Authenticator Inputs (CDDL type AuthenticationExtensionsAuthenticatorInputs)</a>
    <li><a href="#ref-for-webauthn-extensions⑤">5.7.4. Authentication Extensions Authenticator Outputs (CDDL type AuthenticationExtensionsAuthenticatorOutputs)</a>
    <li><a href="#ref-for-webauthn-extensions⑥">8.1. Attestation Statement Format Identifiers</a>
    <li><a href="#ref-for-webauthn-extensions⑦">9. WebAuthn Extensions</a> <a href="#ref-for-webauthn-extensions⑧">(2)</a> <a href="#ref-for-webauthn-extensions⑨">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="registration-extension">
   <b><a href="#registration-extension">#registration-extension</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-registration-extension">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-registration-extension①">5.7. WebAuthn Extensions Inputs and Outputs</a>
    <li><a href="#ref-for-registration-extension②">9. WebAuthn Extensions</a> <a href="#ref-for-registration-extension③">(2)</a> <a href="#ref-for-registration-extension④">(3)</a> <a href="#ref-for-registration-extension⑤">(4)</a> <a href="#ref-for-registration-extension⑥">(5)</a> <a href="#ref-for-registration-extension⑦">(6)</a>
    <li><a href="#ref-for-registration-extension⑧">10.2. FIDO AppID Exclusion Extension (appidExclude)</a>
    <li><a href="#ref-for-registration-extension⑨">10.3. User Verification Method Extension (uvm)</a>
    <li><a href="#ref-for-registration-extension①⓪">10.4. Credential Properties Extension (credProps)</a> <a href="#ref-for-registration-extension①①">(2)</a>
    <li><a href="#ref-for-registration-extension①②">10.5. Large blob storage extension (largeBlob)</a> <a href="#ref-for-registration-extension①③">(2)</a> <a href="#ref-for-registration-extension①④">(3)</a> <a href="#ref-for-registration-extension①⑤">(4)</a> <a href="#ref-for-registration-extension①⑥">(5)</a> <a href="#ref-for-registration-extension①⑦">(6)</a> <a href="#ref-for-registration-extension①⑧">(7)</a>
    <li><a href="#ref-for-registration-extension①⑨">12.3. WebAuthn Extension Identifier Registrations Updates</a>
    <li><a href="#ref-for-registration-extension②⓪">12.4. WebAuthn Extension Identifier Registrations</a> <a href="#ref-for-registration-extension②①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authentication-extension">
   <b><a href="#authentication-extension">#authentication-extension</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authentication-extension">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-authentication-extension①">5.7. WebAuthn Extensions Inputs and Outputs</a>
    <li><a href="#ref-for-authentication-extension②">9. WebAuthn Extensions</a> <a href="#ref-for-authentication-extension③">(2)</a> <a href="#ref-for-authentication-extension④">(3)</a> <a href="#ref-for-authentication-extension⑤">(4)</a> <a href="#ref-for-authentication-extension⑥">(5)</a> <a href="#ref-for-authentication-extension⑦">(6)</a>
    <li><a href="#ref-for-authentication-extension⑧">10.1. FIDO AppID Extension (appid)</a>
    <li><a href="#ref-for-authentication-extension⑨">10.3. User Verification Method Extension (uvm)</a>
    <li><a href="#ref-for-authentication-extension①⓪">10.5. Large blob storage extension (largeBlob)</a> <a href="#ref-for-authentication-extension①①">(2)</a> <a href="#ref-for-authentication-extension①②">(3)</a> <a href="#ref-for-authentication-extension①③">(4)</a> <a href="#ref-for-authentication-extension①④">(5)</a> <a href="#ref-for-authentication-extension①⑤">(6)</a>
    <li><a href="#ref-for-authentication-extension①⑥">12.3. WebAuthn Extension Identifier Registrations Updates</a> <a href="#ref-for-authentication-extension①⑦">(2)</a>
    <li><a href="#ref-for-authentication-extension①⑧">12.4. WebAuthn Extension Identifier Registrations</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client-extension">
   <b><a href="#client-extension">#client-extension</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-extension">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-client-extension①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-client-extension②">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-client-extension③">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-client-extension④">9. WebAuthn Extensions</a>
    <li><a href="#ref-for-client-extension⑤">9.2. Defining Extensions</a>
    <li><a href="#ref-for-client-extension⑥">9.4. Client Extension Processing</a>
    <li><a href="#ref-for-client-extension⑦">10.4. Credential Properties Extension (credProps)</a>
    <li><a href="#ref-for-client-extension⑧">10.5. Large blob storage extension (largeBlob)</a>
    <li><a href="#ref-for-client-extension⑨">12.4. WebAuthn Extension Identifier Registrations</a> <a href="#ref-for-client-extension①⓪">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-extension">
   <b><a href="#authenticator-extension">#authenticator-extension</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-extension">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-authenticator-extension①">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-authenticator-extension②">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-authenticator-extension③">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-authenticator-extension④">9. WebAuthn Extensions</a> <a href="#ref-for-authenticator-extension⑤">(2)</a> <a href="#ref-for-authenticator-extension⑥">(3)</a>
    <li><a href="#ref-for-authenticator-extension⑦">9.2. Defining Extensions</a> <a href="#ref-for-authenticator-extension⑧">(2)</a>
    <li><a href="#ref-for-authenticator-extension⑨">9.3. Extending Request Parameters</a>
    <li><a href="#ref-for-authenticator-extension①⓪">9.5. Authenticator Extension Processing</a>
    <li><a href="#ref-for-authenticator-extension①①">11.1.1. Authenticator Extension Capabilities</a> <a href="#ref-for-authenticator-extension①②">(2)</a> <a href="#ref-for-authenticator-extension①③">(3)</a>
    <li><a href="#ref-for-authenticator-extension①④">11.2. Virtual Authenticators</a> <a href="#ref-for-authenticator-extension①⑤">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="extension-identifier">
   <b><a href="#extension-identifier">#extension-identifier</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-extension-identifier">5.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-extension-identifier①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-extension-identifier②">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-extension-identifier③">6.1. Authenticator Data</a>
    <li><a href="#ref-for-extension-identifier④">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-extension-identifier⑤">(2)</a>
    <li><a href="#ref-for-extension-identifier⑥">6.3.3. The authenticatorGetAssertion Operation</a> <a href="#ref-for-extension-identifier⑦">(2)</a>
    <li><a href="#ref-for-extension-identifier⑧">9. WebAuthn Extensions</a> <a href="#ref-for-extension-identifier⑨">(2)</a>
    <li><a href="#ref-for-extension-identifier①⓪">9.2. Defining Extensions</a>
    <li><a href="#ref-for-extension-identifier①①">9.3. Extending Request Parameters</a> <a href="#ref-for-extension-identifier①②">(2)</a> <a href="#ref-for-extension-identifier①③">(3)</a> <a href="#ref-for-extension-identifier①④">(4)</a>
    <li><a href="#ref-for-extension-identifier①⑤">9.4. Client Extension Processing</a> <a href="#ref-for-extension-identifier①⑥">(2)</a>
    <li><a href="#ref-for-extension-identifier①⑦">9.5. Authenticator Extension Processing</a> <a href="#ref-for-extension-identifier①⑧">(2)</a>
    <li><a href="#ref-for-extension-identifier①⑨">11.2. Virtual Authenticators</a>
    <li><a href="#ref-for-extension-identifier②⓪">11.3. Add Virtual Authenticator</a> <a href="#ref-for-extension-identifier②①">(2)</a>
    <li><a href="#ref-for-extension-identifier②②">12.3. WebAuthn Extension Identifier Registrations Updates</a>
    <li><a href="#ref-for-extension-identifier②③">12.4. WebAuthn Extension Identifier Registrations</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client-extension-input">
   <b><a href="#client-extension-input">#client-extension-input</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-extension-input">5.7.1. Authentication Extensions Client Inputs (dictionary AuthenticationExtensionsClientInputs)</a>
    <li><a href="#ref-for-client-extension-input①">7.1. Registering a New Credential</a>
    <li><a href="#ref-for-client-extension-input②">7.2. Verifying an Authentication Assertion</a>
    <li><a href="#ref-for-client-extension-input③">9. WebAuthn Extensions</a> <a href="#ref-for-client-extension-input④">(2)</a> <a href="#ref-for-client-extension-input⑤">(3)</a> <a href="#ref-for-client-extension-input⑥">(4)</a>
    <li><a href="#ref-for-client-extension-input⑦">9.2. Defining Extensions</a>
    <li><a href="#ref-for-client-extension-input⑧">9.3. Extending Request Parameters</a> <a href="#ref-for-client-extension-input⑨">(2)</a> <a href="#ref-for-client-extension-input①⓪">(3)</a> <a href="#ref-for-client-extension-input①①">(4)</a> <a href="#ref-for-client-extension-input①②">(5)</a> <a href="#ref-for-client-extension-input①③">(6)</a>
    <li><a href="#ref-for-client-extension-input①④">9.4. Client Extension Processing</a> <a href="#ref-for-client-extension-input①⑤">(2)</a> <a href="#ref-for-client-extension-input①⑥">(3)</a> <a href="#ref-for-client-extension-input①⑦">(4)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-extension-input">
   <b><a href="#authenticator-extension-input">#authenticator-extension-input</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-extension-input">5.7.3. Authentication Extensions Authenticator Inputs (CDDL type AuthenticationExtensionsAuthenticatorInputs)</a>
    <li><a href="#ref-for-authenticator-extension-input①">6.3.2. The authenticatorMakeCredential Operation</a> <a href="#ref-for-authenticator-extension-input②">(2)</a>
    <li><a href="#ref-for-authenticator-extension-input③">6.3.3. The authenticatorGetAssertion Operation</a> <a href="#ref-for-authenticator-extension-input④">(2)</a>
    <li><a href="#ref-for-authenticator-extension-input⑤">9. WebAuthn Extensions</a> <a href="#ref-for-authenticator-extension-input⑥">(2)</a> <a href="#ref-for-authenticator-extension-input⑦">(3)</a> <a href="#ref-for-authenticator-extension-input⑧">(4)</a> <a href="#ref-for-authenticator-extension-input⑨">(5)</a> <a href="#ref-for-authenticator-extension-input①⓪">(6)</a>
    <li><a href="#ref-for-authenticator-extension-input①①">9.2. Defining Extensions</a>
    <li><a href="#ref-for-authenticator-extension-input①②">9.3. Extending Request Parameters</a> <a href="#ref-for-authenticator-extension-input①③">(2)</a> <a href="#ref-for-authenticator-extension-input①④">(3)</a> <a href="#ref-for-authenticator-extension-input①⑤">(4)</a>
    <li><a href="#ref-for-authenticator-extension-input①⑥">9.4. Client Extension Processing</a>
    <li><a href="#ref-for-authenticator-extension-input①⑦">9.5. Authenticator Extension Processing</a> <a href="#ref-for-authenticator-extension-input①⑧">(2)</a> <a href="#ref-for-authenticator-extension-input①⑨">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client-extension-processing">
   <b><a href="#client-extension-processing">#client-extension-processing</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-extension-processing">5.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-client-extension-processing①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-client-extension-processing②">(2)</a>
    <li><a href="#ref-for-client-extension-processing③">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-client-extension-processing④">(2)</a>
    <li><a href="#ref-for-client-extension-processing⑤">9. WebAuthn Extensions</a> <a href="#ref-for-client-extension-processing⑥">(2)</a> <a href="#ref-for-client-extension-processing⑦">(3)</a> <a href="#ref-for-client-extension-processing⑧">(4)</a>
    <li><a href="#ref-for-client-extension-processing⑨">9.2. Defining Extensions</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client-extension-output">
   <b><a href="#client-extension-output">#client-extension-output</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-extension-output">5.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-client-extension-output①">5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-client-extension-output②">(2)</a>
    <li><a href="#ref-for-client-extension-output③">5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-client-extension-output④">(2)</a>
    <li><a href="#ref-for-client-extension-output⑤">5.7.2. Authentication Extensions Client Outputs (dictionary AuthenticationExtensionsClientOutputs)</a>
    <li><a href="#ref-for-client-extension-output⑥">7.1. Registering a New Credential</a> <a href="#ref-for-client-extension-output⑦">(2)</a>
    <li><a href="#ref-for-client-extension-output⑧">7.2. Verifying an Authentication Assertion</a> <a href="#ref-for-client-extension-output⑨">(2)</a>
    <li><a href="#ref-for-client-extension-output①⓪">9. WebAuthn Extensions</a> <a href="#ref-for-client-extension-output①①">(2)</a> <a href="#ref-for-client-extension-output①②">(3)</a> <a href="#ref-for-client-extension-output①③">(4)</a>
    <li><a href="#ref-for-client-extension-output①④">9.2. Defining Extensions</a> <a href="#ref-for-client-extension-output①⑤">(2)</a> <a href="#ref-for-client-extension-output①⑥">(3)</a>
    <li><a href="#ref-for-client-extension-output①⑦">9.4. Client Extension Processing</a> <a href="#ref-for-client-extension-output①⑧">(2)</a> <a href="#ref-for-client-extension-output①⑨">(3)</a>
    <li><a href="#ref-for-client-extension-output②⓪">10.5. Large blob storage extension (largeBlob)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-extension-processing">
   <b><a href="#authenticator-extension-processing">#authenticator-extension-processing</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-extension-processing">6.3.2. The authenticatorMakeCredential Operation</a>
    <li><a href="#ref-for-authenticator-extension-processing①">6.3.3. The authenticatorGetAssertion Operation</a>
    <li><a href="#ref-for-authenticator-extension-processing②">9. WebAuthn Extensions</a>
    <li><a href="#ref-for-authenticator-extension-processing③">9.2. Defining Extensions</a>
    <li><a href="#ref-for-authenticator-extension-processing④">9.5. Authenticator Extension Processing</a>
    <li><a href="#ref-for-authenticator-extension-processing⑤">11.1.1. Authenticator Extension Capabilities</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-extension-output">
   <b><a href="#authenticator-extension-output">#authenticator-extension-output</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-extension-output">5.7. WebAuthn Extensions Inputs and Outputs</a>
    <li><a href="#ref-for-authenticator-extension-output①">5.7.4. Authentication Extensions Authenticator Outputs (CDDL type AuthenticationExtensionsAuthenticatorOutputs)</a>
    <li><a href="#ref-for-authenticator-extension-output②">6.1. Authenticator Data</a>
    <li><a href="#ref-for-authenticator-extension-output③">7.1. Registering a New Credential</a> <a href="#ref-for-authenticator-extension-output④">(2)</a>
    <li><a href="#ref-for-authenticator-extension-output⑤">7.2. Verifying an Authentication Assertion</a> <a href="#ref-for-authenticator-extension-output⑥">(2)</a>
    <li><a href="#ref-for-authenticator-extension-output⑦">9. WebAuthn Extensions</a> <a href="#ref-for-authenticator-extension-output⑧">(2)</a> <a href="#ref-for-authenticator-extension-output⑨">(3)</a> <a href="#ref-for-authenticator-extension-output①⓪">(4)</a>
    <li><a href="#ref-for-authenticator-extension-output①①">9.2. Defining Extensions</a> <a href="#ref-for-authenticator-extension-output①②">(2)</a> <a href="#ref-for-authenticator-extension-output①③">(3)</a>
    <li><a href="#ref-for-authenticator-extension-output①④">9.3. Extending Request Parameters</a>
    <li><a href="#ref-for-authenticator-extension-output①⑤">9.4. Client Extension Processing</a>
    <li><a href="#ref-for-authenticator-extension-output①⑥">9.5. Authenticator Extension Processing</a>
    <li><a href="#ref-for-authenticator-extension-output①⑦">10.3. User Verification Method Extension (uvm)</a>
    <li><a href="#ref-for-authenticator-extension-output①⑧">11.2. Virtual Authenticators</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="appid">
   <b><a href="#appid">#appid</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-appid">3. Dependencies</a>
    <li><a href="#ref-for-appid①">7.2. Verifying an Authentication Assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticationextensionsclientinputs-appid">
   <b><a href="#dom-authenticationextensionsclientinputs-appid">#dom-authenticationextensionsclientinputs-appid</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticationextensionsclientinputs-appid">10.1. FIDO AppID Extension (appid)</a> <a href="#ref-for-dom-authenticationextensionsclientinputs-appid①">(2)</a> <a href="#ref-for-dom-authenticationextensionsclientinputs-appid②">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticationextensionsclientinputs-appidexclude">
   <b><a href="#dom-authenticationextensionsclientinputs-appidexclude">#dom-authenticationextensionsclientinputs-appidexclude</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticationextensionsclientinputs-appidexclude">10.2. FIDO AppID Exclusion Extension (appidExclude)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="user-verification-method">
   <b><a href="#user-verification-method">#user-verification-method</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-user-verification-method">11.1.1. Authenticator Extension Capabilities</a>
    <li><a href="#ref-for-user-verification-method①">11.2. Virtual Authenticators</a> <a href="#ref-for-user-verification-method②">(2)</a>
    <li><a href="#ref-for-user-verification-method③">11.3. Add Virtual Authenticator</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="typedefdef-uvmentry">
   <b><a href="#typedefdef-uvmentry">#typedefdef-uvmentry</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-typedefdef-uvmentry">10.3. User Verification Method Extension (uvm)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="typedefdef-uvmentries">
   <b><a href="#typedefdef-uvmentries">#typedefdef-uvmentries</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-typedefdef-uvmentries">10.3. User Verification Method Extension (uvm)</a>
    <li><a href="#ref-for-typedefdef-uvmentries①">11.2. Virtual Authenticators</a>
    <li><a href="#ref-for-typedefdef-uvmentries②">11.3. Add Virtual Authenticator</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="credprops">
   <b><a href="#credprops">#credprops</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-credprops">1.3.3. Authentication</a>
    <li><a href="#ref-for-credprops①">5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)</a> <a href="#ref-for-credprops②">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-credentialpropertiesoutput">
   <b><a href="#dictdef-credentialpropertiesoutput">#dictdef-credentialpropertiesoutput</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-credentialpropertiesoutput">10.4. Credential Properties Extension (credProps)</a>
   </ul>
  </aside>
<script>/* script-dfn-panel */

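document.body.addEventListener("click", function(e) {
    // Bikeshed "dfn panel" behaviour: clicking a <dfn class="dfn-paneled"> opens the
    // matching <aside class="dfn-panel" data-for="<dfn id>"> next to it; clicking inside
    // an open panel pins it ("activated"); clicking anywhere else closes every open or
    // pinned panel.
    var queryAll = function(sel) { return [].slice.call(document.querySelectorAll(sel)); };

    // Walk up from the click target to find the <dfn> or panel (if any) that was clicked on.
    var el = e.target;
    var target;
    var hitALink = false;
    while(el.parentElement) {
        if(el.tagName == "A") {
            // Clicking on a link in a <dfn> shouldn't summon the panel
            hitALink = true;
        }
        if(el.classList.contains("dfn-paneled")) {
            target = "dfn";
            break;
        }
        if(el.classList.contains("dfn-panel")) {
            target = "dfn-panel";
            break;
        }
        el = el.parentElement;
    }
    if(target != "dfn-panel") {
        // Turn off any currently "on" or "activated" panels.
        queryAll(".dfn-panel.on, .dfn-panel.activated").forEach(function(panel){
            panel.classList.remove("on");
            panel.classList.remove("activated");
        });
    }
    if(target == "dfn" && !hitALink) {
        // Find the panel by comparing its data-for attribute directly instead of splicing
        // el.id into a selector string: an id containing a quote, backslash or "]" would
        // otherwise make querySelector throw a SyntaxError from inside the click handler,
        // or change the meaning of the selector. The first match in document order is
        // used, which is what querySelector would have returned.
        var dfnPanel = null;
        var panels = queryAll(".dfn-panel");
        for(var i = 0; i < panels.length; i++) {
            if(panels[i].getAttribute("data-for") === el.id) {
                dfnPanel = panels[i];
                break;
            }
        }
        if(dfnPanel) {
            dfnPanel.classList.add("on");
            // Place the panel just to the right of the <dfn>, in document (scrolled) coordinates.
            var rect = el.getBoundingClientRect();
            dfnPanel.style.left = window.scrollX + rect.right + 5 + "px";
            dfnPanel.style.top = window.scrollY + rect.top + "px";
            var panelRect = dfnPanel.getBoundingClientRect();
            var panelWidth = panelRect.right - panelRect.left;
            if(panelRect.right > document.body.scrollWidth && (rect.left - (panelWidth + 5)) > 0) {
                // Reposition, because the panel is overflowing: flip it to the left of the <dfn>
                // when there is room there.
                dfnPanel.style.left = window.scrollX + rect.left - (panelWidth + 5) + "px";
            }
        } else {
            console.log("Couldn't find .dfn-panel[data-for='" + el.id + "']");
        }
    } else if(target == "dfn-panel") {
        // Switch it to "activated" state, which pins it (clears the inline position so the
        // stylesheet's pinned placement takes over).
        el.classList.add("activated");
        el.style.left = null;
        el.style.top = null;
    }

});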
</script>
<script>/* script-mdn-anno */

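            document.body.addEventListener("click", (e) => {
                // Bikeshed MDN annotation boxes: clicking the toggle button wraps/unwraps the
                // enclosing <... class="mdn-anno"> box.
                const btn = e.target.closest(".mdn-anno-btn");
                if(!btn) return;
                // Resolve the annotation container from the button and tolerate a button that
                // is not nested in an .mdn-anno: closest() returns null in that case, and the
                // original unconditional .classList access would throw from inside the handler.
                const anno = btn.closest(".mdn-anno");
                if(anno) {
                    anno.classList.toggle("wrapped");
                }
            });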
            </script>
