Re: [webauthn] basicIntegrity in SafetyNet documentation not sufficiently defined

FYI, this is a link to the Android Compatibility testing.

Someone from Google should comment, but in looking at SafetyNet attestations for other things my conclusion was that ctsProfileMatch is required to trust the attestation. A device that doesn't have that can't really be trusted. basicIntegrity is a best effort to provide some integrity checks on uncertified devices, and not something that we should be using as a security attestation; it is in my opinion not really better than nothing, as it is more likely to provide a false sense of security.

I believe there are some large Asian manufacturers that don't have CTS certification or license GMS, so those would not be able to have a trusted soft authenticator. If they support NFC or BT, people have other options.

I think what we have, checking ctsProfileMatch and ignoring basicIntegrity, is fine.
Better defining basicIntegrity for uncertified devices is not going to help anyone.

John B.

GitHub Notification of comment by ve7jtb

Received on Friday, 8 September 2017 22:22:40 UTC
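The verdict policy argued for above (require ctsProfileMatch, do not consult basicIntegrity), as an added example that is not part of the original message or of any WebAuthn implementation. It assumes the SafetyNet JWS signature and its x5c chain have already been verified separately; the payloads, nonce value and placeholder signature are constructed for the example.

```python
import base64
import json

# A SafetyNet attestation is a compact JWS: header.payload.signature.
# Signature and certificate-chain verification are assumed done elsewhere;
# this block only applies the relying-party verdict policy to the claims.


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWS segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_jws(payload: dict) -> str:
    """Build a three-segment JWS with a placeholder signature (example only)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "x5c": ["<placeholder-cert>"]}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    signature = _b64url_encode(b"placeholder-signature")
    return f"{header}.{body}.{signature}"


def safetynet_claims(jws: str) -> dict:
    """Extract the JSON claims from the payload segment of a compact JWS."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def accept_attestation(jws: str, expected_nonce: str) -> bool:
    """Accept only if the nonce binds the response to our challenge and ctsProfileMatch is true.

    basicIntegrity is deliberately ignored: it is a best-effort signal on
    uncertified devices, not a security attestation.
    """
    claims = safetynet_claims(jws)
    if claims.get("nonce") != expected_nonce:
        return False
    return claims.get("ctsProfileMatch") is True


# Constructed sample responses (nonce value is arbitrary for the example).
NONCE = "c2FtcGxlLW5vbmNl"
CERTIFIED = make_constructed_jws({"nonce": NONCE, "ctsProfileMatch": True, "basicIntegrity": True})
UNCERTIFIED = make_constructed_jws({"nonce": NONCE, "ctsProfileMatch": False, "basicIntegrity": True})
TAMPERED = make_constructed_jws({"nonce": NONCE, "ctsProfileMatch": False, "basicIntegrity": False})
```

Only the certified sample is accepted; the uncertified device with basicIntegrity true is rejected exactly as the thread recommends.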