
WebAuthn Registration Tree Node Feature Enhancement: FIDO2 - TPM attestation

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: webauthn
    • Support Ticket IDs:

      Description

      • One scenario for using Windows Hello through FIDO2 is Windows tablets with Windows Hello sign-on.
      • To meet security requirements, the TPM attestation certificate must be checked. However, TPM attestation (the WebAuthn "tpm" attestation statement format) is not currently supported in the FR registration module. As Windows Hello only supports TPM attestation, attestation must be disabled in order to register a device. This has security implications: with attestation disabled, the model of TPM in use cannot be identified, and identifying the model is one approach to verifying that a discrete hardware TPM is present.
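The registration-time check this ticket asks for, as an added example that is not OpenAM or ForgeRock code: a minimal stdlib CBOR decoder reads a WebAuthn attestation object, the policy accepts only the "tpm" statement format when TPM attestation is required, and the `require_tpm=False` path shows what is lost when attestation is disabled. The sample objects, placeholder certificate and signature bytes, and the function names are constructed for this example.

```python
TPM_FIELDS = {"ver", "alg", "x5c", "sig", "certInfo", "pubArea"}  # WebAuthn "tpm" attStmt keys
TPM_GENERATED = b"\xff\x54\x43\x47"  # TPM_GENERATED_VALUE magic that opens certInfo

def _length(data, pos, info):
    # CBOR additional info: <24 holds the value inline, 24..27 mean 1/2/4/8 bytes follow.
    if info < 24:
        return info, pos
    size = 1 << (info - 24)
    return int.from_bytes(data[pos:pos + size], "big"), pos + size

def cbor_decode(data, pos=0):
    """Decode the CBOR subset attestation objects use: ints, bstr, tstr, arrays, maps."""
    major, info = data[pos] >> 5, data[pos] & 0x1F
    n, pos = _length(data, pos + 1, info)
    if major < 2:                                  # unsigned / negative integer
        return (n if major == 0 else -1 - n), pos
    if major in (2, 3):                            # byte string / text string
        return (data[pos:pos + n] if major == 2 else data[pos:pos + n].decode()), pos + n
    if major in (4, 5):                            # array / map (a map holds n key-value pairs)
        items = []
        for _ in range(n * (2 if major == 5 else 1)):
            item, pos = cbor_decode(data, pos)
            items.append(item)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos
    raise ValueError(f"unsupported CBOR major type {major}")

def check_registration(attestation_object, require_tpm):
    """(accepted, reason); require_tpm=False mirrors 'attestation disabled' in the node."""
    obj, _ = cbor_decode(attestation_object)
    fmt, stmt = obj.get("fmt"), obj.get("attStmt", {})
    if not require_tpm:   # any fmt, 'none' included, passes: the TPM model is unverifiable
        return True, f"attestation not enforced (fmt={fmt!r}); TPM model unverifiable"
    if fmt != "tpm":
        return False, f"policy requires fmt 'tpm', got {fmt!r}"
    missing = sorted(TPM_FIELDS - set(stmt))
    if missing or stmt["ver"] != "2.0" or not stmt["x5c"] or stmt["certInfo"][:4] != TPM_GENERATED:
        return False, f"malformed tpm attStmt (missing {missing})"
    # Full verification continues here: certInfo signature under the AIK, pubArea vs the credential
    # key, and the x5c chain to the vendor CA, whose AIK cert SAN names the TCG manufacturer/model.
    return True, "tpm attestation statement well-formed; verify the AIK chain next"

# Constructed sample attestation objects (hand-encoded CBOR; cert and sig bytes are placeholders).
AUTH_DATA = b"\x68authData\x45\x00\x01\x02\x03\x04"
TPM_OBJ = (b"\xa3\x63fmt\x63tpm\x67attStmt\xa6"
           b"\x63ver\x632.0\x63alg\x39\x01\x00"                  # ver "2.0", alg -257 (RS256)
           b"\x63x5c\x81\x44\x30\x82\x00\x00\x63sig\x43\x00\x00\x00"  # x5c: [placeholder DER], sig
           b"\x68certInfo\x44" + TPM_GENERATED + b"\x67pubArea\x42\x00\x01" + AUTH_DATA)  # TPM_ALG_RSA
NONE_OBJ = b"\xa3\x63fmt\x64none\x67attStmt\xa0" + AUTH_DATA
```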


      People

      • Assignee: David Luna (david.luna@forgerock.com)
      • Reporter: Alex Belovski (alex.belovski)
      • Votes: 0
      • Watchers: 7
