OPENAM-15867: WebAuthn Registration Tree Node Feature Enhancement (FIDO2 - TPM attestation) Through The Movement Of The Attestation Data Out To The Shared State For Verification By Custom Nodes

Details

• Type: New Feature
• Status: Resolved
• Priority: Major
• Resolution: Fixed
• Affects Version/s: None
• Fix Version/s: 7.0.0
• Component/s: webauthn

Description

Background: spin-off from OPENAM-15586

• Using Windows Hello through FIDO2, one scenario is Windows tablets with Windows Hello sign-on.
• To meet security requirements, the TPM attestation certificate must be checked. However, TPM attestation is not currently supported by the FR registration module. As Windows Hello only supports TPM attestation, attestation has to be disabled in order to register a device at all. This has security implications and means the model of TPM in use cannot be identified (checking the model is one approach to verifying that a discrete hardware TPM is present).
• One method would be to move the attestation data out to the shared state so that it can be verified by custom nodes.

People

• Assignee: David Luna (david.luna@forgerock.com)
• Reporter: Alexandru Stan (alex.stan) [X] (Inactive)
• Votes: 1
• Watchers: 4