Background: spin off from
- One use case for Windows Hello through FIDO2 is Windows tablets with Windows Hello sign-on.
- To meet security requirements, the TPM attestation certificate is checked. However, TPM attestation is not currently supported in the FR registration module. Because Windows Hello only supports TPM attestation, attestation has to be disabled in order to register a device. This has security implications: the model of TPM in use cannot be identified (identifying the model is one approach to verifying a discrete hardware TPM).
- One method would be to move the attestation data out to the shared state for verification by custom nodes.
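
A sketch of the first check a custom node could run on attestation data handed to it, added here and not taken from the product: it decodes the CBOR `attestationObject` and shows that with attestation disabled the format is `none`, leaving no certificate to inspect. The function names, verdict strings and sample bytes are assumptions constructed for illustration; how a node reads the bytes from shared state is not shown.

```javascript
// Minimal CBOR reader covering only the types a WebAuthn attestationObject uses.
function cborDecode(buf) {
  let pos = 0;
  const take = (n) => {
    if (pos + n > buf.length) throw new Error("truncated CBOR");
    const s = buf.subarray(pos, pos + n);
    pos += n;
    return s;
  };
  const item = () => {
    const head = take(1)[0], major = head >> 5, info = head & 0x1f;
    let n = info;
    if (info >= 24 && info <= 26) n = take(1 << (info - 24)).reduce((a, b) => a * 256 + b, 0);
    else if (info > 26) throw new Error("unsupported CBOR length");
    switch (major) {
      case 0: return n;                                     // unsigned integer
      case 1: return -1 - n;                                // negative integer (COSE alg ids)
      case 2: return take(n);                               // byte string (authData, x5c entries)
      case 3: return Buffer.from(take(n)).toString("utf8"); // text string (map keys, fmt)
      case 4: { const a = []; for (let i = 0; i < n; i++) a.push(item()); return a; }
      case 5: { const m = new Map(); for (let i = 0; i < n; i++) { const k = item(); m.set(k, item()); } return m; }
      default: throw new Error("unsupported CBOR major type " + major);
    }
  };
  const value = item();
  if (pos !== buf.length) throw new Error("trailing bytes after attestationObject");
  return value;
}

// Hypothetical policy gate: only a TPM statement carrying a certificate chain moves on
// to chain and signature verification; "none" is what arrives once attestation is disabled.
function attestationGate(attestationObject) {
  const obj = cborDecode(attestationObject);
  if (!(obj instanceof Map)) return "reject: not a CBOR map";
  const fmt = obj.get("fmt"), stmt = obj.get("attStmt");
  if (fmt === "none") return "reject: no attestation, TPM model cannot be identified";
  if (fmt !== "tpm") return "reject: unexpected format " + fmt;
  const x5c = stmt instanceof Map ? stmt.get("x5c") : undefined;
  if (!Array.isArray(x5c) || x5c.length === 0) return "reject: tpm statement without x5c";
  return "verify: tpm statement with " + x5c.length + " certificate(s)";
}

// Constructed samples (not captured from a device); the x5c entry is a 2-byte stub.
const hex = (...parts) => Buffer.from(parts.join(""), "hex");
const SAMPLE_NONE = hex("a3", "63666d74", "646e6f6e65", "6761747453746d74", "a0", "686175746844617461", "4100");
const SAMPLE_TPM = hex("a3", "63666d74", "6374706d", "6761747453746d74", "a3", "63766572", "63322e30",
  "63616c67", "390100", "63783563", "81", "423000", "686175746844617461", "4100");
console.log(attestationGate(SAMPLE_NONE));
console.log(attestationGate(SAMPLE_TPM));
```

A `verify` result only means a chain is present; the certificate chain and signature still have to be validated before the TPM model named in the leaf certificate is trusted.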