
Authenticator Attestation (Full Basic / Surrogate Basic)

The FIDO UAF specification defines multiple authenticator attestation mechanisms.

The Nevis Mobile Authentication solutions support the following mechanisms:

  1. Surrogate Basic Attestation
  2. Full Basic Attestation

Surrogate Basic Attestation

Surrogate Basic Attestation is the default mechanism and is supported by both the Android and the iOS authenticator. The attestation is self-signed: it is signed with the private key that corresponds to the public key included in the attestation object, that is, with the newly registered key itself.

This approach ensures broad compatibility across platforms; the only requirement is secure hardware (TEE or Secure Enclave) in which the key material is stored. The trade-off is that the self-signature proves possession of the registered key but gives the backend no cryptographic proof of where that key is stored; whether the key actually resides in secure hardware rests on the SDK's behaviour rather than on anything the backend can verify.

Full Basic Attestation

Full Basic Attestation is supported exclusively by the Android SDK. The attestation object is signed with a key stored in the device's Trusted Execution Environment (TEE), and it carries that key's certificate chain. The backend validates the chain against Google's root certificates, which are stored in the backend's metadata file, so a chain that does not lead to one of those roots is rejected at registration.

The primary advantage of Full Basic Attestation is its ability to guarantee that the key material resides in secure, certified hardware, which is verified during the registration process.

While Full Basic Attestation provides significant security benefits on Android, it has drawbacks, particularly a reduced pool of supported devices.

Device Compatibility

Full Basic Attestation is only compatible with Android devices that have Google-certified TEEs. While the majority of Android devices meet this requirement, there are notable exceptions:

  • Huawei devices, which lack Google-certified hardware due to trade restrictions.
  • Certain (older) models from other vendors within the fragmented Android ecosystem.

Because of this diversity, a comprehensive list of unsupported devices cannot be provided.

Verification Levels

The Nevis product supports multiple verification levels for Full Basic Attestation:

  1. Default: Verifies that the key material is stored in Google-certified hardware.
  2. Strict: Enforces additional checks, increasing security at the cost of further narrowing the pool of supported devices:
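The two verification paths described above, as an added example written for this page (Go; it is not code from the Nevis SDK or backend and makes no claim about their message formats). It assumes a constructed registration layout (server challenge followed by the new public key, hashed with SHA-256), a constructed certificate hierarchy whose root stands in for the Google root the backend would hold in its metadata file, and a reduced Android KeyDescription structure under the real key-attestation extension OID; function names such as `verifySurrogateBasic`, `verifyFullBasic` and `register` are hypothetical. The `minLevel` parameter models the Default verification level (key material in a TEE or better); the Strict level's additional checks are not described on this page and are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Real OID of the Android Key Attestation extension. Only the leading fields of its
// KeyDescription are modelled; Go's ASN.1 decoder ignores the trailing ones of a real one.
var attestationOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 1, 17}

const levelSoftware, levelTEE = 0, 1 // SecurityLevel ENUMERATED values (2 = StrongBox)

type keyDescription struct {
	AttestationVersion       int
	AttestationSecurityLevel asn1.Enumerated
	KeymasterVersion         int
	KeymasterSecurityLevel   asn1.Enumerated
	AttestationChallenge     []byte
}

// krdHash hashes the key registration data the authenticator signs
// (constructed layout for this example: server challenge || new public key as SPKI DER).
func krdHash(challenge []byte, pub *ecdsa.PublicKey) []byte {
	spki, _ := x509.MarshalPKIXPublicKey(pub)
	h := sha256.Sum256(append(append([]byte{}, challenge...), spki...))
	return h[:]
}

// Surrogate Basic: the signature is checked with the public key carried in the KRD itself.
// That proves possession of the key for this challenge, not where the key is stored.
func verifySurrogateBasic(challenge []byte, pub *ecdsa.PublicKey, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, krdHash(challenge, pub), sig)
}

// Full Basic: in addition, the leaf certificate (chain[0]) must chain to a trusted root,
// carry the registered key, attest this very challenge and claim at least minLevel.
func verifyFullBasic(challenge []byte, pub *ecdsa.PublicKey, sig []byte, chain []*x509.Certificate, roots *x509.CertPool, minLevel int) error {
	if len(chain) == 0 || !verifySurrogateBasic(challenge, pub, sig) {
		return fmt.Errorf("missing certificate chain or invalid KRD signature")
	}
	leaf, inter := chain[0], x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain does not lead to a trusted root: %w", err)
	}
	if lp, ok := leaf.PublicKey.(*ecdsa.PublicKey); !ok || !lp.Equal(pub) {
		return fmt.Errorf("leaf certificate does not carry the registered key")
	}
	for _, e := range leaf.Extensions {
		if e.Id.Equal(attestationOID) {
			var kd keyDescription
			if _, err := asn1.Unmarshal(e.Value, &kd); err != nil {
				return fmt.Errorf("malformed attestation extension: %w", err)
			}
			if string(kd.AttestationChallenge) != string(challenge) {
				return fmt.Errorf("attestation challenge mismatch")
			}
			if int(kd.AttestationSecurityLevel) < minLevel {
				return fmt.Errorf("security level %d below required %d", kd.AttestationSecurityLevel, minLevel)
			}
			return nil
		}
	}
	return fmt.Errorf("no key attestation extension")
}

// issue creates one certificate; a nil parent yields a self-signed root. Errors are ignored
// because the inputs are fixed; a failure would surface as a nil certificate.
func issue(cn string, serial int64, ca bool, exts []pkix.Extension, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), ExtraExtensions: exts}
	if parent == nil {
		parent = t
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	c, _ := x509.ParseCertificate(der)
	return c
}

// register simulates an authenticator: a constructed root standing in for Google's root, a device
// attestation key (intermediate) and a fresh user key whose leaf attests the challenge at level.
func register(challenge []byte, level int) (*ecdsa.PublicKey, []byte, []*x509.Certificate, *x509.CertPool) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ext, _ := asn1.Marshal(keyDescription{4, asn1.Enumerated(level), 4, asn1.Enumerated(level), challenge})
	root := issue("Constructed Root", 1, true, nil, nil, &rootKey.PublicKey, rootKey)
	inter := issue("Device attestation key", 2, true, nil, root, &attKey.PublicKey, rootKey)
	leaf := issue("Android Keystore Key", 3, false, []pkix.Extension{{Id: attestationOID, Value: ext}}, inter, &userKey.PublicKey, attKey)
	sig, _ := ecdsa.SignASN1(rand.Reader, userKey, krdHash(challenge, &userKey.PublicKey))
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return &userKey.PublicKey, sig, []*x509.Certificate{leaf, inter}, roots
}
```

The difference between the two mechanisms shows up in what each check rejects. A registration from a software-backed keystore passes verifySurrogateBasic unchanged but fails verifyFullBasic at the security-level check; a chain whose root is not in the pool (the situation of the devices without Google-certified hardware mentioned above) fails the chain check even if its extension claims a TEE; a chain issued for a different key fails the leaf-key comparison, which is what stops a genuine chain from being reused to vouch for an attacker-controlled key; and a registration replayed under a different challenge fails both the KRD signature and the challenge field in the extension.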

Comparison

The table below compares the two attestation mechanisms in the Nevis Mobile Authentication SDK:

                             | Surrogate Basic                      | Full Basic
Android                      | Yes                                  | Yes
iOS                          | Yes                                  | No
Attestation signature        | Self-signed                          | TEE certificate
Secure hardware proof        | No                                   | Yes
Mobile device requirements   | Secure hardware (TEE/Secure Enclave) | Google-certified secure hardware
Android OS version           | 7+                                   | 8+
iOS OS version               | 12.4+                                | n/a
Nevis Identity Suite version | 2.202105.x+                          | 7.2411.0.x+
Mobile SDK version           | All                                  | 3.8.x+

Additional Resources