Windows hello hardware attestation statement


Cyril Labbe

Oct 27, 2020, 5:27:53 AM10/27/20
to FIDO Dev (fido-dev)
Hi,
from a website, I'm starting a webauthn attestation ceremony with the following parameters (attestation: direct):

{
    "rp": {
        "name": "Website",
        "id": "website.com"
    },
    "pubKeyCredParams": [
        {
            "type": "public-key",
            "alg": -8
        },
        {
            "type": "public-key",
            "alg": -7
        },
        {
            "type": "public-key",
            "alg": -46
        },
        {
            "type": "public-key",
            "alg": -35
        },
        {
            "type": "public-key",
            "alg": -36
        },
        {
            "type": "public-key",
            "alg": -257
        },
        {
            "type": "public-key",
            "alg": -258
        },
        {
            "type": "public-key",
            "alg": -259
        },
        {
            "type": "public-key",
            "alg": -37
        },
        {
            "type": "public-key",
            "alg": -38
        },
        {
            "type": "public-key",
            "alg": -39
        }
    ],
    "challenge": "nyexjKT3hE-lN84z26osk9h0gE0_1vfCD8OVF3iYCQ8",
    "attestation": "direct",
    "user": {
        "name": "111111111",
        "id": "OTc2AmZlMzk3ZjNmMTY3NDQyM2JiNTI4YTBjNzZmMTM=",
        "displayName": "John Doe"
    },
    "authenticatorSelection": {
        "requireResidentKey": false,
        "userVerification": "required",
        "authenticatorAttachment": "platform"
    },
    "excludeCredentials": [
        ....
    ],
    "timeout": 60000
}

When on a corporate laptop with Windows 10 and the Windows Hello hardware authenticator, I'm getting confusing responses depending on the browser.
  • on Chrome (latest) and Edge (latest), I get a "packed" attestation statement that is self-signed (and so an empty trust path), which fails server side because in the FIDO MDS this authenticator is referenced as supporting only ATTESTATION_BASIC_FULL, not ATTESTATION_BASIC_SURROGATE
  • on Firefox (latest), the attestation format is simply "none" (whereas the requested option asked for direct attestation)
All these authenticator responses include the aaguid 08987058-CADC-4B81-B6E1-30DE50DCBE96, which is the Windows Hello hardware authenticator's one (https://docs.microsoft.com/fr-fr/microsoft-edge/dev-guide/windows-integration/web-authentication)

I don't get why the response varies depending on the browser (firefox does not call for the actual platform authenticator?)
I don't get why windows hello hardware authenticator might use a self signed attestation. Is it possible that it's using Windows TPM < 2.0 and thus cannot access a private certificate? 

Any help is welcome.
Thank you in advance.
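An added example, not part of the post or of any library it mentions, showing how a relying party can tell the three outcomes above apart server side: it parses authenticatorData with the standard library, extracts the AAGUID, classifies a packed statement as full (x5c chain present) or self/surrogate (no x5c), checks the UV flag that userVerification "required" demands, and compares the result with a metadata entry. The MDS table, the sample authData and the credential id are constructed stand-ins, and decoding of the outer CBOR attestationObject is assumed to have been done already (fmt and attStmt are passed in).

```python
import hashlib
import struct
import uuid
# AAGUID quoted in the post, lowercased to match uuid.UUID's rendering.
WINDOWS_HELLO_HW_AAGUID = "08987058-cadc-4b81-b6e1-30de50dcbe96"
# Constructed stand-in for the MDS entry: the post says only BASIC_FULL is listed for it.
CONSTRUCTED_MDS = {WINDOWS_HELLO_HW_AAGUID: {"ATTESTATION_BASIC_FULL"}}
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40

def parse_auth_data(auth_data: bytes) -> dict:
    """Split authenticatorData: rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) credIdLen(2) credId ...]."""
    if len(auth_data) < 37:
        raise ValueError("authData shorter than the 37-byte fixed header")
    out = {"flags": auth_data[32], "sign_count": struct.unpack(">I", auth_data[33:37])[0], "aaguid": None, "cred_id": None}
    if out["flags"] & FLAG_AT:  # attested credential data follows the fixed header
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        out["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        if len(auth_data) < 55 + cred_len:
            raise ValueError("credentialId truncated")
        out["cred_id"] = auth_data[55:55 + cred_len]  # the COSE public key follows; not decoded here
    return out

def classify_attestation(fmt: str, att_stmt: dict) -> str:
    """Name the MDS attestation type that a 'packed' or 'none' statement corresponds to."""
    if fmt == "none":
        return "NONE"  # no statement at all, so nothing to match against metadata
    if fmt == "packed":  # x5c chain => full basic; no x5c => self (surrogate) attestation
        return "ATTESTATION_BASIC_FULL" if "x5c" in att_stmt else "ATTESTATION_BASIC_SURROGATE"
    raise ValueError(f"attestation format {fmt!r} not handled here")

def check_against_metadata(fmt: str, att_stmt: dict, auth_data: bytes, mds=CONSTRUCTED_MDS):
    """(accepted, reason) under the policy: direct attestation, UV required, only MDS-listed types."""
    parsed = parse_auth_data(auth_data)
    if not parsed["flags"] & FLAG_UV:
        return False, "userVerification was 'required' but the UV flag is clear"
    kind, aaguid = classify_attestation(fmt, att_stmt), parsed["aaguid"]
    if kind == "NONE":
        return False, f"fmt 'none' although attestation=direct was requested (aaguid {aaguid})"
    if kind not in mds.get(aaguid, set()):
        return False, f"{kind} not listed in metadata for aaguid {aaguid} ({sorted(mds.get(aaguid, []))})"
    return True, f"{kind} accepted for {aaguid}"

def build_sample_auth_data() -> bytes:
    """Constructed authData: rpIdHash of website.com, flags UP|UV|AT, counter 0, the post's AAGUID, 4-byte credId."""
    cred_id = b"\xde\xad\xbe\xef"  # constructed; a trailing 0xa0 (empty CBOR map) stands in for the COSE key
    return (hashlib.sha256(b"website.com").digest() + bytes([FLAG_UP | FLAG_UV | FLAG_AT]) + struct.pack(">I", 0)
            + uuid.UUID(WINDOWS_HELLO_HW_AAGUID).bytes + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")
```

With the constructed metadata entry, a packed statement without x5c (the Chrome/Edge case) and a "none" statement (the Firefox case) are both rejected with a reason naming the AAGUID, while a packed statement carrying x5c is accepted.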