Nonce generation

This section defines how nonces are generated. The Relying Party must decide which approach to use for generating nonces.

A nonce is a one-time value that ties an attestation token to a specific request. Without a nonce, an attacker who captured a valid token once could replay it forever.

Nonce generation strategies

The Relying Party and the Mobile Device must agree on a strategy. The choice determines:

  • which API calls the RP makes,
  • whether the device contributes its own nonce part, and
  • how the nonce is generated.

There are two approaches to nonce generation:

  • Session approach - the Attestation API generates and tracks the server nonce on behalf of the RP (see Session approach).
  • Sessionless approach - nonce generation is fully controlled by the RP (see Sessionless approach).
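The sessionless approach from the RP side, as an added example that is not the Attestation API's or this page's own code: the RP generates an unpredictable server nonce, keeps it only until its lifetime ends, and accepts it exactly once when the attestation token comes back. The 300-second lifetime, the `RpNonceStore` class and the hashed combination with a device-contributed part are assumptions for illustration, not something the page prescribes.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not the Attestation API's own code): a sessionless Relying
# Party nonce store. The RP alone generates, stores, expires and consumes nonces.
NONCE_TTL_SECONDS = 300  # assumed lifetime; the page does not prescribe one


class RpNonceStore:
    """Tracks outstanding server nonces so each one is accepted exactly once."""

    def __init__(self, ttl=NONCE_TTL_SECONDS):
        self._ttl = ttl
        self._pending = {}  # server_nonce (hex) -> expiry timestamp

    def issue(self, now=None):
        """Generate a fresh, unpredictable server nonce and remember it."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
        self._pending[nonce] = now + self._ttl
        return nonce

    def consume(self, server_nonce, now=None):
        """Accept a nonce once, then forget it. Returns a reason string, or None on success."""
        now = time.time() if now is None else now
        expiry = self._pending.pop(server_nonce, None)  # pop => single use
        if expiry is None:
            return "unknown or already used"  # replayed or never issued
        if now > expiry:
            return "expired"
        return None


def combined_nonce(server_nonce, device_nonce):
    """Assumed construction for a device-contributed part: hash both halves,
    so neither side alone chooses the final value the token is bound to."""
    return hashlib.sha256(f"{server_nonce}:{device_nonce}".encode()).hexdigest()


def verify_token_nonce(store, token_nonce, server_nonce, device_nonce, now=None):
    """RP-side check: the nonce in the token must equal the expected combined
    nonce, and the server nonce must still be valid and unused."""
    expected = combined_nonce(server_nonce, device_nonce)
    if not hmac.compare_digest(token_nonce.encode(), expected.encode()):
        return "nonce mismatch"
    return store.consume(server_nonce, now)
```

A second presentation of the same token fails with "unknown or already used", which is the replay the section's nonce is meant to prevent.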