Session approach

In the session approach, the Attestation API generates and tracks the server nonce on behalf of the RP. The session reference returned by the API enforces single-use. The RP and Device may additionally decide to generate a device nonce; in that case, the final nonce is computed from both nonces, independently on the device and on the Attestation API.

Properties:

  • The Attestation API enforces single-use — a session can only be verified once.
  • The Attestation API controls the expiration of the attestation session.
  • The RP holds only the session reference between calls; the actual server nonce is never stored at RP.
  • Two API calls per attestation (init + verify).
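The two-call flow and the properties listed above, modelled as a small simulation. This is an added example, not code from the page or from any real Attestation API: the class names (`AttestationApi`, `RelyingParty`, `Device`), the return codes, the simulated clock and the combination rule for the final nonce (SHA-256 over server nonce followed by device nonce) are all assumptions, since the page specifies none of them. The model verifies only the nonce binding and the session state; a real API would also validate the device's signed attestation statement.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def final_nonce(server_nonce: bytes, device_nonce: Optional[bytes]) -> bytes:
    """Combine server and device nonces.

    Assumed rule (the page does not specify one): SHA-256 over
    server_nonce || device_nonce. Without a device nonce the server
    nonce is used as-is.
    """
    if device_nonce is None:
        return server_nonce
    return hashlib.sha256(server_nonce + device_nonce).digest()


class AttestationApi:
    """Model of the Attestation API: it owns the server nonce, the session
    lifetime and the single-use guarantee."""

    def __init__(self, ttl_seconds: int = 60):
        self._sessions: dict = {}
        self._ttl = ttl_seconds
        self.now = 0  # simulated clock in seconds, advanced by the caller

    def init_session(self):
        """First call: mint a session reference and a fresh server nonce."""
        ref = secrets.token_urlsafe(16)
        nonce = secrets.token_bytes(32)
        self._sessions[ref] = {"nonce": nonce, "created": self.now, "used": False}
        return ref, nonce

    def verify(self, ref: str, attestation: dict) -> str:
        """Second call: consume the session and check the nonce binding.
        Returns 'ok' or an assumed rejection reason."""
        session = self._sessions.get(ref)
        if session is None:
            return "unknown_session"
        if session["used"]:
            return "already_verified"
        # Mark the session consumed before any other check so that a retry
        # of the same reference can never succeed, whatever the outcome here.
        session["used"] = True
        if self.now - session["created"] > self._ttl:
            return "expired"
        expected = final_nonce(session["nonce"], attestation.get("device_nonce"))
        if not hmac.compare_digest(expected, attestation["nonce"]):
            return "nonce_mismatch"
        return "ok"


class Device:
    """The attesting device: binds the final nonce into its attestation."""

    @staticmethod
    def attest(server_nonce: bytes, device_nonce: Optional[bytes] = None) -> dict:
        return {"nonce": final_nonce(server_nonce, device_nonce),
                "device_nonce": device_nonce}


class RelyingParty:
    """The RP keeps only session references between the two calls."""

    def __init__(self, api: AttestationApi):
        self._api = api
        self._pending: set = set()

    def begin(self):
        ref, server_nonce = self._api.init_session()
        self._pending.add(ref)  # reference is stored; the nonce is forwarded, not kept
        return ref, server_nonce

    def complete(self, ref: str, attestation: dict) -> str:
        if ref not in self._pending:
            return "unknown_session"
        self._pending.discard(ref)
        return self._api.verify(ref, attestation)


def demo() -> dict:
    """Run the happy path and three failure modes; returns the verdicts."""
    api = AttestationApi(ttl_seconds=60)
    rp = RelyingParty(api)
    results = {}

    # Happy path with a constructed device nonce.
    ref, server_nonce = rp.begin()
    att = Device.attest(server_nonce, device_nonce=secrets.token_bytes(16))
    results["first_verify"] = rp.complete(ref, att)
    # Presenting the same session reference again is refused by the API.
    results["replay"] = api.verify(ref, att)

    # A session that outlives its TTL.
    ref, server_nonce = rp.begin()
    api.now += 61
    results["expired"] = rp.complete(ref, Device.attest(server_nonce))

    # The device answers with the nonce of a different session.
    ref_a, _nonce_a = rp.begin()
    _ref_b, nonce_b = rp.begin()
    results["wrong_nonce"] = rp.complete(ref_a, Device.attest(nonce_b))
    return results


if __name__ == "__main__":
    print(demo())
```

Marking the session as used before the expiry and nonce checks is the detail worth copying: it guarantees that a reference which has been presented once cannot be retried, even if the first attempt was rejected, which is what makes the single-use property hold regardless of how the RP behaves.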