Is android safety net nonce equivalent to web authnn's challenge?

213 views Asked by At

How similar is android SafetyNet to Web Authnn? Is the challenge passed to the WebAutnn's authenticator to generate an attestation object equivalent to the nonce that is passed to Android SafetyNet? Can I use a nonce with WebAuthnn as the challenge?

1

There are 1 answers

0
mackie On

This is probably the relevant part of the spec:

https://www.w3.org/TR/webauthn/#cryptographic-challenges

Given that SafetyNet has similar goals and assuming the resulting values are compatible (i.e. at least 16 bytes) it's probably safe to say that you could use values generated the same way for both.

That said, this documentation suggests that it's up to you to generate the nonce anyway:

https://developer.android.com/training/safetynet/attestation#obtain-nonce

Follow the guidance in both of those docs and you can't go far wrong.