PublicKeyCredentials WebAuthn "internal" authentication missing userHandle on Android (Android SafetyNet)

Attestation (with various formats such as android-safetynet) and usernameless flows are two completely separate concepts. You can have usernameless flows without attestation (format none).

Attestation allows you to verify the authenticator itself - whether the authenticator actually is an iPhone, Yubikey or (non-rooted) Android device, and properties like how key material is stored or what the false positive rate of the fingerprint scanner is. For more details see https://fidoalliance.org/fido-technotes-the-truth-about-attestation/ and https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651

In WebAuthn Level 1, usernameless registration (with requireResidentKey: true) was allowed to continue even if the user agent didn't support this (see authenticatorMakeCredential operation step 20). In Level 2 a few things changed:

  • resident keys are now referred to as client-side discoverable credentials,
  • the requireResidentKey boolean was changed to the residentKey enum, but is still supported for backwards compatibility,
  • the authenticatorMakeCredential operation was changed to return an error in step 4 if client-side discoverable credentials are not supported,
  • the credProps extension was added to determine if a client-side discoverable credential was created, either at the request of the RP or because the authenticator chose to (step 7.4).

Usernameless authentication (with an empty allowCredentials array) is, at the time of writing, not supported on Android with Chrome 97. This has been a known issue for a while.
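The Level 2 registration and usernameless authentication options described above, as an added example that is not code from the original thread. It sets residentKey together with the legacy requireResidentKey, asks for the credProps extension, uses attestation "none" to show that usernameless flows need no attestation, and on the RP side falls back to a credential-id lookup when the assertion arrives without a userHandle (the symptom in the title). The rpId, user ids, challenge bytes and the in-memory credentialIndex map are constructed test data, and the fallback strategy is an assumption about how the RP stores registrations; navigator.credentials.create()/get() only exist in a browser, so they appear as comments.

```javascript
// Added example (not from the original thread): helpers for a usernameless
// WebAuthn flow using the Level 2 option names. All identifiers, ids and
// challenge bytes below are constructed test data.

// Build PublicKeyCredentialCreationOptions that request a client-side
// discoverable credential. residentKey is the Level 2 enum; requireResidentKey
// is kept so Level 1 clients still see the request. attestation 'none' shows
// that usernameless registration does not depend on attestation.
function buildCreationOptions({ rpId, rpName, userId, userName, challenge }) {
  return {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256
      { type: 'public-key', alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      residentKey: 'required',
      requireResidentKey: true,
      userVerification: 'required',
    },
    attestation: 'none',
    extensions: { credProps: true },
  };
}
// Browser: const cred = await navigator.credentials.create({ publicKey: buildCreationOptions(...) });

// Interpret cred.getClientExtensionResults() after create(): credProps.rk says
// whether a discoverable credential was actually created, whether the RP asked
// for it or the authenticator chose to. 'unknown' means the client did not
// support the extension, so the RP cannot tell.
function discoverableCredentialStatus(extensionResults) {
  const credProps = extensionResults && extensionResults.credProps;
  if (!credProps || typeof credProps.rk !== 'boolean') return 'unknown';
  return credProps.rk ? 'discoverable' : 'not-discoverable';
}

// PublicKeyCredentialRequestOptions for usernameless authentication: an empty
// allowCredentials list lets the authenticator pick a discoverable credential.
function buildRequestOptions({ rpId, challenge }) {
  return { rpId, challenge, allowCredentials: [], userVerification: 'required' };
}
// Browser: const assertion = await navigator.credentials.get({ publicKey: buildRequestOptions(...) });

// RP side: with empty allowCredentials the user is normally identified from
// response.userHandle. If it is missing (the Android symptom in the title), fall
// back to the credential id the RP stored at registration (assumed to be kept in
// credentialIndex, a Map from base64url credential id to user id).
function resolveUserId(assertion, credentialIndex) {
  const handle = assertion.response && assertion.response.userHandle;
  if (handle && handle.byteLength > 0) {
    return { userId: new TextDecoder().decode(handle), source: 'userHandle' };
  }
  const userId = credentialIndex.get(toBase64Url(assertion.rawId));
  if (userId === undefined) {
    throw new Error('assertion has no userHandle and the credential id is unknown');
  }
  return { userId, source: 'credentialId' };
}

// base64url without padding, the encoding RPs commonly use for credential ids.
function toBase64Url(bytes) {
  let bin = '';
  for (const b of new Uint8Array(bytes)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed sample data standing in for a real registration and assertion.
const enc = new TextEncoder();
const challenge = new Uint8Array(32).fill(7); // constructed, not a real random challenge
const credentialIndex = new Map([[toBase64Url(enc.encode('cred-1')), 'user-42']]);
console.log(buildCreationOptions({ rpId: 'example.com', rpName: 'Example', userId: enc.encode('user-42'), userName: 'alice', challenge }).authenticatorSelection);
console.log(discoverableCredentialStatus({ credProps: { rk: true } }));
console.log(resolveUserId({ rawId: enc.encode('cred-1'), response: { userHandle: null } }, credentialIndex));
```

The credential-id fallback only works because the RP already has to store the credential id at registration; it does not make the missing userHandle correct, it just keeps the RP from rejecting an otherwise valid assertion from affected Android clients.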