diff --git a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
index c5aa26c0..10056e72 100644
--- a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
+++ b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
@@ -876,6 +876,11 @@ private static Verified verifyStateless(final Certificate[] certificates,
             attestKey = true;
         } catch (final Attestation.KeyDescriptionMissingException e) {}
 
+        // enforce attest key for new pairings with devices supporting it
+        if (!hasPersistentKey && attestationVersion >= 100 && !attestKey) {
+            throw new GeneralSecurityException("missing per-pairing attest key for device supporting it");
+        }
+
         for (int i = 2; i < certificates.length; i++) {
             try {
                 new Attestation((X509Certificate) certificates[i]);