From a891b208b19d9174b6d2f376cdf16eca6c5925ff Mon Sep 17 00:00:00 2001
From: Stefan Jacobi
Date: Wed, 27 Mar 2024 13:48:43 +0100
Subject: [PATCH] enhance(webauthn): change default attestation mode
* change default attestation mode from 'none' to 'direct' for better AAGUID handling in windows
Closes: #1381
---
 backend/handler/webauthn.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/backend/handler/webauthn.go b/backend/handler/webauthn.go
index ba693835f..2b5cdfe5e 100644
--- a/backend/handler/webauthn.go
+++ b/backend/handler/webauthn.go
@@ -50,7 +50,7 @@ func NewWebauthnHandler(cfg *config.Config, persister persistence.Persister, ses
 RPDisplayName: cfg.Webauthn.RelyingParty.DisplayName,
 RPID: cfg.Webauthn.RelyingParty.Id,
 RPOrigins: cfg.Webauthn.RelyingParty.Origins,
- AttestationPreference: protocol.PreferNoAttestation,
+ AttestationPreference: protocol.PreferDirectAttestation,
 AuthenticatorSelection: protocol.AuthenticatorSelection{
 RequireResidentKey: &f,
 ResidentKey: protocol.ResidentKeyRequirementDiscouraged,
@@ -113,7 +113,7 @@ func (h *WebauthnHandler) BeginRegistration(c echo.Context) error {
 ResidentKey: protocol.ResidentKeyRequirementRequired,
 UserVerification: protocol.UserVerificationRequirement(h.cfg.Webauthn.UserVerification),
 }),
- webauthn.WithConveyancePreference(protocol.PreferNoAttestation),
+ webauthn.WithConveyancePreference(protocol.PreferDirectAttestation),
 // don't set the excludeCredentials list, so an already registered device can be re-registered
 )
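Review bot: `AttestationPreference: protocol.PreferDirectAttestation` in NewWebauthnHandler is hard-coded, as is the matching `webauthn.WithConveyancePreference(protocol.PreferDirectAttestation)` in the BeginRegistration hunk, so an operator cannot return to `none`, and no comment records why direct conveyance is requested. Direct conveyance asks the authenticator for its real attestation statement, which can carry device-identifying data and may add a browser consent prompt, so it would fit better as a configuration value, the way `UserVerification` is read from `h.cfg.Webauthn` in the second hunk. The resulting AAGUID is only as trustworthy as the attestation verification behind it, which is not visible in these hunks. Until that is confirmed it should be treated as a display hint rather than a policy input, and a comment such as `// Direct attestation is requested so the AAGUID is populated (see #1381).` would state the intent. Both function bodies continue outside the hunks, so it is also worth confirming that the registration finish path handles authenticators whose attestation statement fails verification.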