Device Attestation
Cryptographically verify that authentication requests originate from genuine, secure devices.
What Is Device Attestation?
Device attestation is a security mechanism that cryptographically proves a request comes from a genuine, unmodified device running the authentic AffirmID app. This protects against sophisticated attacks that try to impersonate legitimate devices.
Genuine Device
Confirms the device is a real Apple or Android device, not an emulator or modified hardware.
Secure Boot
Verifies the device booted with a trusted operating system and hasn't been tampered with.
App Integrity
Confirms the AffirmID app is the genuine version from the official app store.
Hardware Security
Checks for hardware-backed keystore and secure enclave availability.
Platform Support
iOS
App Attest & DeviceCheck
- iOS 14.0 and later
- Hardware-backed attestation
- Fraud risk signals via DeviceCheck
Android
Play Integrity API
- Android 5.0 and later
- Device, app, and account integrity
- Google Play licensing verification
Implementation
Enabling Attestation
Attestation is enabled by default for all authentication requests. You can configure the enforcement level:
// Configure attestation in your organization settings
await affirmid.settings.update({
attestation: {
// 'enforce' - Reject requests from unattested devices
// 'warn' - Allow but flag unattested requests
// 'off' - Disable attestation checks
mode: 'enforce',
// Minimum acceptable integrity level
minimumIntegrity: 'basic', // 'basic' | 'device' | 'strong'
// Block specific risk signals
blockRootedDevices: true,
blockEmulators: true,
blockDebugMode: true,
}
});Checking Attestation Results
The authentication result includes detailed attestation information:
const result = await affirmid.auth.waitForResult(request.id);
console.log(result.attestation);
// {
// verified: true,
// platform: 'ios',
// integrity: {
// deviceIntegrity: true, // Genuine device
// appIntegrity: true, // Genuine app
// accountIntegrity: true, // (Android) Licensed account
// },
// risks: [], // Any detected risk signals
// timestamp: '2024-01-15T12:00:30Z'
// }Threats Mitigated
| Threat | Description | Blocked |
|---|---|---|
| Rooted/Jailbroken Devices | Devices with modified OS that could expose credentials | |
| Emulators & Simulators | Virtual devices that could be used for automated attacks | |
| Repackaged Apps | Modified app versions that might steal authentication tokens | |
| Hooking Frameworks | Tools like Frida or Xposed that modify app behavior at runtime | |
| Debugging Attacks | Attempts to extract data by attaching debuggers to the app |
Handling Attestation Failures
const result = await affirmid.auth.waitForResult(request.id);
if (!result.attestation.verified) {
// Attestation failed - handle based on risks detected
const risks = result.attestation.risks;
if (risks.includes('rooted_device')) {
// Device is rooted/jailbroken
return res.status(403).json({
error: 'Rooted devices are not supported for security reasons'
});
}
if (risks.includes('emulator')) {
// Running on emulator
return res.status(403).json({
error: 'Please use a physical device'
});
}
// Log for investigation
await logSecurityEvent({
userId: result.userId,
event: 'attestation_failure',
risks: risks
});
}User Communication
When blocking users due to attestation failures, provide clear guidance on how to resolve the issue. Common fixes include updating the OS, reinstalling the app from official stores, or using a different device.
Best Practices
Start with warn mode
Monitor attestation results before enforcing to understand your user base.
Log all failures
Track attestation failures to detect attack patterns.
Consider user impact
Some legitimate users may have older devices that don't support attestation.
Use risk-based approach
Require stricter attestation for high-value transactions.