diff --git a/src/Attestation/Format/None.php b/src/Attestation/Format/None.php
index ba95e40..cab9b1b 100644
--- a/src/Attestation/Format/None.php
+++ b/src/Attestation/Format/None.php
@@ -25,6 +25,11 @@ public function getCertificatePem() {
 * @param string $clientDataHash
 */
 public function validateAttestation($clientDataHash) {
+ // ยง8.7: attStmt must be an empty CBOR map for "none" format.
+ if (\count($this->_attestationObject['attStmt']) > 0) {
+ throw new WebAuthnException('invalid none attestation: attStmt must be empty', WebAuthnException::INVALID_DATA);
+ }
+
 return true;
 }
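Review bot: The new guard in validateAttestation() calls `\count()` on `$this->_attestationObject['attStmt']` without first confirming that it is an array, and that value is presumably decoded from the client-supplied attestation object. Unless the parsing code outside this hunk already rejects a missing or non-array attStmt, PHP 8 raises a TypeError here instead of a WebAuthnException, and PHP 7 only warns and returns 0 for null, so a null attStmt would pass as empty. I would read the value once and check its type: `$attStmt = isset($this->_attestationObject['attStmt']) ? $this->_attestationObject['attStmt'] : null;` followed by `if (!\is_array($attStmt) || \count($attStmt) > 0) {`. The docblock should also gain `@throws WebAuthnException` and a line noting that "none" attestation gives no proof of authenticator provenance, so a relying party that requires attested devices has to reject this format at the policy level.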