zlacker

1. hoover+(OP) 2024-12-27 16:01:40
Attestation is still a thing. You can still limit it to the Apple or Google platform authenticator.
replies(2): >>lxgr+E7 >>growse+OO
2. lxgr+E7 2024-12-27 16:51:26
>>hoover+(OP)
Have you recently tried it?

Attestation was most definitely removed from Apple's implementation.

For Google, there's still a (relatively obscure) way to get a non-synchronizing/non-discoverable credential (which is then by definition not a passkey!), which then supports attestation, but that's Chrome+Android specific and wouldn't work on e.g. Chrome on Windows or macOS.

3. growse+OO 2024-12-27 21:52:16
>>hoover+(OP)
I think Apple deliberately don't add any attestation data in their implementation, precisely to stop services detecting (and filtering) on the fact that it's an Apple-made authenticator.
replies(1): >>lxgr+6X
4. lxgr+6X 2024-12-27 23:08:27
>>growse+OO
I'm not sure if that's the only reason: Notably, they used to support attestation back when they didn't synchronize passkeys via iCloud Keychain, as did Google for Android.

They basically had two choices once they did introduce synchronization: Keep attestations around, but specifically mark synchronized credentials as "not strongly device-bound" (and risk existing relying parties not looking for that flag and drawing incorrect conclusions from receiving such an attestation statement), or get rid of it entirely.

I suspect that they opted for the latter mostly because it would require a lot of work with the FIDO and WebAuthn working groups to introduce that mechanism, not out of a selfless desire to avoid a future "big tech lock-in" (where everybody allows exactly Apple and Google passkeys, but nothing else), but I could definitely see the latter consideration also playing a role.
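The "flag" lxgr refers to is the backup-eligibility (BE) and backup-state (BS) bits that WebAuthn Level 3 added to the authenticatorData flags byte. A relying party that wants to know whether a credential is device-bound or a synced passkey has to parse that byte itself, regardless of whether an attestation statement is present. The following is an added example, not code from any poster on this thread: it parses the fixed-layout part of authenticatorData (rpIdHash, flags, signCount, and the AAGUID/credentialId from attestedCredentialData when present), rejects the spec-invalid BS-without-BE combination, and classifies the credential. The `build_auth_data` helper and the `example.com` RP ID are assumptions used only to construct sample blobs; the COSE public key that follows credentialId in real data is not parsed here.

```python
"""Parse WebAuthn authenticatorData and read the BE/BS backup flags.

Layout (WebAuthn Level 3, section 6.1):
  rpIdHash (32) || flags (1) || signCount (4, big-endian)
  || [attestedCredentialData] || [extensions]
Sample inputs are constructed by build_auth_data(), not captured from a device.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Bit positions within the flags byte.
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligible: credential may be synced off-device
FLAG_BS = 1 << 4  # backup state: credential is currently backed up
FLAG_AT = 1 << 6  # attestedCredentialData follows
FLAG_ED = 1 << 7  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]

    def is_backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)

    def is_backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)

    def is_device_bound(self) -> bool:
        # Only a BE=0 credential is guaranteed never to leave the authenticator.
        return not self.is_backup_eligible()


def parse_authenticator_data(data: bytes) -> AuthData:
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    # The spec forbids BS=1 with BE=0: a credential cannot be backed up
    # unless it is eligible for backup. Treat that as a malformed response.
    if flags & FLAG_BS and not flags & FLAG_BE:
        raise ValueError("BS flag set without BE flag")
    aaguid = credential_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("truncated attestedCredentialData")
        aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        credential_id = data[55:55 + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("truncated credentialId")
        # The COSE credentialPublicKey follows here; not parsed in this example.
    return AuthData(rp_id_hash, flags, sign_count, aaguid, credential_id)


def classify(auth: AuthData, rp_id: str) -> str:
    """Policy decision a relying party can make from the flags alone."""
    if auth.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return "rp-id-mismatch"
    if auth.is_device_bound():
        return "device-bound"
    return "synced-passkey"


def build_auth_data(rp_id: str, flags: int, sign_count: int = 0,
                    cred_id: bytes = b"") -> bytes:
    """Construct a sample authenticatorData blob (hypothetical helper, test data only)."""
    out = hashlib.sha256(rp_id.encode()).digest()
    out += bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        # Zero AAGUID, as a non-attesting authenticator would send.
        out += bytes(16) + struct.pack(">H", len(cred_id)) + cred_id
    return out


if __name__ == "__main__":
    # Constructed samples: a synced passkey and a device-bound credential.
    synced = build_auth_data("example.com",
                             FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT,
                             0, b"\x01\x02")
    bound = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT, 7, b"\x03")
    for blob in (synced, bound):
        auth = parse_authenticator_data(blob)
        print(classify(auth, "example.com"), hex(auth.flags))
```

Note that a zero AAGUID and no attestation statement (format `none`) is exactly what the posters describe for current Apple passkeys, so the BE/BS bits, not attestation, are the only signal a relying party gets about whether the key was synced.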
