zlacker

1. growse+(OP) 2024-12-27 21:52:16
I think Apple deliberately don't add any attestation data in their implementation, precisely to stop services detecting (and filtering) on the fact that it's an apple-made authenticator.
replies(1): >>lxgr+i8
2. lxgr+i8 2024-12-27 23:08:27
>>growse+(OP)
I'm not sure if that's the only reason: Notably, they used to support attestation back when they didn't synchronize passkeys via iCloud Keychain, as did Google for Android.

They basically had two choices once they did introduce synchronization: Keep attestations around, but specifically mark synchronized credentials as "not strongly device-bound" (and risk existing relying parties not looking for that flag and drawing incorrect conclusions from receiving such an attestation statement), or get rid of it entirely.

I suspect that they opted for the latter mostly because it would require a lot of work with the FIDO and WebAuthn working groups to introduce that mechanism, not out of a selfless desire to avoid a future "big tech lock-in" (where everybody allows exactly Apple and Google passkeys, but nothing else), but I could definitely see the latter consideration also playing a role.
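The flag the comment above alludes to does exist in WebAuthn Level 3: the authenticatorData flags byte carries BE (Backup Eligibility, bit 3) and BS (Backup State, bit 4), which a relying party has to read in addition to the attestation format. The following is an added example written for this page, not code from either commenter or from any FIDO implementation; it parses the fixed prefix of authenticatorData and shows the relying-party decision the thread is discussing: an attestation statement alone is not evidence of device binding once BE is set. The relying party ID `example.com`, the function names and the sample byte strings are constructed for illustration, and the samples omit the attestedCredentialData that a real registration response would carry.

```python
"""Relying-party check of WebAuthn authenticatorData flags.

Added example for this thread, not code from either commenter. Parses
authenticatorData (rpIdHash || flags || signCount || ...) and combines the
attestation format with the BE/BS flags before concluding that a credential
is bound to a single device. Sample inputs below are constructed.
"""
import hashlib
import struct

# Flag bits in the authenticatorData flags byte (WebAuthn Level 3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligibility: credential may be synced / backed up
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included

RP_ID = "example.com"  # hypothetical relying party ID for the samples


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "sign_count": sign_count,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "has_attested_cred": bool(flags & FLAG_AT),
    }


def classify_credential(fmt: str, auth_data: bytes, rp_id: str = RP_ID) -> str:
    """What a registration response actually tells the relying party.

    `fmt` is the attestationObject "fmt" value ("none", "packed", "apple", ...).
    Returns one of: unattested, synced, attested-synced, attested-device-bound.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not parsed["user_present"]:
        raise ValueError("UP flag not set")
    # BS without BE is not a valid combination; treat it as a malformed response.
    if parsed["backed_up"] and not parsed["backup_eligible"]:
        raise ValueError("BS set without BE")

    if parsed["backup_eligible"]:
        # Even with an attestation statement, a BE=1 credential may be copied
        # to other devices, so the attestation must not be read as device binding.
        return "synced" if fmt == "none" else "attested-synced"
    if fmt == "none":
        return "unattested"
    return "attested-device-bound"


def make_auth_data(flags: int, sign_count: int = 0, rp_id: str = RP_ID) -> bytes:
    """Build a constructed minimal authenticatorData (no attested credential data)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    # Constructed samples: a synced passkey with fmt "none" (what the thread
    # says synced implementations return), a hardware key with a packed
    # attestation, and an attested credential that nevertheless carries BE=1.
    samples = {
        "synced passkey, fmt none": ("none", make_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)),
        "hardware key, fmt packed": ("packed", make_auth_data(FLAG_UP | FLAG_UV, sign_count=7)),
        "attested but BE=1": ("packed", make_auth_data(FLAG_UP | FLAG_UV | FLAG_BE)),
    }
    for name, (fmt, ad) in samples.items():
        print(f"{name}: {classify_credential(fmt, ad)}")
```

The point of the third sample is the failure mode the comment describes: a relying party that only inspects `fmt` and the attestation certificate chain, and never looks at BE, would accept "attested but BE=1" as a device-bound credential.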
