TouchID Attestation

Are there any resources that list the metadata used in TouchID attestation? I would like to only allow TouchID as the FIDO2 method and want to block the other FIDO2 methods.

Replies

The legacy device-bound platform authenticator has been replaced by passkeys in macOS Ventura and iOS 16. Passkeys do not provide an attestation statement, as the attestation model currently defined in WebAuthn wasn't designed with syncing credentials in mind.

  • @garrett-davidson - would you be able to expand on the statement "the attestation model currently defined in WebAuthn wasn't designed with syncing credentials in mind." a bit?

    The WebAuthn spec outlines support for "roaming authenticators" and "roaming credentials" https://www.w3.org/TR/webauthn-1/#roaming-authenticators

    Also, during each authentication ceremony, you may attach AuthenticatorData specific to that transaction https://www.w3.org/TR/webauthn-1/#iface-authenticatorassertionresponse

  • Attestation was designed to attest to a specific device, exclusively at the point of creation, with a specific set of security properties. It doesn't make sense for synced credentials for a number of reasons, including syncing to devices with different security properties, changes in security properties that happen after key creation, security properties of the sync fabric, sharing the passkey, or exporting to other passkey providers. We're working hard with W3C and FIDO to solve these problems.
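To make the reply concrete from the relying-party side, here is an added example (not code from this thread, from Apple, or from any WebAuthn library) of what a server can actually read out of a registration's `attestationObject`: the `fmt` field, whether an attestation statement is present at all, and the authenticator-data flags, including the Backup Eligible (BE) and Backup State (BS) bits that WebAuthn Level 3 added for synced credentials. The sample attestation object is constructed inline in the shape a passkey registration takes (`fmt` of `none`, empty `attStmt`, BE and BS set, all-zero AAGUID); it is not a real captured response. The CBOR codec is a deliberate subset (no floats, tags or indefinite-length items), and no signature or certificate chain is verified, so this is a parsing check, not a full attestation verification.

```python
"""RP-side inspection of a WebAuthn attestationObject (added example, not Apple's code)."""
import hashlib
import struct

# --- minimal CBOR (RFC 8949) subset: ints, byte/text strings, arrays, maps ---
def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + struct.pack(">H", n)
    return bytes([(major << 5) | 26]) + struct.pack(">I", n)

def cbor_encode(v):
    """Encoder used only to build the constructed sample below."""
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(map(cbor_encode, v))
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(type(v))

def _decode_at(buf, i):
    """Decode one item at offset i; returns (value, offset after it)."""
    major, info = buf[i] >> 5, buf[i] & 0x1F
    i += 1
    if info < 24:
        n = info
    elif info in (24, 25, 26):
        width = {24: 1, 25: 2, 26: 4}[info]
        n, i = int.from_bytes(buf[i:i + width], "big"), i + width
    else:
        raise ValueError("unsupported CBOR additional info %d" % info)
    if major == 0:
        return n, i
    if major == 1:
        return -1 - n, i
    if major == 2:
        return bytes(buf[i:i + n]), i + n
    if major == 3:
        return buf[i:i + n].decode(), i + n
    if major in (4, 5):
        items = [] if major == 4 else {}
        for _ in range(n):
            if major == 4:
                x, i = _decode_at(buf, i); items.append(x)
            else:
                k, i = _decode_at(buf, i); x, i = _decode_at(buf, i); items[k] = x
        return items, i
    raise ValueError("unsupported CBOR major type %d" % major)

def cbor_decode(buf):
    return _decode_at(buf, 0)   # (value, offset of first unconsumed byte)

# authenticatorData flag bits (WebAuthn; BE/BS were added in Level 3 for synced credentials)
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT = 0x01, 0x04, 0x08, 0x10, 0x40

def parse_authenticator_data(auth_data):
    flags = auth_data[32]
    info = {
        "rpIdHash": auth_data[:32], "flags": flags,
        "signCount": struct.unpack(">I", auth_data[33:37])[0],
        "userPresent": bool(flags & FLAG_UP), "userVerified": bool(flags & FLAG_UV),
        "backupEligible": bool(flags & FLAG_BE), "backedUp": bool(flags & FLAG_BS),
    }
    if flags & FLAG_AT:   # attested credential data: aaguid | credIdLen | credId | COSE key
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cose_key, _end = cbor_decode(auth_data[55 + cred_len:])
        info.update(aaguid=auth_data[37:53].hex(), credentialId=auth_data[55:55 + cred_len], coseKey=cose_key)
    return info

def inspect_attestation(attestation_object, rp_id):
    """Summarise what the attestation object can and cannot tell the RP about the authenticator."""
    att, _ = cbor_decode(attestation_object)
    info = parse_authenticator_data(att["authData"])
    info["fmt"] = att["fmt"]
    info["rpIdHashMatches"] = info["rpIdHash"] == hashlib.sha256(rp_id.encode()).digest()
    # fmt "none" carries an empty attStmt: nothing here identifies the device or its security properties.
    info["attestsToDevice"] = att["fmt"] != "none" and bool(att.get("attStmt"))
    return info

def build_sample_passkey_attestation(rp_id="example.com"):
    """Constructed sample shaped like a passkey registration: fmt none, BE and BS set, zero AAGUID."""
    cose_key = {1: 2, 3: -7, -1: 1, -2: b"\xaa" * 32, -3: b"\xbb" * 32}   # EC2 / ES256 / P-256, dummy point
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT]) + struct.pack(">I", 0)
                 + bytes(16) + struct.pack(">H", 16) + b"\x11" * 16 + cbor_encode(cose_key))
    return cbor_encode({"fmt": "none", "attStmt": {}, "authData": auth_data})

if __name__ == "__main__":
    print(inspect_attestation(build_sample_passkey_attestation(), "example.com"))
```

Run against the constructed sample, `attestsToDevice` comes back `False` while `backupEligible` and `backedUp` come back `True`: that is the situation the reply describes, where the RP learns the credential is syncable but has no device attestation to gate on. A policy that requires `attestsToDevice` would reject passkey registrations outright; a policy that allows `fmt` of `none` cannot tell TouchID apart from any other passkey provider from the registration data alone, which is the limitation the question runs into. A production RP should use a maintained WebAuthn library for the full verification procedure rather than this subset decoder.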
