get webauthn attestation statement on Safari

Hello,

I'm not able to get the WebAuthn attestation statement using the option (attestation.direct) on Safari. The answer I get is a fmt of none and an aaguid of zeros.

The same code works on Chrome, and I was able to get a non-zero aaguid and a packed fmt attestation.

Can you explain why this does not work on Safari?

Thank you.

Replies

Assuming you're using a version of Safari with passkeys, this is expected behavior. Attestation statements are intended to attest to the security properties of the device where the credential lives, as the spec was written with device-bound credentials in mind. In a world where the credential can sync to devices with different security properties, a one-shot attestation during registration can't provide any meaningful promises about all of the devices where the passkey can be used. There's ongoing work in the spec to try to improve this, but keep in mind that passkeys are replacements for passwords, and passwords don't have attestation either 🙂.

  • Thank you for your answer. Can I disable passkeys on Safari in order to use the traditional behavior of WebAuthn? I don't want credentials to be synced and want to use attestation as a proof of the device's authenticator.


Hi, Thanks for the confirmation about the attStmt.

Looks like the flow for RP during Passkey enrollment is,

  1. Check for isUserVerifyingPlatformAuthenticatorAvailable to show the Passkey enroll button
  2. Take the user through an enrollment and then reject the enrollment if it has an attStmt (implying it is a non-syncing platform authenticator and thus not a Passkey)?

Understand providing this signal is being discussed at the spec level as you mentioned, but meanwhile double checking to make sure there is no better way to figure out Passkeys without taking the user through an enrollment.

  • There is a better way! There's a merged PR to the WebAuthn spec that will be included in the upcoming WebAuthn L3. It specifies two new "backup state" bits in the authenticatorData field: to indicate whether a credential "can be" backed up, and whether it "is" backed up. Passkeys on Apple platforms have already adopted this and always set both bits to true.

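The reply above points at the BE ("backup eligible") and BS ("backup state") bits in authenticatorData as the way to tell a synced passkey from a device-bound credential without relying on the attestation statement. The following is an added example, not code from the thread or from Apple: it decodes the fixed layout of authenticatorData (rpIdHash, flags, signCount, then the attested credential data with the AAGUID and credential ID) and reports the backup state. Bit positions follow the WebAuthn spec (bit 0 UP, bit 2 UV, bit 3 BE, bit 4 BS, bit 6 AT, bit 7 ED). In a real relying party the bytes would come from `response.getAuthenticatorData()` or from the `authData` field of the CBOR-decoded attestationObject; here the input is a constructed blob built by `buildAuthData` so the snippet runs offline in Node or a browser.

```javascript
// Added example, not from the original thread: decode WebAuthn authenticatorData
// and read the backup-state flags that Apple passkeys set.
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified
const FLAG_BE = 0x08; // bit 3: backup eligible ("can be" backed up)
const FLAG_BS = 0x10; // bit 4: backup state ("is" backed up)
const FLAG_AT = 0x40; // bit 6: attested credential data follows
const FLAG_ED = 0x80; // bit 7: extension data follows

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Parse rpIdHash (32) | flags (1) | signCount (4) and, when AT is set,
// aaguid (16) | credIdLen (2) | credentialId | COSE_Key (CBOR, left raw).
function parseAuthenticatorData(authData) {
  const bytes = authData instanceof Uint8Array ? authData : new Uint8Array(authData);
  if (bytes.length < 37) throw new Error('authenticatorData too short');
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flagsByte = bytes[32];
  const out = {
    rpIdHash: toHex(bytes.subarray(0, 32)),
    flags: {
      up: Boolean(flagsByte & FLAG_UP),
      uv: Boolean(flagsByte & FLAG_UV),
      be: Boolean(flagsByte & FLAG_BE),
      bs: Boolean(flagsByte & FLAG_BS),
      at: Boolean(flagsByte & FLAG_AT),
      ed: Boolean(flagsByte & FLAG_ED),
    },
    signCount: view.getUint32(33, false),
    aaguid: null,
    credentialId: null,
    credentialPublicKey: null,
  };
  if (out.flags.at) {
    if (bytes.length < 55) throw new Error('attested credential data truncated');
    out.aaguid = toHex(bytes.subarray(37, 53));
    const credIdLen = view.getUint16(53, false);
    const credIdEnd = 55 + credIdLen;
    if (bytes.length < credIdEnd) throw new Error('credentialId truncated');
    out.credentialId = toHex(bytes.subarray(55, credIdEnd));
    out.credentialPublicKey = bytes.subarray(credIdEnd); // raw COSE_Key bytes
  }
  return out;
}

// BE=0/BS=1 is not a permitted combination in the spec; reject it rather than guess.
function describeBackupState(flags) {
  if (!flags.be && flags.bs) throw new Error('invalid flags: BS set without BE');
  if (!flags.be) return 'device-bound (not backup eligible)';
  return flags.bs ? 'synced passkey (backed up)' : 'backup eligible, not yet backed up';
}

// Constructed test blob. The rpIdHash and COSE key are placeholders, not real values.
function buildAuthData({ flags, signCount, aaguid, credentialId }) {
  const credId = new Uint8Array(credentialId);
  const out = new Uint8Array(37 + 16 + 2 + credId.length + 1);
  out.fill(0xaa, 0, 32); // placeholder rpIdHash, not a real SHA-256
  out[32] = flags;
  const view = new DataView(out.buffer);
  view.setUint32(33, signCount, false);
  out.set(new Uint8Array(aaguid), 37);
  view.setUint16(53, credId.length, false);
  out.set(credId, 55);
  out[55 + credId.length] = 0xa0; // CBOR empty map standing in for the COSE key
  return out;
}

// What the thread describes for an Apple passkey registration: zero AAGUID,
// BE and BS both set (fmt "none" lives in the attestationObject, not here).
const passkeyAuthData = buildAuthData({
  flags: FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT,
  signCount: 0,
  aaguid: new Array(16).fill(0),
  credentialId: [1, 2, 3, 4],
});

console.log(describeBackupState(parseAuthenticatorData(passkeyAuthData).flags));
```

Checking the BE/BS bits at registration answers the "is this a passkey?" question from the authenticator's own data, so the relying party does not need to infer it from a missing attestation statement; the flags are also present on every later assertion, so a change from BS=0 to BS=1 can be tracked over time.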