Can we turn off passkeys for webauthn?

We've got a security solution based on WebAuthn where we use "attestation":"direct" when creating credentials. This attestation is then verified by our servers for extra security. When testing the solution using iOS 16, we are asked if we want to back up our key and then we are not getting any attestation info.

As far as I've understood, iOS 16 starts using Passkeys, which can be backed up and therefore attestation does not make sense. But our solution is very specifically locked to a single device, so the backing up of the keys is not necessary, but we do need to be certain we're on the correct device.

So: Are there any properties that can be sent to navigator.credentials.create that will tell Safari to use something else than passkeys, allowing us to get an attestation? Or do you have any other solution that will give us the same level of assurance as the attestation statement?


Replies

There is no attestation for passkeys in iOS 16. Here is a quote (time 20:12) from WWDC https://developer.apple.com/videos/play/wwdc2022/10092/?time=1212

Finally, passkeys are replacing Safari's legacy platform authenticator. Existing credentials will still work and still be bound to the device they were created on, but new platform credentials will be created as passkeys. They can be differentiated from legacy credentials during registration, as passkeys will not provide an attestation statement.

So if you are trying to create keys in iOS 16, they will be created as passkeys and you don't get any attestation.
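As an added example (not code from this thread), here is a Node.js server-side check that applies the distinction the reply quotes: it decodes the registration response's attestationObject and reports the attestation format together with the backup-eligible (BE) and backup-state (BS) authData flags, so a relying party that requested "attestation":"direct" can refuse registrations that did not produce an attested, device-bound credential. It assumes the attestationObject reaches the server as a hex string; the sample response is constructed.

```javascript
// Minimal CBOR decoder covering what an attestationObject uses: unsigned ints
// (major 0), byte strings (2), text strings (3), arrays (4) and maps (5).
function decodeCbor(bytes, pos = 0) {
  const major = bytes[pos] >> 5;
  const info = bytes[pos] & 0x1f;
  let len = info;
  let p = pos + 1;
  if (info === 24) { len = bytes[p]; p += 1; }
  else if (info === 25) { len = (bytes[p] << 8) | bytes[p + 1]; p += 2; }
  else if (info >= 26) throw new Error("unsupported CBOR length encoding");
  const items = []; // used for arrays and maps
  switch (major) {
    case 0: return [len, p];
    case 2: return [bytes.subarray(p, p + len), p + len];
    case 3: return [Buffer.from(bytes.subarray(p, p + len)).toString("utf8"), p + len];
    case 4:
    case 5: {
      const count = major === 5 ? len * 2 : len;
      for (let i = 0; i < count; i++) { const [v, np] = decodeCbor(bytes, p); items.push(v); p = np; }
      if (major === 4) return [items, p];
      const map = {};
      for (let i = 0; i < items.length; i += 2) map[items[i]] = items[i + 1];
      return [map, p];
    }
    default: throw new Error("unsupported CBOR major type " + major);
  }
}

// Classifies the response.attestationObject bytes as sent to the server (hex here; assumed).
function classifyRegistration(attestationObjectHex) {
  const [att] = decodeCbor(Buffer.from(attestationObjectHex, "hex"));
  if (typeof att.fmt !== "string" || !att.authData || att.authData.length < 37) {
    throw new Error("malformed attestationObject");
  }
  const flags = att.authData[32]; // authData = rpIdHash(32) | flags(1) | signCount(4) | ...
  const backupEligible = (flags & 0x08) !== 0; // BE, bit 3
  const backupState = (flags & 0x10) !== 0;    // BS, bit 4
  // Under attestation "direct", fmt "none" means no attestation statement was
  // supplied, which is how iOS 16 passkeys present at registration.
  const deviceBound = att.fmt !== "none" && !backupEligible;
  return { fmt: att.fmt, backupEligible, backupState, deviceBound };
}

// Constructed sample, not a real response: fmt "none", empty attStmt, 37-byte authData
// with a zeroed rpIdHash placeholder, flags 0x1d (UP|UV|BE|BS) and a zero sign counter.
const PASSKEY_SAMPLE_HEX =
  "a3" + "63666d74" + "646e6f6e65" + "6761747453746d74" + "a0" + "686175746844617461" +
  "5825" + "00".repeat(32) + "1d" + "00000000";
```

A registration whose result has `deviceBound: false` is the case the question describes: the credential is a passkey and the server has no attestation statement to verify.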
