Few Passkey questions

  1. Is there a way to detect if the Passkey used for authentication came from the same device orthey used a Passkey from a different device by scanning a QR code.
  2. Does Apple Passkeys support https://www.w3.org/TR/webauthn-2/#signature-counter. In my testing its 0 always. If there are plans to implement it, will it be per device count or per user.
  3. Is there any plans for supporting cross domain Passkey usage if they RP owns multiple domains. Looks like spec has support for at least authentication within an iFrame https://w3c.github.io/webauthn/#sctn-iframe-guidance . Any plans to support this in WebKit.
Up vote post of arunThottaSuresh Down vote post of arunThottaSuresh
1.2k views
Posted by
arunThottaSuresh
Reply
Add a Comment

Accepted Reply

  1. Yes, you can look at the transport for the assertion. The cross-device flow uses the transport "hybrid".
  2. Per the linked section of the spec, "The signature counter's purpose is to aid Relying Parties in detecting cloned authenticators." With passkeys, replication is a core feature, so signCount doesn't really make sense.
  3. Apple doesn't comment on future plans. WebKit currently supports cross-origin same-domain iframes, but not cross-domain iframes.
Posted by
garrett-davidson
Up vote reply of garrett-davidson Down vote reply of garrett-davidson
Post marked as solved

  • Can you please provide links to this in the documentation? Every library for webauthn seems to include a counter and it's required and I haven't seen a counter or the lack thereof addressed anywhere in documentation.

    notdevin
Add a Comment

Replies

  1. Yes, you can look at the transport for the assertion. The cross-device flow uses the transport "hybrid".
  2. Per the linked section of the spec, "The signature counter's purpose is to aid Relying Parties in detecting cloned authenticators." With passkeys, replication is a core feature, so signCount doesn't really make sense.
  3. Apple doesn't comment on future plans. WebKit currently supports cross-origin same-domain iframes, but not cross-domain iframes.
Posted by
garrett-davidson
Up vote reply of garrett-davidson Down vote reply of garrett-davidson
Post marked as solved

  • Can you please provide links to this in the documentation? Every library for webauthn seems to include a counter and it's required and I haven't seen a counter or the lack thereof addressed anywhere in documentation.

    notdevin
Add a Comment