Invalid AuthenticatorAttachment information in authentication response during cross-device authentication

Scenario

  1. Use Safari browser on macOS and trigger WebAuthn authentication
  2. Select QR code authentication flows
  3. Use Android phone's passkey (with play service beta) and scan the QR code
  4. Perform UV on Android device
  5. Check the authentication response coming from the Safari on macOS

Issue: The authenticatorAttachment in the response is "platform".

Expected behavior: The authenticatorAttachment should be "cross-platform". According to the spec (https://w3c.github.io/webauthn/#dom-publickeycredential-authenticatorattachment), the value should be "cross-platform" since the attachment modality at the time of authentication is "cross-platform" rather than "platform". Without "cross-platform", the RP cannot decide and guide the user to register the "platform" authenticator on macOS.

I just checked this issue with Safari (16.2) on macOS (13.1). Also, you can refer to the related issue on the fido-dev group: https://groups.google.com/a/fidoalliance.org/g/fido-dev/c/XvDWBH6PhQ0

  • Hi

    Is this acknowledged as a bug? If so, how can I follow its development? If not, is there another way to identify that a "cross device flow" was performed?

    Thanks!


Replies

Please file this through Feedback Assistant. Feel free to share your feedback number here so we can take a look :)

Hi,

I'm facing the same situation. Is this acknowledged as a bug? If so, how can I track any developments? If not, how can a "cross device flow" be identified?

Thanks!
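To make the relying-party impact described in the original post concrete, here is an added example (not code from the thread or from any browser vendor) of the decision an RP typically hangs on `authenticatorAttachment` after `navigator.credentials.get()`. The function names, reason strings and sample credentials are hypothetical and constructed for illustration; `localUvAvailable` is assumed to come from `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()`.

```javascript
// Added example: RP-side decision logic. All names here are hypothetical.
const KNOWN_ATTACHMENTS = new Set(["platform", "cross-platform"]);

// Normalise the attachment reported on a PublicKeyCredential-like object.
// Missing or unrecognised values are treated as null (unknown).
function normaliseAttachment(credential) {
  const value = credential ? credential.authenticatorAttachment : null;
  return typeof value === "string" && KNOWN_ATTACHMENTS.has(value) ? value : null;
}

// Decide whether to offer registering a passkey on this device after sign-in.
function decideLocalPasskeyPrompt(credential, localUvAvailable) {
  const attachment = normaliseAttachment(credential);
  if (!localUvAvailable) {
    return { prompt: false, reason: "no-local-platform-authenticator" };
  }
  if (attachment === "cross-platform") {
    return { prompt: true, reason: "signed-in-with-another-device" };
  }
  if (attachment === "platform") {
    return { prompt: false, reason: "already-using-local-authenticator" };
  }
  // Unknown attachment: do not guess, fall back to a neutral flow.
  return { prompt: false, reason: "attachment-unknown" };
}

// Constructed sample responses for the same QR-code (cross-device) sign-in.
const SAMPLES = {
  expectedHybrid: { id: "constructed-id-1", authenticatorAttachment: "cross-platform" },
  reportedHybrid: { id: "constructed-id-1", authenticatorAttachment: "platform" }, // value described in the post
  noAttachment: { id: "constructed-id-2" }, // client that does not expose the attribute
};

function runSamples() {
  const out = {};
  for (const [name, cred] of Object.entries(SAMPLES)) {
    out[name] = decideLocalPasskeyPrompt(cred, true);
  }
  return out;
}

console.log(runSamples());
```

With the value reported in the post, the same cross-device sign-in falls into the "already-using-local-authenticator" branch, so the registration prompt is never shown.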