Why doesn't Apple allow the BE/BS flags to be false in an AutoFill credential provider's attestation response?

It appears that for a successful registration of a passkey to a relying party using a passkey AutoFill provider, the BE/BS bits/flags in the attestation response need to be set to true. Please refer to the FLAGS byte of the authData field, part of the attestationObject mentioned here - https://www.w3.org/TR/webauthn-2/#sctn-attestation.

If those flags are set to false, the RP rejects saying - "The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client."

What are the implications of having those flags set to true? Does it make the generated passkey syncable across devices using the same Apple ID? If yes, is there any way at all by which a generated passkey can be made device-bound, i.e. generated and used only on a single iPhone/iOS device?

Also, is there a plan to ever allow those flags to be set to false in a future iOS release?

Also, what does it mean when the credential provider popup says "Available where <app-name> is installed." in the screenshot below?
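For readers who want to see exactly which bits the question is about, here is an added example (not part of the original post) that parses the FLAGS byte of a raw authenticatorData blob and applies a relying-party-side policy check on the BE and BS bits. The bit positions follow WebAuthn Level 3 (the Level 2 spec linked above predates the backup flags); the sample authenticatorData blobs are constructed here with an all-zero rpIdHash placeholder and no attested credential data.

```python
import struct
from dataclasses import dataclass

# Bit masks of the authenticatorData FLAGS byte (WebAuthn Level 3, "Authenticator Data").
FLAG_UP = 0x01  # bit 0: User Present
FLAG_UV = 0x04  # bit 2: User Verified
FLAG_BE = 0x08  # bit 3: Backup Eligibility (credential may be synced/backed up)
FLAG_BS = 0x10  # bit 4: Backup State (credential is currently backed up)
FLAG_AT = 0x40  # bit 6: Attested credential data follows
FLAG_ED = 0x80  # bit 7: Extension data follows

@dataclass
class AuthDataFlags:
    up: bool
    uv: bool
    be: bool
    bs: bool
    at: bool
    ed: bool

def parse_flags(auth_data: bytes) -> AuthDataFlags:
    """Decode the FLAGS byte from raw authenticatorData.
    Fixed header layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the fixed 37-byte header")
    f = auth_data[32]
    return AuthDataFlags(up=bool(f & FLAG_UP), uv=bool(f & FLAG_UV), be=bool(f & FLAG_BE),
                         bs=bool(f & FLAG_BS), at=bool(f & FLAG_AT), ed=bool(f & FLAG_ED))

def check_backup_flags(flags: AuthDataFlags, require_device_bound: bool = False):
    """RP policy check. Returns (accepted, reason).
    BS set without BE is an invalid combination; an RP may additionally choose to
    reject backup-eligible (syncable) credentials if it requires device-bound ones."""
    if flags.bs and not flags.be:
        return False, "BS set without BE: invalid flag combination"
    if require_device_bound and flags.be:
        return False, "credential is backup-eligible (syncable); policy requires device-bound"
    return True, "ok"

def build_auth_data(flags_byte: int, sign_count: int = 0) -> bytes:
    """Constructed sample: zero rpIdHash placeholder + flags + sign counter, no attested credential data."""
    return bytes(32) + bytes([flags_byte]) + struct.pack(">I", sign_count)

if __name__ == "__main__":
    # A synced passkey as described in the question: UP, UV, BE, BS and AT all set (0x5D).
    synced = parse_flags(build_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT))
    print("synced passkey:", synced, check_backup_flags(synced, require_device_bound=True))
    # A device-bound credential: BE and BS both clear.
    bound = parse_flags(build_auth_data(FLAG_UP | FLAG_UV | FLAG_AT))
    print("device-bound:", bound, check_backup_flags(bound, require_device_bound=True))
```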

Replies

Excellent question! Unfortunately there is no short answer, but I’ll do my best to summarize it :)

Passkeys are designed to be a replacement for passwords. One of the key criteria for successfully replacing passwords for everyone is being just as available and straightforward as passwords are. A credential that only works on a single device, which is vulnerable to theft/loss/damage/deletion/getting left behind when you upgrade devices/being in the other room when you want to sign in/etc., is a major regression from the usability of passwords. Passkeys are also a very young and technically nuanced technology. Having some credentials work differently than others in subtle ways can undermine consumer trust in and understanding of passkeys as a whole.

Being available and usable, and most importantly trusted and safe, on all of your devices is a requirement for a password replacement to succeed at scale, which is why the BE and BS flags are required for the passkey API. Apps using this API are expected to provide some form of sync, which is indicated in the user interface with the “Available where <app-name> is installed” subtitle.

Thanks @garrett-davidson for letting me know and summarizing it well. I have a follow-up question on the same topic: when you say "Apps using this API are expected to provide some form of sync", what happens if a passkey manager app does not provide sync? I am sure Apple doesn't back the passkeys up in iCloud, right? I guess it is just a recommendation?

Thanks again!