In these threads, it was clarified that Credential Provider Extensions must set both Backup Eligible (BE) and Backup State (BS) flags to 1 in authenticator data:
However, I'm developing a passkey manager that intentionally stores credentials only on the local device. My implementation uses:
- kSecAttrAccessibleWhenUnlockedThisDeviceOnly for keychain items
- kSecAttrTokenIDSecureEnclave for private keys
- No iCloud sync or backup
These credentials are, by definition, single-device credentials. According to the WebAuthn specification, they should be represented with BE=0, BS=0.
Currently, I'm forced to set BE=1, BS=1 to make the extension work, which misrepresents the actual backup status to relying parties. This is problematic because:
- Servers using BE/BS flags for security policies will incorrectly classify these as synced passkeys
- Users who specifically want device-bound credentials for higher security cannot get accurate flag representation
Request: Please allow Credential Provider Extensions to return credentials with BE=0, BS=0 for legitimate device-bound passkey implementations.
Environment: macOS 26.2 (25C56), Xcode 26.2 (17C52)
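To make the relying-party side of this concrete, here is an added example (not from the original post or from Apple's APIs) showing why the flag values matter: a small Python parser for the fixed prefix of WebAuthn authenticator data (rpIdHash, flags byte, signCount), a mapping of the BE/BS bits to the backup categories the WebAuthn specification defines (BE=0/BS=0 single-device, BE=1/BS=0 multi-device not currently backed up, BE=1/BS=1 backed up, BE=0/BS=1 invalid), and a hypothetical server policy that only accepts device-bound credentials. The sample authenticator data, the RP ID "example.com" and the policy function are constructed for illustration. An extension forced to report BE=1/BS=1 for a Secure Enclave key would be rejected by such a policy even though the credential never leaves the device.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Tuple

# Bit positions of the WebAuthn authenticator data flags byte.
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_BE = 0x08  # Backup Eligible
FLAG_BS = 0x10  # Backup State
FLAG_AT = 0x40  # Attested credential data included
FLAG_ED = 0x80  # Extension data included


@dataclass(frozen=True)
class AuthDataFlags:
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backup_state: bool
    attested_credential_data: bool
    extension_data: bool


def parse_authenticator_data(auth_data: bytes) -> Tuple[bytes, AuthDataFlags, int]:
    """Split the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    f = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    flags = AuthDataFlags(
        user_present=bool(f & FLAG_UP),
        user_verified=bool(f & FLAG_UV),
        backup_eligible=bool(f & FLAG_BE),
        backup_state=bool(f & FLAG_BS),
        attested_credential_data=bool(f & FLAG_AT),
        extension_data=bool(f & FLAG_ED),
    )
    return rp_id_hash, flags, sign_count


def classify_backup(flags: AuthDataFlags) -> str:
    """Map BE/BS to the credential backup categories defined by WebAuthn."""
    if not flags.backup_eligible and flags.backup_state:
        raise ValueError("BE=0 with BS=1 is not a valid combination")
    if not flags.backup_eligible:
        return "single-device"
    return "multi-device, backed up" if flags.backup_state else "multi-device, not backed up"


def evaluate_policy(auth_data: bytes, rp_id: str, require_device_bound: bool) -> Tuple[bool, str]:
    """Hypothetical relying-party policy: when required, accept only credentials reporting BE=0."""
    rp_id_hash, flags, _ = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match expected RP ID"
    if not flags.user_present:
        return False, "UP flag not set"
    category = classify_backup(flags)
    if require_device_bound and category != "single-device":
        return False, f"policy requires device-bound credential, got {category}"
    return True, category


def make_sample_auth_data(rp_id: str, flags_byte: int, sign_count: int = 0) -> bytes:
    """Constructed sample: minimal assertion-style authenticator data (no AT/ED payload)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags_byte]) + struct.pack(">I", sign_count)


# Constructed samples for the flag combinations discussed above.
DEVICE_BOUND = make_sample_auth_data("example.com", FLAG_UP | FLAG_UV)                       # BE=0, BS=0
SYNCED = make_sample_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)         # BE=1, BS=1
ELIGIBLE_ONLY = make_sample_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE)            # BE=1, BS=0

if __name__ == "__main__":
    for name, data in [("device-bound", DEVICE_BOUND), ("synced", SYNCED), ("eligible-only", ELIGIBLE_ONLY)]:
        print(name, evaluate_policy(data, "example.com", require_device_bound=True))
```

Running the block shows the device-bound sample accepted and the other two refused under a device-bound-only policy; the same synced sample is accepted once the policy is relaxed, which is exactly the distinction a server loses when every extension-provided credential arrives as BE=1/BS=1.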