Can a third-party credential provider participate in the FIDO2 hybrid (cross-device) transport as the authenticator?

Hey there,

I'm trying to build an iOS credential provider (ASCredentialProviderExtension, iOS 17+) that manages passkeys backed by keys generated in the Secure Enclave, attested via App Attest.

My question is about the cross-device (FIDO2 hybrid / "passkey on a nearby device") flow, where a phone authenticates a sign-in initiated on a separate client device (e.g. a laptop browser).

Specifically,

  1. Can a third-party credential provider serve as the authenticator in this flow, signing with its own key — or is the cross-device role reserved for iCloud Keychain?
  2. If it can, does the OS handle the BLE advertisement and tunnel/handshake on the provider's behalf? I ask because it seems like CBPeripheralManager.startAdvertising(_:) will not emit raw bytes, so an app can't emit a CTAP hybrid advert itself.
  3. If neither is supported, is there any supported API — including MDM-managed/supervised-device capabilities — for an app to act as a cross-device FIDO2 authenticator with a non-iCloud-Keychain key?

Thanks!

All enabled credential provider extensions get Hybrid support for free through the system's implementation of Hybrid; there is no need to implement it yourself. Once your extension is enabled, it will be offered in all places that passkeys can be used across the system. If you're trying to do something with Hybrid that's not supported by the system, please let us know!

Also a couple of things to be aware of:

  • A device-bound credential is not a passkey and cannot be returned as part of a credential provider extension. Apple first introduced the term passkey in 2021, defining it as a synced credential.
  • WebAuthn attestation is not supported for passkeys outside of a few MDM-managed contexts, though using AppAttest out of band is fine.
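Since the reply above says the system transport (including Hybrid) delivers the request to the extension, the extension's only job is to answer the passkey assertion request, regardless of whether the request originated on this device or was relayed from a nearby one. The following is an added example, not code from the original thread or from Apple's sample projects; it shows the minimal assertion path: build WebAuthn authenticator data for a synced (backup-eligible) passkey, sign authenticatorData || clientDataHash with ES256, and hand the result back through the extension context. The `PasskeyStore` protocol and `InMemoryPasskeyStore` stand-in are assumptions standing in for whatever synced key storage the app uses; per the reply, the key must be a synced credential rather than a Secure Enclave (device-bound) key.

```swift
import AuthenticationServices
import CryptoKit
import Foundation

// Hypothetical abstraction over the provider's synced passkey private keys, looked up by credential ID.
// Real storage/sync is out of scope; this is an assumption for the example.
protocol PasskeyStore {
    func privateKey(forCredentialID id: Data) -> P256.Signing.PrivateKey?
}

// Stand-in store so the example is self-contained (constructed, not a real persistence layer).
final class InMemoryPasskeyStore: PasskeyStore {
    private var keys: [Data: P256.Signing.PrivateKey] = [:]
    func add(credentialID: Data, key: P256.Signing.PrivateKey) { keys[credentialID] = key }
    func privateKey(forCredentialID id: Data) -> P256.Signing.PrivateKey? { keys[id] }
}

enum AssertionError: Error {
    case notAPasskeyIdentity
    case unknownCredential
}

/// WebAuthn authenticator data for an assertion (no attested credential data, no extensions):
/// rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian).
func makeAssertionAuthenticatorData(relyingPartyID: String, userVerified: Bool) -> Data {
    var authData = Data(SHA256.hash(data: Data(relyingPartyID.utf8)))
    // Flag bits: UP=0x01 (user present), UV=0x04 (user verified),
    // BE=0x08 (backup eligible), BS=0x10 (backed up). A synced passkey sets BE and BS.
    var flags: UInt8 = 0x01 | 0x08 | 0x10
    if userVerified { flags |= 0x04 }
    authData.append(flags)
    // Synced passkeys report a constant signature counter of zero.
    authData.append(contentsOf: [0, 0, 0, 0])
    return authData
}

/// Signs authenticatorData || clientDataHash with ES256 and packages the assertion for the framework.
func makeAssertion(request: ASPasskeyCredentialRequest,
                   store: PasskeyStore,
                   userVerified: Bool) throws -> ASPasskeyAssertionCredential {
    guard let identity = request.credentialIdentity as? ASPasskeyCredentialIdentity else {
        throw AssertionError.notAPasskeyIdentity
    }
    guard let key = store.privateKey(forCredentialID: identity.credentialID) else {
        throw AssertionError.unknownCredential
    }
    let authData = makeAssertionAuthenticatorData(relyingPartyID: identity.relyingPartyIdentifier,
                                                  userVerified: userVerified)
    // The signed message is the authenticator data followed by the client data hash the framework supplies.
    let signature = try key.signature(for: authData + request.clientDataHash)
    return ASPasskeyAssertionCredential(
        userHandle: identity.userHandle,
        relyingParty: identity.relyingPartyIdentifier,
        signature: signature.derRepresentation, // WebAuthn ES256 signatures are ASN.1 DER encoded
        clientDataHash: request.clientDataHash,
        authenticatorData: authData,
        credentialID: identity.credentialID)
}

final class CredentialProviderViewController: ASCredentialProviderViewController {
    // In a real extension this would be backed by the app's synced credential storage.
    private let store: PasskeyStore = InMemoryPasskeyStore()

    override func provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest) {
        guard let passkeyRequest = credentialRequest as? ASPasskeyCredentialRequest else {
            extensionContext.cancelRequest(withError: ASExtensionError(.credentialIdentityNotFound))
            return
        }
        // Without UI we cannot verify the user, so defer to the interactive path when the RP requires it.
        if passkeyRequest.userVerificationPreference == .required {
            extensionContext.cancelRequest(withError: ASExtensionError(.userInteractionRequired))
            return
        }
        do {
            let assertion = try makeAssertion(request: passkeyRequest, store: store, userVerified: false)
            extensionContext.completeAssertionRequest(using: assertion)
        } catch {
            extensionContext.cancelRequest(withError: ASExtensionError(.failed))
        }
    }
}
```

The UV flag must only be set when the extension has actually verified the user (for example after a successful local authentication in `prepareInterfaceToProvideCredential(for:)`); relying parties that requested `required` user verification will reject an assertion whose flags claim UV without it, and an authenticator that sets UV falsely undermines the RP's policy. Registration is not shown because the reply states WebAuthn attestation is unsupported for these passkeys, so a registration response would carry a `none`-format attestation statement.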