[coldpie]

This is fine for corporate settings, where the data is not owned by the user but by the company. But it's completely unacceptable for managing one's own personal account. What do I do if I do not trust proprietary software to manage my ability to log in to online services? How can this be compatible with open source passkey providers?

The spec failing to distinguish between these two cases is a major flaw and completely kills passkey viability for personal accounts until they resolve it.

[WorldMaker]

Apple has stated very publicly and in multiple places/ways that Consumer Passkeys will never include attestation data on Apple hardware. That's not "the spec", but it is still currently a big enough moat to protect Consumer usage of passkeys away from Corporate needs, given most Consumer apps/websites probably want iOS/iPadOS/macOS (in decreasing interest) users today.

[coldpie]

> Apple has stated very publicly and in multiple places/ways that Consumer Passkeys will never include attestation data on Apple hardware.

I'm interested in reading more about this. Do you have some links? I did some quick searching of the terms you mentioned and nothing obvious came up.

[WorldMaker]

Yeah, it's unfortunate we live in an age where searching for things is harder and less likely to turn up the results from even a couple months ago.

Some quick bits and pieces from my own searching just now:

Apple's documentation on Passkey attestation is entirely under "declarative configuration", their terminology for mobile device management (MDM) corporate tools: https://support.apple.com/guide/deployment/passkey-attestati...

It is noticeably absent from, for instance, AuthenticationServices documentation: https://developer.apple.com/documentation/authenticationserv...

On non-attestation Passkey responses intentionally send an empty AAGUID for privacy/Apple's belief in the spec's suggestion to send an empty AAGUID:

> iCloud Keychain is one of the few (maybe the only?) passkey authenticator that currently follows the spec and will use an all-zero AAGUID.

From: https://developer.apple.com/forums/thread/739004

On the technical side of limitations of attestation for consumer Passkeys (due to iCloud Keychain sync):

> Passkeys do not provide an attestation statement, as the attestation model currently defined in WebAuthn wasn't designed with syncing credentials in mind.

> Attestation was designed to attest to a specific device, exclusively at the point of creation, with a specific set of security properties. It doesn't make sense for synced credentials for a number of reasons, including syncing to devices with different security properties, changes in security properties that happen after key creation, security properties of the sync fabric, sharing the passkey, or exporting to other passkey providers. We're working hard with W3C and FIDO to solve these problems.

From: https://developer.apple.com/forums/thread/708982

(I believe some of the problems being solved in that one in 2022 is referring to how we got the "uvi" and "uvm" extensions to Passkeys, neither of which is in attestation data nor attested in any way, and both designed for a general semblance of user privacy: https://www.w3.org/TR/webauthn-1/#sctn-uvi-extension)

I believe the juiciest quotes I'm looking for are buried in WWDC videos and I can't find a transcript search tool just yet.

[parliament32]

Excellent writeup. This is the true kicker:

> Passkeys do not provide an attestation statement, as the attestation model currently defined in WebAuthn wasn't designed with syncing credentials in mind.

On any platform, attestation and "syncing" are effectively opposites. Either you're getting attestation that the auth comes from a secure application and on secure hardware (read: non-exportable in-TPM crypto material), or not.

As usual, it's a tug-of-war between security and convenience.

[eikenberry]

Attestation is only about security if there are ways for people to handle it themselves. Think of them like certs where anyone can buy one or get one for free using lets-encrypt. I should be able to attest my own keys in a similar way. If I cannot then they are not really about security but about control and lock-in.