Is there a way to detect if the Passkey used for authentication came from the same device or they used a Passkey from a different device by scanning a QR code?
Do Apple Passkeys support https://www.w3.org/TR/webauthn-2/#signature-counter? In my testing it's 0 always. If there are plans to implement it, will it be a per-device count or per-user?
Are there any plans for supporting cross-domain Passkey usage if the RP owns multiple domains? Looks like the spec has support for at least authentication within an iframe https://w3c.github.io/webauthn/#sctn-iframe-guidance. Any plans to support this in WebKit?
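An added example, not part of the original post and not Apple's code: how a relying party server can read the signature counter out of the authenticator data and apply the WebAuthn Level 2 counter check, including the case where the counter is always 0. The function names, verdict strings and the sample bytes are assumptions constructed for illustration; keeping the stored value on a suspected clone is one policy choice the spec leaves to the RP.

```python
import hashlib
import hmac
import struct

def parse_auth_data(auth_data):
    """Split the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & 0x01),   # UP flag, bit 0
        "user_verified": bool(flags & 0x04),  # UV flag, bit 2
        "sign_count": sign_count,
    }

def check_sign_count(stored, received):
    """Return (verdict, value_to_store) following the Level 2 assertion rules."""
    if stored == 0 and received == 0:
        # Authenticator does not implement a counter: the check is skipped,
        # so the counter gives no clone-detection signal for this credential.
        return ("no_counter", 0)
    if received > stored:
        return ("ok", received)
    # Equal or lower than the stored value: possible cloned authenticator.
    # Policy assumption here: keep the old value and flag the login for review.
    return ("possible_clone", stored)

def evaluate_assertion(auth_data, expected_rp_id, stored_count):
    """Check the RP ID hash, then the counter. Signature verification is out of scope."""
    parsed = parse_auth_data(auth_data)
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    if not hmac.compare_digest(parsed["rp_id_hash"], expected_hash):
        return ("rp_id_mismatch", stored_count)
    return check_sign_count(stored_count, parsed["sign_count"])

def build_sample(rp_id, flags, sign_count):
    """Constructed test input: a minimal authenticator data header."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

if __name__ == "__main__":
    # Constructed samples: one authenticator that always reports 0, one that counts.
    zero = build_sample("example.com", 0x05, 0)
    counting = build_sample("example.com", 0x05, 7)
    print(evaluate_assertion(zero, "example.com", 0))
    print(evaluate_assertion(counting, "example.com", 6))
    print(evaluate_assertion(counting, "example.com", 7))
```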
As per the WebAuthn spec for privacy, the authenticator shouldn't disclose the availability of keys on the device (although as a trusted RP, knowing this info will greatly help in optimizing the UI for the end user): https://w3c.github.io/webauthn/#sctn-assertion-privacy
But it seems like I can guess the availability of keys by doing an assertion request with this option: https://developer.apple.com/documentation/authenticationservices/asauthorizationcontroller/requestoptions/3994648-preferimmediatelyavailablecreden
Although the error code is generic, based on timing information like if it returned immediately instead of opening the QR code fallback, I can guess the availability of a key.
Wanted to clarify that WebAuthn APIs don't function on WKWebView and SFSafariViewController within native apps. The only option for native apps is the native ASAuthorizationPublicKeyCredentials... APIs.
The only exception is native apps with the web browser entitlement, as per this WebKit change: https://bugs.webkit.org/attachment.cgi?id=453655&action=prettypatch.