get webauthn attestation statement on Safari

Hello,

I'm not able to get the WebAuthn attestation statement using the option (attestation.direct) on Safari. The answer I get is a fmt of none and an aaguid of zeros.

The same code works on Chrome and I was able to get a non-zero aaguid and a packed fmt attestation.

Can you explain why this does not work on Safari?

Thank you.

Assuming you're using a version of Safari with passkeys, this is expected behavior. Attestation statements are intended to attest to the security properties of the device where the credential lives, as the spec was written with device-bound credentials in mind. In a world where the credential can sync to devices with different security properties, a one-shot attestation during registration can't provide any meaningful promises about all of the devices where the passkey can be used. There's ongoing work in the spec to try to improve this, but keep in mind that passkeys are replacements for passwords, and passwords don't have attestation either 🙂.

Hi, thanks for the confirmation about the attStmt.

Looks like the flow for RP during Passkey enrollment is,

  1. Check for isUserVerifyingPlatformAuthenticatorAvailable to show the Passkey enroll button
  2. Take the user through an enrollment and then reject the enrollment if it has an attStmt (implying it is a non-syncing platform authenticator and thus not a Passkey)?

Understand providing this signal is being discussed at the spec level as you mentioned, but meanwhile double checking to make sure there is no better way to figure out Passkeys without taking the user through an enrollment.
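
What a relying party can read from a registration response like the ones described in this thread, as an added example (not code from any poster or from Apple): it parses the authenticator data for the AAGUID and for the backup-eligibility (BE) and backup-state (BS) flags defined in WebAuthn Level 3. The sample bytes are constructed, `summarize` and `buildSample` are hypothetical names, and `fmt` is assumed to have been decoded from the attestation object already.

```javascript
// Authenticator data layout (WebAuthn): rpIdHash(32) | flags(1) | signCount(4),
// then aaguid(16) | credIdLen(2) | credId | COSE key when the AT flag is set.
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

function parseAuthData(input) {
  const bytes = input instanceof Uint8Array ? input : new Uint8Array(input);
  if (bytes.length < 37) throw new Error("authenticator data shorter than 37 bytes");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = {};
  for (const [name, bit] of Object.entries(FLAGS)) flags[name] = (bytes[32] & bit) !== 0;
  // WebAuthn Level 3: backup state without backup eligibility is an invalid combination.
  if (flags.BS && !flags.BE) throw new Error("BS flag set without BE");
  const out = { flags, signCount: view.getUint32(33), aaguid: null, aaguidIsZero: null };
  if (flags.AT) {
    if (bytes.length < 55) throw new Error("attested credential data truncated");
    const idLen = view.getUint16(53); // big-endian credential ID length
    if (bytes.length < 55 + idLen) throw new Error("credential ID truncated");
    const aaguid = bytes.subarray(37, 53);
    out.aaguid = Array.from(aaguid, (b) => b.toString(16).padStart(2, "0")).join("");
    out.aaguidIsZero = aaguid.every((b) => b === 0);
    out.credentialId = bytes.slice(55, 55 + idLen);
  }
  return out;
}

// Assumption: fmt was already decoded from the CBOR attestationObject by the RP's library.
function summarize(fmt, authData) {
  const { flags, aaguidIsZero } = parseAuthData(authData);
  return { attested: fmt !== "none", aaguidIsZero, backupEligible: flags.BE,
           backedUp: flags.BS, userVerified: flags.UV };
}

// Constructed sample bytes (no real credential; the COSE key is omitted).
function buildSample(flagByte, aaguidByte, credId) {
  const buf = new Uint8Array(55 + credId.length);
  buf.fill(0xaa, 0, 32);            // placeholder rpIdHash
  buf[32] = flagByte;               // signCount bytes 33..36 stay 0
  buf.fill(aaguidByte, 37, 53);
  buf[54] = credId.length;          // credIdLen low byte; samples are < 256 bytes
  buf.set(credId, 55);
  return buf;
}

// 0x5d = UP|UV|BE|BS|AT (backup-eligible sample); 0x45 = UP|UV|AT (not backup-eligible).
const synced = summarize("none", buildSample(0x5d, 0x00, [1, 2, 3, 4]));
const deviceBound = summarize("packed", buildSample(0x45, 0x11, [5, 6, 7, 8]));
console.log(synced, deviceBound);
```

The flags are only available after a credential has been created, so this reads the result of an enrollment rather than predicting it.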
