- Is there a way to detect if the Passkey used for authentication came from the same device or they used a Passkey from a different device by scanning a QR code?
- Do Apple Passkeys support https://www.w3.org/TR/webauthn-2/#signature-counter? In my testing it's 0 always. If there are plans to implement it, will it be per device count or per user?
- Are there any plans for supporting cross domain Passkey usage if the RP owns multiple domains? Looks like spec has support for at least authentication within an iFrame https://w3c.github.io/webauthn/#sctn-iframe-guidance . Any plans to support this in WebKit?
- Yes, you can look at the transport for the assertion. The cross-device flow uses the transport "hybrid".
- Per the linked section of the spec, "The signature counter's purpose is to aid Relying Parties in detecting cloned authenticators." With passkeys, replication is a core feature, so signCount doesn't really make sense.
- Apple doesn't comment on future plans. WebKit currently supports cross-origin same-domain iframes, but not cross-domain iframes.
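
Added example, not part of the original thread and not Apple's or WebKit's code: a relying-party sketch that reads signCount from an assertion's authenticatorData and applies the WebAuthn counter rule, so a credential that always reports 0 (as described above) is accepted while a counter that stops increasing is flagged. The function names and the sample bytes are assumptions made for illustration.

```javascript
// Layout of authenticatorData per the WebAuthn spec:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new RangeError("authenticatorData must be at least 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & 0x01) !== 0,  // UP, bit 0
    userVerified: (flags & 0x04) !== 0, // UV, bit 2
    signCount: view.getUint32(33, false),
  };
}

// Counter rule from the spec's assertion verification procedure:
// if both values are 0 the authenticator does not implement a counter,
// so there is nothing to compare; otherwise the received value must be
// strictly greater than the stored one.
function checkSignCount(storedCount, receivedCount) {
  if (storedCount === 0 && receivedCount === 0) {
    return { action: "skip", newStoredCount: 0 };
  }
  if (receivedCount > storedCount) {
    return { action: "update", newStoredCount: receivedCount };
  }
  // Not an automatic failure: the spec leaves the response to RP policy.
  return { action: "possible-clone", newStoredCount: storedCount };
}

// Constructed sample input (hypothetical helper): a placeholder rpIdHash,
// the given flags byte and the given counter value.
function buildSampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes.fill(0xab, 0, 32);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

const parsed = parseAuthenticatorData(buildSampleAuthData(0x05, 0));
console.log(parsed.signCount, checkSignCount(0, parsed.signCount).action);
```

Treat "possible-clone" as a risk signal for logging or step-up authentication; the spec leaves the decision to accept or reject to the relying party.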