Hi Kosuke,
This web application was created when Apple supported only the Developer
Release of FIDO/WebAuthn. At the time, Apple was sending an "apple"
attestation that could be verified as originating from an Apple device
(MacBook or iPhone); as such it could be classified as a "Restricted"
policy.
However, when Passkey became a release feature, we realized that Apple
devices did not send any attestation during registration (they were
sending "none").
Unfortunately, it appears our engineers updated the "Restricted-Apple"
policy on the back-end to include "none" attestation in addition to
"apple" attestation, but did NOT update the visible policy definition in
the web application that only shows "apple". We apologize for this
misleading behavior and will correct it this week.
However, if you test out a new web application we created that
integrates Citrix environments leveraging SAML SSO, you will find that
within this web application's Key Management page, you will see a
Passkey show up as an "Unknown Authenticator" while an Apple device
using an older operating system (such as a MacBook with macOS Big Sur v
11.6.4) shows up as a Platform Authenticator when used with TouchID. You
can find the new web application, leveraging the new FIDO Alliance UX
Guidelines at:
https://citrixgateway.strongkey.com.
RPs expecting to use Apple devices with Passkeys currently are not going
to get the signals they need with standard FIDO/WebAuthn protocols -
since they devices do not send any attestations. I imagine, Apple gets
proprietary signals when you accept storing the Passkey within iCloud;
consequently, they can afford to assume the risk of storing your private
key in their cloud (assuming you trust them with your private key) - but
any other RP that does not have access to those proprietary signals is
flying blind.
We will need to wait and see what happens with WebAuthn Level-3 is
standardized. If the specification provides a mechanism to create a
device-resident credential WITH an attestation that does NOT rely on a
Passkey authentication, then there may be a secure path for RPs. Until
then, all an independent FIDO Server supplier like StrongKey can do is
provide a signal to RPs that an Unknown Authenticator was used within
the registration process and let the RP make a decision on what they
want to do. If the FIDO policy is set to reject Authenticators without
an attestation, then the only recourse is for the RP to provide a signal
to the user that they are using a device/Security Key whose security
attributes cannot be determined using industry standards, and as such
the registration is being rejected.
Hope that helps.
Arshad