How to deal with passkeys as an L2 RP?


Johnny Clark

Nov 15, 2023, 4:12:59 AM
to FIDO Dev (fido-dev)
Hi all,

I am currently working on implementing the Level 2 (L2) specification as a Relying Party and have come across a point that I need some clarification on.

As you may know, both Apple and Android have introduced the backup and multi-device use of passkeys, a feature not included in the L2 spec. However, I noticed this/similar functionality appears in the draft of the Level 3 (L3) specifications.

My assumption is that Apple and Android may have preemptively implemented this feature based on the L3 draft. I am writing to inquire if anyone can confirm this assumption or provide any additional insight into how this feature has been implemented.

Specifically, are the authenticators implemented by those offering passkeys sending the Backup Eligible (BE) and Backup Selected (BS) flags in the authenticator response during attestation or assertion as per the L3 draft spec? Are counters being sent? Could I get a lower counter value if the credential is synced to another authenticator?

Any insights and information you can provide on this matter would be greatly appreciated.

thanks

Johnny

Arshad Noor

Nov 15, 2023, 2:25:49 PM
to fido...@fidoalliance.org, 126...@gmail.com

Based on my experience of working with FIDO for nearly a decade, I can tell you that relying upon a DRAFT specification to implement a production application is risky. There is a good chance that the DRAFT will change before it becomes a Recommended standard. In fact, even after it becomes a standard, you may not be able to implement features defined in the Level-3 spec - the history of Transaction Confirmation from the Level-1 spec is a cautionary tale.

Secondly, not all browsers are likely to implement all capabilities of a spec. As you can see, Apple chose to do something completely different from the Level-2 spec that took many years to settle; Mozilla Firefox only recently implemented the UV implementation to prompt for a PIN.

If you are building an application in a regulated industry (banking, healthcare, etc.), then you should technically be depending on Level-2 - it is the current standard on the books. It took many people multiple years to publish a white paper that shows how to implement one of the most stringent fintech regulations in the world: How FIDO Standards Meet PSD2's Regulatory Technical Standards Requirements on Strong Customer Authentication. Unfortunately, the DRAFT Level-3 spec has sown confusion in the market about whether W3C can/will force browsers to preserve Level-2 APIs to support RPs who may have built production applications following such guidance from the FIDO Alliance and the W3C. You can try sending e-mails to the W3C to get an official answer from them, but given what companies have done in the last year (in stark contrast to the existing Level-2 standard), good luck with that!

Arshad Noor
StrongKey

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/7fd884de-6ddc-4697-8838-4fd4589644b2n%40fidoalliance.org.

Tim Cappalli

Nov 15, 2023, 3:13:05 PM
to Johnny Clark, FIDO Dev (fido-dev)
> Specifically, are the authenticators implemented by those offering passkeys sending the Backup Eligible (BE) and Backup Selected (BS) flags in the authenticator response during attestation or assertion as per the L3 draft spec?

When BE is 0, the authenticator is signaling that this is a device-bound passkey (called a single-device credential in the spec). Typically you'd verify the attestation by looking up the AAGUID in a trusted source, such as the FIDO Metadata Service.

When BE is 1, the authenticator is signaling that this is a synced passkey, e.g. a credential that can be backed up (called a multi-device credential in the spec). Most authenticators currently set BS to 1, but there may be cases in the future where this is used to signal an issue with a passkey or that it is in the process of being deleted. passkeys.dev will be updated with guidance if that were to happen.

> Are counters being sent?

Counters are typically always 0 for synced passkeys (multi-device credentials).

> Could I get a lower counter value if the credential is synced to another authenticator?

See above


Johnny Clark

Nov 15, 2023, 4:03:58 PM
to FIDO Dev (fido-dev)

Thank you all for your responses thus far, it has added some clarity.

My understanding from the L3 draft is that the generating authenticator decides the BE value. This implies that, as an RP, we have no influence on whether the credential is a single-device credential or a multi-device credential, and authenticator 'policy' determines whether or not any credential generated by the authenticator is backup eligible.

Is it fair to say that it is impossible as of now for me as an RP to request the creation of a single-device credential using any authenticator supporting/generating multi-device credentials, i.e. passkeys?

thanks again.

Johnny

Tim Cappalli

Nov 15, 2023, 5:13:04 PM
to Johnny Clark, FIDO Dev (fido-dev)
WebAuthn L2 does not provide any capability to request a specific authenticator and there is no change between L2 and L3 in that regard. 

Arshad Noor

Nov 15, 2023, 9:11:53 PM
to Tim Cappalli, Johnny Clark, FIDO Dev (fido-dev)
With an appropriate policy module, it is possible to configure a FIDO policy that allows for registering credentials only from a specific Authenticator (or a specific set of Authenticators). The user may try to "fake" the registration with anything they want, but the policy will reject everything that is non-conformant.

You can get a demo of this at https://demo.strongkey.com - choose the FIDO Policy demo in the top row.

Arshad Noor
StrongKey
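As an added example (not code from this thread, and not StrongKey's policy module), the following shows how an RP could act on the two replies above: Tim's description of the BE/BS flags and the zero counters of synced passkeys, and Arshad's point that a server-side registration policy can reject credentials from authenticators the RP does not accept. It parses the authenticatorData structure, reads the BE/BS flags and the AAGUID, enforces a registration policy (AAGUID allowlist and an optional refusal of backup-eligible credentials, which is the lever an L2 RP has, since the ceremony itself cannot request a specific authenticator), and applies the L2 signature-counter rule, which skips the comparison when both the stored and received counters are zero. The RP ID "example.com", the AAGUIDs, credential IDs and COSE key bytes are constructed placeholders; attestation statement verification, CBOR decoding of the public key and the lookup of AAGUIDs in the FIDO Metadata Service are out of scope.

```python
"""Added example (not code from the thread): parse WebAuthn authenticatorData,
apply an RP registration policy, and run the L2 signature-counter check.
All sample values below are constructed; the AAGUIDs are placeholders."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Set

# Bits of the authenticatorData flags byte. UP/UV/AT/ED are WebAuthn L2;
# BE (bit 3) and BS (bit 4) are the backup flags from the L3 draft.
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x08, 0x10, 0x40, 0x80


class PolicyError(Exception):
    pass


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes] = None
    credential_id: Optional[bytes] = None
    cose_key: Optional[bytes] = None

    def has(self, flag: int) -> bool:
        return bool(self.flags & flag)


def parse_authenticator_data(data: bytes) -> AuthData:
    """rpIdHash(32) | flags(1) | signCount(4, big-endian) | [attestedCredentialData] | [extensions]."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    ad = AuthData(data[:32], data[32], struct.unpack(">I", data[33:37])[0])
    if ad.has(FLAG_AT):
        # attestedCredentialData: aaguid(16) | credentialIdLength(2) | credentialId | COSE key (CBOR)
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        ad.aaguid = data[37:53]
        cid_len = struct.unpack(">H", data[53:55])[0]
        ad.credential_id = data[55:55 + cid_len]
        if len(ad.credential_id) != cid_len:
            raise ValueError("credentialId truncated")
        if ad.has(FLAG_ED):
            # Separating the COSE key from the extensions map needs a CBOR decoder; not handled here.
            raise NotImplementedError("extension data present")
        ad.cose_key = data[55 + cid_len:]
    return ad


@dataclass
class RegistrationPolicy:
    rp_id: str
    allowed_aaguids: Optional[Set[bytes]] = None  # None = accept any authenticator
    allow_backup_eligible: bool = True           # False = device-bound credentials only
    require_uv: bool = True


def check_registration(policy: RegistrationPolicy, auth_data: bytes) -> AuthData:
    """Server-side policy over the authenticatorData of a registration response."""
    ad = parse_authenticator_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(policy.rp_id.encode()).digest():
        raise PolicyError("rpIdHash does not match this RP")
    if not ad.has(FLAG_UP):
        raise PolicyError("user presence flag not set")
    if policy.require_uv and not ad.has(FLAG_UV):
        raise PolicyError("user verification required but UV flag not set")
    if not ad.has(FLAG_AT):
        raise PolicyError("registration response carries no attested credential data")
    if policy.allowed_aaguids is not None and ad.aaguid not in policy.allowed_aaguids:
        raise PolicyError("authenticator AAGUID not on the allowlist")
    if ad.has(FLAG_BE) and not policy.allow_backup_eligible:
        raise PolicyError("backup-eligible (synced) credential rejected by policy")
    return ad


def check_sign_count(stored: int, received: int) -> int:
    """WebAuthn L2 section 7.2 (signCount step): compare only if either counter is nonzero.
    Synced passkeys report 0 on every assertion, so both stay 0 and the check is skipped."""
    if (stored != 0 or received != 0) and received <= stored:
        raise PolicyError("signCount did not increase: possible cloned authenticator")
    return received


def build_authenticator_data(rp_id, flags, sign_count, aaguid=None, credential_id=b"", cose_key=b""):
    """Builds constructed test input in the wire format (an RP never does this in production)."""
    out = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        out += aaguid + struct.pack(">H", len(credential_id)) + credential_id + cose_key
    return out


# Constructed samples: a synced passkey (BE=1, BS=1, counter 0) and a device-bound credential.
SYNCED_AAGUID = bytes.fromhex("11111111222233334444555555555555")  # placeholder, not a real AAGUID
BOUND_AAGUID = bytes.fromhex("aaaaaaaabbbbccccddddeeeeeeeeeeee")   # placeholder, not a real AAGUID
SYNCED_REG = build_authenticator_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT,
                                      0, SYNCED_AAGUID, b"\x01" * 16, b"\xa5")
BOUND_REG = build_authenticator_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT,
                                     1, BOUND_AAGUID, b"\x02" * 16, b"\xa5")
```

Usage: `check_registration(RegistrationPolicy("example.com", {BOUND_AAGUID}, allow_backup_eligible=False), SYNCED_REG)` raises PolicyError, while the same policy accepts BOUND_REG; `check_sign_count(0, 0)` returns 0 without complaint, which is the expected steady state for a synced passkey, and `check_sign_count(5, 5)` raises. Two practical notes: the AAGUID allowlist only means something when the attestation statement is verified against the authenticator's attestation root (self-attestation or "none" attestation lets a client put any AAGUID in the response), and the L3 draft states that BE is fixed at credential creation while BS may change, so an RP that stores both flags at registration can treat a changed BE on a later assertion as an anomaly and a changed BS as something to log.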

Johnny Clark

Nov 16, 2023, 5:22:55 AM
to FIDO Dev (fido-dev)
Thank you for clarifying my questions. Much appreciated.

Johnny
