Detecting cross device authentication

hetin k

Nov 18, 2022, 12:18:32 AM
to FIDO Dev (fido-dev)
Hi All,

From my understanding, cross-device authentication is available at both the registration and authentication ceremonies. Is there any possible way, as a relying party, to detect whether the user employed cross-device authentication at the registration and authentication ceremonies?

Thanks

Shane Weeden

Nov 18, 2022, 12:42:21 AM
to hetin k, FIDO Dev (fido-dev)
You can check authenticatorAttachment in the webauthn response. If cross-device was used, it *should* say “cross-platform”.


hetin k

Nov 18, 2022, 12:46:31 AM
to FIDO Dev (fido-dev), Shane Weeden, FIDO Dev (fido-dev), hetin k
Hi Shane,

I checked with Mac and iOS right now; it returns authenticatorAttachment as "Platform".

Shane Weeden

Nov 18, 2022, 1:05:55 AM
to hetin k, FIDO Dev (fido-dev)
What browser were you using? If Safari, see what happens if you use Safari and an Android phone (enrolled in the passkey beta), or Chrome Canary on the Mac and your iPhone? I suggest this because the purpose of this attribute is to help decide if you want to lead the user into a solicited registration of the platform authenticator (to complete the cross-ecosystem workflow and give the user something simpler next time they login on the current platform). When using Safari on Mac, and iOS as the phone, it’s kinda pointless because a Safari-accessible passkey already exists and the user could have used that instead of pulling out their iPhone. Perhaps (I don’t know) this is an Apple optimisation to set it to “platform” so you don’t bother re-enrolling in passkey unnecessarily?

Ki-Eun Shin

Nov 19, 2022, 2:50:08 AM
to FIDO Dev (fido-dev), Shane Weeden, FIDO Dev (fido-dev), het...@gmail.com
With Safari on macOS and an Android passkey (play service beta), Safari returns authenticatorAttachment as "Platform". So, with the current implementation, we cannot guide the user to register the passkey on their device (in this example, macOS). I think this is a bug or intentional on Apple's part.

Adam Langley

Nov 21, 2022, 2:37:57 PM
to FIDO Dev (fido-dev), shin...@gmail.com, Shane Weeden, FIDO Dev (fido-dev), het...@gmail.com
On Friday, November 18, 2022 at 11:50:08 PM UTC-8 shin...@gmail.com wrote:
With Safari on macOS and an Android passkey (play service beta), Safari returns authenticatorAttachment as "Platform". So, with the current implementation, we cannot guide the user to register the passkey on their device (in this example, macOS). I think this is a bug or intentional on Apple's part.

Thanks for the report. I've just tested it and you're correct: the attachment is wrong on iOS at least. I'll forward this to Apple.


Cheers

AGL 
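
The check discussed in this thread, as an added example that is not part of any poster's message: it reads `authenticatorAttachment` from a WebAuthn response and decides whether to offer registration of a local platform passkey. The function names, the `hasLocalPasskeyHint` flag and the sample objects are assumptions made for illustration.

```javascript
// Added example, not code from the thread. The argument is a PublicKeyCredential
// from navigator.credentials.create()/get(), or any object with the same field.
// authenticatorAttachment is set by the client and is not covered by the
// authenticator's signature, so use it to steer UX, not as a security control.

// Normalise the hint. WebAuthn defines the values "platform" and
// "cross-platform"; null, missing or unexpected values become "unknown".
function attachmentOf(credential) {
  const raw = credential ? credential.authenticatorAttachment : null;
  if (typeof raw !== "string") return "unknown";
  const value = raw.toLowerCase(); // tolerate "Platform" as written in the thread
  return value === "platform" || value === "cross-platform" ? value : "unknown";
}

// Decide the follow-up step after a successful ceremony.
// hasLocalPasskeyHint is a hypothetical relying-party flag (for example a
// cookie set after an earlier platform registration in this browser).
function nextStep(credential, hasLocalPasskeyHint = false) {
  const attachment = attachmentOf(credential);
  // Only a positive "cross-platform" report justifies prompting the user.
  // "platform" may be a false negative (the thread reports Safari returning it
  // for a phone-based sign-in), and "unknown" tells us nothing, so both stay quiet.
  const offerLocalRegistration =
    attachment === "cross-platform" && !hasLocalPasskeyHint;
  return { attachment, offerLocalRegistration };
}

// Constructed sample responses containing only the field used here.
const samples = [
  { label: "phone used from another ecosystem", authenticatorAttachment: "cross-platform" },
  { label: "value reported in the thread for Safari", authenticatorAttachment: "Platform" },
  { label: "browser that does not expose the field", authenticatorAttachment: null },
];

for (const sample of samples) {
  console.log(sample.label, nextStep(sample));
}
```
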