webauthn

Discovery of migrated credentials

Open sbweeden opened this issue 2 months ago • 2 comments

Description

We are starting to see real world deployments of credential exchange, allowing passkeys to be transferred or copied between passkey providers. Apple, Dashlane and Bitwarden already have offerings and these were demonstrated at Authenticate 2025.

RPs capture an AAGUID at registration time and use it to assist with user self care (USC) interfaces to display passkey providers' icons and descriptions. These are static and become stale following use of a passkey from a new provider after a credential exchange event.

To provide more meaningful USC experiences, RPs should be able to discover at least the AAGUID of the passkey provider on navigator.credentials.get calls as well.

Several options exist and some have been previously proposed for how this might be done, including:

  • Attestation on get
  • An extension (perhaps an authenticator extension, or something extending the current credProps client extension)
  • Perhaps something conveyed in ClientData (if the client knows what passkey provider it is interacting with)

Initially, I would like to hear from browser vendors on the art of the possible here and ensure we formally cover this topic during the L4 work.

One ask is that the signal be as reliable as possible; if it can be signed as part of the authentication response, that would be preferred over an unsigned client extension.

sbweeden, Oct 14 '25 20:10
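To make the registration-versus-authentication gap described above concrete, here is an added example (not code from the spec or from anyone in this thread) that parses WebAuthn authenticator data the way an RP does. The AAGUID lives in the attested credential data, which is present only when the AT flag is set, so a navigator.credentials.get() response gives the RP nothing with which to refresh its stored provider identity. The authData bytes and AAGUID value are constructed samples.

```javascript
// Added example: RP-side parsing of WebAuthn authenticator data (authData).
// Layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) |
//   [attestedCredentialData: aaguid(16) | credIdLen(2) | credId | COSE key] | [extensions]
// The attested credential data block exists only when flags has AT (0x40) set,
// which is the case for create() responses but not for get() responses.
const FLAG_UP = 0x01, FLAG_UV = 0x04, FLAG_AT = 0x40;

function formatUuid(bytes) {
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
}

// Returns the fixed header fields plus the AAGUID as a UUID string, or null
// when the response carries no attested credential data (the get() case).
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authData too short");
  const flags = authData[32];
  const signCount = new DataView(authData.buffer, authData.byteOffset + 33, 4).getUint32(0, false);
  let aaguid = null;
  if (flags & FLAG_AT) {
    if (authData.length < 55) throw new Error("truncated attested credential data");
    aaguid = formatUuid(authData.slice(37, 53));
  }
  return { rpIdHash: authData.slice(0, 32), flags, signCount, aaguid };
}

// Constructed sample authData (placeholder rpIdHash and credential fields, not real output).
function buildAuthData({ flags, signCount, aaguid }) {
  const header = new Uint8Array(37);
  header.fill(0xab, 0, 32); // placeholder rpIdHash
  header[32] = flags;
  new DataView(header.buffer).setUint32(33, signCount, false);
  if (!(flags & FLAG_AT)) return header;
  // aaguid | credIdLen = 4 | credId | 0xa0 = empty CBOR map standing in for the COSE key
  const tail = new Uint8Array([...aaguid, 0x00, 0x04, 1, 2, 3, 4, 0xa0]);
  const out = new Uint8Array(header.length + tail.length);
  out.set(header);
  out.set(tail, header.length);
  return out;
}

const SAMPLE_AAGUID = new Uint8Array([0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
                                      0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef]);
// create(): UP|UV|AT, AAGUID present.  get(): UP|UV only, no AAGUID to refresh from.
const registrationAuthData = buildAuthData({ flags: FLAG_UP | FLAG_UV | FLAG_AT, signCount: 0, aaguid: SAMPLE_AAGUID });
const assertionAuthData = buildAuthData({ flags: FLAG_UP | FLAG_UV, signCount: 7 });
parseAuthData(registrationAuthData).aaguid; // "01234567-89ab-cdef-0123-456789abcdef"
parseAuthData(assertionAuthData).aaguid;    // null
```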

@sbweeden we already committed to addressing this in L4 at the last TPAC: #2157.

timcappalli, Oct 14 '25 22:10

One ask is that the signal be as reliable as possible; if it can be signed as part of the authentication response, that would be preferred over an unsigned client extension.

This is, I think, worth spending a little bit of time on. The credProps path from last year still seems sensible to me a year later. But I also like Shane's idea of adding the AAGUID to part of the data that the signature is generated over during auth to give a bit of tamper resistance to the AAGUID's conveyance. Not for using it for policy, but just a modicum of trust that the authenticator was able to convey its unattested identity.

MasterKale, Oct 14 '25 22:10