Why do some platforms not support attestation for passkeys?

Vincent Delitz

Created: February 3, 2025

Updated: February 3, 2025

Why Do Some Platforms Not Support Attestation for Passkeys?#

Attestation is a mechanism in WebAuthn that lets a relying party verify the origin and authenticity of the authenticator that created a credential, i.e. the device or passkey provider that holds the passkey's private key. It is delivered as an attestation statement inside the registration response; its format is "none" when the authenticator provides nothing to verify. Some platforms return exactly that for passkeys, because of privacy concerns, technical limitations of synced credentials, and interoperability considerations.

Reasons Why Attestation May Not Be Supported#

  1. Privacy Concerns

    • An attestation statement carries the authenticator's AAGUID and usually an attestation certificate, which together identify the exact make and model of the device or authenticator. FIDO requires attestation keys to be shared across large batches of devices precisely to limit this, but the information is still disclosed to every site the user registers with and can be used to correlate users across services.
    • Platforms aiming for privacy-first authentication therefore return the attestation format "none", so the relying party learns nothing that could be used for tracking.
  2. Interoperability and User Experience

    • Requiring attestation (and allowlisting AAGUIDs or attestation roots) limits which authenticators can register; every provider that returns "none" is locked out.
    • Some platforms prefer flexibility over strict device verification, ensuring broader compatibility across devices and passkey providers.
  3. Reliance on Cloud-Synced Passkeys

    • Many first-party passkey providers (e.g., Apple iCloud Keychain, Google Password Manager) store passkeys in cloud-based vaults and sync them across devices.
    • Attestation keys are per device: a hardware authenticator signs its attestation statement with a key provisioned at manufacture. A synced passkey's private key is replicated to every device in the user's vault, so there is no single hardware authenticator whose attestation could vouch for it. These providers return the format "none" regardless of the attestation conveyance the relying party requests. The AAGUID in the authenticator data is still populated, but it is self-reported by the provider, not signed by a manufacturer key.
  4. Security Trade-Offs

    • Attestation validates where a credential was created; it does not make the login itself more phishing-resistant. Origin binding and challenge signing work exactly the same with a "none" attestation.
    • Without attestation a relying party can still read the flags in the authenticator data (BE/BS to distinguish synced from device-bound credentials, UV for user verification) and apply policy to them, but these flags are reported by the authenticator itself rather than vouched for by its manufacturer.
  5. Platform Policies and Implementation Choices

    • Some operating systems or authentication providers choose not to support attestation because of their security architecture and policies.
    • For example, passkeys stored in Apple's iCloud Keychain return the attestation format "none" even when the relying party asks for "direct" attestation, prioritizing user privacy over attestation-based device verification.

Impact of Missing Attestation#

  • Less Granular Device Control: Organizations that want to allowlist specific authenticator models (for example, only certified hardware security keys) cannot do so from a "none" attestation, because the AAGUID is then unverifiable.
  • Increased Flexibility: Users can authenticate seamlessly across devices, improving the user experience.
  • Alternative Security Measures Needed: Relying parties may need to use risk-based authentication, the BE/BS flags in the authenticator data, or client-side security controls instead of attestation, and require attestation-capable hardware security keys only where device control is mandatory.

Conclusion#

Not all platforms support passkey attestation, because of privacy concerns, cloud-based storage models, and the need for cross-device compatibility. Attestation provides assurance about the authenticator, not about the login: it is not a requirement for phishing-resistant authentication. Organizations should balance security needs with user experience when implementing passkeys.
