Why do some platforms not support attestation for passkeys?

Why Do Some Platforms Not Support Attestation for Passkeys?#

Attestation is a mechanism in WebAuthn that allows relying parties to verify the origin and authenticity of an authenticator (such as a passkey). However, some platforms do not support attestation for passkeys due to privacy concerns, technical limitations, and interoperability considerations.

Reasons Why Attestation May Not Be Supported#

1. Privacy Concerns

   • Attestation can reveal the exact make and model of a device or authenticator, potentially exposing user information.
   • Platforms aiming for privacy-first authentication may disable attestation to avoid tracking risks.

2. Interoperability and User Experience

   • Enforcing attestation could limit the types of authenticators that can be used.
   • Some platforms prefer flexibility over strict device verification, ensuring broader compatibility across devices and passkey providers.

3. Reliance on Cloud-Synced Passkeys

   • Many first-party passkey providers (e.g., Apple iCloud Keychain, Google Password Manager) store passkeys in cloud-based vaults and sync them across devices.
   • Since cloud-stored passkeys are not tied to a single hardware authenticator, attestation may not be feasible or necessary.

4. Security Trade-Offs

   • While attestation helps validate an authenticator’s origin, it is not mandatory for achieving strong security.
   • Relying parties can still enforce security measures like device-bound passkeys and biometric authentication without attestation.

5. Platform Policies and Implementation Choices

   • Some operating systems or authentication providers may choose not to support attestation due to their security architecture and policies.
   • For example, Apple’s passkey implementation does not support attestation, prioritizing user privacy over attestation-based device verification.

Impact of Missing Attestation#

• Less Granular Device Control: Organizations relying on attestation to enforce device-specific security policies may face challenges.
• Increased Flexibility: Users can authenticate seamlessly across devices, improving the user experience.
• Alternative Security Measures Needed: Relying parties may need to use risk-based authentication or client-side security controls instead of attestation.

Conclusion#

Not all platforms support passkey attestation due to privacy concerns, cloud-based storage models, and the need for cross-device compatibility. While attestation provides additional security, it is not a mandatory requirement for phishing-resistant authentication. Organizations should balance security needs with user experience when implementing passkeys.

Read the full article#

About Corbado

Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →