--- url: 'https://www.corbado.com/faq/why-some-platforms-do-not-support-attestation-for-passkeys' title: 'Why do some platforms not support attestation for passkeys?' description: 'Learn why some platforms do not support attestation for passkeys and how this impacts security and authentication strategies. ' lang: 'en' keywords: 'passkey attestation, WebAuthn attestation, attestation support' --- # Why do some platforms not support attestation for passkeys? ## Why Do Some Platforms Not Support Attestation for Passkeys? [Attestation](https://www.corbado.com/glossary/attestation) is a mechanism in **WebAuthn** that allows relying parties to verify the origin and authenticity of an [authenticator](https://www.corbado.com/glossary/authenticator) (such as a passkey). However, **some platforms do not support attestation for passkeys** due to **privacy concerns, technical limitations, and interoperability considerations**. ### Reasons Why Attestation May Not Be Supported 1. **Privacy Concerns** - [Attestation](https://www.corbado.com/glossary/attestation) can reveal the **exact make and model of a device or authenticator**, potentially exposing user information. - Platforms aiming for **privacy-first authentication** may disable [attestation](https://www.corbado.com/glossary/attestation) to **avoid tracking risks**. 2. **Interoperability and User Experience** - Enforcing attestation could **limit the types of authenticators** that can be used. - Some platforms prefer **flexibility over strict device verification**, ensuring **broader compatibility** across devices and [passkey providers](https://www.corbado.com/blog/passkey-providers). 3. **Reliance on Cloud-Synced Passkeys** - Many **first-party passkey providers** (e.g., Apple [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain), [Google Password Manager](https://www.corbado.com/blog/how-to-use-google-password-manager)) store passkeys in **cloud-based vaults** and sync them across devices. - Since **cloud-stored passkeys** are not tied to a single hardware [authenticator](https://www.corbado.com/glossary/authenticator), attestation may not be feasible or necessary. 4. **Security Trade-Offs** - While attestation helps validate an [authenticator](https://www.corbado.com/glossary/authenticator)’s origin, it is not **mandatory** for achieving strong security. - **Relying parties** can still enforce security measures like **device-bound passkeys and biometric authentication** without attestation. 5. **Platform Policies and Implementation Choices** - Some operating systems or authentication providers may choose **not to support attestation** due to their **security architecture and policies**. - For example, **Apple’s passkey implementation does not support attestation**, prioritizing **user privacy** over attestation-based device verification. ### Impact of Missing Attestation - **Less Granular Device Control**: Organizations relying on attestation to enforce **device-specific security policies** may face challenges. - **Increased Flexibility**: Users can authenticate **seamlessly across devices**, improving the **user experience**. - **Alternative Security Measures Needed**: Relying parties may need to **use risk-based authentication** or **client-side security controls** instead of attestation. ### Conclusion Not all platforms support **passkey attestation** due to **privacy concerns, cloud-based storage models, and the need for cross-device compatibility**. While attestation provides additional security, it is not a **mandatory requirement** for **phishing-resistant** authentication. Organizations should **balance security needs with user experience** when implementing passkeys. ## Read the full article