Passkey Providers: Different Types, AAGUID & Adoption

1. Introduction

When using passkeys or working in the field of passkey implementation, one component becomes pretty important: the passkey provider. However, even though its a crucial part in the passkey ecosystem, many people have only a rough understanding of passkey providers or do not know the difference between a first-party passkey provider , third-party passkey provider andpasskey authentication provider.

This blog post aims to shed light onto it. Whether you're a software developer, a product manager, or simply curious about the latest in web security, understanding the role and types of passkey providers is essential. By demystifying this topic, we seek to empower people with the knowledge to understand passkeys confidently.

2. What is a Passkey Provider?

A passkey provider plays a fundamental role in the ecosystem of passkey-based authentication, acting as the bridge between users' devices and the secure, seamless access to relying parties (online services). But what exactly is a passkey provider, especially as there is no official definition and youll find different interpretations online?

The following definition reflects our understanding and is not claimed to be the only accurate definition.

A passkey provider is essentially any entity that enables the creation, management, and use of passkeys. Through our research, we identified two main categories under which passkey providers can be classified: first- / third- passkey providers and passkey authentication providers.

Become part of our Passkeys Community for updates and support.

Join

2.1 First- & Third-Party Passkey Providers

This category includes entities capable of generating a passkey on the client side (on the users device). When a passkey is created through these platforms, it is managed and stored securely, often in the cloud of an operating system manufacturer (e.g., iCloud Keychain, Google Password Manager) or in a third-party password manager (e.g. KeePassXC, 1Password, Dashlane see more below).

Operating systems that enable passkey creation and management natively are considered first-party passkey providers. In contrast, third-party password managers that integrate with the platform through APIs are referred to as third-party passkey providers.

One first-party or third-party passkey provider has the same Authenticator Attestation Globally Unique Identifiers (AAGUIDs), which help to improve the user experience (e.g. in account settings to distinguish passkeys easier). Sometimes they might have multiple AAGUIDs, which all belong to the same first- or third- party passkey provider.

Passkey providers on an iOS 17.4 device

Passkey providers on an Android 14 device

Android's Credential Manager API

2.2 Passkey Authentication Providers

The second category encompasses authentication providers that developers can integrate into their applications to handle all aspects of passkey management. So, these are providers working more on the server-side (vs. the client-side from above). This definition would also include solutions like Corbado, which offer authentication solutions centered around passkeys to websites and apps. Consequently, these passkey providers should be more accurately described as passkey authentication providers , differentiating them from the above mentioned first- and third-party passkey providers.

In the next sections of this blog post, we will use the term "passkey providers" to refer to first and third-party passkey providers, in accordance with our definition.

3. Identify Passkey Providers via the AAGUID

As users begin to adopt passkeys for various relying parties, managing them effectively emerges as a significant challenge. This is also true for users who utilize multiple passkeys for a single account, as differentiating these passkeys for editing or deletion purposes can be complex for a relying party. Despite the convenience and security that passkeys offer, there's a potential issue if a user loses one of their passkeys. Fortunately, they can still access their account on the relying party using alternative passkeys. To assist users in identifying specific passkeys, some resources suggest to metadata, such as the dates of creation and last use to a passkey in the account settings. Additionally, it is recommended to utilize user agents or client hints to automatically name and categorize passkeys upon creation. However, native Android or iOS apps as well as third-party passkey providers, may not utilize user agents, or they dont add information indicating that a passkey has been generated by a third-party passkey provider. This limitation highlights the need for improved methods to help users manage their passkeys efficiently, regardless of the platform or provider.

Taken from W3C's WebAuthn specification

To facilitate this passkey management, developers can make use of the Authenticator Attestation Globally Unique Identifier (AAGUID). The AAGUID is a unique identifier assigned to the model of the authenticator, not its specific instance. It is embedded within the public key credential's authenticator data, offering a way for relying parties to identify the passkey provider. This capability is crucial in helping users and relying parties navigate the passkey landscape, ensuring that each passkey can be accurately associated with its creation source.

For example, if a passkey is created using Google Password Manager on an Android device, the relying party can receive an AAGUID specific to Google Password Manager. By referencing this AAGUID, the relying party can then mark the passkey accordingly, simplifying management and identification for the user. Moreover, relying parties can prevent creating multiple passkeys for the same passkey provider by using the WebAuthn server option excludeCredentials. This further improves the passkeys UX as each passkey provider will only have one passkey, thus avoiding user confusion.

{
  "attestation": "none",
  "authenticatorSelection": {
    "residentKey": "preferred",
    "userVerification": "preferred"
  },
  "challenge": "6V61d0VM5bNTPxWSsrv7YKz0o4awe0ryoDh1V44RPRn6-mBQwv98BTRws6nMrBhEggGn7-tk1bl3YNSwc0oZpA",
  "excludeCredentials": [
    {
      "id": "1kBn2dmhv5JhuFxqeco1khCBCUBLlWYqZmFtdDujH5pM",
      "transports": [
        "internal"
      ],
      "type": "public-key"
    }
  ],
  "extensions": {
    "credProps": true
  },
  "pubKeyCredParams": [
    {
      "alg": -7,
      "type": "public-key"
    },
    {
      "alg": -257,
      "type": "public-key"
    }
  ],
  "rp": {
    "id": "Passkey Demo",
    "name": "passkeys.eu"
  },
  "user": {
    "displayName": "Test Name",
    "id": "ZG1sdVkyVnxe3SFJsYzNR",
    "name": "Test Name"
  }
}

To determine the passkey provider using an AAGUID, relying parties can refer to a community-sourced repository of AAGUIDs. This repository provides the necessary mappings to identify the passkey provider by name and, potentially, by icon, helping to provide a more intuitive user interface for passkey management. However, it's important to note that some passkey providers might use a generic AAGUID ("00000000-0000-0000-0000-0000000000000") intentionally, representing an unknown or generic provider.

Retrieving the AAGUID is straightforward with most WebAuthn libraries. For instance, when using SimpleWebAuthn on the server-side, developers can extract the AAGUID from the registration information to match it with a known provider, enhancing the user's ability to manage their passkeys with greater ease (taken from Google's "Determine the passkey provider with AAGUID").

// Import a list of AAGUIDs from a JSON file
import aaguids from './aaguids.json' with { type: 'json' };
// ...
// Use SimpleWebAuthn handy function to verify the registration request.
const { verified, registrationInfo } = await verifyRegistrationResponse({
  response: credential,
  expectedChallenge,
  expectedOrigin,
  expectedRPID,
  requireUserVerification: false,
});
// ...
const { aaguid } = registrationInfo;
const provider_name = aaguids[aaguid]?.name || 'Unknown';

While AAGUIDs offer a powerful tool for passkey management, they should be used with caution. The integrity of an AAGUID depends on the attestation process, which validates the authenticity of the passkey provider. Without a valid attestation signature, AAGUIDs could potentially be manipulated. As of March 2024, it's noteworthy that passkeys on some platforms do not support attestation, highlighting the need for careful consideration in their use.

In the following, you find a non-exhaustive list of first- and third-party passkey providers for Android apps, iOS apps and web apps using very common passkey operating system versions and browsers:

4. List of Passkey Providers for Android, iOS & Web

In the following, you find some of the third-party passkey providers popups to create / save a passkey:

4.1 1Password

See the full 1Password analysis here.

4.2 Bitwarden

4.3 Dashlane

See the full Dashlane analysis here.

4.4 Enpass

4.5 KeePassXC

See the full KeePassXC analysis here.

4.6 Keeper

4.7 NordPass

4.8 Proton

5. Conclusion

Central to the deployment and management of passkeys is the role of passkey providers, entities that not only facilitate the creation and management of passkeys but also ensure their seamless integration across various platforms and devices.

Understanding what a passkey provider is, including the distinction between first-party and third-party providers, as well as the critical role of the Authenticator Attestation Globally Unique Identifier (AAGUID) was the goal of this blog posts. The use of AAGUIDs, as discussed, offers a promising solution, enabling a more straightforward identification and management of passkeys.

Besides, we have analyzed which first- and third-party passkey providers currently exists for Android, iOS and Windows helping users also to find a suitable third-party passkey provider or their device of choice

For developers and product managers, the insights into passkey providers and their management not only guide the technical implementation of passkey authentication but also align with the broader goal of enhancing user experience and security.