
Why do some platforms not support attestation for passkeys?

Learn why some platforms do not support attestation for passkeys and how this impacts security and authentication strategies.

Vincent Delitz


Created: February 3, 2025

Updated: August 13, 2025


Why Do Some Platforms Not Support Attestation for Passkeys?

Attestation is a mechanism in WebAuthn that allows relying parties to verify the origin and authenticity of the authenticator that creates and holds a passkey. However, some platforms do not support attestation for passkeys due to privacy concerns, technical limitations, and interoperability considerations.

Reasons Why Attestation May Not Be Supported

  1. Privacy Concerns

    • Attestation can reveal the exact make and model of a device or authenticator, potentially exposing user information.
    • Platforms aiming for privacy-first authentication may disable attestation to avoid tracking risks.
  2. Interoperability and User Experience

    • Enforcing attestation could limit the types of authenticators that can be used.
    • Some platforms prefer flexibility over strict device verification, ensuring broader compatibility across devices and passkey providers.
  3. Reliance on Cloud-Synced Passkeys

    • Many first-party passkey providers (e.g., Apple iCloud Keychain, Google Password Manager) store passkeys in cloud-based vaults and sync them across devices.
    • Since cloud-stored passkeys are not tied to a single hardware authenticator, attestation may not be feasible or necessary.
  4. Security Trade-Offs

    • While attestation helps validate an authenticator’s origin, it is not mandatory for achieving strong security.
    • Relying parties can still enforce security measures like device-bound passkeys and biometric authentication without attestation.
  5. Platform Policies and Implementation Choices

    • Some operating systems or authentication providers may choose not to support attestation due to their security architecture and policies.
    • For example, Apple’s passkey implementation does not support attestation, prioritizing user privacy over attestation-based device verification.

Impact of Missing Attestation

  • Less Granular Device Control: Organizations relying on attestation to enforce device-specific security policies may face challenges.
  • Increased Flexibility: Users can authenticate seamlessly across devices, improving the user experience.
  • Alternative Security Measures Needed: Relying parties may need to use risk-based authentication or client-side security controls instead of attestation.
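
As an added example (not code from the original article), here is one way a relying party could apply the alternative controls mentioned above when the attestation format is `none`: it reads the user-verification and backup flags from the WebAuthn authenticator data to require user verification and a device-bound credential. The `policy` object, function names and sample bytes are assumptions constructed for illustration; without a verified attestation statement, the flags and AAGUID are values reported by the authenticator, not vendor-certified facts.

```javascript
// Authenticator data layout (WebAuthn):
// rpIdHash (32 bytes) | flags (1) | signCount (4) | [aaguid (16) | credIdLen (2) | ...]
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40 };

function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const parsed = {
    userVerified: (flags & FLAG.UV) !== 0,
    backupEligible: (flags & FLAG.BE) !== 0, // credential may be synced
    backedUp: (flags & FLAG.BS) !== 0,       // credential is currently synced
    signCount: view.getUint32(33),           // big-endian counter
    aaguid: null,
  };
  if (flags & FLAG.AT) {
    if (authData.length < 55) throw new Error("attested credential data truncated");
    parsed.aaguid = Array.from(authData.subarray(37, 53), (b) =>
      b.toString(16).padStart(2, "0")).join("");
  }
  return parsed;
}

// `policy` is a hypothetical relying-party setting, not a WebAuthn API object.
function evaluateRegistration(fmt, authData, policy) {
  const d = parseAuthData(authData);
  const reasons = [];
  if (d.backedUp && !d.backupEligible) reasons.push("invalid flags: BS set without BE");
  if (policy.requireUserVerification && !d.userVerified) reasons.push("user verification missing");
  if (policy.requireDeviceBound && d.backupEligible) reasons.push("credential is backup-eligible");
  // fmt "none" carries no attestation statement, so the AAGUID is only an unverified hint.
  // Any other fmt still needs its statement verified against a trust root (not shown).
  return { accepted: reasons.length === 0, hasAttestationStatement: fmt !== "none",
           aaguidHint: d.aaguid, reasons };
}

// Constructed sample: zeroed rpIdHash, signCount 0, constructed AAGUID, empty credential ID.
function sampleAuthData(flags) {
  const buf = new Uint8Array(55);
  buf[32] = flags;
  buf.fill(0xab, 37, 53);
  return buf;
}

const policy = { requireUserVerification: true, requireDeviceBound: true };
const synced = evaluateRegistration("none",
  sampleAuthData(FLAG.UP | FLAG.UV | FLAG.BE | FLAG.BS | FLAG.AT), policy);
const bound = evaluateRegistration("none", sampleAuthData(FLAG.UP | FLAG.UV | FLAG.AT), policy);
console.log(synced, bound);
```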

Conclusion

Not all platforms support passkey attestation due to privacy concerns, cloud-based storage models, and the need for cross-device compatibility. While attestation provides additional security, it is not a mandatory requirement for phishing-resistant authentication. Organizations should balance security needs with user experience when implementing passkeys.
