authenticationwebauthnpasskey

Does WebAuthn support finding out where passkeys are stored?


When I was trying out creating passkeys for my Google account, I was surprised to see that it knew where my passkey was stored (1Password, iCloud Keychain, security key etc).

Now, I have been studying the WebAuthn protocol for some time now, and have even looked at the protocol extensions, but I couldn't find anywhere a way to obtain information on what kind of a passkey the user is registering.

Is this supported by WebAuthn? I think it would be a nice alternative to requiring the user to provide a nickname for their passkeys.


Solution

  • The attested credential data that is returned when creating a WebAuthn credential contains an AAGUID, which is an opaque 16-byte value. It is often all zeros but, if not, it identifies the make & model of a security key, or else a passkey provider.

    Some values for passkey providers are listed at https://github.com/passkeydeveloper/passkey-authenticator-aaguids/blob/main/aaguid.json