fid03
Official FIDO2 documentation says otherwise: "passkeys" can either be device-bound or syncable. Here's a brief overview of FIDO2 terms, created by the FIDO Alliance and WICA: https://passkeys.dev/docs/reference/terms/#passkey
I was a bit inaccurate, let me clarify.
Passkeys can be device-bound yes, but that doesn't make device-bound FIDO2 public key credentials and passkeys the same. Passkeys must be discoverable. Non-discoverable FIDO2 public key credentials can provide attestations, while discoverable FIDO2 public key credentials (passkeys) generally do not, due to privacy considerations.
From the spec:
[Passkey] A Client-side discoverable Public Key Credential Source, or Discoverable Credential for short, is a public key credential source that is discoverable and usable in authentication ceremonies where the Relying Party does not provide any credential IDs, i.e., the Relying Party invokes navigator.credentials.get() with an empty allowCredentials argument. This means that the Relying Party does not necessarily need to first identify the user.
I actually made the exact same interpretation as you, and I myself recently argued that non-discoverable FIDO2 public key credentials are passkeys. I then spoke directly to one of the WebAauthn specification editors, who explained that I was wrong, and that the definition on that page also was wrong, due to it not including the discoverability of the credential.
I then informed passkey.dev of this discrepancy months ago and asked for the definition to be updated.
There are several third-party ones such as Passchain. If I follow your reasoning, I should also be able to store the BankID credentials on "roaming authenticators" such as Yubikeys, which I can't.
If that's the case with Passchain I'm very glad to hear that. Please let me know if you've tried using BankID with biometrics via Passchain.
If the "packed" attestation format was allowed, all that would stop you is the client-side authenticatorAttachment: "platform" selection, which filters away roaming authenticators.
What? The WebAuthn specification isn't just about "syncable passkeys". Where are you getting this from? Or are you saying that the FIDO Alliance pretends that it is?
I never claimed it was all about syncable passkeys. But, between level 2 and level 3 (IIRC) of the webauthn spec the focus became less about attestable high-assurance authentication, and more about passkeys and treating passkeys as a password replacement, focusing on increasing adoption.
As a concrete example of this, Apple completely dropped support for attestable non-discoverable device-bound credentials in iOS16, even though they fully supported it in iOS15. Google kept the support.
Please explain where you're getting this from.
These parameter options are explained in the spec.
I think you might've missed the more recent comments about this issue being resolved? The statement in the OP about BankID banning GrapheneOS was an assumption, perhaps or perhaps not a reasonable one but it did seem to create some attention towards the issue.
I'm just clarifying.