Direct Attestation #9
Comments
I've been researching this a lot lately, writing my own similar implementation in Dart. From what I've found, Android has the option of using the KeyStore attestation: https://developer.android.com/training/articles/security-key-attestation But I can't find anything on iOS. The closest I've been able to imagine is if you were to use AppAttest to get an attestation and include the client data hash so it can be verified after by the RP.
I've looked at using passkeys too. While that conveniently implements the WebAuthn standard and you can simply feed it the standard request classes, without having to implement anything about credential storage, the problem is more a UX one because it requires several taps and modal sheets to log in every time the app opens. You could try using the special Safari web view for WebAuthn and that would handle the credential part, but again it's not a great UX to open a web view every time the app opens just to sign an assertion to log in again. It seems like we don't have a good out-of-the-box solution from Apple yet for native mobile to use the Secure Enclave as a crypto authenticator in WebAuthn.
I'm trying to integrate this library to use in iOS 17 and create a Passkeys authenticator. Is it possible?
When using the lib and setting attestation to direct, we are getting back a self-attestation.
Are there plans to use Safari or iOS to sign the attestation for this library instead of self-attestation?
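For a relying party that needs to tell which kind of attestation came back, here is an added example (not code from this library or from anyone in this thread) that classifies a WebAuthn `attestationObject` in the `packed` format: per the WebAuthn specification, an `attStmt` without `x5c` is self attestation. The function names and sample bytes are constructed for illustration, and the check only classifies; it does not verify the signature.

```python
def cbor_decode(buf, pos=0):
    """Decode one CBOR item (subset: ints, bytes, text, arrays, maps)."""
    if pos >= len(buf):
        raise ValueError("truncated CBOR")
    major, info, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if info < 24:
        val = info
    elif info <= 27:
        size = 1 << (info - 24)
        val = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major < 2:
        return (val if major == 0 else -1 - val), pos
    if major in (2, 3):
        raw = bytes(buf[pos:pos + val])
        if len(raw) != val:
            raise ValueError("truncated CBOR string")
        return (raw if major == 2 else raw.decode("utf-8")), pos + val
    if major not in (4, 5):
        raise ValueError("unsupported CBOR major type")
    items = []
    for _ in range(val * (major - 3)):  # a map (5) holds val key/value pairs
        item, pos = cbor_decode(buf, pos)
        items.append(item)
    return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos

def attestation_type(attestation_object):
    """Classify only; the attStmt signature must still be verified."""
    obj, end = cbor_decode(attestation_object)
    if end != len(attestation_object) or not isinstance(obj, dict):
        raise ValueError("malformed attestationObject")
    fmt, stmt = obj.get("fmt"), obj.get("attStmt")
    if fmt == "packed" and isinstance(stmt, dict):
        # packed: x5c present = certificate-backed, absent = self attestation
        return "full" if stmt.get("x5c") else "self"
    return "none" if fmt == "none" else "other:" + str(fmt)

# Constructed samples (placeholder bytes, not real authenticator output).
_t = lambda s: bytes([0x60 + len(s)]) + s.encode()  # short CBOR text string
_b = lambda b: bytes([0x40 + len(b)]) + b            # short CBOR byte string
_ALG_SIG = _t("alg") + b"\x26" + _t("sig") + _b(bytes(4))  # alg -7 (ES256)
_wrap = lambda stmt: (b"\xa3" + _t("fmt") + _t("packed") + _t("attStmt") + stmt
                      + _t("authData") + _b(bytes(4)))
SELF_SAMPLE = _wrap(b"\xa2" + _ALG_SIG)
FULL_SAMPLE = _wrap(b"\xa3" + _ALG_SIG + _t("x5c") + b"\x81" + _b(bytes(4)))
```

An RP whose policy requires certificate-backed attestation would reject a registration where `attestation_type` returns `"self"` or `"none"`, after the usual signature and `authData` checks.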