This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 31%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Hello,
Is it correct that right now, when any passkey-provider like our MS-authenticator-app prepares the passkey registration ceremony response with attestation, iOS strips off the attestation before handing over response-assertion to the client.
Does this stripping off of attestation have to do anything with the BS and BE flags that are populated by passkey-provider ? Meaning, is it correct statement that iOS removes the attestation blob from the response if the BE and BS flags are set to zero ??
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hello @testuser7,
Thank you for posting your query on Microsoft Q&A.
It is correct that iOS devices strip off the attestation from the response-assertion provided by passkey providers, such as the Microsoft Authenticator app, as part of their privacy-preserving measures. Currently, for passkeys in Microsoft Authenticator, we do not support attestation.
Regarding the BS and BE flags, these flags indicate whether the passkey registration ceremony is being performed in a secure environment. If the BS and BE flags are set to zero, it means that the passkey registration ceremony is not being performed in a secure environment. However, this does not necessarily mean that the attestation blob will be stripped from the response-assertion.
In summary, iOS devices do not support attestation for passkey registration ceremonies, and the removal of attestation from the response-assertion is not directly related to the BS and BE flags.
Please refer to the following documentation for more information:
Hope this includes all the information that you were looking for.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks,
Raja Pothuraju.
Excellent @Raja Pothuraju I think you are to the point so no question except that the two links that you suggested are not opening up.
Hello @testuser7,
Thank you for your response.
Yes, the links that I shared are not opening due to some reason. I am sharing the links again below.
Please remember to "Accept Answer", so that others in the community facing similar issues can easily find the solution.
Thanks,
Raja Pothuraju.
Thanks @Raja Pothuraju I have been through both links in the past. Do you have any formal, official link from Apple explaining about the stripping off of attestation ?
Just for reference to show the clients.
Hello @testuser7,
Thank you for your response.
I was unable to find exact documentation on this from the Apple documentation except forum document. To get help with this, I request you please check with the Apple support team for official documentation from them.
If you have already contacted Apple support, please let us know the update on it so that others in the community facing similar issues can easily find the solution.
Thanks,
Raja Pothuraju.