Discovery of migrated credentials #2340

@sbweeden

Description

We are starting to see real-world deployments of credential exchange, allowing passkeys to be transferred or copied between passkey providers. Apple, Dashlane and Bitwarden already have offerings and these were demonstrated at Authenticate 2025.

RPs capture an AAGUID at registration time and use it to assist with user self care (USC) interfaces to display passkey provider icons and descriptions. These are static and become stale following use of a passkey from a new provider after a credential exchange event.

To provide more meaningful USC experiences, RPs should be able to discover at least the AAGUID of the passkey provider on navigator.credentials.get calls as well.

Several options exist and some have been previously proposed for how this might be done, including:

  • Attestation on get
  • An extension (perhaps an authenticator extension, or something extending the current credProps client extension)
  • Perhaps something conveyed in ClientData (if the client knows what passkey provider it is interacting with)

Initially would like to hear from browser vendors on the art of the possible here and ensure we formally cover this topic during the L4 work.

One ask is that the signal be as reliable as possible: if it can be signed as part of the authentication response, that would be preferred over an unsigned client extension.
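The registration-time capture described in this issue, as an added example that is not part of the original issue or of any RP's code: parsing authenticator data shows the AAGUID sits in the attested credential data, which is present only when the AT flag is set, as on registration responses and not on today's `navigator.credentials.get` responses. The function names, the zeroed rpIdHash and the sample AAGUID are constructed for illustration.

```javascript
// Authenticator data layout: rpIdHash[32] | flags[1] | signCount[4] | optional attested credential data
const FLAG_AT = 0x40; // attested credential data (AAGUID, credential id, public key) present

function formatAaguid(bytes) {
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
}

function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  const result = { flags, signCount: view.getUint32(33), aaguid: null, credentialId: null };
  if (flags & FLAG_AT) {
    if (authData.length < 55) throw new Error("truncated attested credential data");
    const idLen = view.getUint16(53); // big-endian credential id length
    if (authData.length < 55 + idLen) throw new Error("truncated credential id");
    result.aaguid = formatAaguid(authData.subarray(37, 53));
    result.credentialId = authData.subarray(55, 55 + idLen);
  }
  return result;
}

// Constructed sample builder: zeroed rpIdHash, made-up AAGUID, no real provider.
function buildSample(flags, aaguidBytes) {
  const head = new Uint8Array(37);
  head[32] = flags;
  if (!(flags & FLAG_AT)) return head; // shape of a typical assertion today
  const credId = Uint8Array.of(1, 2, 3, 4);
  const out = new Uint8Array(37 + 16 + 2 + credId.length);
  out.set(head);
  out.set(aaguidBytes, 37);
  out[54] = credId.length; // low byte of the 2-byte length
  out.set(credId, 55);
  return out; // COSE public key omitted; not needed to read the AAGUID
}

// What a USC page can rely on after an assertion: the value stored at registration,
// unless the assertion itself carries an AAGUID.
function providerForDisplay(storedAaguid, assertionAuthData) {
  const { aaguid } = parseAuthData(assertionAuthData);
  return aaguid
    ? { aaguid, source: "assertion" }
    : { aaguid: storedAaguid, source: "registration (possibly stale)" };
}
```
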
