How do you check the Backup Eligibility Flag, or Backup State flag?

[anthonyryan1]

With Google and Apple now synchronizing private keys between devices. There is now a Backup Eligibility and Backup State flag in the specification.

https://w3c.github.io/webauthn/#backup-eligibility
https://w3c.github.io/webauthn/#backup-state

How would one go about checking for that flag with this library?

It could be useful from a UI perspective to know a private key will be available from many devices. (e.g. Label it as an "Google Passkey" instead of a "Pixel 5a Passkey").

[Spomky]

Hi,

At the moment, there is no convenient method to get these two values, but it should still be possible.
Both AuthenticatorAssertionResponseValidator::check and AuthenticatorAttestationResponseValidator::check methods emit an event in case of Assertion/Attestation validation success. This event contains the authenticator response and allows the access to the authenticator data

• Attestation ceremony: the authenticator data is in AuthenticatorAttestationResponse->getAttestationObject()->getAuthData()
• Assertion ceremony: the authenticator data is in AuthenticatorAssertionResponse->getAuthenticatorData()

With the authenticator data object, you can call ->getReservedForFutureUse2(), which returns the flag bits 3, 4 and 5.
The BE and BS flags are at bits 3 and 4 respectively.

I will add methods for simplifying this.

[Spomky]

FYI, it is now implemented in the next minor version 4.7.x and it works fine.
I prepared the demo application available at https://webauthn.spomky-labs.com/ and it is able to detect the credential type 🎉