Determine the passkey provider with AAGUID

Relying parties (RPs) can determine which passkey provider created a passkey by examining the AAGUID of the associated public key credential.

Challenges with passkey management

One of the benefits of passkeys is that users can create multiple passkeys for a single account. This flexibility, combined with the robustness of passkeys, means that a user who loses one of their passkeys is not locked out of the account: they can still sign in to the relying party with an alternative passkey.

The challenge for users who manage multiple passkeys on an RP is identifying the right passkey when they need to edit or delete a specific one. A good example is when a user wants to remove an unused passkey. RPs are recommended to attach information about each passkey, such as its creation date and last-used date, to the passkey list. This helps users find a specific passkey.

RPs can also allow users to name a passkey, either when it is created or later, but many users don't. Ideally, passkeys are named automatically based on signals sent from the client or information included in the public key credential.

Browsers provide a user agent string that relying parties can use to name passkeys, but on platforms such as Android, iOS, or desktop browsers with extension support, a passkey may be created by a third-party password manager, so the user agent string does not necessarily identify the actual passkey provider.

With the Authenticator Attestation Globally Unique Identifier (AAGUID), which is included in the public key credential returned on passkey registration, RPs can determine the passkey provider and use it to help users find the right passkey.

Determine the passkey provider with AAGUID

AAGUID is a unique identifier for the model of the authenticator (not for a specific instance of the authenticator). The AAGUID can be found as part of a public key credential's authenticator data.

Figure: Attestation object layout showing the included authenticator data (containing the attested credential data, where the AAGUID is found) and the attestation statement.

RPs can use the AAGUID to identify the passkey provider. For example, if a user creates a passkey on an Android device using Google Password Manager, the RP receives an AAGUID of "ea9b8d66-4d01-1d21-3ce4-b6b48cb575d4". The RP can then annotate the passkey in the passkey list to indicate that it was created with Google Password Manager.

Figure: An example passkey management UI. The passkey settings within the security settings page show detailed information about each passkey.

To map an AAGUID to a passkey provider, RPs can use a community-sourced repository of AAGUIDs. Looking up the AAGUID in that list yields the passkey provider's name and its icon as SVG data.

Retrieving the AAGUID is a feature most WebAuthn libraries provide. The following example shows server-side registration code using SimpleWebAuthn:

// Import a list of AAGUIDs from a JSON file
import aaguids from './aaguids.json' with { type: 'json' };
import { verifyRegistrationResponse } from '@simplewebauthn/server';

...

// Use SimpleWebAuthn's handy function to verify the registration response.
const { verified, registrationInfo } = await verifyRegistrationResponse({
  response: credential,
  expectedChallenge,
  expectedOrigin,
  expectedRPID,
  requireUserVerification: false,
});

// registrationInfo is only populated when verification succeeded.
if (!verified || !registrationInfo) {
  throw new Error('Passkey registration could not be verified');
}

...

// The library has already parsed the AAGUID out of the authenticator data;
// map it to a provider name, falling back to 'Unknown' when it is not listed.
const { aaguid } = registrationInfo;
const provider_name = aaguids[aaguid]?.name || 'Unknown';
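The same lookup done by hand on raw authenticator data, as an added example that is not from the article or from SimpleWebAuthn: it walks the WebAuthn authenticator data layout to pull out the 16 AAGUID bytes, checks the AT flag and the length fields first, and maps the result to a provider name. The AAGUID table and the sample bytes are constructed here; only the Google Password Manager AAGUID comes from the article.

```javascript
// Added example (not from the article): extract the AAGUID from raw WebAuthn
// authenticator data and map it to a provider name. Layout per the WebAuthn
// spec: rpIdHash (32) | flags (1) | signCount (4) | attestedCredentialData,
// where attestedCredentialData = aaguid (16) | credIdLen (2) | credId | COSE key.
const FLAG_AT = 0x40; // "attested credential data included"

// Returns the AAGUID as a lowercase UUID string, or null when the AT flag is
// clear (assertion-style authenticator data carries no attested credential data).
function extractAaguid(authData) {
  const b = authData instanceof Uint8Array ? authData : new Uint8Array(authData);
  if (b.length < 37) throw new Error('authenticator data shorter than 37 bytes');
  if ((b[32] & FLAG_AT) === 0) return null;
  if (b.length < 55) throw new Error('attested credential data is truncated');
  const credIdLen = (b[53] << 8) | b[54];
  if (b.length < 55 + credIdLen) throw new Error('credential id is truncated');
  const hex = Array.from(b.subarray(37, 53), (x) => x.toString(16).padStart(2, '0')).join('');
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16), hex.slice(16, 20), hex.slice(20)].join('-');
}

// Constructed stand-in for the community AAGUID list; the Google Password
// Manager entry is the one quoted in the article.
const AAGUIDS = {
  'ea9b8d66-4d01-1d21-3ce4-b6b48cb575d4': { name: 'Google Password Manager' },
};

function providerName(aaguid) {
  return (aaguid && AAGUIDS[aaguid]?.name) || 'Unknown';
}

// Build constructed authenticator data: zeroed rpIdHash, the given flags,
// signCount 0, the AAGUID, a 4-byte credential id and a 3-byte stub COSE key.
function sampleAuthData(aaguidUuid, flags = 0x45 /* UP | UV | AT */) {
  const hex = aaguidUuid.replace(/-/g, '');
  const aaguid = hex.match(/../g).map((h) => parseInt(h, 16));
  const attested = (flags & FLAG_AT) ? [...aaguid, 0x00, 0x04, 1, 2, 3, 4, 0xa1, 0x01, 0x02] : [];
  return Uint8Array.from([...new Array(32).fill(0), flags, 0, 0, 0, 0, ...attested]);
}

const gpm = 'ea9b8d66-4d01-1d21-3ce4-b6b48cb575d4';
console.log(providerName(extractAaguid(sampleAuthData(gpm))));        // Google Password Manager
console.log(providerName(extractAaguid(sampleAuthData(gpm, 0x05))));  // Unknown (AT flag clear)
```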

Conclusion

AAGUID is a unique identifier that tells the RP which passkey provider (authenticator model) created a passkey. RPs can use the AAGUID to make it easier for users to manage their passkeys, and a community-sourced repository of AAGUIDs can be used to map AAGUIDs to passkey providers.