Mosaic lets you control which passkeys are allowed in your application based on passkey type, attestation status, and authenticator model, and restrict passkeys by AAGUID using an allow list or a block list.
These controls are especially important in highly regulated environments, such as banks and financial institutions, where you may need to limit which authenticators can be used and require stronger proof of authenticator provenance.
Attestation is a WebAuthn mechanism that allows an authenticator to prove its identity and provenance during registration. When attestation is provided, Mosaic can verify the authenticator’s make and model by validating the attestation certificate chain against the FIDO Metadata Service (MDS).
Mosaic can enforce attestation for device-bound passkeys. When enforcement is enabled, device-bound passkeys must provide a valid attestation object that can be verified against the FIDO MDS. Synced passkeys are excluded because most sync providers, such as Apple and Google, do not return attestation data.
Passkeys differ in how they are stored and recovered:
Synced passkeys are backed up and synchronized across a user’s devices through a provider, such as Apple iCloud Keychain or Google Password Manager. They improve usability, but are not limited to the original device.
Device-bound passkeys are tied to a single device and cannot be exported or synced. This includes hardware security keys, TPM-backed platform authenticators, and similar devices. They provide stronger device-level guarantees, but if the device is lost, the credential is lost as well.
Mosaic classifies passkeys as synced or device-bound on a best-effort basis using WebAuthn backup eligibility signals when available.
An AAGUID (Authenticator Attestation GUID) is a unique identifier assigned to an authenticator model by its manufacturer. Mosaic can use the AAGUID to allow or block specific authenticator models.
You can configure an allow list or a block list, but not both at the same time. An allow list limits registration and authentication to the specified AAGUIDs, while a block list denies the specified AAGUIDs.
Each setting can affect registration, authentication, or both. Some settings are retroactive, meaning they also apply to passkeys that were registered before the setting changed.
| Setting | Blocks new registrations | Blocks sign-in with existing passkeys | Retroactive |
|---|---|---|---|
| Allow synced passkeys (when turned off) | Yes | Yes | Yes — previously registered synced passkeys stop working |
| Attestation preference | No | No | No — controls what Mosaic requests at registration; set to Direct and locked when enforcement is enabled |
| Enforce attestation | Yes, if no valid attestation | No | No — existing unattested passkeys remain valid |
| AAGUID block list | Yes | Yes | Yes — previously registered passkeys with blocked AAGUIDs stop working |
| AAGUID allow list | Yes, if not in list | Yes, if not in list | Yes — previously registered passkeys not in the allow list stop working |
When Enforce attestation is enabled, Mosaic may re-validate passkeys that provided attestation at registration on a daily basis. Passkeys registered without attestation are not invalidated only because enforcement is enabled later.
Disabling synced passkeys or enabling AAGUID restrictions can immediately lock out users who rely on affected credentials. Review your registered user base before applying these changes in production.
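To make the classification and the table above concrete, the following Python is an added example, not Mosaic's code or API. It parses WebAuthn authenticator data to read the backup-eligibility flag and the AAGUID, then applies a policy with the same settings and the same registration versus sign-in semantics described above (synced and AAGUID rules apply to both, attestation enforcement applies to device-bound passkeys at registration only). The relying-party ID, AAGUIDs and credential IDs are constructed placeholders, and `build_registration_auth_data` exists only to fabricate sample input for the example.

```python
import hashlib
import struct
import uuid
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Flag bits of the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential can be synced by a provider
FLAG_BS = 0x10  # backup state: the credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows (registration only)


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[uuid.UUID]     # only present when FLAG_AT is set
    credential_id: Optional[bytes]  # only present when FLAG_AT is set


def parse_authenticator_data(raw: bytes) -> AuthData:
    """Parse the 37-byte header and, if FLAG_AT is set, the attested credential data."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37-byte header")
    flags = raw[32]
    (sign_count,) = struct.unpack(">I", raw[33:37])
    aaguid = credential_id = None
    if flags & FLAG_AT:
        if len(raw) < 55:
            raise ValueError("truncated attested credential data")
        aaguid = uuid.UUID(bytes=raw[37:53])
        (cred_len,) = struct.unpack(">H", raw[53:55])
        credential_id = raw[55:55 + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("truncated credential id")
        # The COSE public key follows the credential id; it is not needed here.
    return AuthData(raw[:32], flags, sign_count, aaguid, credential_id)


def is_synced(flags: int) -> bool:
    """Best-effort classification: backup-eligible credentials are treated as synced."""
    return bool(flags & FLAG_BE)


@dataclass(frozen=True)
class PasskeyPolicy:
    allow_synced: bool = True
    enforce_attestation: bool = False
    aaguid_allow_list: FrozenSet[uuid.UUID] = frozenset()
    aaguid_block_list: FrozenSet[uuid.UUID] = frozenset()

    def __post_init__(self) -> None:
        if self.aaguid_allow_list and self.aaguid_block_list:
            raise ValueError("configure an allow list or a block list, not both")


def evaluate(policy: PasskeyPolicy, event: str, flags: int,
             aaguid: uuid.UUID, attestation_verified: bool = False) -> List[str]:
    """Return the reasons a passkey is rejected; an empty list means it is allowed.

    event is "registration" or "authentication". At authentication the AAGUID is
    taken from the stored credential record, because assertions carry no AAGUID.
    """
    reasons: List[str] = []
    synced = is_synced(flags)
    if synced and not policy.allow_synced:
        reasons.append("synced passkeys are not allowed")
    # Attestation is enforced for device-bound passkeys at registration only;
    # passkeys registered earlier without attestation are not rejected by this rule.
    if (event == "registration" and policy.enforce_attestation
            and not synced and not attestation_verified):
        reasons.append("device-bound passkey did not present verifiable attestation")
    if policy.aaguid_block_list and aaguid in policy.aaguid_block_list:
        reasons.append(f"authenticator {aaguid} is on the block list")
    if policy.aaguid_allow_list and aaguid not in policy.aaguid_allow_list:
        reasons.append(f"authenticator {aaguid} is not on the allow list")
    return reasons


# Constructed placeholder AAGUIDs (not real authenticator models).
HW_KEY_AAGUID = uuid.UUID("11111111-1111-1111-1111-111111111111")
SYNC_AAGUID = uuid.UUID("22222222-2222-2222-2222-222222222222")


def build_registration_auth_data(flags: int, aaguid: uuid.UUID, cred_id: bytes) -> bytes:
    """Fabricate registration authenticator data for this example (helper, not a real API)."""
    rp_id_hash = hashlib.sha256(b"example.com").digest()
    return (rp_id_hash + bytes([flags | FLAG_AT]) + struct.pack(">I", 1)
            + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id)


def demo() -> dict:
    policy = PasskeyPolicy(allow_synced=False, enforce_attestation=True,
                           aaguid_allow_list=frozenset({HW_KEY_AAGUID}))
    hw = parse_authenticator_data(
        build_registration_auth_data(FLAG_UP | FLAG_UV, HW_KEY_AAGUID, b"\x01" * 16))
    sync = parse_authenticator_data(
        build_registration_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, SYNC_AAGUID, b"\x02" * 16))
    return {
        "hw_attested": evaluate(policy, "registration", hw.flags, hw.aaguid, attestation_verified=True),
        "hw_unattested": evaluate(policy, "registration", hw.flags, hw.aaguid),
        "synced_registration": evaluate(policy, "registration", sync.flags, sync.aaguid),
        # Sign-in with a previously registered synced passkey: the retroactive rules still reject it.
        "synced_signin": evaluate(policy, "authentication", sync.flags & ~FLAG_AT, sync.aaguid),
    }


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "allowed" if not reasons else reasons)
```

Running the script shows the four outcomes from the table: the attested hardware key registers, the same key without attestation is refused at registration, and the synced passkey is refused both at registration and at sign-in because the synced and allow-list rules are retroactive. The `__post_init__` check mirrors the rule that an allow list and a block list cannot be active at the same time.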
These settings are available in the Admin Portal under Authentication Methods > Passkeys, in the Passkey attestation section. See Customize login methods.
You can also configure them through the Login Preferences API using the webauthn_api object.