Forum Discussion
passkeys in the Authenticator app regarding attestation
- May 12, 2026
Hello jgeisler
From what I understand, the observed behavior aligns with the WebAuthn/FIDO2 cross-device authentication model used by Microsoft Authenticator. The confusion likely comes from the documentation mixing different concepts:
- cross-device registration
- cross-device authentication
- attestation enforcement
The QR code + Bluetooth LE flow is part of the official cross-device authentication mechanism. In this scenario, the private key remains stored on the mobile device (device-bound) and only signs the authentication challenge remotely after BLE proximity validation.
Microsoft documentation indicates that when attestation is enabled, restrictions mainly apply to cross-device registration, and in some pages it also mentions cross-device authentication. However, behavior may vary depending on the current implementation, tenant policy configuration, and how the passkey was originally registered.
So based on your test results, this does not appear to be a bypass. It is most likely the expected cross-device authentication behavior supported by Microsoft Authenticator, even when the passkey itself remains device-bound.
After doing some more research, I also think this behavior is to be expected. However, as you mentioned, the documentation would need to be updated in several places to make it clearer for everyone.
Thanks
Johannes