Backup-eligible and backup-state flags

Two bits in authData's flags byte answer a question that used to be unanswerable from the server side: could this credential disappear if the user loses their device?

What the four combinations mean in practice

BEBSTypical exampleRecovery implication
00 A hardware security key (YubiKey, etc.) Single point of failure — lose the key, lose the credential. Users need a second registered authenticator as a fallback.
10 A brand-new synced passkey, moments after creation, before cloud sync finishes Eligible but not yet safe — momentary window right after registration.
11 An iCloud Keychain or Google Password Manager passkey, fully synced Recoverable on any device signed into the same account — this is the "passkeys just work across my devices" case.
01 Not a valid combination per the spec

Reading the bits

Both flags live in the same single byte as UP and UV — bit 3 (0x08) is BE, bit 4 (0x10) is BS.

const flagsByte = view.getUint8(offset);
offset += 1;
const flags: AuthDataFlags = {
  up: (flagsByte & 0x01) !== 0, // bit 0: user present
  uv: (flagsByte & 0x04) !== 0, // bit 2: user verified
  be: (flagsByte & 0x08) !== 0, // bit 3: backup-eligible
  bs: (flagsByte & 0x10) !== 0, // bit 4: backup-state (currently backed up)
  at: (flagsByte & 0x40) !== 0, // bit 6: attested credential data included
  ed: (flagsByte & 0x80) !== 0, // bit 7: extension data included
};
// 

Check your own credential's flags

This reads BE/BS fresh from a real ceremony — see the flag list in the Inspector below. For the flags of every credential you've registered in this session at a glance, see Credential management.