Backup-eligible and backup-state flags
Two bits in authData's flags byte answer a question that used to
be unanswerable from the server side: could this credential disappear if the
user loses their device?
- BE (backup-eligible) — set at registration time, permanently. It means the authenticator is willing to sync this credential to a backup service (iCloud Keychain, Google Password Manager, a password manager extension). It does not mean it's backed up yet — only that it's allowed to be.
- BS (backup-state) — whether it actually has been backed up, as of this specific ceremony. BS can only be true if BE is true, and — unlike BE — can flip from false to true later, once sync actually completes.
What the four combinations mean in practice
| BE | BS | Typical example | Recovery implication |
|---|---|---|---|
| 0 | 0 | A hardware security key (YubiKey, etc.) | Single point of failure — lose the key, lose the credential. Users need a second registered authenticator as a fallback. |
| 1 | 0 | A brand-new synced passkey, moments after creation, before cloud sync finishes | Eligible but not yet safe — momentary window right after registration. |
| 1 | 1 | An iCloud Keychain or Google Password Manager passkey, fully synced | Recoverable on any device signed into the same account — this is the "passkeys just work across my devices" case. |
| 0 | 1 | Not a valid combination per the spec | — |
Reading the bits
Both flags live in the same single byte as UP and UV — bit 3 (0x08) is BE, bit 4 (0x10) is BS.
const flagsByte = view.getUint8(offset);
offset += 1;
const flags: AuthDataFlags = {
up: (flagsByte & 0x01) !== 0, // bit 0: user present
uv: (flagsByte & 0x04) !== 0, // bit 2: user verified
be: (flagsByte & 0x08) !== 0, // bit 3: backup-eligible
bs: (flagsByte & 0x10) !== 0, // bit 4: backup-state (currently backed up)
at: (flagsByte & 0x40) !== 0, // bit 6: attested credential data included
ed: (flagsByte & 0x80) !== 0, // bit 7: extension data included
};
// Check your own credential's flags
This reads BE/BS fresh from a real ceremony — see the flag list in the Inspector below. For the flags of every credential you've registered in this session at a glance, see Credential management.