In case the new credential provider extension is in use, the client on an iOS device will be using a third-party authenticator. Is Apple still setting both of the bits to true? This does not seem to be the correct behavior. Shouldn't the client platform interfere with the communications between the RP and the authenticator? Isn't this what the specification requires of the client? Thanks!

Thank you for confirming that these features are not yet available! There are reasons why such information and/or extensions are included in the standard draft. To be compliant to the standard, these really should be supported. Otherwise, we might as well just use the platform authenticators, as we won't be able to realize the full potential of the standard. In the interest of promoting the adoption of passkey standard, the platform vendors should step up the efforts to be a true enabler.