Passkeys in iCloud Keychain


Use public-key-based credentials using the WebAuthn standard that are synced with iCloud Keychain.

Posts under Passkeys in iCloud Keychain tag (108 posts). Each post is listed with its replies, boosts, views and last activity.

Automatic Passkey Upgrades for Passwordless Accounts
My team is very interested in integrating the new automatic passkey upgrade functionality into our app. Our app does not currently use passwords; instead, to log in it uses phone number and SMS code verification (along with email code verification if the device is unknown). While watching the session on automatic passkey upgrades, it was noted that the system/credential manager checks to ensure that a password was just autofilled for the same account before allowing an automatic passkey upgrade. Since our app does not use passwords, does this mean we are ineligible for taking advantage of automatic passkey upgrades? Or is there something else we can do to ensure the upgrade goes through?
Replies: 0 | Boosts: 0 | Views: 8 | Activity: 30m
Device unable to download the AASA file when using a domain name with special characters
Hello, I have a fully functional WebAuthn relying party that uses passkeys and I am trying to implement an iOS SDK for it. On the server, the AASA file is valid and well served at /.well-known/assetlinks.json. I verified its validity with branch.io and that it is indeed cached by Apple's CDN (https://app-site-association.cdn-apple.com/a/v1/service.domain.com), but even with all this I still get the following error when installing the app on a device and starting the passkey ceremony:

Passkey authorization failed. Error: The operation couldn’t be completed. Application with identifier TEAM.com.APP is not associated with domain service.domain.com

So I then checked the system log when installing the app on my iPhone, and under the swcd process (which is apparently responsible for fetching the AASA file) I found the following error:

swcd: Domain is invalid. Will not attempt a download.

The issue I have is that my domain is actually an IDN; it has a special character in it. But everywhere I have used it, I converted it to ASCII (punycode). With this conversion, Apple's CDN is able to fetch the AASA file, and the passkey ceremony works fine in a browser. So I don't understand how the device (both iPhone and Mac) finds this domain to be invalid. In the app's entitlements, I added the capability for an associated domain, with webcredentials:service.domain.com, with the domain name converted to ASCII (punycode). Developer mode doesn't address this issue, as it appears when the app is installed (and is not related to Apple's CDN). The last thing I tried was to add the domain with special characters in the app's entitlements (for webcredentials:), but then Xcode was unable to install the app on the device and gave the following error:

Failed to verify code signature (A valid provisioning profile for this executable was not found.)

This happened only with a special character in the domain in the app's entitlements.

All this leaves me at kind of a dead end. I understand Xcode or iOS/macOS has a hard time with IDNs and special characters (so do I), but I have no idea how to solve this (without changing the domain name), so I would really appreciate any help. Thanks in advance.

PS: I tested all this previously with another domain without special characters and it was working. It also had dashes ('-') in it, and the new domain converted to ASCII is basically a regular domain with '-' in it, so I suppose there is some kind of conversion made from ASCII back to special characters and that then the domain is considered invalid, but this doesn't really help me a lot...

PS2: My devices are running iOS 17.4.1 and macOS 14.4.1 with Xcode 15.2
Replies: 0 | Boosts: 0 | Views: 53 | Activity: 21h
Bug: AASA file not fetched on app install
~5% of our users, when downloading the iOS application from the Apple Store for the first time, are unable to enrol a passkey and experience an error saying the application is not associated with [DOMAIN]. The error message thrown by the iOS credentials API is "The operation couldn't be completed. Application with identifier [APPID] is not associated with domain [DOMAIN]". We have raised this via the developer support portal with case id: 102315543678.

Question: Why does the AASA file fail to fetch on app install, and is there anything that can be done to force the app to fetch the file? Can this bug be looked at urgently, as it is impacting security-critical functionality?

Other debugging observations:
- We have confirmed that our AASA file is correctly formatted and hosted on the Apple CDN. Under normal circumstances the association is created on install and passkey enrolment works as intended.
- We have observed that when customers uninstall/reinstall the app, this often, but not always, resolves the issue.
- We also know this issue can resolve itself over time without any intervention.
- We have ruled out network (e.g. VPN) issues and have reproduced the issue across a number of different network configurations.
- We have ruled out the keychain provider and have reproduced it across a variety of different providers and combinations thereof.
- We have observed this across multiple versions of the iOS operating system and iPhone hardware, including the latest hardware and iOS version.
Replies: 3 | Boosts: 2 | Views: 102 | Activity: 16h
Question about Passkey Errors
My team is currently working on implementing passkeys and wanted to better understand the various errors that can be thrown both when creating and logging in with a passkey. To my understanding, after invoking the passkey request via the authorization controller, if an error occurs, the authorizationController(controller:didCompleteWithError:) delegate method will be called. The error will be an ASAuthorizationError, and there are a few codes listed here. The docs are a bit vague about when each of these errors can occur and what the difference is between them, so I am posting this in the hopes of gaining more clarity. The errors for which we'd like some clarification are:

- failed: This is pretty generic. How might this code be different from the other failure reasons, and what could cause it to be thrown, either for creation or for authorization?
- invalidResponse: Does this mean that the system received an invalid response from the Relying Party?
- notHandled: What might cause the authorization request not to be handled?
- notInteractive: What does it mean for the authorization request to not be interactive? Does this mean that none of the specified credentialIDs are available?

Finally, is it possible for both creation and authorization to throw all of these errors, or are there some that are exclusive? Any help would be appreciated, thank you.
Replies: 2 | Boosts: 0 | Views: 156 | Activity: 19h
Using Passkeys on Apple.com
I have two Apple IDs. I use one with my Apple developer account and the other is my primary Apple ID that I mainly use for everything else. In the past, I have used them on separate MacBooks, but I am now trying to consolidate everything onto one MacBook. I have created a Passkey for my Apple.com store account and that works well. However, when I try to log into an Apple developer related site (e.g. developer.apple.com), it initially offers to use my personal Passkey with an option to use a different Apple ID. When I select "use a different Apple ID" and select my developer Apple ID, it only offers to allow me to log in with a password or with a QR code using a Passkey on a different device. Is it possible to set up a Passkey for my Apple developer account on the same MacBook that already has a Passkey set up for my Apple Store account? If so, what is the process to create it? If it helps, both of my Apple IDs are members of the same Family. Thanks.
Replies: 0 | Boosts: 0 | Views: 181 | Activity: 1w
Using Passkeys on Apple sites
I have two Apple IDs. I use one with my Apple Developer account and the other is my primary Apple ID that I mainly use for everything else. In the past, I have used them on separate MacBooks, but I am now trying to consolidate everything onto one MacBook. I have created a Passkey for my Apple.com store account and that works well. However, when I try to log into an Apple developer related site (e.g. developer.apple.com), it initially offers to use my personal Passkey with an option to use a different Apple ID. When I select "use a different Apple ID" and select my developer Apple ID, it only allows me to log in with a password or with a QR code using a Passkey on a different device. Is it possible to set up a Passkey for my Apple developer account on the same MacBook that already has a passkey set up for my Apple store account? If so, what is the process to create it? If it helps, both of my Apple IDs are members of the same Family. Thanks.
Replies: 2 | Boosts: 0 | Views: 241 | Activity: 1w
The scammers are able to emulate MacBook M1/M2/M3 devices and steal access via lock to iCloud
I am a simple Mac seller: I buy broken laptops from people, repair them and sell them. One day a customer asked me to show him a video of four of my laptops. After he got only the video, all of them became iCloud LOCKED.

Summary: my case numbers are 102302104385 and 102309395011.

My story is simple. The customer asked me for a video of the MacBook because, as he told me, he needed confirmation of how the laptops looked. I did not see any suspicious action here; the customer just wanted me to show him the laptop online. So I did it, just sent him the video, and that is all. Then he asked me to send video of three more MacBooks. After that he asked me to use Erase All Content and Settings. I was sure there would be no problem, because I had just replaced the motherboard two weeks ago, so what could be wrong? When I did it, the MacBook asked the Apple server to allow activation and it was refused. Somehow the person who got the video of the laptop made a copy of the signal that the Apple laptop sends to the Apple activation server, connected it to his Apple ID and then enabled FMI/FMD, while all this time my laptops were turned off. But I have video confirmation in my cases that all laptops were without any Apple ID and had a new and fresh macOS. After that I was not able to pass activation, because I was scammed and an unknown person connected four of my laptops to an unknown account, so in fact they are all bricked now. He asked me to pay $1000. I told Apple about it and they answered me that it is just my fairy tale and it is not possible. I told them that there is a hole in the security and identification of Apple devices during enabling of FMI/FMD, but as I see it they do not care. I think there must be about 100 or 1000 of the same cases; maybe after that they will take care of it. So now I wonder if there are any more victims who have the same problem?

Or check here on YouTube: ServisTT. Apple support and I also did a full Apple diagnostic on all devices. I want Apple to compare MAC addresses and other Mac information with the signal that was emulated by the scammer to prove my words, because the scammer was at a different location and his emulation device or software was different from my original MacBook.

Steps to reproduce: https://www.youtube.com/watch?v=58AgEcZvrYg&t=98s or check here on YouTube: ServisTT

Expected results: I want Apple to compare MAC addresses and other Mac information with the signal that was emulated by the scammer to prove my words, because the scammer was at a different location and his emulation device was different from my original one. Also, if you find out that he used the Hardware UUID, why not mask it or hide it, or make it visible only with the password?

Actual results: NO ONE TRUSTS ME AND NO ONE WANTS TO HELP ME
Replies: 0 | Boosts: 0 | Views: 279 | Activity: 2w
Remote passkey autofill request handling
I recently implemented the "ASCredentialProviderViewController" class for my password manager in order to support passkeys. Passkey registration and assertion work correctly, but remote fulfilling is not working as expected.

Use case:
1. The user wants to sign in with a passkey on some computer.
2. A QR code is displayed and the user scans the QR code.
3. The Apple authentication bottom sheet is opened and the client can pick my app as a provider.
4. ISSUE HERE: my app doesn't receive the passkey request parameters and is not able to generate the assertion answer.

I was hoping the following functions would be called, but it's not the case:

prepareCredentialList(for serviceIdentifiers: [ASCredentialServiceIdentifier], requestParameters: ASPasskeyCredentialRequestParameters)
prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest)
provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest)

=> Please, how can my app receive the passkey request parameters in order to generate the assertion answer in this situation?
Replies: 0 | Boosts: 0 | Views: 138 | Activity: 2w
Passkey AutoFill won't show the "passkey" prompt above the native keyboard
We implemented the passkeys AutoFill feature in iOS 16.6 and later verified it in iOS 17.0 as well. But when we upgraded to iOS 17.5, the available passkeys AutoFill prompt has disappeared. No code changes were made on our side. We also upgraded to iOS 17.5.1 and checked; it still doesn’t show the prompt on the keyboard. For AutoFill we are calling the 'performAutoFillAssistedRequests()' API on our ASAuthorizationController after fetching the assertion options response from our Relying Party. Our text field's content type is set to ‘username’.

Additional info: Before making the performAutoFillAssistedRequests() API call, when we tap the ‘Passwords’ icon on the keyboard, it only shows the passwords saved on the iPhone. But after making the call, we can see the available passkeys as well in the list. We are making the fetch assertion options call in the textField delegate after typing more than two characters. I already raised a bug in Feedback Assistant on this: FB13809196. I attached a video and a sysdiagnose file there.
Replies: 0 | Boosts: 0 | Views: 235 | Activity: 2w
Clarification on Passkeys Display in iOS 16
Hello, I run a website that's using FIDO for user logins. A lot of our users set up their device-bound passkeys back when they were on iOS 15. Now that they're moving to iOS 16, I'm trying to figure out what happens with those passkeys. Here's my question: When these users upgrade to iOS 16 and start using other devices, how does iOS handle their existing passkeys? Do they see both the old device-bound and the new synced passkeys in the UI, or does it somehow merge them? This might not be an issue in the latest iOS 17, but I'm interested in knowing if it could occur in earlier versions like iOS 16. I'm aiming to make this transition to synced passkeys as smooth as possible for my users and just want to make sure I understand the UX changes that come with iOS 16. Thanks!
Replies: 1 | Boosts: 0 | Views: 203 | Activity: 1w
preferImmediatelyAvailableCredentials not working with third party password managers
Hello, I'm currently integrating a feature in our app that allows customers to set up a passkey. Once set up, users are prompted to use their passkey at the sign-in page. For users without a registered passkey, we ensure that the passkey assertion request fails silently to maintain a smooth login experience, using preferImmediatelyAvailableCredentials effectively for this purpose. However, we've noticed that when users are employing third-party password managers like 1Password or Bitwarden, they encounter a QR code fallback. Discussions with 1Password have revealed that iOS does not currently extend preferImmediatelyAvailableCredentials to these services. I would appreciate any advice on how to harmonize the behavior between iCloud Keychain and third-party password providers to ensure a consistent user experience.
Replies: 0 | Boosts: 0 | Views: 194 | Activity: May ’24
Passkey registration failing while implementing a third party passkeys manager
We are implementing a 3rd party Passkeys Manager app for iOS. In the iOS app, in the CredentialProviderViewController, I've implemented:

func prepareCredentialList(for serviceIdentifiers: [ASCredentialServiceIdentifier])
func provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest)
func prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest)
func prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest)

When testing on web pages like webauthn.io and webauthn.me, our app shows up as one of the options for creating a passkey. We are getting the calls in prepareInterface() and handling it as advised here: https://developer.apple.com/documentation/authenticationservices/ascredentialproviderviewcontroller/4172626-prepareinterface/ However, the registration is failing. I understand that in this function we need to create a passkey using a crypto library and then call completeRegistrationRequest(using:completionHandler:). The documentation on this is scant, so it is hard to debug for this reason. Need help fixing this issue.

- What could we be missing?
- Is there any sample code for overriding these functions?
- Any recommendations on the crypto library for generating passkeys?
- When the passkeys have been generated, how do we pass them back to the system?

Thank you, Jaydip.
Replies: 2 | Boosts: 0 | Views: 313 | Activity: 1w
Concerning passkey behaviour changes on iOS 17.4.1 vs iOS 17.3.1
We’ve observed a couple of concerning alterations in the passkey registration and authentication behaviour in iOS 17.4.1:

1. During passkey registration, the “excludeCredentials” property is ignored. The existing passkey is silently overwritten and no error is reported from navigator.credentials.create (in both Safari and Chrome). However, according to the W3 spec, when “excludeCredentials” is present in the PublicKeyCredentialCreationOptions: “The client is requested to return an error if the new credential would be created on an authenticator that also contains one of the credentials enumerated in this parameter.”

PublicKeyCredentialCreationOptions we use:

```json
{
  "credCreateOptions": {
    "rp": { "name": "RP name" },
    "user": { "name": "username", "id": "abcd" },
    "challenge": "56elsKE5pKgEECg-fJpLl3gF33ACRSVBl00Mn03JAIk",
    "pubKeyCredParams": [ { "type": "public-key", "alg": -7 } ],
    "excludeCredentials": [ { "type": "public-key", "id": "abcd" } ],
    "authenticatorSelection": {
      "authenticatorAttachment": "platform",
      "userVerification": "required"
    },
    "hints": [ "client-device" ],
    "attestation": "direct",
    "extensions": null
  }
}
```

This behaviour is different from what is observed on iOS 17.3.1, where the registration call to navigator.credentials.create with the same options produces the following error: “At least one credential matches an entry of the excludeCredentials list in the platform attached authenticator”

2. During the passkey login flow, iOS 17.4.1 ignores "hints": [ "client-device" ]. According to https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/create#client-device, hints specify what authentication UI the user agent should provide for the user. “client-device” requests that the user authenticates using their own device, such as a phone.

Here’s our PublicKeyCredentialRequestOptions:

```json
{
  "credRequestOptions": {
    "challenge": "xk_wd1BaVue7mOZ-UM_KVj6Z4AmGxf12_7H1Gilq01I",
    "timeout": 300000,
    "allowCredentials": [
      { "type": "public-key", "id": "abcd", "transports": [ "internal" ] }
    ],
    "userVerification": "required",
    "hints": [ "client-device" ],
    "extensions": null
  }
}
```

However, iOS 17.4.1 gives the user an option to sign in with another device. On iOS 17.3.1, the request to navigator.credentials.get with the same PublicKeyCredentialRequestOptions presents the UI screen without the “Sign In with Another Device” option.

Is that a bug on iOS 17.4.1 or intended behaviour? This does not follow the official specs and is different from other platforms like Android. Is there any documentation around this change on iOS 17.4.1? That would be helpful.
Replies: 1 | Boosts: 1 | Views: 307 | Activity: Apr ’24
Passkey and Safari
I registered and created a passkey with the credentials.create function on an Apple device with software 17.4.1 in the Safari browser. When I clear the cache in Safari and try to log in, it forces me to register again, and after that I have two passkeys on my device. Should it be like this? Why is Safari related to passkeys?
Replies: 2 | Boosts: 0 | Views: 353 | Activity: Apr ’24
iCloud Documents content is kept during App Transfer?
Hello, we are planning to migrate an app that uses iCloud Documents to store some documents that the user can upload/download and modify. In the official overview of App Transfer here, there is information related to CloudKit containers and KVS but nothing related to iCloud Documents. The content of iCloud Documents is accessed using FileManager.default.url(forUbiquityContainerIdentifier: containerID), where the containerID has the form iCloud.com.things.things, even though the official documentation says the identifier must be prefixed with the Team ID. With this ID the storage works properly and we have never experienced problems. Do you know if migrating an app with this functionality can be problematic? Do you know if the Team ID is somehow used even if not explicitly passed in the call to the function? Thank you and have a nice day!
Replies: 0 | Boosts: 0 | Views: 311 | Activity: Apr ’24
Accessing passkeys from iMessage Apps
Hi, Does anyone have a good reference list of all capabilities that are unavailable in an iMessage App vs a regular App? In particular, I'm trying to figure out whether I can 1) request a signature via passkey, and 2) send a POST request to an HTTP endpoint. Asking because I haven't been able to find code references or live apps for either. Any pointers would be greatly appreciated! Regards, Lyron
Replies: 1 | Boosts: 0 | Views: 342 | Activity: Apr ’24
Passkeys authenticatorAttachment and transports in macOS 14.4 and iOS 17.4
In the new macOS and iOS updates (14.4 and 17.4 respectively), something has changed in regards to passkey creation:

- Any passkey created from Safari doesn't have any transports, and the authenticatorAttachment is always set to platform, irrespective of whether a cross-platform authentication method is utilized, such as a hardware security key.
- All passkeys saved in iCloud Keychain created from any browser have an authenticatorAttachment always set to platform and empty authenticator transports.

authenticatorAttachment always set to platform

According to the WebAuthn specification (Section 5.4.5), the authenticatorAttachment descriptor plays a crucial role in guiding the client (browser or platform) to create or use an authenticator of a specific type. The options are platform for a built-in authenticator or cross-platform for a roaming authenticator. Some relying parties mandate a cross-platform method for the first passkey or as a second authentication factor. This is to ensure users do not find themselves locked out when they try to sign in from a device that doesn't have access to the non-roaming WebAuthn credential. Unfortunately, the current implementation in Sonoma 14.4 forces the authenticatorAttachment to platform, thus preventing the creation of passkeys that comply with such policies on websites. For comparison, browsers like Chrome correctly return a cross-platform authenticatorAttachment when a hardware security key is used, and the same used to happen on previous macOS and iOS versions from Safari.

Authenticator transports missing

The absence of transport data (WebAuthn Section 5.8.4) for all passkeys created via Safari, and for iCloud Keychain passkeys created from all browsers, further complicates the scenario. The transport hint is crucial for informing relying parties about the preferred transport method for the authenticator, be it USB, NFC, BLE, HYBRID or internal. This omission could lead to inefficiencies and a diminished user experience, as the system cannot optimize the authentication process based on the authenticators available to the user.

These issues jeopardize the utility and adoption of passkeys across various platforms and browsers, a primary goal of WebAuthn and FIDO2 for widespread secure authentication practices. What is the rationale behind this choice, and is there any workaround to be considered? Thanks for all the help and clarification!
Replies: 1 | Boosts: 2 | Views: 447 | Activity: Apr ’24
Safari webauthn excludeCredentials
Safari is allowing users to create multiple passkeys despite setting the excludeCredentials in PublicKeyCredentialCreationOptions (https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/create#excludecredentials). I also included appidExclude (https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API/WebAuthn_extensions#appidexclude) but it was still allowing me to create multiple passkeys on the same iCloud account. This does not happen in other browsers. Can anyone point me to any documentation regarding this? Much appreciated.
Replies: 2 | Boosts: 1 | Views: 415 | Activity: Apr ’24
Simulating cross-device passkey sign in?
It seems cross-device passkey authentication isn't supported by the Simulator, is that right? I can't tell if it's the Simulator not supporting it, or my app/server failing. My app, running in the Simulator, presents a QR code during the sign-in flow. I scan that with my phone, and it just spins "connecting…". Can anyone confirm that the Simulator just doesn't support this? What are my options for testing this flow? I guess I need another device not signed in to my Apple ID.
Replies: 1 | Boosts: 0 | Views: 510 | Activity: Mar ’24
Determining if user has passkey for service already?
I'm working my way through adding passkey support to my app. At app launch, I'd like to test to see if the user has already created a passkey for the service, and if not, immediately present the account creation UI. Is there an API call I can make to see if the user already has a credential? From the examples I’ve found, it seems I should just try to sign in, and I’ll get an error callback if there are no stored credentials. Is that right?
Replies: 4 | Boosts: 0 | Views: 620 | Activity: Mar ’24