Hello, we are trying to develop a passwordless flow in the browser, but when we invoke navigator.credentials.create, it resolves to an empty object {}. We acquired options from the StrongKey server and parsed them into navigator options as was shown in the wwdc20-10670 demo. An excerpt of the source code is below:

    {
      publicKey: {
        rp: {name: queryParams.rpName},
        user: {
          name: queryParams.userName,
          id: toUint8Array(queryParams.userId),
          displayName: queryParams.displayName
        },
        pubKeyCredParams: [{type: 'public-key', alg: -7}],
        challenge: toUint8Array(queryParams.challenge),
        authenticatorSelection: {authenticatorAttachment: 'platform'},
        attestation: 'direct'
      }
    }

The user is requested to proceed with TouchID/FaceID/etc. and everything looks as expected, but the returned value is empty. We have tested the flow in the latest Chrome, Safari and Safari for iOS. Has anyone encountered this behavior as well?
Search results for
[tags:wwdc20-10229]
26 results found
Hi, I did not get from the Meet Face ID and Touch ID for the web session if it would be available in WKWebView? I'm highly interested in this feature! Thanks
When going to «Settings > Safari > Clear logs and website data» to e.g. clear all cookies, then all Webauthn registrations done for all sites with Safari are deleted. This makes Safari for all websites unusable. All websites still list e.g. the iPhone as Webauthn enabled, while in reality it has been deleted on the device. Is this somehow by-design by Apple? No users will understand this and this will cause sign in support to all websites, so cannot understand this implementation. Did not find any comments, discussions or bugs about this. Are there not many aware of this yet?
We've seen some great examples and demos for webauthn on the desktop on Big Sur. I still am not able to use webauthn on iOS 14 beta 2. Are there any particular restrictions which we have to be aware of? Any flags to toggle to enable this for testing? Vishy
Topic: Privacy & Security
SubTopic: General
Tags: Local Authentication, Safari Developer Tools, wwdc20-10670
Feature detection in Safari 14 (running on macOS Big Sur on Intel MacBook Pro) is returning false. Tested this in localhost and HTTPS served pages with no luck. As per the Meet Face ID and Touch ID for the web session, it is supposed to be available.

    PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable().then(console.log) // resolves to false

Is the feature available? Is there anything that has to be installed or enabled explicitly?
Questions about FIDO 2 attestation verification in iOS 14

I am currently implementing the FIDO 2 verification logic according to the URL below. https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server My question is about aaguid and credentialId. According to the URL the aaguid is An App Attest–specific constant. And the length of credentialId is 32 bytes.
[Question] The aaguid delivered from Safari was 16 zero bytes. Is it correct to be passed by this value? The length of credentialId is 20 bytes, not 32 bytes. Is this correct?
[Test Env.] iOS 14 beta 8
When I set up navigator.credentials.create() everything works as expected (Safari asks for touch-id) and the credentials are created and saved. Later when performing the login using navigator.credentials.get() I am not able to force Safari to ask for touchId. Instead it only wants a security key.

    return {
      publicKey: {
        challenge: sampleChallenge,
        authenticatorSelection: { authenticatorAttachment: 'platform' },
        attestation: 'direct',
        timeout: 15000,
        allowCredentials: [
          {
            type: 'public-key',
            id: sampleId,
            transports: ['internal']
          }
        ]
      }
    }

This is almost the same code as used in the wwdc video, except that I added authenticatorSelection, attestation and timeout. In credentials.create() I noticed that authenticatorAttachment=platform is important to force touchId. But in credentials.get() this did not help. Has anyone already built a full demo that is working for iOS? I wonder also why the code from the shiny demo app from the wwdc video is not available for download somewhere! This
Is it planned to support the residential key feature of Webauthn/Fido? This would allow to authenticate a user without knowing his identity to provide the credential id.
Hi, Using the https://developer.apple.com/documentation/devicecheck I should be able to leverage the attest APIs to verify the integrity of my apps. However, I am constantly getting an unknownSystemFailure when attempting to attestKey(_:). This is after key pair generation and clientDataHash for the challenge. Please refer to the code sample. Would appreciate any feedback on how to get this to work.

    import CryptoKit
    import DeviceCheck

    let service = DCAppAttestService.shared
    guard service.isSupported else { return }
    // Generate the key pair, then attest it against the hashed challenge.
    service.generateKey { (keyId, error) in
        if error != nil {
            print((error!.localizedDescription))
            return
        }
        print(keyId!)
        let challenge = "r6ctg89rt3948tc497tn4379".data(using: .utf8)
        let hash = Data(SHA256.hash(data: challenge!))
        service.attestKey(keyId!, clientDataHash: hash) { (attestationObject, error) in
            if error != nil {
                print((error!.localizedDescription))
                return
            }
            print(attestationObject?.debugDescription)
        }
    }
For some actions on my Mac I can authenticate myself with Apple Watch, things like authorising installation or making a payment. Will this API allow the creation of an experience like this if a user doesn't have a Touch Id/Face Id compatible device? Thanks
I want to add it to my website mikulabeutl.com - https://www.example.com/ but also be able to let Android users use it, any guide?
I'm using Safari Technology Preview 109 on the MacOS 11 beta, on a 16 MacBook Pro. Unfortunately, I am unable to get the browser to ask for Touch ID. Instead, Safari will always ask for a security key: Do you want to allow “localhost” to start using a security key to sign in? Insert your security key and activate it to continue. I have the Web Authentication and When Authentication Local Authenticator experimental features enabled. The web server is running on localhost. I'm using the code as shown in wwdc20-10670, except I'm not using attestation. I've never had a security key connected to this Mac either. My code is this:

    const challengeBuffer = Uint8Array.from(XXXXXX, c => c.charCodeAt(0))
    const options = {
      publicKey: {
        rp: { name: 'localhost' },
        user: {
          name: user.email,
          id: Uint8Array.from(String(user.id), c => c.charCodeAt(0)),
          displayName: user.displayName
        },
        pubKeyCredParams: [{ type: 'public-key', alg: -7 }],
        challenge: challengeBuffer,
        authenticatorSelection: {
          authenticat
From how I understood the new APIs in the video, it sounds to me like the Face/Touch ID authentication can only be used on services that implement an automatic sign-out for the user to enhance security. But I didn't quite get if this new API will also be useful for situations where a user actively signs out or has his browser setup to delete all cookies from time to time. From how I understood it, the user needs to be known to the website already via some cookie when the user visits the website to show the Sign in with Face/Touch ID button. If the user was anonymously visiting the website, there would be no way to actually use Face/Touch ID to sign in, is this correct? So as I understand it, the API doesn't actually provide a secure and convenient way to sign in, instead it merely provides a way to re-sign in. Please correct me if I'm wrong. A pointer to the API I might have misunderstood would also help clarify this.
How do I validate the attestation? I think the root certificate is necessary. How to get the certificate? Also where is the reference about fmt:apple? https://developer.apple.com/videos/play/wwdc2020/10670/ Around 11:02-