Passkeys in iCloud Keychain

RSS for tag

Use public-key-based credentials using the WebAuthn standard that are synced with iCloud Keychain.

Posts under Passkeys in iCloud Keychain tag

77 Posts
Sort by:

Post

Replies

Boosts

Views

Activity

Unable to register or use passkeys via Safari Web Extension
There does not appear to be any way to use or create iCloud passkeys with a Safari Web Extension, either using the navigator.credentials API in an extension origin webpage such as the popover, or using the AuthenticationServices framework in the SafariWebExtensionHandler. I've setup an associated domain for my plugin, and I know it works for the host application. But I get errors trying to do so in the web extension target. createCredentialRegistrationRequests results in the following error: Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Application with identifier <ID> is not associated with domain <RPID> The other problem, assuming the entitlement works correctly for the web extension, is that there is no NSWindow to use as the presentation target from the SafariWebExtensionHandler. Trying to use the navigator.credentials.create JS API (which is the preferred method, frankly, in a web extension) results in the following error: NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission. Chrome has a great solution for this that I believe should be adopted by Safari. If an extension has host permissions for a relying party it wants to claim, or if it has an associated domain entitlement for it, webauthn operations should be allowed.
0
0
143
1w
if I skip passkey setup, how long will lapse before I am asked by the OS to register for passkey again
I am currently unable to enable passkey in my app so I am having to tell my users to skip the prompts for using passkey. We have noticed that after a few times of this the OS will stop asking the user to register their passkey. The question is, how long does this last before the OS asks you to use passkey again? Is it permanent until you re-install the app? Just looking for a time frame if anyone knows.
0
0
308
1w
How to programmatically stop passkey in my app
I am using Auth0 as a login manager for our app. The way Auth0 handles login is that their SDK will create a web view where the login is actually handled. Once the login is finished the session will end and the app will gain control. We are not set up for passkeys in their system and can't set up quickly to do that. Unfortunately with the new iOS "passkey is the primary login" way iOS is set up now, users are asked to use passkey when it's not supported on the backend. I don't have direct control of the login screens. Is there any way, at the app level, to tell the app to not use passkeys so that it quits showing up as an option for the users? I can't find any documentation on doing this. How can I stop passkey in my app entirely?
0
0
139
1w
PRF Extension Not Supported in Safari's Cross-Device WebAuthn Flow
Safari 18.0.1 on macOS 15.01 doesn't support the Passkey PRF extension during cross-device WebAuthn authentication when using QR code scanning, while it works correctly with iCloud passkeys. Steps to Reproduce: Clone and setup: git clone https://github.com/quocle108/passkey-prf-test yarn yarn start Test iCloud Passkey Flow: Open http://localhost:3000 in Safari Open DevTools (Cmd+Option+I) Click "Register" Choose "Passkey on iCloud" Expected console output: PRF supported: true Test Cross-Device Flow: Click "Register" Choose "Phone/Tablet" Scan QR with mobile device Expected: PRF supported: true PRF extension should be supported in cross-device flow, matching iCloud passkey behavior. Actual: PRF supported: false Cross-device flow returns empty extension results. Verify in Chrome Repeat steps 2-3 in Chrome Both flows return proper PRF extension results: PRF supported: true Test Environment: Browser: Safari 18.1.1 , Chrome 131.0.6778.70 OS: macOS 15.01 Mobile: iOS 18.x / Galaxy Note9 Android 10 Test repo: https://github.com/quocle108/passkey-prf-test
1
1
203
1w
Passkey PRF inconsistency between apple devices
Test Scenario: Initial Setup: Register a passkey on Chrome (MacBook) with cross-platform option The passkey syncs to iPhone via iCloud Both devices share same iCloud account Authentication Tests: Chrome on MacBook: Using hybrid transport (QR code with iPhone) → PRF output A Using platform authenticator → PRF output B (different) Safari on MacBook: Only uses platform authenticator → PRF output B Expected Behavior: When using same credential ID and salt, PRF output should be consistent across browsers/devices
2
1
246
2w
Conditional Display of Passkey Provider in macOS \ iOS
Hello, I've developed a macOS app with an AutoFill Credential Provider extension that functions as a passkey provider. In the registration flow, I want my app to appear as a passkey provider only when specific conditions are met. Is there a way to inspect the request from the web before the passkey provider selection list is displayed to the user, determine whether my app can handle it, and then use that result to instruct the OS on whether to include my app in the passkey provider selection list? Alternatively, is there a way to predefine conditions that must be met before my app is offered as a passkey provider in the selection list? Thanks!
2
0
216
3w
Automatic passkey upgrade not working
Seeing the following error when attempting automatic passkey upgrade - [Warning] NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission. We're trying to enable Automatic passkey upgrade (https://developer.apple.com/videos/play/wwdc2024/10125/?time=38) for our website but it's not working from our testing on iOS 18.2 and 18.3 Beta Safari. The flow on our website looks like: the customers use autofill to fill out email and password on the sign-in page (abc.com/signin) PublicKeyCredential.getClientCapabilities is called to check if conditionalCreate supported. land on another page of our website (abc.com/pageX), which calls navigator.credentials.create with mediation conditional (Right after sign-in). We checked that we followed the steps in above video: Allow automatic passkey upgrades is enabled, mediation is set to conditional and password autofill is used to signed in. However, Safari threw an error [Warning] NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission. Can Apple help guide us if anything is missed here?
0
1
348
Jan ’25
Passkey Registration Fails with “UnexpectedRPIDHash” on iOS — Domain & Associated Domains Confirmed Correct
I’m implementing Passkey registration on iOS using ASAuthorizationPlatformPublicKeyCredentialProvider. On the server side, I’m using a WebAuthn library that throws the error UnexpectedRPIDHash: Unexpected RP ID hash during verifyRegistrationResponse(). Domain: pebblepath.link (publicly routable, valid SSL certificate, no warnings in Safari) Associated Domains in Xcode**: webcredentials:pebblepath.link AASA file: { "applinks": { "apps": [] }, "webcredentials": { "apps": [ "H33XH8JMV6.com.reactivex.pebblepath" ] } } Xcode Configuration: Team ID: H33XH8JMV6 Bundle ID: com.reactivex.pebblepath Associated Domains: webcredentials:pebblepath.link Logs: iOS clientDataJSON shows "origin": "https://pebblepath.link". Server logs confirm expectedOrigin = "https://pebblepath.link" and expectedRPID = "pebblepath.link". Despite this, the server library still errors out: finishRegistration error: UnexpectedRPIDHash. I’ve verified that: The domain has a valid CA-signed SSL cert (no Safari warnings). The AASA file is reachable at https://pebblepath.link/.well-known/apple-app-site-association. The app’s entitlements match H33XH8JMV6.com.reactivex.pebblepath. I’ve removed old passkeys from Settings → Passwords on the device and retried fresh. I’m testing on a real device with iOS 16+; I am using a Development provisioning profile, but that shouldn’t cause an RP ID mismatch as long as the domain is valid. Every log indicates that the domain and origin match exactly, but the WebAuthn library still throws UnexpectedRPIDHash, implying iOS is embedding a different (or unrecognized) RP ID hash in the credential. Has anyone else encountered this with iOS passkeys and a valid domain/AASA setup? Is there an extra step needed to ensure iOS recognizes the domain for passkey registration? Any guidance or insights would be greatly appreciated!
1
0
336
Jan ’25
Getting ASAuthorizationError 1004 (notInteractive) when testing web credential sharing with Apple sample app
Using both the Apple sample app for passkeys (link below) and another barebones sample app from github (link below), we are getting this same error when trying to retrieve a user's passkey that has been created from our website associated with the sample app: ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)" Error: ["NSLocalizedFailureReason": Unable to verify webcredentials association of TEAMID.com.company.product with domain app.company.com. Please try again in a few seconds.] Note I have replaced TEAMID, the bundle id and the website id here, but the values match our site association file, which has this content: { "webcredentials": { "apps": [ "TEAMID.com.company.product" ] } } and is hosted at: https://app.company.com/.well-known/apple-app-site-association (returned with Content-Type: application/json header) The enum values for ASAuthorizationError.Code I believe are: canceled: 1000 failed: 1001 invalidResponse: 1002 notHandled: 1003 notInteractive: 1004 unknown: 1005 Thus we are getting notInteractive, which according to another forum post here, we should not be seeing. With both sample apps, I've made sure the request to perform authentication is triggered from a button press by the user. Can someone please help us figure out why we are getting this error? Xcode version: 16.2 MacOS version: 15.2 iOS version: 18.2 iPhone model: iPhone SE (MHGT3X/A) Link for Apple sample app: https://developer.apple.com/documentation/authenticationservices/connecting_to_a_service_with_passkeys Link for Github sample app: https://github.com/hansemannn/iOS16-Passkeys-Sample
2
0
356
Dec ’24
Can't login apple site with passkeys for so long time
I recently updated to iOS 18.1.1 and macOS 15.1.1, but I'm unable to log into Apple's official sites, such as https://account.apple.com/ or https://appstoreconnect.apple.com/login, using passkeys. I'm located in mainland China, and I also can't reset the passkeys through the Password application, as there are no Apple passkeys listed in the Password -> Passkeys section. Is anyone else experiencing this issue? The error message: Can't verify your account. Try again or continue with password. ps:no Apple Support Community members answer this question, so I post this issue here
0
0
324
Dec ’24
How Can I Enable NFC Functionality in an Apple Wallet Pass?
Hello, I am working on an Apple Wallet pass with NFC functionality but have been facing issues with getting it to work. The pass gets added to Wallet, but the NFC feature does not seem to activate. Could someone provide a detailed, step-by-step process to properly enable NFC in an Apple Wallet pass? Here is what I have done so far: 1. Set up a Pass Type ID and Certificates: I have registered a Pass Type ID in my Apple Developer account. I have generated and installed the required certificates (Pass Type ID certificate and WWDR certificate). 2. Adding the NFC Field: Added the following nfc field to my pass.json file: { "formatVersion": 1, "passTypeIdentifier": "pass.com.example.mypass", "serialNumber": "123456", "teamIdentifier": "TEAMID12345", "webServiceURL": "https://example.com/api/passes", "authenticationToken": "my_secure_token", "nfc": { "message": "Tap to unlock door", "encryptionPublicKey": "MY_ENCRYPTION_PUBLIC_KEY", "payload": "encrypted_nfc_payload" }, "organizationName": "My Company", "description": "NFC-Enabled Access Pass", "logoText": "My NFC Pass", "foregroundColor": "rgb(255, 255, 255)", "backgroundColor": "rgb(0, 0, 0)", "barcode": { "format": "PKBarcodeFormatQR", "message": "https://example.com", "messageEncoding": "iso-8859-1" } } 3. Tested the Pass: The pass is added to Wallet, but NFC functionality is not working. When the nfc field is removed, the pass works fine without NFC. Questions: 1. Could you provide a comprehensive list of required steps to enable NFC in an Apple Wallet pass, including any specific details on encryption, payload, and public key formatting? 2. Are there any additional configurations or settings that I might be missing? 3. Is there any official documentation or specific tools recommended for testing NFC-enabled passes? Any guidance or solutions to enable NFC in this pass would be greatly appreciated. Thank You
1
0
461
2w
Passkey Associated domain error 1004
iOS18.1.1 macOS15.1.1 xcode16.1 Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Unable to verify webcredentials association of ********** with domain ******************. Please try again in a few seconds." Our domain must query with VPN, so I set webcredentials:qa.ejeokvv.com?mode=developer following: "If you use a private web server, which is unreachable from the public internet, while developing your app, enable the alternate mode feature to bypass the CDN and connect directly to your server. To do this, add a query string to your associated domains entitlement, as shown in the following example: :?mode= " but it still not working, even after I set mode=developer. Please help!!!!
2
2
440
Dec ’24
How to Remove an Old Email-Associated Passkey from Apple Servers?
I noticed that when logging in to idmsa.apple.com, my old email address still appears as an option, even though I’ve updated my Apple ID to a new email. I understand that passkeys rely on a public-private key pair, with the public key stored on the server (e.g., idmsa.apple.com) and the private key saved locally in iCloud Keychain. Could you please clarify: 1. How can I request Apple to delete the public key associated with my old email address from their servers? 2. Is there a way for users to manage or update server-side passkeys without contacting Apple support? 3. Does this behavior affect my account security in any way? Any advice or insights would be greatly appreciated!
0
1
401
Nov ’24
Is there a way to hide the 'Save to another device' option during iOS WebAuthn registration?
Hello, I am currently implementing a biometric authentication registration flow using WebAuthn. I am using ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest, and I would like to know if there is a way to hide the "Save to another device" option that appears during the registration process. Specifically, I want to guide users to save the passkey only locally on their device, without prompting them to save it to iCloud Keychain or another device. If there is a way to hide this option or if there is a recommended approach to achieve this, I would greatly appreciate your guidance. Also, if this is not possible due to iOS version or API limitations, I would be grateful if you could share any best practices for limiting user options in this scenario. If anyone has experienced a similar issue, your advice would be very helpful. Thank you in advance.
0
0
396
Nov ’24
How to utilize each field of WebAuthn Options for implementation on iOS?
Hello, I am currently working on implementing credential registration for biometric authentication using WebAuthn in an iOS app. I am using ASAuthorizationPlatformPublicKeyCredentialProvider to create a credential registration request based on the data retrieved from the WebAuthn options endpoint. At the moment, I am only using user.id, user.name, and challenge from the options response, and I am unsure how to utilize the other fields effectively. I would greatly appreciate advice on how to use the following fields: **Fields I would like to use: ** rp (Relying Party) I am retrieving id and name, but I am not sure how best to pass and utilize these fields. Is there an explicit way to use them? authenticatorSelection How can I set requireResidentKey and userVerification in ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest? Also, what are the specific benefits of using these fields? timeout Is there a way to reflect the timeout value in the credential registration request, and what would be the best way to handle this information in iOS? attestation The attestation field can contain values such as none or direct. How should I reflect this in the credential registration request for iOS? I would appreciate a sample implementation or guidance on the benefits of setting this field. extensions If I want to customize the authentication flow using the extensions field, how can I appropriately reflect this in iOS? For instance, how can I utilize extensions like credProps? pubKeyCredParams Regarding pubKeyCredParams, which is a list of supported public key algorithms, I am unsure how to use it to select an appropriate algorithm in iOS. How should I incorporate this information into the request? excludeCredentials I understand that setting excludeCredentials can prevent duplicate registration, but I am not sure how to use past credential information to set it effectively. Any advice on this would be appreciated. **Current Code ** Currently, I have implemented the following code, but I am struggling to understand how to add and configure the fields mentioned above. let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider( relyingPartyIdentifier: "www.example.com" ) let registrationRequest = publicKeyCredentialProvider.createCredentialRegistrationRequest( challenge: challenge, name: userId, userID: userIdData ) let authController = ASAuthorizationController(authorizationRequests: [registrationRequest]) authController.delegate = self authController.presentationContextProvider = self authController.performRequests() In addition to the above code, I would be grateful if anyone could advise on how to configure fields like rp, authenticatorSelection, attestation, extensions, and pubKeyCredParams as well. Furthermore, I would appreciate any insights into the benefits of setting each of these fields in iOS, and any security considerations to be aware of. If anyone has experience with this, your guidance would be extremely helpful. Thank you very much in advance!
1
0
372
Nov ’24
Whether non-Apple Store mac apps can use passkey?
Our desktop app for macos will be released in 2 channels appstore dmg package on our official website for users to download and install Now when we debug with passkey, we find that the package name of the appstore can normally arouse passkey, but the package name of the non-App Store can not arouse the passkey interface I need your help. Thank you
1
0
554
Oct ’24
List of Relay Servers for Passkeys
My organization routes all device traffic through a network security device that performs TLS intercept (SSL inspection). As might be expected, this breaks passkey Cross-Device Authentication (CDA) functionality, since the thumbprints don't match end-to-end between the authenticator (iPhone) and the client (laptop). As soon as I disable the VPN tunnel through our security device, the passkey login works as expected. The security team is willing to exclude the relay servers from SSL inspection, but we are unable to find a list of the relevant endpoints. Is there a list of Apple relay servers that are used for passkey tunnelling? We can review the network logs to find the traffic, but I'd prefer an authoritative list. For full context: we are using device-bound passkeys via Microsoft Authenticator to login to Entra but, as I understand it, the passkey is still handled via Apple's standard passkey infrastructure and APIs. Thanks!
0
0
296
Oct ’24