There does not appear to be any way to use or create iCloud passkeys with a Safari Web Extension, either using the navigator.credentials API in an extension origin webpage such as the popover, or using the AuthenticationServices framework in the SafariWebExtensionHandler.
I've setup an associated domain for my plugin, and I know it works for the host application. But I get errors trying to do so in the web extension target.
createCredentialRegistrationRequests results in the following error:
Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Application with identifier <ID> is not associated with domain <RPID>
The other problem, assuming the entitlement works correctly for the web extension, is that there is no NSWindow to use as the presentation target from the SafariWebExtensionHandler.
Trying to use the navigator.credentials.create JS API (which is the preferred method, frankly, in a web extension) results in the following error:
NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission.
Chrome has a great solution for this that I believe should be adopted by Safari. If an extension has host permissions for a relying party it wants to claim, or if it has an associated domain entitlement for it, webauthn operations should be allowed.
Passkeys in iCloud Keychain
RSS for tagUse public-key-based credentials using the WebAuthn standard that are synced with iCloud Keychain.
Posts under Passkeys in iCloud Keychain tag
77 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
I am currently unable to enable passkey in my app so I am having to tell my users to skip the prompts for using passkey. We have noticed that after a few times of this the OS will stop asking the user to register their passkey. The question is, how long does this last before the OS asks you to use passkey again? Is it permanent until you re-install the app? Just looking for a time frame if anyone knows.
I am using Auth0 as a login manager for our app. The way Auth0 handles login is that their SDK will create a web view where the login is actually handled. Once the login is finished the session will end and the app will gain control. We are not set up for passkeys in their system and can't set up quickly to do that. Unfortunately with the new iOS "passkey is the primary login" way iOS is set up now, users are asked to use passkey when it's not supported on the backend. I don't have direct control of the login screens. Is there any way, at the app level, to tell the app to not use passkeys so that it quits showing up as an option for the users? I can't find any documentation on doing this. How can I stop passkey in my app entirely?
Safari 18.0.1 on macOS 15.01 doesn't support the Passkey PRF extension during cross-device WebAuthn authentication when using QR code scanning, while it works correctly with iCloud passkeys.
Steps to Reproduce:
Clone and setup:
git clone https://github.com/quocle108/passkey-prf-test
yarn
yarn start
Test iCloud Passkey Flow:
Open http://localhost:3000 in Safari
Open DevTools (Cmd+Option+I)
Click "Register"
Choose "Passkey on iCloud"
Expected console output: PRF supported: true
Test Cross-Device Flow:
Click "Register"
Choose "Phone/Tablet"
Scan QR with mobile device
Expected: PRF supported: true
PRF extension should be supported in cross-device flow, matching iCloud passkey behavior.
Actual: PRF supported: false
Cross-device flow returns empty extension results.
Verify in Chrome
Repeat steps 2-3 in Chrome
Both flows return proper PRF extension results: PRF supported: true
Test Environment:
Browser: Safari 18.1.1 , Chrome 131.0.6778.70
OS: macOS 15.01
Mobile: iOS 18.x / Galaxy Note9 Android 10
Test repo: https://github.com/quocle108/passkey-prf-test
Test Scenario:
Initial Setup:
Register a passkey on Chrome (MacBook) with cross-platform option
The passkey syncs to iPhone via iCloud
Both devices share same iCloud account
Authentication Tests:
Chrome on MacBook:
Using hybrid transport (QR code with iPhone) → PRF output A
Using platform authenticator → PRF output B (different)
Safari on MacBook:
Only uses platform authenticator → PRF output B
Expected Behavior:
When using same credential ID and salt, PRF output should be consistent across browsers/devices
Hi team, if I log into my app on Safari and try to enroll/challenge MFA security key option, I will be able to see this pop-up that gives me the option to pick either passkeys or external security keys
However, my team member who's using the same version of safari, can only see the external security key option
Why is this?
Hello,
I've developed a macOS app with an AutoFill Credential Provider extension that functions as a passkey provider. In the registration flow, I want my app to appear as a passkey provider only when specific conditions are met.
Is there a way to inspect the request from the web before the passkey provider selection list is displayed to the user, determine whether my app can handle it, and then use that result to instruct the OS on whether to include my app in the passkey provider selection list?
Alternatively, is there a way to predefine conditions that must be met before my app is offered as a passkey provider in the selection list?
Thanks!
Seeing the following error when attempting automatic passkey upgrade - [Warning] NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission.
We're trying to enable Automatic passkey upgrade (https://developer.apple.com/videos/play/wwdc2024/10125/?time=38) for our website but it's not working from our testing on iOS 18.2 and 18.3 Beta Safari.
The flow on our website looks like:
the customers use autofill to fill out email and password on the sign-in page (abc.com/signin)
PublicKeyCredential.getClientCapabilities is called to check if conditionalCreate supported.
land on another page of our website (abc.com/pageX), which calls navigator.credentials.create with mediation conditional (Right after sign-in).
We checked that we followed the steps in above video: Allow automatic passkey upgrades is enabled, mediation is set to conditional and password autofill is used to signed in. However, Safari threw an error [Warning] NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission.
Can Apple help guide us if anything is missed here?
I’m implementing Passkey registration on iOS using ASAuthorizationPlatformPublicKeyCredentialProvider. On the server side, I’m using a WebAuthn library that throws the error UnexpectedRPIDHash: Unexpected RP ID hash during verifyRegistrationResponse().
Domain: pebblepath.link (publicly routable, valid SSL certificate, no warnings in Safari)
Associated Domains in Xcode**: webcredentials:pebblepath.link
AASA file:
{
"applinks": { "apps": [] },
"webcredentials": {
"apps": [
"H33XH8JMV6.com.reactivex.pebblepath"
]
}
}
Xcode Configuration:
Team ID: H33XH8JMV6
Bundle ID: com.reactivex.pebblepath
Associated Domains: webcredentials:pebblepath.link
Logs:
iOS clientDataJSON shows "origin": "https://pebblepath.link".
Server logs confirm expectedOrigin = "https://pebblepath.link" and expectedRPID = "pebblepath.link".
Despite this, the server library still errors out: finishRegistration error: UnexpectedRPIDHash.
I’ve verified that:
The domain has a valid CA-signed SSL cert (no Safari warnings).
The AASA file is reachable at https://pebblepath.link/.well-known/apple-app-site-association.
The app’s entitlements match H33XH8JMV6.com.reactivex.pebblepath.
I’ve removed old passkeys from Settings → Passwords on the device and retried fresh.
I’m testing on a real device with iOS 16+; I am using a Development provisioning profile, but that shouldn’t cause an RP ID mismatch as long as the domain is valid.
Every log indicates that the domain and origin match exactly, but the WebAuthn library still throws UnexpectedRPIDHash, implying iOS is embedding a different (or unrecognized) RP ID hash in the credential.
Has anyone else encountered this with iOS passkeys and a valid domain/AASA setup? Is there an extra step needed to ensure iOS recognizes the domain for passkey registration?
Any guidance or insights would be greatly appreciated!
Using both the Apple sample app for passkeys (link below) and another barebones sample app from github (link below), we are getting this same error when trying to retrieve a user's passkey that has been created from our website associated with the sample app:
ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)"
Error: ["NSLocalizedFailureReason": Unable to verify webcredentials association of TEAMID.com.company.product with domain app.company.com. Please try again in a few seconds.]
Note I have replaced TEAMID, the bundle id and the website id here, but the values match our site association file, which has this content:
{
"webcredentials": {
"apps": [ "TEAMID.com.company.product" ]
}
}
and is hosted at:
https://app.company.com/.well-known/apple-app-site-association
(returned with Content-Type: application/json header)
The enum values for ASAuthorizationError.Code I believe are:
canceled: 1000
failed: 1001
invalidResponse: 1002
notHandled: 1003
notInteractive: 1004
unknown: 1005
Thus we are getting notInteractive, which according to another forum post here, we should not be seeing. With both sample apps, I've made sure the request to perform authentication is triggered from a button press by the user. Can someone please help us figure out why we are getting this error?
Xcode version: 16.2
MacOS version: 15.2
iOS version: 18.2
iPhone model: iPhone SE (MHGT3X/A)
Link for Apple sample app:
https://developer.apple.com/documentation/authenticationservices/connecting_to_a_service_with_passkeys
Link for Github sample app:
https://github.com/hansemannn/iOS16-Passkeys-Sample
I recently updated to iOS 18.1.1 and macOS 15.1.1, but I'm unable to log into Apple's official sites, such as https://account.apple.com/ or https://appstoreconnect.apple.com/login, using passkeys. I'm located in mainland China, and I also can't reset the passkeys through the Password application, as there are no Apple passkeys listed in the Password -> Passkeys section. Is anyone else experiencing this issue?
The error message:
Can't verify your account. Try again or continue with password.
ps:no Apple Support Community members answer this question, so I post this issue here
Hello,
I am working on an Apple Wallet pass with NFC functionality but have been facing issues with getting it to work. The pass gets added to Wallet, but the NFC feature does not seem to activate.
Could someone provide a detailed, step-by-step process to properly enable NFC in an Apple Wallet pass? Here is what I have done so far:
1. Set up a Pass Type ID and Certificates:
I have registered a Pass Type ID in my Apple Developer account.
I have generated and installed the required certificates (Pass Type ID certificate and WWDR certificate).
2. Adding the NFC Field:
Added the following nfc field to my pass.json file:
{
"formatVersion": 1,
"passTypeIdentifier": "pass.com.example.mypass",
"serialNumber": "123456",
"teamIdentifier": "TEAMID12345",
"webServiceURL": "https://example.com/api/passes",
"authenticationToken": "my_secure_token",
"nfc": {
"message": "Tap to unlock door",
"encryptionPublicKey": "MY_ENCRYPTION_PUBLIC_KEY",
"payload": "encrypted_nfc_payload"
},
"organizationName": "My Company",
"description": "NFC-Enabled Access Pass",
"logoText": "My NFC Pass",
"foregroundColor": "rgb(255, 255, 255)",
"backgroundColor": "rgb(0, 0, 0)",
"barcode": {
"format": "PKBarcodeFormatQR",
"message": "https://example.com",
"messageEncoding": "iso-8859-1"
}
}
3. Tested the Pass:
The pass is added to Wallet, but NFC functionality is not working.
When the nfc field is removed, the pass works fine without NFC.
Questions:
1. Could you provide a comprehensive list of required steps to enable NFC in an Apple Wallet pass, including any specific details on encryption, payload, and public key formatting?
2. Are there any additional configurations or settings that I might be missing?
3. Is there any official documentation or specific tools recommended for testing NFC-enabled passes?
Any guidance or solutions to enable NFC in this pass would be greatly appreciated.
Thank You
iOS18.1.1 macOS15.1.1 xcode16.1 Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Unable to verify webcredentials association of ********** with domain ******************. Please try again in a few seconds."
Our domain must query with VPN, so I set webcredentials:qa.ejeokvv.com?mode=developer
following:
"If you use a private web server, which is unreachable from the public internet, while developing your app, enable the alternate mode feature to bypass the CDN and connect directly to your server. To do this, add a query string to your associated domains entitlement, as shown in the following example:
:?mode=
"
but it still not working, even after I set mode=developer.
Please help!!!!
I noticed that when logging in to idmsa.apple.com, my old email address still appears as an option, even though I’ve updated my Apple ID to a new email. I understand that passkeys rely on a public-private key pair, with the public key stored on the server (e.g., idmsa.apple.com) and the private key saved locally in iCloud Keychain.
Could you please clarify:
1. How can I request Apple to delete the public key associated with my old email address from their servers?
2. Is there a way for users to manage or update server-side passkeys without contacting Apple support?
3. Does this behavior affect my account security in any way?
Any advice or insights would be greatly appreciated!
Hi everyone,
I'm looking for a way to configure Passkey on iOS so that authentication is only possible using FaceID or TouchID. Specifically, I want to disable the use of passcodes and QR codes for authentication. Additionally, is there a method to detect if the authentication was done using a passcode or QR code?
Thanks for your help!
Hello, I am currently implementing a biometric authentication registration flow using WebAuthn. I am using ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest, and I would like to know if there is a way to hide the "Save to another device" option that appears during the registration process.
Specifically, I want to guide users to save the passkey only locally on their device, without prompting them to save it to iCloud Keychain or another device.
If there is a way to hide this option or if there is a recommended approach to achieve this, I would greatly appreciate your guidance.
Also, if this is not possible due to iOS version or API limitations, I would be grateful if you could share any best practices for limiting user options in this scenario.
If anyone has experienced a similar issue, your advice would be very helpful. Thank you in advance.
Hello, I am currently working on implementing credential registration for biometric authentication using WebAuthn in an iOS app. I am using ASAuthorizationPlatformPublicKeyCredentialProvider to create a credential registration request based on the data retrieved from the WebAuthn options endpoint.
At the moment, I am only using user.id, user.name, and challenge from the options response, and I am unsure how to utilize the other fields effectively. I would greatly appreciate advice on how to use the following fields:
**Fields I would like to use:
**
rp (Relying Party)
I am retrieving id and name, but I am not sure how best to pass and utilize these fields. Is there an explicit way to use them?
authenticatorSelection
How can I set requireResidentKey and userVerification in ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest? Also, what are the specific benefits of using these fields?
timeout
Is there a way to reflect the timeout value in the credential registration request, and what would be the best way to handle this information in iOS?
attestation
The attestation field can contain values such as none or direct. How should I reflect this in the credential registration request for iOS? I would appreciate a sample implementation or guidance on the benefits of setting this field.
extensions
If I want to customize the authentication flow using the extensions field, how can I appropriately reflect this in iOS? For instance, how can I utilize extensions like credProps?
pubKeyCredParams
Regarding pubKeyCredParams, which is a list of supported public key algorithms, I am unsure how to use it to select an appropriate algorithm in iOS. How should I incorporate this information into the request?
excludeCredentials
I understand that setting excludeCredentials can prevent duplicate registration, but I am not sure how to use past credential information to set it effectively. Any advice on this would be appreciated.
**Current Code
**
Currently, I have implemented the following code, but I am struggling to understand how to add and configure the fields mentioned above.
let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(
relyingPartyIdentifier: "www.example.com"
)
let registrationRequest = publicKeyCredentialProvider.createCredentialRegistrationRequest(
challenge: challenge,
name: userId,
userID: userIdData
)
let authController = ASAuthorizationController(authorizationRequests: [registrationRequest])
authController.delegate = self
authController.presentationContextProvider = self
authController.performRequests()
In addition to the above code, I would be grateful if anyone could advise on how to configure fields like rp, authenticatorSelection, attestation, extensions, and pubKeyCredParams as well. Furthermore, I would appreciate any insights into the benefits of setting each of these fields in iOS, and any security considerations to be aware of.
If anyone has experience with this, your guidance would be extremely helpful. Thank you very much in advance!
Our desktop app for macos will be released in 2 channels
appstore
dmg package on our official website for users to download and install
Now when we debug with passkey, we find that the package name of the appstore can normally arouse passkey, but the package name of the non-App Store can not arouse the passkey interface
I need your help. Thank you
I once changed my Apple ID. Before changing it, I had set up a passkey for the Apple ID website. After changing my Apple ID, whenever I log in to Apple ID, it still shows my previous Apple ID. Additionally, the passkey for the Apple ID website is not present in my 'Passwords' app, so I am unable to delete it.
My organization routes all device traffic through a network security device that performs TLS intercept (SSL inspection). As might be expected, this breaks passkey Cross-Device Authentication (CDA) functionality, since the thumbprints don't match end-to-end between the authenticator (iPhone) and the client (laptop). As soon as I disable the VPN tunnel through our security device, the passkey login works as expected.
The security team is willing to exclude the relay servers from SSL inspection, but we are unable to find a list of the relevant endpoints. Is there a list of Apple relay servers that are used for passkey tunnelling? We can review the network logs to find the traffic, but I'd prefer an authoritative list.
For full context: we are using device-bound passkeys via Microsoft Authenticator to login to Entra but, as I understand it, the passkey is still handled via Apple's standard passkey infrastructure and APIs.
Thanks!