Passkeys in iCloud Keychain


Use public-key credentials based on the WebAuthn standard that are synced with iCloud Keychain.

Posts under Passkeys in iCloud Keychain tag

36 Posts
Post not yet marked as solved
0 Replies
162 Views
I've an app which uses the associated domains capability to enable universal links and password saving. Both features are working, except for one tiny detail. There are two domains associated with the app. The primary domain is the one commonly used to access the web app, and the secondary domain was added for historic reasons and to handle universal links to the older domain. When a user signs in to the app using username and password, it always gets saved against the secondary domain name and not the primary one. I tried changing the order in which the domains are defined in the entitlements file, but no joy. I even tried adding the webcredentials key to the ASA file under both domains, and that didn't work either. Is there a way to direct iOS to prefer one domain over the other so that the credential gets saved against the primary domain?
Post not yet marked as solved
3 Replies
333 Views
Right now users need to enable passkeys from Safari by enabling the developer mode in order to use them in applications. From the docs: "In macOS, choose Safari > Preferences, click the Advanced tab, and select the “Show Develop menu in menu bar” option. Then choose the Develop > Enable Syncing Platform Authenticator menu in Safari." Is Apple planning to enable it by default in later releases of macOS? Are there any official applications already using this feature?
Post not yet marked as solved
4 Replies
423 Views
Many thanks to Garrett Davidson for his exceptional WWDC2022 presentation: https://developer.apple.com/videos/play/wwdc2022/10092/ Basic question: how is the private key for a passkey stored on a local device (let's say within the Edge or Chrome browser)? Is it in an encrypted cookie? If so, how is the local encryption done?
Post not yet marked as solved
1 Replies
204 Views
The video says that we should call signOn() as soon as possible, even before the user focuses the username text field (e.g. in viewDidLoad). This method is supposed to obtain a challenge from the server, create the authorization provider, request and controller, and eventually call controller.performAutoFillAssistedRequests(). But that means the challenge from the server is needed before the username is known, so... how can the server know which public key it should use to construct the challenge?
Post marked as solved
1 Replies
287 Views
Excellent work on Passkeys. For context, I’m soon to release a Password Manager app that is built specifically for Apple devices only (iOS, iPadOS, macOS). A user’s vault items are encrypted on their own device and synced end-to-end encrypted via their own private iCloud database. As you’d expect, the app requires the user to enter their master password to unlock their vaults, and allows them to optionally enable Touch or Face ID for a passwordless unlock experience. In this scenario where there is no third-party server involved, and auth takes place on-device only, is there any meaningful way an app like this can or should take advantage of Passkeys? The only thing I can think of so far would be to allow the user to use a Passkey instead of a master password to unlock their vault. But aside from the convenience factor for the user in terms of UX, I’m not entirely sure I understand if there would be any major security advantage in doing so, over the app’s existing auth/unlock flow?
Post not yet marked as solved
3 Replies
263 Views
I want to fetch the certificate chain related to the secret key (used for encrypting data in the keychain) stored inside the secure enclave of any iPhone device. This certificate chain will be used to verify that the user is connected using a valid iPhone device.
Post not yet marked as solved
1 Replies
133 Views
This document, "Set up iCloud Keychain" (https://support.apple.com/en-us/HT204085), contains this statement: "create an iCloud Security Code—six digits, complex alphanumerics, or randomly generated". Is six digits the design limit? Can a more complex iCloud Security Code be set? Thanks! P.S. This forum is way better than Stack Overflow!
Post not yet marked as solved
1 Replies
119 Views
I don't currently see a means of generating a registration/authentication request with this. Do Passkeys currently support the handling/processing of client extensions as defined by WebAuthn? If so, is there a reference list of client extensions supported by Passkeys? In particular, do Passkeys support creation of 'payment' credentials via the payment extension (https://www.w3.org/TR/secure-payment-confirmation/#sctn-payment-extension-registration)?
Post not yet marked as solved
1 Replies
104 Views
We are seeing a difference in WebAuthn behavior between Safari desktop and mobile in iOS 15.5. If a user logs out of our site but keeps the session alive by having Safari remain open, upon logging in they are unable to re-authenticate using WebAuthn in iOS 15.5. The error we're seeing is:

"User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' or 'navigator.credentials.get' within user activated events."

Observations:
- This works in Safari desktop.
- It worked in Safari iOS prior to iOS 15.5.
- Reloading the page in iOS 15.5 allows it to work normally.

Something about the JavaScript environment seems to prevent WebAuthn re-authentication without reloading the page. Why is the behavior different between desktop, iOS 15.5, and previous versions of iOS? Any insight or suggested work-around would be appreciated. What are we missing?
Post not yet marked as solved
3 Replies
53 Views
Hi, I've been looking at the Shiny PassKey example app. There are the following lines:

// The attestationObject contains the user's new public key to store and use for subsequent sign-ins.
let attestationObject = credentialRegistration.rawAttestationObject

The attestationObject is raw bytes and certainly doesn't look big enough to contain a public key. I was expecting to see a public key; can anyone confirm if a public key is accessible? The help also says: "This object contains the public key. If you request it, it also contains the attestation statement." This statement too seems slightly wrong; it's an attestation from the get-go. The help links off to this site: https://www.w3.org/TR/webauthn-2/#attestation-object Can anyone shed any light on this? It's quite confusing.
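On the size question in the post above: a WebAuthn attestation object is a CBOR map with three entries, fmt, attStmt and authData, and the public key is not a separate field but sits inside authData, CBOR-encoded as a COSE_Key after the 32-byte rpIdHash, the flags byte, the 4-byte counter, the 16-byte AAGUID and the length-prefixed credential ID. A P-256 key in that encoding is 77 bytes, and with fmt "none" the attStmt is empty, so the whole blob is typically well under 200 bytes. The Go program below is an added example, not code from the Shiny sample or from Apple: it parses that authData layout and recovers the credential ID and public key, and it hand-assembles a sample authData from a freshly generated key as constructed input, since no real device output is on this page. It stops at the authData layer; pulling the authData byte string out of the outer attestation-object map is left to a CBOR library. The rpID example.com and the credential ID string are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// authData layout (WebAuthn Level 2, section 6.1): rpIdHash[32] | flags[1] | signCount[4] and, when the AT flag (0x40) is set, aaguid[16] | credIdLen[2, big-endian] | credId | credentialPublicKey (COSE_Key, CBOR).
// cborItem decodes one CBOR item of the kinds a COSE EC2 key uses: unsigned int, negative int, byte string, or a map header. n is the number of bytes consumed.
func cborItem(b []byte) (major byte, val int, bs []byte, n int, err error) {
	if len(b) == 0 {
		return 0, 0, nil, 0, errors.New("cbor: truncated")
	}
	major, arg, n := b[0]>>5, int(b[0]&0x1f), 1
	if arg == 24 && len(b) > 1 {
		arg, n = int(b[1]), 2
	} else if arg == 25 && len(b) > 2 {
		arg, n = int(binary.BigEndian.Uint16(b[1:3])), 3
	} else if arg >= 24 {
		return 0, 0, nil, 0, errors.New("cbor: unsupported or truncated argument")
	}
	switch major {
	case 0, 5: // unsigned int, or map header where val is the pair count
		val = arg
	case 1:
		val = -1 - arg
	case 2:
		if len(b)-n < arg {
			return 0, 0, nil, 0, errors.New("cbor: truncated byte string")
		}
		bs, n = b[n:n+arg], n+arg
	default:
		return 0, 0, nil, 0, errors.New("cbor: unsupported major type")
	}
	return major, val, bs, n, nil
}

// parseCOSEKey accepts only {1: 2 (EC2), 3: -7 (ES256), -1: 1 (P-256), -2: x, -3: y} and checks the point is on the curve.
func parseCOSEKey(b []byte) (*ecdsa.PublicKey, error) {
	major, pairs, _, pos, err := cborItem(b)
	if err != nil || major != 5 {
		return nil, errors.New("cose: public key is not a CBOR map")
	}
	ints, bs := map[int]int{}, map[int][]byte{}
	for i := 0; i < pairs; i++ {
		km, label, _, kn, err := cborItem(b[pos:])
		if err != nil || km > 1 {
			return nil, errors.New("cose: map label is not an integer")
		}
		vm, v, vb, vn, err := cborItem(b[pos+kn:])
		if err != nil || vm == 5 {
			return nil, errors.New("cose: unsupported value")
		}
		ints[label], bs[label], pos = v, vb, pos+kn+vn
	}
	if ints[1] != 2 || ints[3] != -7 || ints[-1] != 1 || len(bs[-2]) != 32 || len(bs[-3]) != 32 {
		return nil, errors.New("cose: only EC2 / ES256 / P-256 keys with 32-byte x and y are accepted")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(bs[-2]), Y: new(big.Int).SetBytes(bs[-3])}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("cose: point is not on P-256")
	}
	return pub, nil
}

// ParseAuthData returns the flags byte, credential ID and public key from registration (attestation) authData.
func ParseAuthData(ad []byte) (flags byte, credID []byte, pub *ecdsa.PublicKey, err error) {
	if len(ad) < 55 || ad[32]&0x40 == 0 {
		return 0, nil, nil, errors.New("authData: no attested credential data (too short or AT flag clear)")
	}
	idLen := int(binary.BigEndian.Uint16(ad[53:55]))
	if len(ad) < 55+idLen {
		return 0, nil, nil, errors.New("authData: truncated credential ID")
	}
	pub, err = parseCOSEKey(ad[55+idLen:])
	return ad[32], ad[55 : 55+idLen], pub, err
}

// BuildSampleAuthData hand-assembles registration authData for pub: constructed test input, not device output.
func BuildSampleAuthData(rpID string, credID []byte, pub *ecdsa.PublicKey) []byte {
	h := sha256.Sum256([]byte(rpID))
	ad := append(h[:], 0x45, 0, 0, 0, 0)                                        // flags UP|UV|AT, signCount 0
	ad = append(ad, make([]byte, 16)...)                                        // zero AAGUID
	ad = append(append(ad, byte(len(credID)>>8), byte(len(credID))), credID...) // length-prefixed credential ID
	ad = append(ad, 0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20) // COSE_Key {1:2, 3:-7, -1:1, -2:bstr(32)
	ad = append(ad, pub.X.FillBytes(make([]byte, 32))...)
	ad = append(ad, 0x22, 0x58, 0x20) // -3: bstr(32)
	return append(ad, pub.Y.FillBytes(make([]byte, 32))...)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	_, id, pub, err := ParseAuthData(BuildSampleAuthData("example.com", []byte("constructed-credential-id"), &priv.PublicKey))
	fmt.Println("credential ID:", string(id), "key recovered:", err == nil && pub.Equal(&priv.PublicKey))
}
```

The parser refuses anything but an EC2/ES256/P-256 key and checks that the decoded point is on the curve, so a corrupted or substituted key fails at registration rather than at the first sign-in. Store the credential ID and the public key together; the credential ID is what the authenticator returns later to tell you which key to verify with.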
Post not yet marked as solved
3 Replies
74 Views
I'm trying to do some form of autofill for a WKWebView on iOS and don't want to save CC info to our servers, so I was wondering if I'm allowed to save it to the keychain if the user chooses to let us. I know at least one app seems to be doing something along those lines, but I wanted to know if it's against the ToS.
Post not yet marked as solved
1 Replies
45 Views
Hi all. I'm trying to add passkeys as an authentication method to my app, but I'm running into a problem. Based on the new passkey implementation, we need to create a challenge every time a user visits the login page. Two questions:
1. If we incorporate passkeys, we will need to create a challenge on the server and store it every time a user even visits the login page. This would make it extremely easy for attackers to DDoS us and fill up our database. Our current solution to this is exclusively IP-based throttling. Is there a better solution recommended by Apple?
2. Ideally we would get the usernames/public keys/credential IDs of the passkeys before the user goes through biometrics to actually use the passkey. That way we could only issue challenges associated with those accounts. Is there a way to do this via the Apple APIs?
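The two questions on this page that turn on the challenge, the earlier one about performAutoFillAssistedRequests() needing a challenge before the username is known and the one above about storing a challenge per page visit, have the same answer in the WebAuthn data model: the challenge is a random value the relying party must later recognise, and it is not bound to any user or key. The server learns which public key to verify with from the credential ID the authenticator returns inside the assertion. That also means the challenge need not be stored at all if it is self-authenticating: a nonce and an expiry under an HMAC the server can recompute. The Go example below is added here and is neither Apple's code nor the posters'; it issues such a challenge, simulates the client-side signature, and verifies the assertion by credential-ID lookup. The HMAC key, the rpID example.com, the origin https://example.com and the credential ID cred-1 are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// clientDataJSON as the client produces it; the challenge is base64url-encoded without padding.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// IssueChallenge returns nonce[16] || expiry[8] || HMAC-SHA256(key, nonce||expiry): 56 bytes the server
// never stores, so an unauthenticated page load costs no database row.
func IssueChallenge(key []byte, now time.Time) []byte {
	c := make([]byte, 24, 56)
	rand.Read(c[:16])
	binary.BigEndian.PutUint64(c[16:], uint64(now.Add(2*time.Minute).Unix()))
	m := hmac.New(sha256.New, key)
	m.Write(c)
	return m.Sum(c) // Sum appends the MAC to c
}

// checkChallenge recomputes the MAC (constant-time compare) and rejects expired challenges; no lookup needed.
func checkChallenge(key, c []byte, now time.Time) error {
	if len(c) != 56 {
		return errors.New("challenge: bad length")
	}
	m := hmac.New(sha256.New, key)
	m.Write(c[:24])
	if !hmac.Equal(m.Sum(nil), c[24:]) || now.Unix() > int64(binary.BigEndian.Uint64(c[16:24])) {
		return errors.New("challenge: bad MAC or expired")
	}
	return nil
}

// VerifyAssertion checks a WebAuthn assertion. The credential ID the authenticator returns selects the
// public key from the registered set; the challenge never had to know who the user is.
func VerifyAssertion(key []byte, creds map[string]*ecdsa.PublicKey, rpID, origin string, credID, authData, cdj, sig []byte, now time.Time) error {
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin {
		return errors.New("clientData: wrong type or origin")
	}
	ch, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil {
		return err
	}
	if err := checkChallenge(key, ch, now); err != nil {
		return err
	}
	pub, ok := creds[string(credID)]
	if !ok {
		return errors.New("unknown credential ID")
	}
	rp := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || string(authData[:32]) != string(rp[:]) || authData[32]&0x01 == 0 {
		return errors.New("authData: too short, wrong rpIdHash, or user-presence flag clear")
	}
	cdh := sha256.Sum256(cdj)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) { // ES256 signatures arrive DER-encoded
		return errors.New("signature invalid")
	}
	return nil
}

// SimulateAuthenticator stands in for the device: it signs SHA256(authData || SHA256(clientDataJSON)).
func SimulateAuthenticator(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte) (authData, cdj, sig []byte) {
	rp := sha256.Sum256([]byte(rpID))
	authData = append(rp[:], 0x05, 0, 0, 0, 0) // flags UP|UV, then a zero 4-byte signCount
	cdj, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	cdh := sha256.Sum256(cdj)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return authData, cdj, sig
}

func main() {
	key := []byte("constructed-server-hmac-key-rotate-me")
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ch := IssueChallenge(key, time.Now()) // handed out on page load, before any username is known
	ad, cdj, sig := SimulateAuthenticator(priv, "example.com", "https://example.com", ch)
	err := VerifyAssertion(key, map[string]*ecdsa.PublicKey{"cred-1": &priv.PublicKey}, "example.com", "https://example.com", []byte("cred-1"), ad, cdj, sig, time.Now())
	fmt.Println("assertion accepted:", err == nil)
}
```

A purely stateless challenge can be replayed until its expiry, so keep the TTL short and, where strict single-use matters, record consumed challenges in a cache that expires with the TTL; that bounds storage to the TTL window instead of to every page load. The example also skips the signature counter; WebAuthn permits a counter that stays at zero, so treat only a non-zero counter that fails to increase as a clone signal.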