Post not yet marked as solved
Garritt,
Kudos for leadership on making Apple PassKeys a reality.
would like to consult with Apple security/privacy/authentication teams about new anon/auth tools for web security and device logins generally. concepts are shared in uspto pending patent app 17/572336, for which notice of allowance has issued.
thanks,
timo
founder and seo
PoKos Communications Corp.
603.491.9792 (m)
Post not yet marked as solved
How to make an APP offer to save access credentials in the iCloud keychain
Hey all, so I currently have a passkey provider application on iOS that works for every RP except for google.
I found this post here saying the AttestationObject needs to be an ordered dictionary and can confirm on https://webauthn.me/debugger that my object is an ordered dictionary in the correct format.
However, google fails to create the key every time saying generically the passkey can't be saved at this time.
I'm just curious if there is something unique about google, like are they maybe whitelisting providers? Or do they require something extra that I need to send?
I can't find any other information for why google wouldn't work while everyone else does.
Thanks in advance for any help!
I'm developing an iOS app that contains a Credential Provider Extension, and I want it to support passkeys. I've set the ProvidesPasskeys key to YES in the Info.plist of the extension, and in the CredentialProviderViewController I've implemented:
func prepareCredentialList(
for serviceIdentifiers: [ASCredentialServiceIdentifier]
)
func provideCredentialWithoutUserInteraction(
for credentialRequest: ASCredentialRequest
)
func prepareInterfaceToProvideCredential(
for credentialRequest: ASCredentialRequest
)
func prepareInterface(
forPasskeyRegistration registrationRequest: ASCredentialRequest
)
Standard password autofill suggestions that I have added to the system store are presented to me when I arrive to the corresponding login page, and the autofill flow succeeds via my extension. When I attempt to create a new passkey on my iPhone, whether it be in Safari on a website that supports passkeys (e.g. google.com) or within a native app that supports the creation of passkeys (e.g. PayPal), I am not given the option to create a passkey using my extension. The only option that is provided to me is the builtin Keychain option. On the "Settings->Passwords->Password Options" page I have "AutoFill Passwords and Passkeys" switch on and in the section titled "USE PASSWORDS AND PASSKEYS FROM:". I have selected both my app and "iCloud Passwords & Keychain". If I uncheck "iCloud Passwords & Keychain" and then attempt to create a passkey then I am shown a system sheet which tells me to go to the settings page to "choose how to manage passkeys".
Any ideas on how to troubleshoot this situation?
Thanks very much!
-Jeremy
Hi all, I'm trying to create a passkey provider application and I can consistently register a passkey through
'prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest)' everywhere that accepts passkeys.
However, when I attempt to then use that passkey to sign in with 'provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest)'
My code will work on some sites.. and not others.
For instance: https://passkey.org/ and https://webauthn.io/ both work flawlessly.
But if I then try to do the same with Github, Uber, or Coinbase (really any application "in the wild") the assertion portion fails with a generic error like "This passkey can't be used anymore."
I've debugged every request and response object line by line and can't find a single difference between a site that works, and one that doesn't.. Does anyone know why this could be the case?
Here's my assertion code:
guard let request: ASPasskeyCredentialRequest = credentialRequest as? ASPasskeyCredentialRequest else { return }
// Following specs from here: https://www.w3.org/TR/webauthn/#sctn-signature-attestation-types
let hashedRp: [UInt8] = Array(SHA256.hash(data: Data(request.credentialIdentity.serviceIdentifier.identifier.data(using: .utf8) ?? Data([]))))
let flags:[UInt8] = [29] // 00011101 - only one that seems to work
let counter:[UInt8] = [0, 0, 0, 1] // just for testing, always the first for now until this works
let authData = hashedRp + flags + counter
let signature = try privateKey.signature( for: Data(authData + request.clientDataHash) )
let response: ASPasskeyAssertionCredential = ASPasskeyAssertionCredential(
userHandle: Data(request.credentialIdentity.user.utf8),
relyingParty: request.credentialIdentity.serviceIdentifier.identifier,
signature: signature.derRepresentation,
clientDataHash: request.clientDataHash,
authenticatorData: Data(authData),
credentialID: Data(credentialId.utf8)
)
extensionContext.completeAssertionRequest(using: response)
Any help would be very appreciated as I've been stuck on this for a while now.
Post not yet marked as solved
What is the difference between ASPasskeyCredentialIdentity.userName and ASPasskeyCredentialIdentity.user ?
From https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialuserentity-displayname there should be only displayName.
Post not yet marked as solved
*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: 'Application tried to present modally a view controller <_SFAppAutoFillPasswordViewController: 0x106e22ee0> that is already being presented by <UIKeyboardHiddenViewController_Autofill: 0x106e25a10>.'
IOS16(not sure other OS version could reproduce this or not) click on textfield, then keyboard shows(with a key button above), click key button, it crashes randomly.
Post not yet marked as solved
// Example configuration: com.apple.configuration.security.passkey.attestation
{
"Type": "com.apple.configuration.security.passkey.attestation",
"Identifier": "B1DC0125-D380-433C-913A-89D98D68BA9C",
"ServerToken": "8EAB1785-6FC4-4B4D-BD63-1D1D2A085106",
"Payload": {
"AttestationIdentityAssetReference": "88999A94-B8D6-481A-8323-BF2F029F4EF9",
"RelyingParties": [
"www.example.com"
]
}
}
Post not yet marked as solved
Hey Apple team (and eskimo 🙏),
Our FinTech app uses iCloud Keychain shared web credentials to store a secure encryption password in iCloud Keychain.
Some of our new users seem to run into an issue where the app fails to successfully create a shared web credential.
All users are required to have the following two settings enabled:
Settings --> Passwords --> Password Options --> Autofill from iCloud Passwords & Keychain
Settings --> Apple D - -> iCloud - -> Passwords and Keychain --> 'Sync this iPhone'
The issue appears to resolve itself when the user restarts their iPhone. We've had this bug 3 times now and would like to understand the root cause.
We have a couple hypotheses:
iOS is failing to verify that the domain for the shared web credential is valid via <domain>/.well-known/apple-app-site-association (and then restarting triggers reverification)
Users were on a version of iOS where it was bugged (and then restarting finally completed an update to a new version). We've verified that the bug happened on 17.0.2 with one user (until they updated and it fixed itself)
Post not yet marked as solved
I'm trying to implement passkeys in my multiplatform (iOS/macOS) app, and it works on iOS, but on macOS I get the following errors:
ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)"
Passkey authorization failed. Error: The operation couldn’t be completed. Application with identifier <identifier omitted> is not associated with domain <domain omitted>
The associated domain is correctly configured, since it works on iOS. Adding ?mode=developer also doesn't resolve the problem.
Post not yet marked as solved
I developed an app that implements autofill extension with ASCredentialProviderViewController to provide passkeys.
while it works smoothly on internal connections (e.g. register to webauthn.io on the same device where my app is installed), it fails when i'm scanning QR code on another device.
I suspect it's a problem with the flags of the passkey attestation object as the only difference between the 2 requests (internal and hybrid) I've found is that the userVerificationPreference is changed from preferred (internal) to required (hybrid).
i sent those flags (both on hybrid and internal connection):
binary rep: 01011101
decimal rep: 93
is anyone has a clue what goes wrong?
Post not yet marked as solved
Hi all,
Trying to create a Passkeys registration in my app.
This is the implementation I have:
ASAuthorizationPlatformPublicKeyCredentialProvider *provider = [[ASAuthorizationPlatformPublicKeyCredentialProvider alloc] initWithRelyingPartyIdentifier:[[jsonDict objectForKey:@"rp"] objectForKey:@"id"]];
ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest *request = [provider createCredentialRegistrationRequestWithChallenge: [jsonDict objectForKey:@"challenge"] name:[[jsonDict objectForKey:@"user"] objectForKey:@"name"] userID:[[jsonDict objectForKey:@"user"] objectForKey:@"id"]];
ASAuthorizationController *controller = [[ASAuthorizationController alloc] initWithAuthorizationRequests:[NSArray arrayWithObject:request]];
controller.delegate = self;
controller.presentationContextProvider = self;
[controller performRequests];
But I get this error:
Remote proxy object error handler invoked with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."
Connection to agent service interrupted with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."
ASAuthorizationController credential request failed with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."
And this is the NSError I get in authorizationController:didCompleteWithError:
authorizationController error: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent" UserInfo={NSDebugDescription=connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent}
Everything is defined right (associated domains in project and .well-known).
Any reason I can't continue?
Edit: I'm with iOS 17.0 (21A5248v) and Xcode-Beta (15A5160n) if it matters.
Thanks
Hello,
We recently noticed that the passkeys that our application registers in the ASCredentialIdentityStore are removed after a while and we have to register them again.
Do you have any ideas? Or is it possible that this happens automatically even though the application is terminated?
Post not yet marked as solved
Hi!
Is there any way to automate passkey testcases for safari?
Does safari provide any emulated authenticator? The way we have virtual authenticator in chrome in developer tools.
If no, can you please suggest a way to automate passkey testing using safari?
Thank you!
Post not yet marked as solved
It appears that for a successful registration of a passkey to a relying party using passkey autofill provider, the BE BS bits/flags in the attestation response need to be set to true. Please refer FLAGS byte of authData field part of attestationObject mentioned here - https://www.w3.org/TR/webauthn-2/#sctn-attestation.
If those flags are set to false, the RP rejects saying - "The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client."
What are the implications of having those flags set to true? Does it make the generated passkey syncable across devices using same apple id? If yes, is there at all anyway possible by which a generated passkey can be made device bound, basically can be generated and used only on a single iPhone/iOS device?
Also, is there a plan to ever make those flags to be set to false in a future iOS release?
Also, what does it mean in the credential provider popup where it says - "Available where is installed." in the below screenshot?
Post not yet marked as solved
I'm trying to implement passkey authenticator on iOS.
while register works perfectly I'm still struggling with authenticating.
let's say this is the code I'm using to authenticate:
override func provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest){
guard let req: ASPasskeyCredentialRequest = credentialRequest as? ASPasskeyCredentialRequest else { return }
let hashedRp = hashRP(req.credentialIdentity.serviceIdentifier.identifier)
do {
let privateKey: P256.Signing.PrivateKey = try P256.Signing.PrivateKey(derRepresentation: Data(base64Encoded: CredentialProviderViewController.base64PrivateString) ?? Data([]))
let ad = hashedRp + [29, 0, 0, 0, 0]
let sig = try privateKey.signature(
for: SHA256.hash(data: Data(ad + req.clientDataHash))
)
let res: ASPasskeyAssertionCredential = ASPasskeyAssertionCredential(
userHandle: Data(hashedRp[0..<16]),
relyingParty: req.credentialIdentity.serviceIdentifier.identifier,
signature: sig.rawRepresentation,
clientDataHash: req.clientDataHash,
authenticatorData: Data(ad),
credentialID: Data(hashedRp[0..<16])
)
extensionContext.completeAssertionRequest(using: res)
} catch {}
}
this will produce:
authentication failed: 1 validation error for authenticationCredential __root__ string argument should contain only ascii characters.
what am i doing wrong?
Post not yet marked as solved
Hello everybody,
I'm trying to implement passkey provider for iOS device.
I'm in the register phase of the passkey.
Let's say this is my code to register request, what am I doing wrong?:
import SwiftCBOR
class CredentialProviderViewController: ASCredentialProviderViewController {
.
.
.
func generatePublicKeyCborEncoded() -> Data {
let privateKey = P256.Signing.PrivateKey()
let publicKey = privateKey.publicKey.x963Representation
let decoded: [CBOR: CBOR] = [
CBOR.init(integerLiteral: 1): CBOR.init(integerLiteral: 2),
CBOR.init(integerLiteral: 3): CBOR.init(integerLiteral: -7),
CBOR.init(integerLiteral: -1): CBOR.init(integerLiteral: 1),
CBOR.init(integerLiteral: -2): CBOR.byteString(publicKey[1..<33].map { $0 }),
CBOR.init(integerLiteral: -3): CBOR.byteString(publicKey[33..<65].map { $0 })
]
return Data(CBOR.encode(decoded))
}
@IBAction func onRegister(_ sender: UIButton) {
NSLog("onRegister called 1")
guard let request = newRegistrationRequest as? ASPasskeyCredentialRequest else {return}
let attObj: Data = generatePublicKeyCborEncoded()
let passkey: ASPasskeyRegistrationCredential = ASPasskeyRegistrationCredential(
relyingParty: request.credentialIdentity.serviceIdentifier.identifier,
clientDataHash: request.clientDataHash,
credentialID: Data([67, 92, 125, 254, 60, 232, 238, 248, 14, 107, 245, 21, 85, 130, 40, 54],
attestationObject: attObj
)
extensionContext.completeRegistrationRequest(using: passkey){ endedWell in
NSLog("onRegister called \(endedWell ? "" : "not") ended well")
}
}
}
Post not yet marked as solved
I am trying to implement a third party passkey credential provider and I have been able to successfully setup the project for that. Below is a sample code which I am using -
let passkeyRegistrationCredential = ASPasskeyRegistrationCredential(relyingParty: self.request?.credentialIdentity.serviceIdentifier.identifier ?? "", clientDataHash: self.request?.clientDataHash ?? Data(), credentialID: Data(credentialId), attestationObject: Data(attestationBytes)
self.extensionContext.completeRegistrationRequest(using: passkeyRegistrationCredential)
The attestationBytes object that I am generating and sending back to RP seems to work only if I set the "fmt" to "none", which basically requires "attStmt" to be sent as an empty value as per WebAuthn spec - https://www.w3.org/TR/webauthn-2/#sctn-none-attestation
When trying to set the "fmt" to "packed" in attestation object and creating a self signed "attStmt" consisting of "alg" and "sig" key-values referring - https://www.w3.org/TR/webauthn-2/#sctn-packed-attestation, it does not seem to work. The RP throws an error. I do not have "x5c" object as that supposedly is not mandatory in case of self attestation. I have "authData" also as part of the response properly setup.
Is it not possible to use packed attestation or am I missing something in creating the attestation object? Also, does Apple modify the response being sent in the background before sending to RP if packed fmt is used?
Post not yet marked as solved
After upgrading iOS from 17 to 17.1, the list of passkeys registered to the ASCredentialIdentityStore is not displayed in the Safari QuickType bar. (Google Chrome browser is ok)
Post not yet marked as solved
Hi everyone, I'm working on the verification of the PassKey signature for the integration of PassKey into our product.
I've implemented the verification of P256 signature and it's correctly verifying the passkey signature.
However, I want to know if Apple's Passkey signature is doing a malleability check
(if the signature's S value is <= N / 2).
If this is the case for Apple's passkey, I'm planning to also include this in the service for the signature verification to ensure a higher security level from the Passkey.
Can anyone please help to answer this question? I checked documentation and many articles but this wasn't stated in the documents.
Thank you for your answer in advance.
timoplatt.
