Passkeys in iCloud Keychain


Use public-key-based credentials using the WebAuthn standard that are synced with iCloud Keychain.

Posts under Passkeys in iCloud Keychain tag

108 Posts
Each post below is listed with its title and excerpt, followed by its reply count, boost count, view count, and last activity.

Passkeys AutoFill Provider
We are trying to implement the new feature that was introduced in iOS 17, Passkeys Autofill Provider. We've created a new 'AutoFill Credential Provider' target and embedded it into our host app. We've implemented the 'CredentialProviderViewController,' which is inherited from 'ASCredentialProviderViewController.' When we go to 'https://webauthn.io' to trigger the passkeys view, everything is working as expected when we press 'Register.' The function 'override func prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest)' is called, but... We know that we need to call 'self.extensionContext.completeRegistrationRequest(using:)' but we don't know how to construct the response. We didn't find any examples or explanations of how to use this API. Can someone help us with this? Thank you.
Replies: 4 | Boosts: 1 | Views: 1.1k | Activity: Aug ’23
Autofill Passkey
Hello, I used the new "Autofill Passkey" feature in my app, and all the registration steps were done well. Finally, the credential is registered in WebAuthn. But the problem is that when I tap on the "GetAssertion" button, instead of showing my autofill extension UI, a QR code is displayed and the function "prepareInterfaceToProvideCredentialForRequest" is not called. What is the problem? (The app is installed on an iPhone with iOS 17.)
Replies: 4 | Boosts: 0 | Views: 943 | Activity: Sep ’23
Passkey AutoFill - How to get AttestationObject ?
We are trying to support Passkey Management in our app with the latest iOS 17 Passkey Autofill. During this process, we have a few doubts and queries. First, we have configured the AutoFill extension for external passkey management. Next, we used the 'prepareInterface(forPasskeyRegistration:)' delegate for passkey generation. We are facing an issue creating the attestationObject for 'ASPasskeyRegistrationCredential'. Here, we're not sure if we need to create the attestationObject ourselves (if so, any documentation or help regarding this would be appreciated) or whether there is an API to get the attestationObject that we are missing.

    override func prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest) {
        let request = registrationRequest as! ASPasskeyCredentialRequest
        let passkeyRegistration = ASPasskeyRegistrationCredential(
            relyingParty: request.credentialIdentity.serviceIdentifier.identifier,
            clientDataHash: request.clientDataHash,
            credentialID: Data(UUID().uuidString.utf8),
            attestationObject: "????")
        extensionContext.completeRegistrationRequest(using: passkeyRegistration)
    }

We have even tried passing a hardcoded attestationObject (we used an existing attestationObject received via iCloud Keychain), but we still got an empty 'ClientDataJSON' in the 'authorizationController(controller:' delegate.
Replies: 2 | Boosts: 0 | Views: 679 | Activity: 3w
Use last used passkey as default
I have two logins for one website, so two different accounts with different email addresses. For both accounts I have stored a passkey for the login. If I now use the passkey for account 1 and log in successfully, account 2 is selected for me the next time I would like to log in, and I then have to manually select account 1 in order to log in with it again. To me it would make much more sense if the system always used/suggested the last used account/passkey. My system: macOS Monterey Version 12.6.8 (21G725), Safari Version 16.6 (17615.3.12.11.3, 17615)
Replies: 1 | Boosts: 0 | Views: 332 | Activity: Sep ’23
Passkeys Provider is not working as expected.
It appears that this method from ASCredentialProviderViewController is not being called at all. I am unable to trigger it. Ref: func prepareCredentialList(for serviceIdentifiers: [ASCredentialServiceIdentifier], requestParameters: ASPasskeyCredentialRequestParameters). I expected it to be triggered when the RP has a list of allowCredentials, but I still get: override func prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest). Am I missing something?
Replies: 1 | Boosts: 0 | Views: 398 | Activity: Sep ’23
Third-Party Passkey Provider Compatibility
I suspect this is an issue with Google's passkey implementation, but it might not be, and if there is a solution I suspect this post will be useful for all other third-party passkey providers encountering the same issue. I have implemented Passkeys in our password manager using the new APIs introduced in iOS 17. Passkey attestation and assertion work as expected with every service we've tested that supports Passkeys (i.e. webauthn.io, GitHub, etc.). However, the only service that doesn't work is Google. I can create a passkey for Google using iCloud Keychain just fine, but for some reason, although my app successfully creates the passkey, Google is rejecting it. I suspect this is a security measure on Google's side, but it will be a UX nightmare for users of third-party passkey managers on iOS 17, as they won't be able to create or sign in with a passkey for Google (which will probably be the number 1 use case for using passkeys). When using iCloud Keychain to create a passkey, unlike other services, I noticed that Google actually recognises that I've used iCloud Keychain to create the Passkey, and labels the Passkey with "iCloud Keychain". Is Apple sending some additional identifying info in their attestation statement that I'm not sending? If not, how is Google able to identify the passkey provider (in this case "iCloud Keychain") by name? Could it be that Google has somehow whitelisted iCloud Keychain for Passkey creation, while disallowing third-party providers? Assuming it is the latter, unfortunately there is no way to reach out to Google about this. I suspect Apple would need to advocate on behalf of third-party providers running on Apple platforms, that they be allowed to provide passkeys for Google sign-in. It's a shame to hit this type of roadblock so close to the iOS 17 release candidate.
Replies: 4 | Boosts: 1 | Views: 1.3k | Activity: Sep ’23
Passkeys don't respect WebAuthn specs (RP ID)
Looks like a security flaw in ASCredentialProviderViewController. Register a new Passkey on foo.example.com. Now iOS 17 (RC) will suggest and permit selecting the Passkey to log in to bar.example.com, which is against the specs. From the specs: "For example, given a Relying Party whose origin is https://login.example.com:1337, then the following RP IDs are valid: login.example.com (default) and example.com, but not m.login.example.com and not com." It also looks like a bug in this method: func prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest). If I've registered my Passkey for RP foo.example.com and I'm trying to log in to bar.example.com (the bug), ASCredentialRequest.credentialIdentity.serviceIdentifier.identifier is foo.example.com even though I am trying to log in to bar.example.com; from this we can't tell on what RP this Passkey is being used, and can't restrict the use of the Passkey in case it is used on the wrong RP. P.S.: iCloud Passkeys work as expected.
Replies: 6 | Boosts: 0 | Views: 947 | Activity: Sep ’23
ASCredentialIdentityStore.removeCredentialIdentities does NOT remove the credential as expected
What could be the reason that, after saving and then deleting the same list of [ASPasskeyCredentialIdentity], the credential still shows up in the OS UI (QuickType bar, or when tapping the password key icon on top of the keyboard)? Does that mean the remove operation failed? But our log indicates that the removeCredentialIdentities completion closure succeeded without error. And for the ASPasskeyCredentialIdentity initialization, we fill in the parameters from the same object, so we believe the id parameter should be the same (which identifies the same ASPasskeyCredentialIdentity to be saved and removed). What could be the reason that it is still showing up in the OS UI? Is this a known issue?
Replies: 7 | Boosts: 1 | Views: 974 | Activity: Oct ’23
Autofill Passkey - operation failed
Everything was working well in the beta version of iOS 17, and registration and login were done correctly. However, after installing the public (release) version of iOS 17, the functions "completeRegistrationRequest" and "completeAssertionRequest" do not work properly and their completion result is false, and I face the "Operation failed" error on the "webauthn" website. What's wrong?
Replies: 2 | Boosts: 0 | Views: 710 | Activity: Sep ’23
Passkey for wallet creation problem
Hey there, I'm facing a problem with creating a passkey .pkpass. The problem is I have to create a passkey using a certificate created by macOS, then upload it to the App Store, then import it into the keychain, and then I can create a .pkpass. But I want to create it on my Django server for my customers whenever a customer creates their digital business card. When I created it on my other MacBook, where that certificate is not imported, the .pkpass is not created, and if I create it in any other way it is not going to open. Please help me with how I can create it for each customer on the server dynamically.
Replies: 1 | Boosts: 1 | Views: 464 | Activity: Sep ’23
How to identify whether a passkey is created from an Apple device (iCloud Keychain)
Hi, I am currently implementing the ability to allow users to add a Passkey to their account by using the WebAuthn API. My current issue is that I would like to identify what type of device/authenticator the user has used to create their passkey so that we can automatically set a nickname for the passkey to help the user experience (e.g. if a user has set up a passkey on an Apple device, we would auto-set the nickname as iCloud Keychain so it's clear to the user that the passkey is not specific to just the device they set it up on). After some reading, it seems that when creating a new passkey via an Apple device, it will not send a populated attestation with any sort of attestation statement, aaguid, fmt, etc., and this is what I have been seeing in my testing of my implementation. My question is: instead of using an aaguid, is there an alternative way to identify that the user has created a passkey via iCloud Keychain? I can see that when creating a passkey for my Google account via my iPhone/MacBook, they seem to be able to identify when a passkey is created on an Apple device and label it automatically as "iCloud Keychain", and this applies both to doing it via platform and cross-platform. I essentially want to be able to achieve this, but I'm not sure how this can be done.
Replies: 2 | Boosts: 0 | Views: 1.1k | Activity: Oct ’23
Sign in with passkeys on a simulator
Hi Everyone. Context: I'm working on allowing my app to log in using passkeys/security keys. It all works great on a device, but it doesn't when I try to log in using the simulator. Problem: On the simulator, I can go until the simulator presents the QR code so another device can sign the challenge, but the device can't establish a connection with the simulator. I'm assuming the connection can't be established because the simulator does not support Bluetooth, which is a requirement for passkeys. Question: Am I bound to only develop on a real device from now on? Or is there a way to make passkeys work with the simulator? Thanks in advance! [Screenshots: Simulator, Device]
Replies: 2 | Boosts: 0 | Views: 1.7k | Activity: Oct ’23
About iOS 17 passkeys
I have many questions about iOS passkeys. I'm using my app extension to implement something similar to an iCloud passkey authenticator. I securely store my self-generated keys in the Secure Enclave (SE). I'd like to know how to make the extension execute the prepareInterfaceToProvideCredentialForRequest method instead of provideCredentialWithoutUserInteractionForIdentity. I need to display a UI to obtain my key. Please provide assistance. Thank you.
Replies: 1 | Boosts: 0 | Views: 545 | Activity: Oct ’23
Passkeys Implementation problem
Hello! We are trying to add passkeys support to our iOS application. Following this documentation, Supporting Passkeys, we get the following error: authorizationController(controller:didCompleteWithError:): The operation couldn't be completed. Application with identifier X is not associated with domain X. We have the associated domains configured, and an AASA tool shows that everything is correctly set up and the identifier is associated with the domain. We are using Xcode 15. Any idea on how to solve this problem is greatly appreciated!
Replies: 1 | Boosts: 0 | Views: 604 | Activity: Oct ’23
Security Key / Passkey authentication on MacOS - Request already in progress for specified application identifier
Hi, I created a proof of concept app that leverages ASAuthorizationController to authenticate using FIDO2 security keys and passkeys. I get an auth challenge from an internal provider, and leverage the above API(s) to authenticate. Basically the same use case as the following (using existing account): https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_security_key_authentication_using_physical_keys#3761984 Initially it worked fine, I got a pop-up with a user prompt. However, after canceling one of the requests (can't remember whether I force-closed the window or just clicked Cancel) I get an error on every subsequent request: response: {"error":"The operation couldn’t be completed. Request already in progress for specified application identifier."} log stream | grep fido2 output: 2023-10-17 16:52:52.740329+0100 0x3f329d Default 0x7d21c1 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=49962.1, attribution={responsible={TCCDProcess: identifier=com.facebook.fbvscode, pid=3687, auid=501, euid=501, responsible_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron, binary_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron}, requesting={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, }, 2023-10-17 16:52:52.750530+0100 0x3f329d Default 0x7cde39 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=402.3441, attribution={responsible={TCCDProcess: identifier=com.facebook.fbvscode, pid=3687, auid=501, euid=501, responsible_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron, binary_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron}, accessing={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, 
binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, requesting={TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer}, }, 2023-10-17 16:52:52.750603+0100 0x3f329d Default 0x7cde39 404 0 tccd: [com.apple.TCC:access] requestor: TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer is checking access for accessor TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 2023-10-17 16:52:52.803355+0100 0x3f32ad Default 0x0 376 0 launchservicesd: [com.apple.launchservices:cas] CHECKIN:0x0-0xa50a50 49962 com.meta.fido2macos.localDevelopment 2023-10-17 16:52:52.818560+0100 0x3f1eb0 Default 0x7c91e2 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.sharedfilelist.change object: com.apple.LSSharedFileList.ApplicationRecentDocuments/com.meta.fido2macos.localdevelopment token: f50000004b pid: 994 2023-10-17 16:52:52.846529+0100 0x3f1eb0 Default 0x0 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.xctest.FakeForceTouchDevice object: com.meta.fido2macos.localDevelopment token: 1c00000023 pid: 49962 2023-10-17 16:52:52.866484+0100 0x3f1eb0 Default 0x0 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.nsquiet_safe_quit_give_reason object: com.meta.fido2macos.localDevelopment token: 1f00000020 pid: 49962 2023-10-17 16:52:53.027489+0100 0x3f329d Error 0x7d21c8 404 0 tccd: [com.apple.TCC:access] TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, 
binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement 2023-10-17 16:52:53.027604+0100 0x3f329d Default 0x7d21c8 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=49962.2, attribution={accessing={TCCDProcess: identifier=com.knollsoft.Rectangle, pid=1134, auid=501, euid=501, binary_path=/Applications/Rectangle.app/Contents/MacOS/Rectangle}, requesting={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, }, 2023-10-17 16:52:53.059785+0100 0x3f2257 Default 0x7d21c7 77540 0 AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Received connection from V9WTTPBFK9.com.meta.fido2macos.localDevelopment I also tried calling ASAuthorizationController::cancel (https://developer.apple.com/documentation/authenticationservices/asauthorizationcontroller/3950923-cancel) in random places but that didn't help either. Happy to follow up more details / code if necessary. Thanks! Similar issue: https://developer.apple.com/forums/thread/723850
Replies: 1 | Boosts: 0 | Views: 531 | Activity: Oct ’23