After upgrading iOS from 17 to 17.1, the list of passkeys registered to the ASCredentialIdentityStore is not displayed in the Safari QuickType bar. (Google Chrome browser is ok)

Hi everyone, I'm working on the verification of the PassKey signature for the integration of PassKey into our product. I've implemented the verification of P256 signature and it's correctly verifying the passkey signature. However, I want to know if Apple's Passkey signature is doing a malleability check (if the signature's S value is <= N / 2). If this is the case for Apple's passkey, I'm planning to also include this in the service for the signature verification to ensure a higher security level from the Passkey. Can anyone please help to answer this question? I checked documentation and many articles but this wasn't stated in the documents. Thank you for your answer in advance.

Hi, we want to implement passkey in our password manager, but we can not find documentation how to create passkey and save in our database? Can some one help?

We recently shipped option to sign up/in using passkeys. Everything was working as expected and we didn't have any issues with passing app store review process. Recently, when submitting new build with not passkey related updates, we got rejected due to the error, which apple reviewer faced during passkey creation. From our logs we can see that issue is about Associated Domains and webcredentials configuration: The operation couldn’t be completed. Application with identifier X is not associated with domain Y. The thing is that it is configured properly. AASA file is returned properly both from our server and from apple's CDN. Feature is 100% working on all our testing devices and we never got this error reported from any user. The only issue about that is received from reviewer device, which is iPad Air 5th generation on iOS 17.1.1 I was trying to reproduce the error in many ways, but I wasn't able to. Is it possible that the error is faced only by apple reviewers due to some specific environment setup they use? Or maybe TestFlight installs manage AASA files checking in some different way? I found something about that in one thread on apple developer forum: https://developer.apple.com/forums/thread/108339 but not sure if it can be related. Any help/guidance will be very appreciated, thanks!

hello, I want to use the latest addition in security i.e., passkeys across apple ecosystem. I have 2 iPhones (D1 and D2) I have created passkey from D1 for some RP (eg. walmart.com) D1 has a screen-lock using index-finger. The passkey is successfully stored in my iCloudKeyChain Now I go to D2 The screen-lock in D2 is made up of middle-finger. I configure my iCloudKeyChain on D2 using same apple-id If I want to bring the same passkey on D2 that I stored from D1 in iCloudKeyChain , am I required to provide screen unlock finger-print of D1 i.e., index-finger ?? Thanks.

Hello We have a react native iOS app and we are having issues with password autofill. We have read some documentation on "associated domains" but cant find anything specific to our issue. We don't currently have a website with login. Is that necessary to utilize password auto fill? Thanks for any help

Firstly massive thank you to the Passkeys team at Apple for opening up the APIs to allow third-party password manager apps to save and autofill Passkeys in iOS 17! I wasn't expecting this so soon. Incredible work. I have successfully implemented the new methods on ASCredentialProviderViewController, up to the point where our app's extension is now being presented when a user is prompted to "Create a passkey?". However two things are not entirely clear to me from this point on: When the user chooses our app to create a password by tapping "Continue", the prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest) method is called. Should I be handling passkey creation within this method? Really at this point I was expecting prepareInterface(forPasskeyRegistration: to be called instead. Are new passkeys automatically generated and returned by AuthenticationServices during this flow, or is it down to the developer to generate a new passkey here? I ask because the documentation for prepareInterface(forPasskeyRegistration: seems to imply the former, stating: "This method will present your extension's UI for user authentication before creating the passkey." Thanks again.

Does the passkey created using third party provider model get synced to iCloud Keychain? If yes, can we avoid that using the attestation object somehow to have it ties to the device where it was created? Being new to this domain, I am not sure if I am asking a right question.

If I prefer for Google to not have access to my data, passwords, and passkeys when possible. Then what is exactly access when using devices via Matter? Does any data pass through even when not using Google services?

We're doing some disaster recovery management / risk management and a point-of-failure for our app is if we lose access to our bundle id. From my understanding, secure keychain items are scoped to your bundle ID as well as iCloud files stored under the app with 'hidden' scope. Losing our bundle ID is a scenario we want to eliminate completely from our threat/disaster modelling. Is this a realistic concern we should have?

I updated the app bundle ID of my app in my associated domains file on my server which can be viewed using the Apple CDN at (https://app-site-association.cdn-apple.com/a/v1/myApp.app) and on my server at (https://myApp.app/.well-known/apple-app-site-association). All I did was update the app Bundle ID of my app in Xcode and likewise in the associated domains file, and now it is no longer working and I'm getting the error Application with identifier ABCDE12345.app.myApp.MyApp is not associated with domain myApp.app. This error is thrown when attempting to use the webcredentials portion of the associated domain file for logging in via Passkey. I've waited for 6 days to let the changes propagate through the CDN but the issue is persisting. Strangely enough, it has worked a few times since I changed it but almost always fails. This intermittent behavior leads me to believe it might be something up with the CDN? The only thing I changed about my appID was the domain, e.g. ABCDE12345.io.oldDomain.MyApp to ABCDE12345.app.myApp.MyApp. My file is structured as so: { "applinks": { "apps": [], "details": [ { "appID": "ABCDE12345.app.myApp.MyApp", "components": [ ... ] } ] }, "webcredentials": { "apps": [ "ABCDE12345.app.myApp.MyApp" ] } } Likewise I updated the entitlements in my app to webcredentials:myApp.app from webcredentials:oldDomain.io and similarly for the appLinks. I've tried deleting the app, restarting Xcode, clean builds, all that jazz to no avail. Any advice you have for remedying this would be greatly appreciated. This has brought my beta to a halt because no one can log in or sign up. Thank you.

Hey, I'm looking for some help with ASAuthorizationController and passkeys. It seems that wildcards in applinks for subdomains break passkeys for the main domain. The app has the following entries in entitlements: webcredentials: mydomain.com applinks: mydomain.com applinks: *.mydomain.com mydomain.com is a placeholder for the actual domain The AASA file is hosted only at mydomain.com and contains a correctly formatted "webcredentials" entry. { "webcredentials": { "apps": [ "app-id-corretly-formatted" ] }, "applinks": { "apps": [], "details": [ // ... ] } } When I use ASAuthorizationController with the domain mydomain.com, it reports the following error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Application with identifier X is not associated with domain mydomain.com" UserInfo={NSLocalizedFailureReason=Application with identifier X is not associated with domain mydomain.com If I remove the following line from the entitlements "applinks: *.mydomain.com", it works as expected: webcredentials: mydomain.com applinks: mydomain.com It appears that the problem is with the wildcard in the subdomains. Has someone experienced this issue?

Hey, I'm looking for some help with ASAuthorizationController and passkeys. It seems that wildcards in applinks used for subdomains break passkeys for the main domain. The app has the following entries in entitlements (where mydomain.com is a placeholder for the actual domain): webcredentials: mydomain.com applinks: mydomain.com applinks: *.mydomain.com The AASA file is hosted only at mydomain.com and contains a correctly formatted webcredentials entry: { "webcredentials": { "apps": [ "app-id-corretly-formatted" ] }, "applinks": { "apps": [], "details": [ // ... ] } } When I use ASAuthorizationController with the domain mydomain.com, it reports the following error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Application with identifier X is not associated with domain mydomain.com" UserInfo={NSLocalizedFailureReason=Application with identifier X is not associated with domain mydomain.com If I remove the following line from the entitlements applinks: *.mydomain.com, it works as expected: webcredentials: mydomain.com applinks: mydomain.com It appears that the problem is with the wildcard in the subdomains. Has someone experienced this issue?

I have by accident linked 5 certificates to my Pass Type ID. 5 is the limit and I am struggling to get one removed. Can I delete the Pass Type ID and create a new one? Will this break the app I have in production using the Pass Certificate? Thank you

Hi, I've been looking at the Shiny PassKey example App. There are the following lines: // The attestationObject contains the user's new public key to store and use for subsequent sign-ins.    let attestationObject = credentialRegistration.rawAttestationObject The attestationObject is raw bytes and certainly doesn't look big enough to contain a public key. I was expecting to see a public key, can anyone confirm if a public key is accessible? The help also says: This object contains the public key. If you request it, it also contains the attestation statement. This statement too, seems slightly wrong, it's an attestation from the get go The help links off to this site: https://www.w3.org/TR/webauthn-2/#attestation-object Can anyone shed any light on this, it's quite confusing

Hi, I created a proof of concept app that leverages ASAuthorizationController to authenticate using FIDO2 security keys and passkeys. I get an auth challenge from an internal provider, and leverage the above API(s) to authenticate. Basically the same use case as the following (using existing account): https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_security_key_authentication_using_physical_keys#3761984 Initially it worked fine, I got a pop-up with a user prompt. However, after canceling one of the requests (can't remember whether I force-closed the window or just clicked Cancel) I get an error on every subsequent request: response: {"error":"The operation couldn’t be completed. Request already in progress for specified application identifier."} log stream | grep fido2 output: 2023-10-17 16:52:52.740329+0100 0x3f329d Default 0x7d21c1 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=49962.1, attribution={responsible={TCCDProcess: identifier=com.facebook.fbvscode, pid=3687, auid=501, euid=501, responsible_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron, binary_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron}, requesting={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, }, 2023-10-17 16:52:52.750530+0100 0x3f329d Default 0x7cde39 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=402.3441, attribution={responsible={TCCDProcess: identifier=com.facebook.fbvscode, pid=3687, auid=501, euid=501, responsible_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron, binary_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron}, accessing={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, requesting={TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer}, }, 2023-10-17 16:52:52.750603+0100 0x3f329d Default 0x7cde39 404 0 tccd: [com.apple.TCC:access] requestor: TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer is checking access for accessor TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 2023-10-17 16:52:52.803355+0100 0x3f32ad Default 0x0 376 0 launchservicesd: [com.apple.launchservices:cas] CHECKIN:0x0-0xa50a50 49962 com.meta.fido2macos.localDevelopment 2023-10-17 16:52:52.818560+0100 0x3f1eb0 Default 0x7c91e2 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.sharedfilelist.change object: com.apple.LSSharedFileList.ApplicationRecentDocuments/com.meta.fido2macos.localdevelopment token: f50000004b pid: 994 2023-10-17 16:52:52.846529+0100 0x3f1eb0 Default 0x0 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.xctest.FakeForceTouchDevice object: com.meta.fido2macos.localDevelopment token: 1c00000023 pid: 49962 2023-10-17 16:52:52.866484+0100 0x3f1eb0 Default 0x0 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.nsquiet_safe_quit_give_reason object: com.meta.fido2macos.localDevelopment token: 1f00000020 pid: 49962 2023-10-17 16:52:53.027489+0100 0x3f329d Error 0x7d21c8 404 0 tccd: [com.apple.TCC:access] TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement 2023-10-17 16:52:53.027604+0100 0x3f329d Default 0x7d21c8 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=49962.2, attribution={accessing={TCCDProcess: identifier=com.knollsoft.Rectangle, pid=1134, auid=501, euid=501, binary_path=/Applications/Rectangle.app/Contents/MacOS/Rectangle}, requesting={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, }, 2023-10-17 16:52:53.059785+0100 0x3f2257 Default 0x7d21c7 77540 0 AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Received connection from V9WTTPBFK9.com.meta.fido2macos.localDevelopment I also tried calling ASAuthorizationController::cancel (https://developer.apple.com/documentation/authenticationservices/asauthorizationcontroller/3950923-cancel) in random places but that didn't help either. Happy to follow up more details / code if necessary. Thanks! Similar issue: https://developer.apple.com/forums/thread/723850

hi, i got an error in xcode when implmenting passkeys [WebAuthn] Request cancelled after error: The operation couldn’t be completed. Application with identifier TEAM_ID.au.myjourneymaker is not associated with domain myjourneymaker.au.a

Hello! We are trying to add passkeys support to our iOS application. Following this documentation Supporting Passkeys, we get the following error: authorizationController(controller:didCompleteWithError:): The operation couldn’t be completed. Application with identifier X is not associated with domain X. We have the associated domains configured, and an AASA tool shows that everything is correctly set up, and the identifier is associated with the domain. We are using Xcode 15. Any idea on how to solve this problem is greatly appreciated!