Passkeys in iCloud Keychain

Use public-key-based credentials using the WebAuthn standard that are synced with iCloud Keychain.

Posts under Passkeys in iCloud Keychain tag

108 Posts
Post | Replies | Boosts | Views | Activity

The ASCredentialProviderViewController method is not executing.
Hello, when I attempted to use the passkey, the method - (void)prepareCredentialListForServiceIdentifiers:(NSArray<ASCredentialServiceIdentifier *> *)serviceIdentifiers requestParameters:(ASPasskeyCredentialRequestParameters *)requestParameters API_AVAILABLE(ios(17.0), macos(14.0)) API_UNAVAILABLE(watchos, tvos); didn't execute. Are there any specific prerequisites for this method to run? I would appreciate your assistance. Thank you.
3
0
403
Oct ’23
ASAuthorizationController fails with error 1004 when wildcard for applinks is used
Hey, I'm looking for some help with ASAuthorizationController and passkeys. It seems that wildcards in applinks for subdomains break passkeys for the main domain. The app has the following entries in entitlements (mydomain.com is a placeholder for the actual domain):

    webcredentials: mydomain.com
    applinks: mydomain.com
    applinks: *.mydomain.com

The AASA file is hosted only at mydomain.com and contains a correctly formatted "webcredentials" entry.

    {
      "webcredentials": {
        "apps": [ "app-id-corretly-formatted" ]
      },
      "applinks": {
        "apps": [],
        "details": [
          // ...
        ]
      }
    }

When I use ASAuthorizationController with the domain mydomain.com, it reports the following error:

    Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Application with identifier X is not associated with domain mydomain.com" UserInfo={NSLocalizedFailureReason=Application with identifier X is not associated with domain mydomain.com

If I remove the following line from the entitlements, "applinks: *.mydomain.com", it works as expected:

    webcredentials: mydomain.com
    applinks: mydomain.com

It appears that the problem is with the wildcard in the subdomains. Has someone experienced this issue?
3
1
1.2k
Nov ’23
ASAuthorizationController passkeys not working when applinks contain wildcard domains
Hey, I'm looking for some help with ASAuthorizationController and passkeys. It seems that wildcards in applinks used for subdomains break passkeys for the main domain. The app has the following entries in entitlements (where mydomain.com is a placeholder for the actual domain):

    webcredentials: mydomain.com
    applinks: mydomain.com
    applinks: *.mydomain.com

The AASA file is hosted only at mydomain.com and contains a correctly formatted webcredentials entry:

    {
      "webcredentials": {
        "apps": [ "app-id-corretly-formatted" ]
      },
      "applinks": {
        "apps": [],
        "details": [
          // ...
        ]
      }
    }

When I use ASAuthorizationController with the domain mydomain.com, it reports the following error:

    Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Application with identifier X is not associated with domain mydomain.com" UserInfo={NSLocalizedFailureReason=Application with identifier X is not associated with domain mydomain.com

If I remove the following line from the entitlements, applinks: *.mydomain.com, it works as expected:

    webcredentials: mydomain.com
    applinks: mydomain.com

It appears that the problem is with the wildcard in the subdomains. Has someone experienced this issue?
1
0
506
Nov ’23
Apple passkeys
Hello, I want to use the latest addition in security, i.e., passkeys across the Apple ecosystem. I have 2 iPhones (D1 and D2). I have created a passkey from D1 for some RP (e.g. walmart.com). D1 has a screen lock using my index finger. The passkey is successfully stored in my iCloud Keychain. Now I go to D2. The screen lock in D2 is made up of my middle finger. I configure my iCloud Keychain on D2 using the same Apple ID. If I want to bring the same passkey on D2 that I stored from D1 in iCloud Keychain, am I required to provide the screen unlock fingerprint of D1, i.e., index finger? Thanks.
1
0
336
Nov ’23
Associated Domains stopped working after updating app Bundle ID
I updated the app bundle ID of my app in my associated domains file on my server, which can be viewed using the Apple CDN at (https://app-site-association.cdn-apple.com/a/v1/myApp.app) and on my server at (https://myApp.app/.well-known/apple-app-site-association). All I did was update the app Bundle ID of my app in Xcode and likewise in the associated domains file, and now it is no longer working and I'm getting the error "Application with identifier ABCDE12345.app.myApp.MyApp is not associated with domain myApp.app." This error is thrown when attempting to use the webcredentials portion of the associated domain file for logging in via Passkey. I've waited for 6 days to let the changes propagate through the CDN but the issue is persisting. Strangely enough, it has worked a few times since I changed it but almost always fails. This intermittent behavior leads me to believe it might be something up with the CDN? The only thing I changed about my appID was the domain, e.g. ABCDE12345.io.oldDomain.MyApp to ABCDE12345.app.myApp.MyApp. My file is structured like so:

    {
      "applinks": {
        "apps": [],
        "details": [
          {
            "appID": "ABCDE12345.app.myApp.MyApp",
            "components": [ ... ]
          }
        ]
      },
      "webcredentials": {
        "apps": [ "ABCDE12345.app.myApp.MyApp" ]
      }
    }

Likewise I updated the entitlements in my app to webcredentials:myApp.app from webcredentials:oldDomain.io and similarly for the appLinks. I've tried deleting the app, restarting Xcode, clean builds, all that jazz, to no avail. Any advice you have for remedying this would be greatly appreciated. This has brought my beta to a halt because no one can log in or sign up. Thank you.
1
0
1.3k
Nov ’23
How could I lose access to my app's bundle ID?
We're doing some disaster recovery management / risk management, and a point of failure for our app is if we lose access to our bundle ID. From my understanding, secure keychain items are scoped to your bundle ID, as are iCloud files stored under the app with 'hidden' scope. Losing our bundle ID is a scenario we want to eliminate completely from our threat/disaster modelling. Is this a realistic concern we should have?
2
0
487
Nov ’23
Passkey - associated domains error only for app store reviewers
We recently shipped an option to sign up/in using passkeys. Everything was working as expected and we didn't have any issues with passing the App Store review process. Recently, when submitting a new build with no passkey-related updates, we got rejected due to an error which the Apple reviewer faced during passkey creation. From our logs we can see that the issue is about Associated Domains and webcredentials configuration: "The operation couldn't be completed. Application with identifier X is not associated with domain Y." The thing is that it is configured properly. The AASA file is returned properly both from our server and from Apple's CDN. The feature is 100% working on all our testing devices and we never got this error reported from any user. The only report of that issue is from the reviewer's device, which is an iPad Air 5th generation on iOS 17.1.1. I was trying to reproduce the error in many ways, but I wasn't able to. Is it possible that the error is faced only by Apple reviewers due to some specific environment setup they use? Or maybe TestFlight installs manage AASA file checking in some different way? I found something about that in one thread on the Apple developer forum: https://developer.apple.com/forums/thread/108339 but I'm not sure if it can be related. Any help/guidance will be very appreciated, thanks!
1
0
637
Nov ’23
Why doesn't Apple allow BE/BS flags to be false in an AutoFill credential provider's attestation response?
It appears that for a successful registration of a passkey to a relying party using a passkey autofill provider, the BE and BS bits/flags in the attestation response need to be set to true. Please refer to the FLAGS byte of the authData field, part of the attestationObject mentioned here - https://www.w3.org/TR/webauthn-2/#sctn-attestation. If those flags are set to false, the RP rejects, saying - "The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client." What are the implications of having those flags set to true? Does it make the generated passkey syncable across devices using the same Apple ID? If yes, is there any way at all by which a generated passkey can be made device bound, i.e. can be generated and used only on a single iPhone/iOS device? Also, is there a plan to ever allow those flags to be set to false in a future iOS release? Also, what does it mean in the credential provider popup where it says - "Available where is installed." in the below screenshot?
2
0
752
Dec ’23
Does Apple allow packed format attestation in passkey credential provider approach?
I am trying to implement a third party passkey credential provider and I have been able to successfully set up the project for that. Below is the sample code which I am using:

    let passkeyRegistrationCredential = ASPasskeyRegistrationCredential(
        relyingParty: self.request?.credentialIdentity.serviceIdentifier.identifier ?? "",
        clientDataHash: self.request?.clientDataHash ?? Data(),
        credentialID: Data(credentialId),
        attestationObject: Data(attestationBytes)
    )
    self.extensionContext.completeRegistrationRequest(using: passkeyRegistrationCredential)

The attestationBytes object that I am generating and sending back to the RP seems to work only if I set the "fmt" to "none", which basically requires "attStmt" to be sent as an empty value as per the WebAuthn spec - https://www.w3.org/TR/webauthn-2/#sctn-none-attestation. When trying to set the "fmt" to "packed" in the attestation object and creating a self signed "attStmt" consisting of "alg" and "sig" key-values, referring to https://www.w3.org/TR/webauthn-2/#sctn-packed-attestation, it does not seem to work. The RP throws an error. I do not have an "x5c" object, as that supposedly is not mandatory in the case of self attestation. I have "authData" also as part of the response, properly set up. Is it not possible to use packed attestation, or am I missing something in creating the attestation object? Also, does Apple modify the response being sent in the background before sending it to the RP if the packed fmt is used?
1
0
658
Dec ’23
passkey attestationObject confusion
Hello everybody, I'm trying to implement a passkey provider for an iOS device. I'm in the register phase of the passkey. Let's say this is my code for the register request; what am I doing wrong?

    import AuthenticationServices
    import CryptoKit
    import SwiftCBOR
    import UIKit

    class CredentialProviderViewController: ASCredentialProviderViewController {
        // ...

        func generatePublicKeyCborEncoded() -> Data {
            let privateKey = P256.Signing.PrivateKey()
            let publicKey = privateKey.publicKey.x963Representation
            let decoded: [CBOR: CBOR] = [
                CBOR.init(integerLiteral: 1): CBOR.init(integerLiteral: 2),
                CBOR.init(integerLiteral: 3): CBOR.init(integerLiteral: -7),
                CBOR.init(integerLiteral: -1): CBOR.init(integerLiteral: 1),
                CBOR.init(integerLiteral: -2): CBOR.byteString(publicKey[1..<33].map { $0 }),
                CBOR.init(integerLiteral: -3): CBOR.byteString(publicKey[33..<65].map { $0 })
            ]
            return Data(CBOR.encode(decoded))
        }

        @IBAction func onRegister(_ sender: UIButton) {
            NSLog("onRegister called 1")
            guard let request = newRegistrationRequest as? ASPasskeyCredentialRequest else { return }
            let attObj: Data = generatePublicKeyCborEncoded()
            let passkey: ASPasskeyRegistrationCredential = ASPasskeyRegistrationCredential(
                relyingParty: request.credentialIdentity.serviceIdentifier.identifier,
                clientDataHash: request.clientDataHash,
                credentialID: Data([67, 92, 125, 254, 60, 232, 238, 248, 14, 107, 245, 21, 85, 130, 40, 54]),
                attestationObject: attObj
            )
            extensionContext.completeRegistrationRequest(using: passkey) { endedWell in
                NSLog("onRegister called \(endedWell ? "" : "not") ended well")
            }
        }
    }
2
0
757
Dec ’23
Signature malleability check for PassKey (iCloud Keychain)
Hi everyone, I'm working on the verification of the PassKey signature for the integration of PassKey into our product. I've implemented the verification of the P256 signature and it's correctly verifying the passkey signature. However, I want to know if Apple's Passkey signature is doing a malleability check (if the signature's S value is <= N / 2). If this is the case for Apple's passkey, I'm planning to also include this in the service for the signature verification to ensure a higher security level from the Passkey. Can anyone please help to answer this question? I checked the documentation and many articles but this wasn't stated in the documents. Thank you for your answer in advance.
0
0
268
Dec ’23
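A relying-party-side version of the check the post above is asking about, as an added example (not the post's own code and not Apple's): it parses the DER-encoded ECDSA signature a WebAuthn ES256 assertion carries, tests whether s lies in the lower half of the P-256 group order, and normalises a high s to n - s. Standard library only; the sample signature is built from chosen integers and is not a real signature.

```python
"""Low-S (non-malleability) check for P-256 ECDSA signatures in DER form."""

# Order n of the P-256 (secp256r1) base point, and the low-S threshold n // 2.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_HALF_N = P256_N // 2


def _der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative int (a leading 0x00 keeps the top bit clear)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body


def der_encode_signature(r: int, s: int) -> bytes:
    """ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }.

    For P-256, r and s are at most 33 bytes each, so short-form lengths suffice.
    """
    inner = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(inner)]) + inner


def der_decode_signature(der: bytes) -> tuple[int, int]:
    """Strict parse of a short-form DER ECDSA signature; rejects trailing bytes."""
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    pos, values = 2, []
    for _ in range(2):
        if der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length = der[pos + 1]
        body = der[pos + 2 : pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated INTEGER")
        values.append(int.from_bytes(body, "big"))
        pos += 2 + length
    if pos != len(der):
        raise ValueError("trailing bytes after signature")
    return values[0], values[1]


def is_low_s(s: int) -> bool:
    """True when s is in [1, n/2]; (r, n - s) is the malleable twin of (r, s)."""
    return 1 <= s <= P256_HALF_N


def normalize_s(s: int) -> int:
    """Map a high s onto its low-S twin; a low s is returned unchanged."""
    return s if is_low_s(s) else P256_N - s


def enforce_low_s(der: bytes) -> bytes:
    """Re-encode a signature with s normalised; raises if r or s is out of range."""
    r, s = der_decode_signature(der)
    if not (1 <= r < P256_N and 1 <= s < P256_N):
        raise ValueError("r or s outside [1, n-1]")
    return der_encode_signature(r, normalize_s(s))


if __name__ == "__main__":
    # Constructed sample: r = 1, s = n - 1 (a high s), not a real signature.
    sample = der_encode_signature(1, P256_N - 1)
    r, s = der_decode_signature(sample)
    print("low-S:", is_low_s(s), "normalised:", enforce_low_s(sample).hex())
```

Two design notes. First, a verifier that rejects high-S signatures outright is stricter than one that normalises and then verifies; both (r, s) and (r, n - s) verify under plain ECDSA, so normalising never breaks a genuine signature. Second, a WebAuthn assertion already covers a single-use server challenge, so a malleable twin of the same signature cannot be replayed as a new login; the check matters when signature bytes are stored or compared as unique values.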
help with passkey authentication
I'm trying to implement a passkey authenticator on iOS. While registration works perfectly, I'm still struggling with authenticating. Let's say this is the code I'm using to authenticate:

    override func provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest) {
        guard let req: ASPasskeyCredentialRequest = credentialRequest as? ASPasskeyCredentialRequest else { return }
        let hashedRp = hashRP(req.credentialIdentity.serviceIdentifier.identifier)
        do {
            let privateKey: P256.Signing.PrivateKey = try P256.Signing.PrivateKey(
                derRepresentation: Data(base64Encoded: CredentialProviderViewController.base64PrivateString) ?? Data([])
            )
            let ad = hashedRp + [29, 0, 0, 0, 0]
            let sig = try privateKey.signature(
                for: SHA256.hash(data: Data(ad + req.clientDataHash))
            )
            let res: ASPasskeyAssertionCredential = ASPasskeyAssertionCredential(
                userHandle: Data(hashedRp[0..<16]),
                relyingParty: req.credentialIdentity.serviceIdentifier.identifier,
                signature: sig.rawRepresentation,
                clientDataHash: req.clientDataHash,
                authenticatorData: Data(ad),
                credentialID: Data(hashedRp[0..<16])
            )
            extensionContext.completeAssertionRequest(using: res)
        } catch {}
    }

This will produce: authentication failed: 1 validation error for authenticationCredential __root__ string argument should contain only ascii characters. What am I doing wrong?
3
0
608
Dec ’23
passkey registration fails on hybrid connect (qr code scan)
I developed an app that implements an autofill extension with ASCredentialProviderViewController to provide passkeys. While it works smoothly on internal connections (e.g. registering to webauthn.io on the same device where my app is installed), it fails when I'm scanning a QR code on another device. I suspect it's a problem with the flags of the passkey attestation object, as the only difference between the 2 requests (internal and hybrid) I've found is that the userVerificationPreference is changed from preferred (internal) to required (hybrid). I sent those flags (both on hybrid and internal connection): binary rep: 01011101, decimal rep: 93. Does anyone have a clue what goes wrong?
1
1
746
Jan ’24
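The authenticator data flags byte and the layout around it come up in three of the posts above: the BE/BS question, the registration code that passes a CBOR-encoded COSE key directly as the attestationObject, and the hybrid-transport failure with flags 01011101. The following is an added example (not code from any post and not Apple's) that builds authenticator data field by field, wraps it in a "none"-format attestation object, decodes the flags byte, and runs the policy checks a relying party applies to those flags. It uses only the standard library; the small CBOR encoder covers just the types this needs, and the EC point, AAGUID and credential ID are constructed placeholders, not real key material.

```python
"""WebAuthn authenticator data: build, wrap in a 'none' attestation object, decode flags."""
import hashlib
import struct

# Bits of the authenticator data "flags" byte (WebAuthn Level 2, section 6.1).
FLAG_BITS = {
    0x01: "UP",  # user present
    0x04: "UV",  # user verified
    0x08: "BE",  # backup eligible: the credential may be synced (e.g. iCloud Keychain)
    0x10: "BS",  # backed up: the credential currently is synced
    0x40: "AT",  # attested credential data (AAGUID, credential ID, COSE key) follows
    0x80: "ED",  # extension data follows
}


def decode_flags(flags: int) -> list:
    """Names of the set bits, lowest first; 0b01011101 -> UP, UV, BE, BS, AT."""
    return [name for bit, name in sorted(FLAG_BITS.items()) if flags & bit]


def _cbor_head(major: int, n: int) -> bytes:
    """Initial byte(s) of a CBOR item: major type in the top 3 bits, argument n after."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")


def cbor_encode(value) -> bytes:
    """Encode an int, bytes, str or dict (keys kept in insertion order) as CBOR."""
    if isinstance(value, int):
        return _cbor_head(0, value) if value >= 0 else _cbor_head(1, -1 - value)
    if isinstance(value, bytes):
        return _cbor_head(2, len(value)) + value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return _cbor_head(3, len(raw)) + raw
    if isinstance(value, dict):
        body = b"".join(cbor_encode(k) + cbor_encode(v) for k, v in value.items())
        return _cbor_head(5, len(value)) + body
    raise TypeError("unsupported CBOR value: " + type(value).__name__)


def cose_es256_key(x: bytes, y: bytes) -> bytes:
    """COSE_Key for a P-256 ECDSA (ES256) public key: kty=EC2, alg=-7, crv=P-256, x, y."""
    return cbor_encode({1: 2, 3: -7, -1: 1, -2: x, -3: y})


def build_auth_data(rp_id: str, flags: int, sign_count: int,
                    aaguid: bytes, credential_id: bytes, cose_key: bytes) -> bytes:
    """rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE key."""
    if len(aaguid) != 16:
        raise ValueError("AAGUID must be 16 bytes")
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", sign_count) + aaguid
            + struct.pack(">H", len(credential_id)) + credential_id + cose_key)


def build_none_attestation_object(auth_data: bytes) -> bytes:
    """Registration response body for fmt 'none': attStmt is an empty map."""
    return cbor_encode({"fmt": "none", "attStmt": {}, "authData": auth_data})


def parse_auth_data(auth_data: bytes) -> dict:
    """Split authenticator data into its fields; the COSE key is left as raw CBOR."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than its fixed 37-byte header")
    flags = auth_data[32]
    out = {"rpIdHash": auth_data[:32], "flags": decode_flags(flags),
           "signCount": struct.unpack(">I", auth_data[33:37])[0]}
    if flags & 0x40:  # AT set: attested credential data present
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        out["aaguid"] = auth_data[37:53]
        out["credentialId"] = auth_data[55:55 + cred_len]
        out["credentialPublicKey"] = auth_data[55 + cred_len:]
    return out


def registration_policy_problems(flags: int, require_uv: bool, allow_synced: bool) -> list:
    """What a relying party rejects in a registration's flags under the given policy."""
    problems = []
    if not flags & 0x01:
        problems.append("UP clear: no user presence")
    if require_uv and not flags & 0x04:
        problems.append("UV clear but userVerification=required")
    if not flags & 0x40:
        problems.append("AT clear: registration carries no credential data")
    if not allow_synced and flags & 0x08:
        problems.append("BE set: credential is syncable, not device-bound")
    return problems


if __name__ == "__main__":
    # Constructed placeholders for the EC point, AAGUID and credential ID.
    key = cose_es256_key(b"\x11" * 32, b"\x22" * 32)
    ad = build_auth_data("webauthn.io", 0b01011101, 0, b"\x00" * 16, b"\x01" * 16, key)
    print(parse_auth_data(ad)["flags"], len(build_none_attestation_object(ad)), "bytes")
    print(registration_policy_problems(0b01011101, require_uv=True, allow_synced=False))
```

The flags value 93 from the last post decodes to UP, UV, BE, BS and AT, which already satisfies userVerification=required, so under this model a UV-only explanation of the hybrid failure does not hold up. The same layout shows why a bare COSE key cannot serve as the attestationObject: the relying party expects the outer CBOR map with fmt, attStmt and authData, and the COSE key sits at the very end of authData after the AAGUID and credential ID.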