Hi,
When attempting to perform a credential registration, I constantly get the error
Application with identifier <...> is not associated with domain <domain>
I've verified the following:
The file is present on the required URL path
https://123.com/.well-known/apple-app-site-association
{
"webcredentials": {
"apps": [ "<PREFIX>.bundleID" ]
}
}
Added the Capabilities to my domain
Confirmed that the CA is valid and there are no redirects.
Am I missing something? My device is able to properly access the file.
Passkeys in iCloud Keychain
Use public-key-based credentials using the WebAuthn standard that are synced with iCloud Keychain.
Posts under Passkeys in iCloud Keychain tag
108 Posts
When trying to build an AR app to my iPhone 11 with Xcode (13.2.1) using macOS 12.1 the build fails. Codesign wants me to use the Apple Development keychain. No matter which password I use it fails.
Hi devs!!!
Calling createCredentialRegistrationRequestWithChallenge returns the following error:
Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent" UserInfo={NSDebugDescription=connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent}
What can be the potential reason?
Hi,
I've been looking at the Shiny PassKey example App.
There are the following lines:
// The attestationObject contains the user's new public key to store and use for subsequent sign-ins.
let attestationObject = credentialRegistration.rawAttestationObject
The attestationObject is raw bytes and certainly doesn't look big enough to contain a public key.
I was expecting to see a public key, can anyone confirm if a public key is accessible?
The help also says:
This object contains the public key. If you request it, it also contains the attestation statement.
This statement, too, seems slightly wrong; it's an attestation from the get-go.
The help links off to this site:
https://www.w3.org/TR/webauthn-2/#attestation-object
Can anyone shed any light on this? It's quite confusing.
*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: 'Application tried to present modally a view controller <_SFAppAutoFillPasswordViewController: 0x106e22ee0> that is already being presented by <UIKeyboardHiddenViewController_Autofill: 0x106e25a10>.'
iOS 16 (not sure whether other OS versions can reproduce this): tap a text field, the keyboard shows (with a key button above), tap the key button, and it crashes randomly.
There is no excludedCredentials parameter on the platform authenticator creation interface of the native API, ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.
The excludedCredentials parameter is used to prevent inconsistency between the public keys managed on the RP and the private keys managed on the authenticator. In particular, a passkey is created for each RPID and user_id. If a user tries to re-register a passkey with the same RPID and user_id, the existing passkey will be overwritten, but there is no way for the RP to detect it. This can be confusing for the user, as they might see multiple credentials on the RP but only one on the authenticator.
By the way, there is an excludedCredentials parameter on the security key interface, ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest.
I'd like to know if there is a way to specify excludedCredentials on the platform authenticator interface as well, like on the security key interface. Or, is there any way to prevent the credential inconsistency between the RP and the platform authenticator?
Firstly massive thank you to the Passkeys team at Apple for opening up the APIs to allow third-party password manager apps to save and autofill Passkeys in iOS 17! I wasn't expecting this so soon. Incredible work.
I have successfully implemented the new methods on ASCredentialProviderViewController, up to the point where our app's extension is now being presented when a user is prompted to "Create a passkey?". However, two things are not entirely clear to me from this point on:
When the user chooses our app to create a password by tapping "Continue", the prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest) method is called. Should I be handling passkey creation within this method? Really at this point I was expecting prepareInterface(forPasskeyRegistration: to be called instead.
Are new passkeys automatically generated and returned by AuthenticationServices during this flow, or is it down to the developer to generate a new passkey here? I ask because the documentation for prepareInterface(forPasskeyRegistration: seems to imply the former, stating: "This method will present your extension's UI for user authentication before creating the passkey."
Thanks again.
Hi all,
Trying to create a Passkeys registration in my app.
This is the implementation I have:
ASAuthorizationPlatformPublicKeyCredentialProvider *provider = [[ASAuthorizationPlatformPublicKeyCredentialProvider alloc] initWithRelyingPartyIdentifier:[[jsonDict objectForKey:@"rp"] objectForKey:@"id"]];
ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest *request = [provider createCredentialRegistrationRequestWithChallenge: [jsonDict objectForKey:@"challenge"] name:[[jsonDict objectForKey:@"user"] objectForKey:@"name"] userID:[[jsonDict objectForKey:@"user"] objectForKey:@"id"]];
ASAuthorizationController *controller = [[ASAuthorizationController alloc] initWithAuthorizationRequests:[NSArray arrayWithObject:request]];
controller.delegate = self;
controller.presentationContextProvider = self;
[controller performRequests];
But I get this error:
Remote proxy object error handler invoked with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."
Connection to agent service interrupted with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."
ASAuthorizationController credential request failed with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."
And this is the NSError I get in authorizationController:didCompleteWithError:
authorizationController error: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent" UserInfo={NSDebugDescription=connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent}
Everything is defined right (associated domains in project and .well-known).
Any reason I can't continue?
Edit: I'm with iOS 17.0 (21A5248v) and Xcode-Beta (15A5160n) if it matters.
Thanks
Hi everyone!
Will the iOS platform authenticator support the PRF passkeys extension?
https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension
As far as I know, the current implementation doesn't, as we don't have access to the private part of the generated keys to perform some crypto operations.
Hi everyone, I guess this is a long shot but I thought I might ask. Is it possible for app clips to invoke Passkey Auth? In this example I'm designing a POC for a checkout flow where the 3DS challenge is triggering the Bank App Clip and allows the user to authenticate using passkey. Much appreciated!
I understand that during the CTAP process with a Passkey, a key agreement takes place when scanning the QR code and sending Bluetooth advertisements. Is the Diffie-Hellman algorithm used for the key agreement during this process?
For macOS user accounts, can a passkey be used to log in to desktop system accounts (i.e. systems without biometric authentication: iMac, Mac mini, Studio, Pro)?
If not available, is this part of the future roadmap?
I keep getting the following error when trying to run Passkey sign in on macOS.
Told not to present authorization sheet: Error Domain=com.apple.AuthenticationServicesCore.AuthorizationError Code=1 "(null)"
The same piece of code is working as expected on iOS.
Some more info:
The association file and entitlements are correct and validated as everything is working on iOS.
The app is built on SwiftUI and uses the same codebase for macOS and iOS.
Validated that the presentation anchor is also correct on macOS because other SSO login works with the same presentation anchor.
Not sure where the problem is. Followed https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys/ to get the integration.
We are working on implementing FIDO2 with passkeys, and it works fine for consumers with an Apple ID. At the enterprise level we are not able to make it work, because corporate devices don't have the option to enable an Apple ID; it's disabled by MDM as per policy.
Is there any alternate approach where a corporate device can use FIDO authentication without using an Apple ID?
thanks
I'm implementing passkeys by following the example from the Food Truck sample project. I have nearly everything working, but there's one problem. I'm using the AuthorizationController environment value and passing that to my login and register functions, but when I call authorizationController.performAutoFillAssistedRequest, I don't see or know of any way to cancel it, so if the user tries to type in their username instead of use the autofill suggestion, the second (non-autofill) request throws the error, The operation couldn’t be completed. Request already in progress for specified application identifier. I know that ASAuthorizationController has a cancel() function, but is there any way to do this with AuthorizationController?
Hi.
I'm trying to develop a passkey app connected with a Webauthn server.
There is a problem in the process of creating the Attestation Object.
Since I am assigned port 8445, I need to serve the /.well-known/ directory on that port.
In the WebAuthn specification, the RPID should not include the port number.
(https://www.w3.org/TR/webauthn-2/#relying-party-identifier)
When initializing an ASAuthorizationPlatformPublicKeyCredentialProvider object, if I add the port number to RPID, the passkey UI will work and ASAuthorization object will be checked.
But I don't get authentication from the WebAuthn server, because the Attestation Object is generated with an RPID that contains the port.
Is there any way to specify the port number to check the "well-known" directory? Or is it only possible on port 443?
I checked the post, but there is no more feedback, so I'm asking a question.
(https://developer.apple.com/forums/thread/730028)
Hi,
Is it possible to use a passkey registered for the top-level domain (example.com) to authenticate against subdomains (my.example.com)?
I initiated the Passkey CTAP process after establishing an internet connection on my smartphone (authentication device) using Wi-Fi. Once the client PC and the smartphone established a TCP connection and were in the midst of the CTAP process, I attempted to switch the internet connection to a different Wi-Fi network or transition to mobile data. As a result, I was unable to log in with the Passkey. (There was no observable change on the client PC screen; it did not transition to a success/failure screen, leading me to believe that no packets were transmitted.) I initially thought that performing a network handover after the TCP connection might have caused the connection to be severed, resulting in the absence of packet transmission.
However, I discovered that if I established the authentication device's internet connection using mobile data and then, in the middle of the CTAP process, turned off the mobile data to automatically switch back to Wi-Fi, the Passkey login process succeeded.
What is the reason behind this outcome? Can you explain the technical factors that contribute to this behavior?
As described in the demo, if there are no credentials, you will receive the same error code (ASAuthorizationErrorCanceled) as if the user had canceled.
In this case, is there a way to distinguish whether the error was canceled by the user or there were no credentials?
// Delegate callback from the sample; the guard gives the snippet the authorizationError it uses and the closing brace a function to close.
func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) {
    guard let authorizationError = error as? ASAuthorizationError else {
        logger.error("Unexpected authorization error: \(error.localizedDescription)")
        return
    }
    if authorizationError.code == .canceled {
        // Either the system doesn't find any credentials and the request ends silently, or the user cancels the request.
        // This is a good time to show a traditional login form, or ask the user to create an account.
    } else {
        // Another ASAuthorization error.
        // Note: The userInfo dictionary contains useful information.
        logger.error("Error: \((error as NSError).userInfo)")
    }
}
I'm trying to implement passkeys in my app. I successfully get to the dialog in iOS simulator to register with a Passkey and I can also read the result and see all the right things in credentialRegistration.rawClientDataJSON. The one thing that's not working is when decoding the rawAttestationObject (which should be CBOR as I understand), I find all data defined in the spec (aaguid, credentialIdLength, credentialId) except for the credentialPublicKey! The rawAttestationObject basically ends after the credentialId. I see this both when decoding the rawAttestationObject manually as well as when using WebAuthn libraries on the server, which will give me an "Unexpected end of CBOR data" error.
Any ideas why the rawAttestationObject does not contain the public key?
For reference, here is the initialization of the Passkey request:
let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.domain)
let registrationRequest = publicKeyCredentialProvider.createCredentialRegistrationRequest(challenge: challenge, name: name, userID: userID)
let authController = ASAuthorizationController(authorizationRequests: [ registrationRequest ])
authController.performRequests()
And here is how I handle the result:
case let credentialRegistration as ASAuthorizationPlatformPublicKeyCredentialRegistration:
let rawAttestationObject = credentialRegistration.rawAttestationObject!.base64EncodedString()
let credentialID = credentialRegistration.credentialID.base64EncodedString()
let rawClientDataJSON = credentialRegistration.rawClientDataJSON.base64EncodedString()
let response: PasskeysResponse = [
"attestationObject": rawAttestationObject,
"credentialId": credentialID,
"clientDataJson": rawClientDataJSON,
]
Here is an example for a decoded attestation object:
{
"rpIdHash": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYmW4=",
"flags": {
"userPresent": false,
"userVerified": false,
"backupEligibility": true,
"backupState": true,
"attestedCredentialData": true,
"extensionData": false
},
"signCount": 425116148,
"aaguid": "20318e2d-77fa-f54d-bed7-ba15ccd3fade",
"credentialId": "1B1KJf6uYF0AAAAAAAAAAAAAAAAAAAAAAAAAAAAUQW65BAqkeKqu97vbc0Se5R1F3Y+lAQIDJiABIVggtdSX2ZAHsBxU4ja1xP6hCZGUXgUCb6Ipau3stU8rrz4iWCBwhOBWOgwT4yKRnU1hA11thC8+CvjmrCkfq//648cwHg==",
"credentialPublicKey": ""
}
As you can see, it looks all good except for the "credentialPublicKey": "" part.
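Both this post and the earlier one about rawAttestationObject ask where the public key lives. Per the WebAuthn spec the attestation object is a CBOR map {fmt, attStmt, authData}, and inside authData the COSE_Key map sits directly after credentialId, so any decoder that stops reading after the credential ID reports an empty key. The parser below is an added example written for this page (not code from either post, from Apple, or from any WebAuthn library) that walks that layout on a constructed "none" attestation for the RP ID example.com; the AAGUID, credential ID and key coordinates are placeholder bytes, and registration_error shows what a truncated object produces.

```python
import hashlib
import struct
import uuid

def cbor_decode(data: bytes, pos: int = 0):
    """Decode one definite-length CBOR item at data[pos] -> (value, next_pos); covers ints, strings, arrays, maps."""
    if pos >= len(data):
        raise ValueError("Unexpected end of CBOR data")
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27:
        width = 1 << (info - 24)  # 1, 2, 4 or 8 extra length bytes
        if pos + width > len(data):
            raise ValueError("Unexpected end of CBOR data")
        arg, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
    else:
        raise ValueError("indefinite-length CBOR is not used in attestation objects")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        if pos + arg > len(data):
            raise ValueError("Unexpected end of CBOR data")
        chunk = data[pos:pos + arg]
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = cbor_decode(data, pos)
            result[key], pos = cbor_decode(data, pos)
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def parse_attestation_object(raw: bytes, rp_id: str) -> dict:
    """Split a registration attestationObject into its fields.
    authData = rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credentialId | COSE key [| extensions]"""
    attestation, end = cbor_decode(raw)
    auth = attestation["authData"]
    if len(auth) < 37:
        raise ValueError("authData shorter than its fixed 37-byte header")
    if auth[:32] != hashlib.sha256(rp_id.encode("ascii")).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    flags = auth[32]
    if not flags & 0x40:
        raise ValueError("AT flag clear: response carries no attested credential data")
    if len(auth) < 55:
        raise ValueError("authData truncated inside the attested credential data header")
    cred_len = struct.unpack(">H", auth[53:55])[0]
    if 55 + cred_len > len(auth):
        raise ValueError("credentialId extends past the end of authData")
    # The COSE_Key map starts right after credentialId; for ES256: 1=kty (2=EC2), 3=alg (-7), -1=crv (1=P-256), -2=x, -3=y
    cose_key, pos = cbor_decode(auth, 55 + cred_len)
    parsed = {
        "fmt": attestation["fmt"],
        "attStmt": attestation["attStmt"],
        "flags": {"userPresent": bool(flags & 0x01), "userVerified": bool(flags & 0x04),
                  "backupEligibility": bool(flags & 0x08), "backupState": bool(flags & 0x10),
                  "attestedCredentialData": bool(flags & 0x40), "extensionData": bool(flags & 0x80)},
        "signCount": struct.unpack(">I", auth[33:37])[0],
        "aaguid": str(uuid.UUID(bytes=auth[37:53])),
        "credentialId": auth[55:55 + cred_len],
        "credentialPublicKey": {name: cose_key.get(label)
                                for name, label in (("kty", 1), ("alg", 3), ("crv", -1), ("x", -2), ("y", -3))},
    }
    if flags & 0x80:  # ED flag set: a CBOR extensions map follows the key
        parsed["extensions"], pos = cbor_decode(auth, pos)
    if pos != len(auth):
        raise ValueError("trailing bytes after attested credential data")
    return parsed

def registration_error(raw: bytes, rp_id: str):
    # Returns the parse error message for a registration response, or None when it parses cleanly.
    try:
        parse_attestation_object(raw, rp_id)
        return None
    except (ValueError, KeyError, TypeError, UnicodeDecodeError) as exc:
        return str(exc)

# Constructed sample (not real authenticator output): a "none" attestation for RP ID example.com.
RP_ID = "example.com"
SAMPLE_CREDENTIAL_ID = bytes(range(20))
# Hand-encoded COSE_Key {1: 2, 3: -7, -1: 1, -2: x, -3: y}; x and y are placeholder bytes, not a real P-256 point.
SAMPLE_COSE_KEY = b"\xa5\x01\x02\x03\x26\x20\x01" + b"\x21\x58\x20" + b"\x01" * 32 + b"\x22\x58\x20" + b"\x02" * 32
SAMPLE_AUTH_DATA = (hashlib.sha256(RP_ID.encode()).digest()
                    + bytes([0x01 | 0x04 | 0x08 | 0x10 | 0x40])  # flags UP | UV | BE | BS | AT
                    + struct.pack(">I", 0) + bytes(16)              # signCount, all-zero aaguid
                    + struct.pack(">H", len(SAMPLE_CREDENTIAL_ID)) + SAMPLE_CREDENTIAL_ID + SAMPLE_COSE_KEY)
# Hand-encoded outer map {"fmt": "none", "attStmt": {}, "authData": <152 bytes>}
SAMPLE_ATTESTATION_OBJECT = (b"\xa3" + b"\x63fmt" + b"\x64none" + b"\x67attStmt" + b"\xa0"
                             + b"\x68authData" + b"\x58" + bytes([len(SAMPLE_AUTH_DATA)]) + SAMPLE_AUTH_DATA)
```

Running parse_attestation_object(SAMPLE_ATTESTATION_OBJECT, RP_ID) returns the COSE fields kty=2, alg=-7, crv=1 plus x and y; cutting bytes off the end of the object makes the same decoder fail with "Unexpected end of CBOR data", which is the message the server-side library reports, and supplying the wrong RP ID fails the rpIdHash check before any key is read.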