Meet passkeys

RSS for tag

Discuss the WWDC22 Session Meet passkeys

Posts under wwdc2022-10092 tag

67 Posts

Post

Replies

Boosts

Views

Activity

Reset passkeys
Hi, I referred to the documentation for reset passkeys - https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys#4047465 , this method createCredentialRegistrationRequest seems to be an instance of ASAuthorizationSecurityKeyPublicKeyCredentialRegistration and returns a registration request of the the type ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest, is this correct? When i tried to integrate the same, it gave "No algorithms specified for ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest" from iOS. So, i tried replacing the registration request with ASAuthorizationPlatformPublicKeyCredentialProvider with same params as expected for createCredentialRegistrationRequest with challenge, username and userId, but it ended up creating one more passkey which I could see in settings. It created new passkey though I expected this to replace existing. is this expected? Also, will this registration request expected to replace ALL passkeys created for this user for this domain or just 1 passkeys matching the user and domain? Please let me know if I missed out anything. Thanks for your help
2
0
1.7k
Jun ’23
[WebAuthn] support for Large Blob extension
WebKit PR #9891 added support for the WebAuthn Large Blob extension in the browser. (Hooray!) Does Apple plan to add support for this extension (or similar, such as PRF) in MacOS and iOS platform authenticators? If so, where can we track this? More context: I've been developing with these extensions using other authenticators. After #9891 I hoped my native platform authenticator on Macbook Pro M1 (with Safari Preview Release 170 on Ventura 13.4) might support largeBlob. But after testing it seems I was mistaken. Thanks!
2
0
2.0k
Jun ’23
Passkeys implementation: presentationContextProvider
Hi! 👋 Recently, we added the passkeys feature to our SPM package/demo application. We based our solution on the Apple's sample implementation. However, after some time, we noticed that the ASAuthorizationController.presentationContextProvider configuration is not required. Moreover, the ASAuthorizationControllerPresentationContextProviding.presentationAnchor(for:) method never gets called. We're wondering if there are any unwanted side effects that could be caused by removing this part of the code. We were not able to find any, as everything works the same way as before we removed the presentationContextProvider-related code. However, we're guessing that there must be a good reason why it is included in the demo app 🤔 Also, we're curious about how it works under the hood. Does it use the currently visible UIWindow by default?
1
1
690
May ’23
Passkey against local server with self-signed certificate
Hey! Is it possible to test passkeys against a locally running server in simulator with self-signed certificate? As far as I can tell, the certificate is trusted on the Simulator and Safari has no trouble communicating with the server or fetching the apple-app-site-association file. The error I'm getting is ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)" Error: ["NSLocalizedFailureReason": Application with identifier FAKETEAMID.com.example.apple-samplecode.Shiny is not associated with domain webauthn-api.local] When running the Shiny example app. There is an apple-app-site-association available in https://webauthn-api.local:7001/.well-known/apple-app-site-association: { "webcredentials": { "apps": [ "FAKETEAMID.com.example.apple-samplecode.Shiny" ] } } And in the Associated Domains, I've added: webcredentials:webauthn-api.local:7001?mode=developer I saw here https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_associated-domains that to use a local server with the apple-app-site-association, one should add ?mode=developer to the entitlement. However, looking at the logs for the server, the simulator does not seem to ever attempt fetching /.well-known/apple-app-site-association file, so the developer mode does not seem to have any effect. Is the developer mode supposed to work with webcredentials service. Documentation linked above doesn't make any exclusions for that.
7
0
5.3k
Apr ’23
Help with Passkeys & KeyChain
Hello all, I have a standard sign up form on my iOS app with the typical username and password fields. I'm using SwiftUI and have marked my TextField with the correct .textContentType. TextField("Username", text: $username) .padding() .background(Color(.systemGray6)) .cornerRadius(8) .padding(.bottom, 10) .textContentType(.username) I created this function inside the same swift file that I use to handle my registrations and signins. func fetchChallenge(completion: @escaping (Data?) -> Void) { let url = URL(string: "https://www.myurl.com/api/generate_challenge.php")! URLSession.shared.dataTask(with: url) { data, response, error in if let data = data, error == nil { completion(data) } else { completion(nil) } }.resume() } This is what this server file looks like. <?php header('Content-Type: application/json'); header('Access-Control-Allow-Origin: *'); function generate_challenge() { $randomBytes = openssl_random_pseudo_bytes(32); return base64_encode($randomBytes); } $challenge = generate_challenge(); $response = array("challenge" => $challenge); echo json_encode($response); ?> My first question would be, is this what the new PassKey is expecting as a challenge? It says it should be unique each time, so I'm assuming that it doesn't need to be saved to the database. Is that correct? Or would this be considered to be the public key? Next, how can I use the examply Shiny PassKey code in SwiftUI to call my functions and use passkeys and keychain? e.g. My custom functions.... func signInWithV1(username: String, password: String) func signUpWithV1(userName: String, password: String) My server is a linux server running nginx. I just can't seem to find anything on how to properly do this on the server side. I'm not sure what to save to the database and how you would integrate the above functions into the authorizationController and how to properly verifiy the let variables in the example code that I found from the Shiny Project. If anyone has time to explain this I would be extrememly grateful! I'm assuming that I can't just use the Shiny code as is since it says that I need to Verify stuff inside the authorizationController. As of right now, my app simply saves the username and password to my database and I do checks to ensure the username and password is how I want it on the server side and the same when they login. However, nothing is saved to the keychain or passkey as of right now. Thanks in advance to anyone who takes the time to explain this in detail! I would be very grateful!!
1
0
1k
Apr ’23
PassKeys & App Implementation
Hello all, First post in the forums! I hope this question has not been answered already and I missed it. If it has, I apologize in advance. I downloaded the Shiny demo code. I updated the AccountManager to use my domain. I placed the required file on my server in the .well-known folder. Here is my code. Note: I replaced example with my real domain. { "applinks": { "details": [ { "appIDs": [ "CC8JC8QC9K.com.example.Shiny" ], } ] }, "webcredentials": { "apps": [ "CC8JC8QC9K.com.example.Shiny" ] } } One thing I'm not clear on is what applinks are and if it is even needed for this service or not. In either case, I went ahead and included it. I added webcredentials:example.com to the Associated domains section under Signing Capabilities for my target. Again, example is replaced with my domain. I also included applinks:example.com since I don't fully understand the importance of that just yet. I have enabled Associated Domain for the app in my developer account and imported the AuthenticationServices framework into the project. When I run the app I get the following errors. 2023-03-30 15:57:43.005597-0500 Shiny[64202:1563051] [Authorization] ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1001 "(null)" 2023-03-30 15:57:43.007370-0500 Shiny[64202:1562730] Request canceled. I also noticed this in the sample code. // Fetch the challenge from the server. The challenge needs to be unique for each request. let challenge = Data() Am I supposed to be doing something on my server? If so, where? I'm just not grasping why an Apple service such as this even relies on the developer's server to begin with. A couple of final things to mention just in case it is relevant. I have a wildcard domain. My site uses a www redirect. I do use https:// What am I missing? Any help would be greatly appreciated!
1
0
1.3k
Mar ’23
Question about passkey fido ctap protocol
I've watched a video about Meet passkeys and I have a question. After key agreement have happened, the two devices connect to a relay server picked by the phone. I understand that the key agreement local part uses Bluetooth. After then, the FIDO CTAP operation does not use Bluetooth? Does it uses Transmission Control Protocol? What happens if I turn off Bluetooth, after the key agreement is finished? Can you explain in more detail how FIDO CTAP operates and how client and authenticator exchange information after two devices connect to a relay server?
1
0
1.7k
Mar ’23
There are no matching passkeys saved in your iCloud Keychain for domain
I have an App that supports PassKeys, end-to-end tests work fine. I also have a website that allows registration of PassKeys. However, whenever I try to sign in to the website, I get the QR code popup, then I get use my phone to scan the QR code, a few seconds later I get: There are no matching passkeys saved in your iCloud Keychain for https://example.com I can clearly see passwords stored in my iCloud Keychain, and they work for the app, why aren't they being found?
3
0
4.5k
Mar ’23
Authenticator Attestation Global Unique Identifier (AAGUID) for Passkeys in iOS App and Safari from mac
Hi, The Authenticator Attestation Global Unique Identifier (AAGUID) for Safari and also, from iOS App is zero’ed out, is this expected to stay this way, can this be considered an ideal differentiator between Passkeys from Apps in iOS/Safari from Mac and other webAuth N Credentials generated from other platform Authenticators as Chrome/Yubico and other vendors happen to send different values. is this value expected to change in future?
1
0
2.8k
Mar ’23
Prevent Re-enrollment for same RP and same user Id - Multiple passkeys for same user
Hi, Is there a guideline from Apple to prevent re-enrollment from same RP and same user Id so that we dont create multiple passkeys for same user account, We have a use case within app to create Passkeys on successful Login, but currently there is no API[ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest] available to pass excludedCredentials for the user Id sent by RP[https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-excludecredentials] so that iOS can avoid creating new Passkeys for same User Id and same RP. If we end up creating multiple Passkeys for same RP and same User Id,basically RP has to maintain all Passkeys's publickey and credIds at their end, leading to authentication complexity. Also,Due to re-enrollment for same user with same RP, this leads to authentication failures[as user might choose diff Passkey-CredId from Modal than the one for which Challenge is requested for] until RP supports truly discoverable credentials. We could say to replace Passkeys during subsequent creation but it would invalidate passkeys already shared to others or in sync'ed devices on web[that might work based off of storedCredId] which would be already creating passkeys or adopt webAuthN on different browsers and create new credential there as well. But, ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest has excludedCredentials though.
2
0
1.4k
Mar ’23
Requesting Autofill from app for Passkeys created from web in Safari
Hi, We have a usecase where our website uses safari and has adopted webAuthN, say enrollment has happened in web using Safari and thus, passkeys for that user account User A in Website A has been created. We have an App for the same website, so, when we enable autofill and adopt passkeys for authentication, Since the passkeys are icloud keychain sync'ed, Either autofill or through Modal, we would receive all Passkeys created in website A as domain is same in App entitlements as well. For passkeys created through App, as recommended in webAuthN approach, we store the cred Id/username so as to fetch the challenge using that populate the same in AutoFill but for Passkeys created in web, though the success delegate method has ASAuthorizationPlatformPublicKeyCredentialAssertion object, it does not have challenge passed to it at first place as most passwordless providers require User Id as an attribute to generate challenge. We had SecrequestSharedWebCredential which could retrieve us credentials and thus, with the user name for this scenario but has been deprecated from iOS14. is there any alternate way to fetch atleast the user Id for the domain from iCloud Keychain?
1
0
955
Mar ’23
Decoding rawattestationData and rawauthenticatorData in Swift
Hi, I tried verifying the rawattestationData and rawAuthenticatorData using third party libraries, but am not able to decode information in both rawAttestationData and rawAuthenticatorData, for ex, in rawAttestationObject, always authData decoding is returning nil. For ex, this string representation of rawattestationdata : a363666d74646e6f6e656761747453746d74a06861757468446174615898d3a03fad282d25bfb82046633c2ae488dbf8e554c515bfe205512879f29c30c25d00000000000000000000000000000000000000000014f8f898d67027d0552f7fd2524e4ffec6debdede9a5010203262001215820fd8a8445e56a6888027b814c5ef51b9ad323d24bfb8725704fe2cdef76b87bbf2258202452a529b55374d20b26a3753167083f7ebc7404db731210f70fab1db757b7d4 returns { "fmt": "none", "attStmt": {}, "authData": h'd3a03fad282d25bfb82046633c2ae488dbf8e554c515bfe205512879f29c30c25d00000000000000000000000000000000000000000014f8f898d67027d0552f7fd2524e4ffec6debdede9a5010203262001215820fd8a8445e56a6888027b814c5ef51b9ad323d24bfb8725704fe2cdef76b87bbf2258202452a529b55374d20b26a3753167083f7ebc7404db731210f70fab1db757b7d4', } in CBOR playground but whenever i try with any third party lib for decoding authData, it returns me nil. and am not able to decode authdata in any CBOR playground online as well, Is there a recommendation or example implementation in swift for decoding cbor rawattestationData and rawauthenticatorData for verification?
1
0
1.2k
Feb ’23
More user friendly passkey authentication
If RP have already identified the user somehow, RP would include allow credential for the authentication. In case of identified user only has single passkey (which means the transport is internal), and the user tries to authenticate, the allow credential only has one credential entry with internal transport. In this case, I'm thinking that RP is clearly indicates which credential is expected, then browsers or platforms might directly prompt Face ID or Touch ID without showing modal sheet which introduces additional user steps. For other cases, I understand why passkey modal sheet is needed, but in this case, it would be better to present Face ID or Touch ID prompt without modal UI.
1
0
751
Feb ’23
Setting up development environment for Passkey
Hi, I would like to create my own personal use case to test out the Passkey service. I have downloaded the Shiny app from the Apple website to begin with, but it says you need an associated domain to connect it to your website. I don't have a domain right now and whatever website I build will be run on a local host. Can I use a local host or an ip address as the associated domain, or do I need to purchase a domain to get the passkey up and running?
0
0
800
Feb ’23
webcredentials not working, but universal links do
Hey, I've tried everything and I'm stuck. I wanted to test passkeys with the shiny example app. I did everything as it should be, universal links are actually working. But not the webcredential part. My website is philippmheck.com look it up, its nothing on there yet :D. I also did the webcredential with ?mode=developer. Oh and I tested it with the https://branch.io/resources/aasa-validator/, it says everything is fine. Regards Philipp Heck
2
0
2.3k
Jan ’23
Why isn't safari web browser prompting to save a passkey?
Hi there - I have an existing webauthn implementation and I am trying to test out what changes are required to start leveraging Passkeys for our customers through iCloud Keychain. Right now when the user is prompted to register a credential on our site they are prompted with Do you want to allow [relying party] to use Touch ID? However I see that on Passkey demo sites like webauthn.io the prompt looks like Do you want to save a passkey for [username]? Passkeys are saved in your iCloud Keychain and are available for sign in on all your devices. Does anyone know why my implementation is not prompting to save a passkey? Interestingly, my implementation does result in a passkey prompt for Chrome on Mac.
0
0
1.2k
Jan ’23
Passkey username autofill doesn't show up
I'm trying to implement Passkey support for my app and was able to implement the registration and modal login flow. However, the username autofill just doesn't show up. I also tested with Shiny demo app and got the same result. Is there anything I need to do for it to work? So far: Domain entitlement is added and working (registration and modal login works) Registered Passkey shows up correctly in Settings > Passwords Password Options > Autofill Passwords is on and set to autofill from Keychain Checked that the input field has textContextType: username Checked that performAutoFillAssistedRequests() was called before the input is focused Tested on simulator (XCode 14.1, iOS 16.1) and iPhone 12 (iOS 16.1.1). Both were not showing autofill (no QuickType bar).
1
0
2.2k
Jan ’23
Credential compare on server "AttestationObject invalid CBOR"
Hello developers, I'm trying to use the following library (https://github.com/passwordless-lib/fido2-net-lib) with passkeys on iOS. Every time I try to complete the registration I get a CBOR error from the library with the following response: "AttestationObject invalid CBOR (Declared Definite Length of CBOR Data Item Overs Available Buffer Size.)" I already spoke to the developer of the library on GitHub (https://github.com/passwordless-lib/fido2-net-lib/issues/357) Every time I've tried, the AttestationObject from the ASAuthorizationPlatformPublicKeyCredentialRegistration response is malformed. A CBOR verification in a web decoder also ends with an invalid CBOR object (verification error: CBOR Decode - Unexpected data: 0x36) When I try to verify on a site that uses passkeys, it works. Is there a fix for this, or is Apple removing something from the AttestationObject in the ASAuthorizationPlatformPublicKeyCredentialRegistration response?
1
0
1.5k
Jan ’23
Reset passkeys
Hi, I referred to the documentation for reset passkeys - https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys#4047465 , this method createCredentialRegistrationRequest seems to be an instance of ASAuthorizationSecurityKeyPublicKeyCredentialRegistration and returns a registration request of the the type ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest, is this correct? When i tried to integrate the same, it gave "No algorithms specified for ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest" from iOS. So, i tried replacing the registration request with ASAuthorizationPlatformPublicKeyCredentialProvider with same params as expected for createCredentialRegistrationRequest with challenge, username and userId, but it ended up creating one more passkey which I could see in settings. It created new passkey though I expected this to replace existing. is this expected? Also, will this registration request expected to replace ALL passkeys created for this user for this domain or just 1 passkeys matching the user and domain? Please let me know if I missed out anything. Thanks for your help
Replies
2
Boosts
0
Views
1.7k
Activity
Jun ’23
[WebAuthn] support for Large Blob extension
WebKit PR #9891 added support for the WebAuthn Large Blob extension in the browser. (Hooray!) Does Apple plan to add support for this extension (or similar, such as PRF) in MacOS and iOS platform authenticators? If so, where can we track this? More context: I've been developing with these extensions using other authenticators. After #9891 I hoped my native platform authenticator on Macbook Pro M1 (with Safari Preview Release 170 on Ventura 13.4) might support largeBlob. But after testing it seems I was mistaken. Thanks!
Replies
2
Boosts
0
Views
2.0k
Activity
Jun ’23
Passkeys implementation: presentationContextProvider
Hi! 👋 Recently, we added the passkeys feature to our SPM package/demo application. We based our solution on the Apple's sample implementation. However, after some time, we noticed that the ASAuthorizationController.presentationContextProvider configuration is not required. Moreover, the ASAuthorizationControllerPresentationContextProviding.presentationAnchor(for:) method never gets called. We're wondering if there are any unwanted side effects that could be caused by removing this part of the code. We were not able to find any, as everything works the same way as before we removed the presentationContextProvider-related code. However, we're guessing that there must be a good reason why it is included in the demo app 🤔 Also, we're curious about how it works under the hood. Does it use the currently visible UIWindow by default?
Replies
1
Boosts
1
Views
690
Activity
May ’23
Passkey against local server with self-signed certificate
Hey! Is it possible to test passkeys against a locally running server in simulator with self-signed certificate? As far as I can tell, the certificate is trusted on the Simulator and Safari has no trouble communicating with the server or fetching the apple-app-site-association file. The error I'm getting is ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)" Error: ["NSLocalizedFailureReason": Application with identifier FAKETEAMID.com.example.apple-samplecode.Shiny is not associated with domain webauthn-api.local] When running the Shiny example app. There is an apple-app-site-association available in https://webauthn-api.local:7001/.well-known/apple-app-site-association: { "webcredentials": { "apps": [ "FAKETEAMID.com.example.apple-samplecode.Shiny" ] } } And in the Associated Domains, I've added: webcredentials:webauthn-api.local:7001?mode=developer I saw here https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_associated-domains that to use a local server with the apple-app-site-association, one should add ?mode=developer to the entitlement. However, looking at the logs for the server, the simulator does not seem to ever attempt fetching /.well-known/apple-app-site-association file, so the developer mode does not seem to have any effect. Is the developer mode supposed to work with webcredentials service. Documentation linked above doesn't make any exclusions for that.
Replies
7
Boosts
0
Views
5.3k
Activity
Apr ’23
Help with Passkeys & KeyChain
Hello all, I have a standard sign up form on my iOS app with the typical username and password fields. I'm using SwiftUI and have marked my TextField with the correct .textContentType. TextField("Username", text: $username) .padding() .background(Color(.systemGray6)) .cornerRadius(8) .padding(.bottom, 10) .textContentType(.username) I created this function inside the same swift file that I use to handle my registrations and signins. func fetchChallenge(completion: @escaping (Data?) -> Void) { let url = URL(string: "https://www.myurl.com/api/generate_challenge.php")! URLSession.shared.dataTask(with: url) { data, response, error in if let data = data, error == nil { completion(data) } else { completion(nil) } }.resume() } This is what this server file looks like. <?php header('Content-Type: application/json'); header('Access-Control-Allow-Origin: *'); function generate_challenge() { $randomBytes = openssl_random_pseudo_bytes(32); return base64_encode($randomBytes); } $challenge = generate_challenge(); $response = array("challenge" => $challenge); echo json_encode($response); ?> My first question would be, is this what the new PassKey is expecting as a challenge? It says it should be unique each time, so I'm assuming that it doesn't need to be saved to the database. Is that correct? Or would this be considered to be the public key? Next, how can I use the examply Shiny PassKey code in SwiftUI to call my functions and use passkeys and keychain? e.g. My custom functions.... func signInWithV1(username: String, password: String) func signUpWithV1(userName: String, password: String) My server is a linux server running nginx. I just can't seem to find anything on how to properly do this on the server side. I'm not sure what to save to the database and how you would integrate the above functions into the authorizationController and how to properly verifiy the let variables in the example code that I found from the Shiny Project. If anyone has time to explain this I would be extrememly grateful! I'm assuming that I can't just use the Shiny code as is since it says that I need to Verify stuff inside the authorizationController. As of right now, my app simply saves the username and password to my database and I do checks to ensure the username and password is how I want it on the server side and the same when they login. However, nothing is saved to the keychain or passkey as of right now. Thanks in advance to anyone who takes the time to explain this in detail! I would be very grateful!!
Replies
1
Boosts
0
Views
1k
Activity
Apr ’23
PassKeys & App Implementation
Hello all, First post in the forums! I hope this question has not been answered already and I missed it. If it has, I apologize in advance. I downloaded the Shiny demo code. I updated the AccountManager to use my domain. I placed the required file on my server in the .well-known folder. Here is my code. Note: I replaced example with my real domain. { "applinks": { "details": [ { "appIDs": [ "CC8JC8QC9K.com.example.Shiny" ], } ] }, "webcredentials": { "apps": [ "CC8JC8QC9K.com.example.Shiny" ] } } One thing I'm not clear on is what applinks are and if it is even needed for this service or not. In either case, I went ahead and included it. I added webcredentials:example.com to the Associated domains section under Signing Capabilities for my target. Again, example is replaced with my domain. I also included applinks:example.com since I don't fully understand the importance of that just yet. I have enabled Associated Domain for the app in my developer account and imported the AuthenticationServices framework into the project. When I run the app I get the following errors. 2023-03-30 15:57:43.005597-0500 Shiny[64202:1563051] [Authorization] ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1001 "(null)" 2023-03-30 15:57:43.007370-0500 Shiny[64202:1562730] Request canceled. I also noticed this in the sample code. // Fetch the challenge from the server. The challenge needs to be unique for each request. let challenge = Data() Am I supposed to be doing something on my server? If so, where? I'm just not grasping why an Apple service such as this even relies on the developer's server to begin with. A couple of final things to mention just in case it is relevant. I have a wildcard domain. My site uses a www redirect. I do use https:// What am I missing? Any help would be greatly appreciated!
Replies
1
Boosts
0
Views
1.3k
Activity
Mar ’23
Question about passkey fido ctap protocol
I've watched a video about Meet passkeys and I have a question. After key agreement have happened, the two devices connect to a relay server picked by the phone. I understand that the key agreement local part uses Bluetooth. After then, the FIDO CTAP operation does not use Bluetooth? Does it uses Transmission Control Protocol? What happens if I turn off Bluetooth, after the key agreement is finished? Can you explain in more detail how FIDO CTAP operates and how client and authenticator exchange information after two devices connect to a relay server?
Replies
1
Boosts
0
Views
1.7k
Activity
Mar ’23
There are no matching passkeys saved in your iCloud Keychain for domain
I have an App that supports PassKeys, end-to-end tests work fine. I also have a website that allows registration of PassKeys. However, whenever I try to sign in to the website, I get the QR code popup, then I get use my phone to scan the QR code, a few seconds later I get: There are no matching passkeys saved in your iCloud Keychain for https://example.com I can clearly see passwords stored in my iCloud Keychain, and they work for the app, why aren't they being found?
Replies
3
Boosts
0
Views
4.5k
Activity
Mar ’23
Authenticator Attestation Global Unique Identifier (AAGUID) for Passkeys in iOS App and Safari from mac
Hi, The Authenticator Attestation Global Unique Identifier (AAGUID) for Safari and also, from iOS App is zero’ed out, is this expected to stay this way, can this be considered an ideal differentiator between Passkeys from Apps in iOS/Safari from Mac and other webAuth N Credentials generated from other platform Authenticators as Chrome/Yubico and other vendors happen to send different values. is this value expected to change in future?
Replies
1
Boosts
0
Views
2.8k
Activity
Mar ’23
Prevent Re-enrollment for same RP and same user Id - Multiple passkeys for same user
Hi, Is there a guideline from Apple to prevent re-enrollment from same RP and same user Id so that we dont create multiple passkeys for same user account, We have a use case within app to create Passkeys on successful Login, but currently there is no API[ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest] available to pass excludedCredentials for the user Id sent by RP[https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-excludecredentials] so that iOS can avoid creating new Passkeys for same User Id and same RP. If we end up creating multiple Passkeys for same RP and same User Id,basically RP has to maintain all Passkeys's publickey and credIds at their end, leading to authentication complexity. Also,Due to re-enrollment for same user with same RP, this leads to authentication failures[as user might choose diff Passkey-CredId from Modal than the one for which Challenge is requested for] until RP supports truly discoverable credentials. We could say to replace Passkeys during subsequent creation but it would invalidate passkeys already shared to others or in sync'ed devices on web[that might work based off of storedCredId] which would be already creating passkeys or adopt webAuthN on different browsers and create new credential there as well. But, ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest has excludedCredentials though.
Replies
2
Boosts
0
Views
1.4k
Activity
Mar ’23
Requesting Autofill from app for Passkeys created from web in Safari
Hi, We have a usecase where our website uses safari and has adopted webAuthN, say enrollment has happened in web using Safari and thus, passkeys for that user account User A in Website A has been created. We have an App for the same website, so, when we enable autofill and adopt passkeys for authentication, Since the passkeys are icloud keychain sync'ed, Either autofill or through Modal, we would receive all Passkeys created in website A as domain is same in App entitlements as well. For passkeys created through App, as recommended in webAuthN approach, we store the cred Id/username so as to fetch the challenge using that populate the same in AutoFill but for Passkeys created in web, though the success delegate method has ASAuthorizationPlatformPublicKeyCredentialAssertion object, it does not have challenge passed to it at first place as most passwordless providers require User Id as an attribute to generate challenge. We had SecrequestSharedWebCredential which could retrieve us credentials and thus, with the user name for this scenario but has been deprecated from iOS14. is there any alternate way to fetch atleast the user Id for the domain from iCloud Keychain?
Replies
1
Boosts
0
Views
955
Activity
Mar ’23
Decoding rawattestationData and rawauthenticatorData in Swift
Hi, I tried verifying the rawattestationData and rawAuthenticatorData using third party libraries, but am not able to decode information in both rawAttestationData and rawAuthenticatorData, for ex, in rawAttestationObject, always authData decoding is returning nil. For ex, this string representation of rawattestationdata : a363666d74646e6f6e656761747453746d74a06861757468446174615898d3a03fad282d25bfb82046633c2ae488dbf8e554c515bfe205512879f29c30c25d00000000000000000000000000000000000000000014f8f898d67027d0552f7fd2524e4ffec6debdede9a5010203262001215820fd8a8445e56a6888027b814c5ef51b9ad323d24bfb8725704fe2cdef76b87bbf2258202452a529b55374d20b26a3753167083f7ebc7404db731210f70fab1db757b7d4 returns { "fmt": "none", "attStmt": {}, "authData": h'd3a03fad282d25bfb82046633c2ae488dbf8e554c515bfe205512879f29c30c25d00000000000000000000000000000000000000000014f8f898d67027d0552f7fd2524e4ffec6debdede9a5010203262001215820fd8a8445e56a6888027b814c5ef51b9ad323d24bfb8725704fe2cdef76b87bbf2258202452a529b55374d20b26a3753167083f7ebc7404db731210f70fab1db757b7d4', } in CBOR playground but whenever i try with any third party lib for decoding authData, it returns me nil. and am not able to decode authdata in any CBOR playground online as well, Is there a recommendation or example implementation in swift for decoding cbor rawattestationData and rawauthenticatorData for verification?
Replies
1
Boosts
0
Views
1.2k
Activity
Feb ’23
More user friendly passkey authentication
If RP have already identified the user somehow, RP would include allow credential for the authentication. In case of identified user only has single passkey (which means the transport is internal), and the user tries to authenticate, the allow credential only has one credential entry with internal transport. In this case, I'm thinking that RP is clearly indicates which credential is expected, then browsers or platforms might directly prompt Face ID or Touch ID without showing modal sheet which introduces additional user steps. For other cases, I understand why passkey modal sheet is needed, but in this case, it would be better to present Face ID or Touch ID prompt without modal UI.
Replies
1
Boosts
0
Views
751
Activity
Feb ’23
Setting up development environment for Passkey
Hi, I would like to create my own personal use case to test out the Passkey service. I have downloaded the Shiny app from the Apple website to begin with, but it says you need an associated domain to connect it to your website. I don't have a domain right now and whatever website I build will be run on a local host. Can I use a local host or an ip address as the associated domain, or do I need to purchase a domain to get the passkey up and running?
Replies
0
Boosts
0
Views
800
Activity
Feb ’23
webcredentials not working, but universal links do
Hey, I've tried everything and I'm stuck. I wanted to test passkeys with the shiny example app. I did everything as it should be, universal links are actually working. But not the webcredential part. My website is philippmheck.com look it up, its nothing on there yet :D. I also did the webcredential with ?mode=developer. Oh and I tested it with the https://branch.io/resources/aasa-validator/, it says everything is fine. Regards Philipp Heck
Replies
2
Boosts
0
Views
2.3k
Activity
Jan ’23
Why isn't safari web browser prompting to save a passkey?
Hi there - I have an existing webauthn implementation and I am trying to test out what changes are required to start leveraging Passkeys for our customers through iCloud Keychain. Right now when the user is prompted to register a credential on our site they are prompted with Do you want to allow [relying party] to use Touch ID? However I see that on Passkey demo sites like webauthn.io the prompt looks like Do you want to save a passkey for [username]? Passkeys are saved in your iCloud Keychain and are available for sign in on all your devices. Does anyone know why my implementation is not prompting to save a passkey? Interestingly, my implementation does result in a passkey prompt for Chrome on Mac.
Replies
0
Boosts
0
Views
1.2k
Activity
Jan ’23
Passkey username autofill doesn't show up
I'm trying to implement Passkey support for my app and was able to implement the registration and modal login flow. However, the username autofill just doesn't show up. I also tested with Shiny demo app and got the same result. Is there anything I need to do for it to work? So far: Domain entitlement is added and working (registration and modal login works) Registered Passkey shows up correctly in Settings > Passwords Password Options > Autofill Passwords is on and set to autofill from Keychain Checked that the input field has textContextType: username Checked that performAutoFillAssistedRequests() was called before the input is focused Tested on simulator (XCode 14.1, iOS 16.1) and iPhone 12 (iOS 16.1.1). Both were not showing autofill (no QuickType bar).
Replies
1
Boosts
0
Views
2.2k
Activity
Jan ’23
Does passkeys work on webviews ?
will webviews (within an app) have the ability to use the passkey feature (assuming the app/provider implements passkey capability, which is rendered in the webview). please help
Replies
2
Boosts
0
Views
4.2k
Activity
Jan ’23
Credential compare on server "AttestationObject invalid CBOR"
Hello developers, I'm trying to use the following library (https://github.com/passwordless-lib/fido2-net-lib) with passkeys on iOS. Every time I try to complete the registration I get a CBOR error from the library with the following response: "AttestationObject invalid CBOR (Declared Definite Length of CBOR Data Item Overs Available Buffer Size.)" I already spoke to the developer of the library on GitHub (https://github.com/passwordless-lib/fido2-net-lib/issues/357) Every time I've tried, the AttestationObject from the ASAuthorizationPlatformPublicKeyCredentialRegistration response is malformed. A CBOR verification in a web decoder also ends with an invalid CBOR object (verification error: CBOR Decode - Unexpected data: 0x36) When I try to verify on a site that uses passkeys, it works. Is there a fix for this, or is Apple removing something from the AttestationObject in the ASAuthorizationPlatformPublicKeyCredentialRegistration response?
Replies
1
Boosts
0
Views
1.5k
Activity
Jan ’23
autocomplete with WebAuthn in custom element
Hi all, I'm trying to implement a passkey login form based on an input element with autocomplete=webauthn. My form works fine inside an classic html page but the conditional UI is not triggered when the same input field is wrapped in a custom element. Is it a known issue on Safari 16.1?
Replies
3
Boosts
1
Views
1.6k
Activity
Dec ’22