Post not yet marked as solved
Hi,
In the iOS 16 beta we can see the WiFi password list in the WiFi settings.
Is there any way to retrieve this list in my application? Will it be allowed by Apple?
I have taken a look at Supporting Passkey and WiFi core but still don't see anything useful.
Thanks in advance.
Post not yet marked as solved
Hi all. I'm trying to add passkeys as an authentication method to my app but I'm running into a problem. Based on the new passkey implementation we need to create a challenge every time a user visits the login page. Two questions:
If we incorporate passkeys, we will need to create a challenge on the server and store it every time a user even visits the login page. This would make it extremely easy for attackers to DDoS us and fill up our database. Our current solution to this is exclusively IP-based throttling. Is there a better solution recommended by Apple?
Ideally we would get the usernames/public keys/credential IDs of the passkeys before the user goes through biometrics to actually use the passkey. That way we could only issue challenges associated with those accounts. Is there a way to do this via the Apple APIs?
Post not yet marked as solved
Hi,
I'm reading different structures on how to construct my signature for verification with PassKeys.
I have my key with:
publicKeyU2F = b"".join([
    (0x04).to_bytes(1, byteorder='big'),
    key_from_dict.x,
    key_from_dict.y
])
but when it comes to building the data to verify, I can see two choices... what's the correct format?
https://medium.com/webauthnworks/verifying-fido2-responses-4691288c8770
import hashlib

# data covered by the signature: authenticatorData || SHA-256(clientDataJSON)
signature_base = b"".join(
    [
        authenticator_data_bytes,
        client_data_hash_bytes,
    ]
)
signature_base_hash = hashlib.sha256()
signature_base_hash.update(signature_base)
signature_base_hash_bytes = signature_base_hash.digest()
or https://www.w3.org/TR/webauthn-2/#sctn-fido-u2f-attestation
import hashlib

# verification data of the fido-u2f attestation statement format
signature_base = b"".join([
    (0x00).to_bytes(1, byteorder='big'),
    rpidhash,
    client_data_hash_bytes,
    credentialId,
    publicKeyU2F
])
signature_base_hash = hashlib.sha256()
signature_base_hash.update(signature_base)
signature_base_hash_bytes = signature_base_hash.digest()
Post not yet marked as solved
Hi.
I’m working on my own password manager and am wondering how I can enable support for passkeys in a similar fashion to autofill for passwords from third-party password managers.
/Johan
Post not yet marked as solved
Hi,
I'm decoding an attestationObject created with ASAuthorizationPlatformPublicKeyCredentialRegistration, but the results have no statement:
{'fmt': 'none', 'attStmt': {}, 'authData': '.....data here.......'}
The whole credentialRegistration.rawAttestationObject is 182 bytes
I'm expecting to see keys like sig, x5c, alg, certInfo, pubArea, etc., but the dictionary is empty. Any ideas why it would be empty?
Expected Keys: https://github.com/duo-labs/py_webauthn/blob/9d81f2ea12d247b034714aac73701dce32cd67c8/webauthn/helpers/parse_attestation_statement.py#L4
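The signature-format question above and this empty attStmt are two views of the same structures, so the following single example covers both. Per WebAuthn Level 2 §7.2, an assertion (login) signature is computed over authenticatorData || SHA-256(clientDataJSON); the 0x00 || rpIdHash || clientDataHash || credentialId || publicKeyU2F form from §8.6 is the verification data of the fido-u2f attestation statement format only, used when fmt is "fido-u2f". With fmt "none" the attStmt map is empty by definition, and the credential public key is still present: it is the COSE key at the end of authData, which is what the relying party needs to store. This is an added example, not code from the original posts or from Apple; the CBOR decoder is a subset written here, the sample attestation object is constructed (all-zero AAGUID, dummy coordinates), and with a 20-byte credentialId it comes to the same 182 bytes the post reports.

```python
import hashlib
import struct


def cbor_decode(buf, pos=0):
    """Decode one CBOR item at buf[pos]; return (value, next_pos).
    Subset written for this example: unsigned/negative ints, byte and text
    strings, definite-length arrays and maps (all an attestation object
    and a COSE key need)."""
    initial = buf[pos]
    major, info = initial >> 5, initial & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = struct.unpack(">H", buf[pos:pos + 2])[0], pos + 2
    elif info == 26:
        arg, pos = struct.unpack(">I", buf[pos:pos + 4])[0], pos + 4
    elif info == 27:
        arg, pos = struct.unpack(">Q", buf[pos:pos + 8])[0], pos + 8
    else:
        raise ValueError("indefinite-length CBOR items are not supported here")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3:
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = cbor_decode(buf, pos)
            result[key], pos = cbor_decode(buf, pos)
        return result, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def parse_authenticator_data(auth_data):
    """authData = rpIdHash (32) || flags (1) || signCount (4) || attested
    credential data (AAGUID, credentialId, COSE key) when the AT flag is set."""
    flags = auth_data[32]
    parsed = {
        "rpIdHash": auth_data[:32],
        "flags": flags,
        "signCount": struct.unpack(">I", auth_data[33:37])[0],
        "userPresent": bool(flags & 0x01),
        "userVerified": bool(flags & 0x04),
    }
    if flags & 0x40:
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        parsed["aaguid"] = auth_data[37:53]
        parsed["credentialId"] = auth_data[55:55 + cred_len]
        cose_key, _ = cbor_decode(auth_data, 55 + cred_len)
        parsed["coseKey"] = cose_key
        # COSE EC2 key: label -2 is x, -3 is y; 0x04 || x || y is the U2F/SEC1 form
        if cose_key.get(1) == 2:
            parsed["publicKeyU2F"] = b"\x04" + cose_key[-2] + cose_key[-3]
    return parsed


def decode_attestation_object(raw):
    obj, _ = cbor_decode(raw)
    return {"fmt": obj["fmt"], "attStmt": obj["attStmt"],
            "authData": parse_authenticator_data(obj["authData"])}


def assertion_signature_base(authenticator_data, client_data_json):
    """WebAuthn L2 section 7.2: assertion signature is over authData || SHA-256(clientDataJSON)."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def u2f_attestation_signature_base(rp_id_hash, client_data_hash, credential_id, public_key_u2f):
    """WebAuthn L2 section 8.6: verification data for the fido-u2f attestation format only."""
    return b"\x00" + rp_id_hash + client_data_hash + credential_id + public_key_u2f


def build_sample_attestation_object(rp_id, credential_id, x, y, sign_count=0):
    """Constructed fmt "none" attestation object (CBOR hand-encoded for this fixed shape)."""
    cose_key = (b"\xa5\x01\x02\x03\x26\x20\x01"          # kty=EC2, alg=ES256, crv=P-256
                + b"\x21\x58\x20" + x + b"\x22\x58\x20" + y)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x45])                        # flags: UP | UV | AT
                 + struct.pack(">I", sign_count)
                 + bytes(16)                            # all-zero AAGUID in this sample
                 + struct.pack(">H", len(credential_id)) + credential_id
                 + cose_key)
    assert len(auth_data) < 256                         # one-byte CBOR length below
    return (b"\xa3\x63fmt\x64none\x67attStmt\xa0\x68authData"
            + b"\x58" + bytes([len(auth_data)]) + auth_data)
```

One caveat on the explicit SHA-256 step in both snippets from the post: most ECDSA verify APIs hash the message internally, so they expect the unhashed signature base; if you pre-hash, the verifier has to be told the input is already a digest (for example the cryptography library's `Prehashed`), otherwise the signature will never check out.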
Post not yet marked as solved
Hi,
I understand that during subsequent login attempts, either the modal or the autofill request is shown for the user to authenticate, if they registered for passkeys during the first manual login attempt.
Currently, our app has the option to automatically authenticate the user using Face ID on app launch, using the enrollment keys we obtained during manual login, if the user has opted for Face ID as the login method for subsequent attempts. Simply put, there is no user intervention for this existing autologin step other than app launch.
My questions are:
Is there an API option that could call the Face ID authentication step of passkeys directly, without showing the modal or autofill, so that we land on the delegate on Face ID authentication success? OR
Can the continue button in the modal that gets presented for subsequent passkey authentication attempts be called programmatically, so that we land on the delegate on Face ID authentication success?
We will call option 1 or 2 after we get the challenge from the server on app launch.
Post not yet marked as solved
Hi, I would like to know the following regarding Passkeys:
Will Apple support passkeys to authenticate against its services like icloud.com, store.apple.com, etc.?
Will third-party password managers like LastPass and Bitwarden be allowed to act as passkey client authenticators, in the same way they are currently allowed to authenticate via username/password in apps and websites?
Can Apple access my Passkeys inside iCloud?
Thanks!
Post not yet marked as solved
Are passkeys sharable across platforms? Can shared passes be revoked? And what is the mechanism for resetting a passkey?
Post not yet marked as solved
Is it possible to revoke or change a passkey, so a user can unshare a previously shared passkey with someone?
Post not yet marked as solved
I don't currently see a means of generating a registration/authentication request with this. Do passkeys currently support the handling/processing of client extensions as defined by WebAuthn?
If so, is there a reference list of client extensions supported by passkeys?
In particular, do Passkeys support creation of 'payment' credentials?
https://www.w3.org/TR/secure-payment-confirmation/#sctn-payment-extension-registration extension
Post not yet marked as solved
When logging into a website from a Mac using a passkey from a nearby device, the session said a local connection will be constructed and both devices will connect to a relay server.
First, the client shows a QR code, which the authenticator scans. This QR code contains a URL that encodes a pair of single-use encryption keys. Then, the authenticator produces a Bluetooth advertisement containing routing information for a network relay server. This local exchange allows selecting a server and sharing routing information, but also serves two additional functions.
Once the local exchange and key agreement have happened, the two devices connect to a relay server picked by the phone. From there, they perform a standard FIDO CTAP operation, which is encrypted using the keys from earlier, so the relay server can't see anything that's going on.
My question is: what is the relay server, actually? Is it the web browser, or a server running on the nearby device?
Post not yet marked as solved
Hey!
I currently run all my sites off SpringBoot (Java). How would I go about implementing support for Passkeys within SpringBoot? I'm looking for a library or any method of doing this.
Thank you!
Hi,
I watched through the video for passkeys and I have a couple of questions about passkey adoption across channels/platforms.
When I try to log in from a PC to an account for which I have a passkey generated from the app, the PC browser generates a QR code, iOS acts as the authenticator on scanning the QR code, and logs the user in.
Now,
For subsequent logins, will the PC user still be shown a QR code, or are the QR code and the iOS authenticator a one-time step for enrollment only, with the browser taking care of logging in subsequent times?
Will there be a second public/private key pair generated on the PC to handle subsequent logins?
If not, does the iPhone need to be in close proximity every time?
My question is more about the keys generated for the PC browser and subsequent logins from the PC. Can you please throw some light on the above questions?
Post not yet marked as solved
We're excited about the introduction of passkeys at our bank. One thing we try to discourage, though, is the sharing of banking credentials. Is there a way to disable a passkey from being shareable when it is created?
Excellent work on Passkeys.
For context, I’m soon to release a Password Manager app that is built specifically for Apple devices only (iOS, iPadOS, macOS). A user’s vault items are encrypted on their own device and synced end-to-end encrypted via their own private iCloud database. As you’d expect, the app requires the user to enter their master password to unlock their vaults, and allows them to optionally enable Touch or Face ID for a passwordless unlock experience.
In this scenario where there is no third-party server involved, and auth takes place on-device only, is there any meaningful way an app like this can or should take advantage of Passkeys?
The only thing I can think of so far would be to allow the user to use a Passkey instead of a master password to unlock their vault. But aside from the convenience factor for the user in terms of UX, I’m not entirely sure I understand if there would be any major security advantage in doing so, over the app’s existing auth/unlock flow?
Post not yet marked as solved
Many thx to Garrett Davidson for his exceptional WWDC2022 presentation:
https://developer.apple.com/videos/play/wwdc2022/10092/
Basic question: how is the private key for a passkey stored on a local device (let's say within the Edge or Chrome browser)? Is it in an encrypted cookie? If so, how is the local encryption done?
Post not yet marked as solved
The video says that we should call signOn() as soon as possible even before the user focuses the username text field (e.g. in viewDidLoad).
This method is supposed to obtain a challenge from the server, create the authorization provider, request and controller, and eventually call:
controller.performAutoFillAssistedRequests().
But that means that the challenge from the server is needed before the username is known so...
How can the server know which public key should it use to construct the challenge?
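Both this post and the earlier one about storing a challenge for every visit to the login page turn on the same point, so one added example serves both. A WebAuthn challenge is only unpredictable bytes that the server must later recognise as its own; it is not derived from any user's public key, which is why it can be issued before the username is known. The public key is selected afterwards, by the credentialId the authenticator returns in the assertion. The code below (written for this page, not Apple's code and not from the original posts) issues HMAC-authenticated, time-limited challenges without storing them, so anonymous page loads add no database rows; only challenges consumed by a verified assertion are recorded, to block replay within the TTL. SERVER_KEY, CREDENTIALS and the "alice" entry are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import struct
import time
from typing import Dict, Optional, Tuple

# Constructed for this example: a real deployment loads the key from a secrets store.
SERVER_KEY = os.urandom(32)
CHALLENGE_TTL_SECONDS = 300
NONCE_LEN, TS_LEN, TAG_LEN = 16, 8, 16

# Constructed credential registry: credentialId -> (user, public key bytes).
# The public key is looked up *after* the authenticator answers, by credentialId.
CREDENTIALS: Dict[bytes, Tuple[str, bytes]] = {
    b"\x01" * 20: ("alice", b"<placeholder COSE public key bytes>"),
}

# Only challenges already consumed by a verified assertion are kept
# (challenge -> expiry), so unauthenticated visits to the login page add no state.
_consumed: Dict[bytes, int] = {}


def _now(now: Optional[float]) -> int:
    return int(time.time() if now is None else now)


def issue_challenge(now: Optional[float] = None) -> bytes:
    """Stateless challenge: nonce || issued-at || truncated HMAC-SHA256 tag."""
    body = secrets.token_bytes(NONCE_LEN) + struct.pack(">Q", _now(now))
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def challenge_is_valid(challenge: bytes, now: Optional[float] = None) -> bool:
    """False for malformed, forged, expired, not-yet-valid or already-consumed challenges."""
    if len(challenge) != NONCE_LEN + TS_LEN + TAG_LEN:
        return False
    body, tag = challenge[:NONCE_LEN + TS_LEN], challenge[NONCE_LEN + TS_LEN:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return False
    issued_at = struct.unpack(">Q", body[NONCE_LEN:])[0]
    if not 0 <= _now(now) - issued_at <= CHALLENGE_TTL_SECONDS:
        return False
    return challenge not in _consumed


def consume_challenge(challenge: bytes, now: Optional[float] = None) -> None:
    """Call once the assertion signature has verified; blocks replay within the TTL."""
    current = _now(now)
    for old, expiry in list(_consumed.items()):
        if expiry <= current:            # expired entries already fail the age check
            del _consumed[old]
    _consumed[challenge] = current + CHALLENGE_TTL_SECONDS


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data_json(challenge: bytes, origin: str) -> bytes:
    """The clientDataJSON a client produces for an assertion (constructed here for the demo)."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def resolve_assertion(credential_id: bytes, client_data_json: bytes,
                      expected_origin: str, now: Optional[float] = None):
    """Pre-signature checks: type, origin, a challenge we issued that is unexpired and
    unused, and a known credentialId. Returns (user, public_key, challenge) for the
    caller's ECDSA verification, or None."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get" or client_data.get("origin") != expected_origin:
        return None
    challenge = b64url_decode(client_data.get("challenge", ""))
    if not challenge_is_valid(challenge, now):
        return None
    entry = CREDENTIALS.get(credential_id)
    if entry is None:
        return None
    return entry[0], entry[1], challenge
```

Call consume_challenge only after the ECDSA signature over authenticatorData || SHA-256(clientDataJSON) verifies with the returned public key; consuming earlier would let a failed attempt burn a challenge the legitimate client still holds. The rpIdHash and signCount checks on authenticatorData are omitted here and still belong in a real verifier.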
Post not yet marked as solved
I'm interested in the "Transition users away from passwords" point that was mentioned but not covered in depth.
Once set up with a passkey, should we be disabling password-based logins for that user? Essentially securing accounts one by one as they move over (with the long-term goal of preventing registration with passwords altogether).
And what does the user flow look like for recovering an account when the private key is lost (stolen device)? Are we just back to sending an email or SMS with a URL to connect a new device (seems like a weak link)?
Or when the user's device is "left at home"? (I'm assuming no device = no luck, a compromise of extra security vs. weak passwords you carry around in your head.)
Post not yet marked as solved
In the tech preview of Safari, setting the authenticatorAttachment to "platform" still enables the feature.
However, using the same setting in Chrome previews, the feature is only enabled as "cross-platform". Will this eventually be aligned? If so, which is the correct one?
Post not yet marked as solved
Is this functionality based on registration with the requireResidentKey flag? Or will it also work with non-discoverable credentials?
Also, does it use the user.displayName like the OS popups do?
Thanks!