Meet passkeys

RSS for tag

Discuss the WWDC22 Session Meet passkeys

Posts under wwdc2022-10092 tag

67 Posts

Post

Replies

Boosts

Views

Activity

Screen is frozen after performAutoFillAssistedRequests
Hi, I am trying to implement passkey in my app and noticed this strange behavior. How to reproduce (iOS 16.0 beta): Call ASAuthorizationController.performAutoFillAssistedRequests Tap a text field to trigger the quick type UI Tap the key icon, and I will see a modally presented view controller with a list of credentials Select a passkey, and the view controller will be dismissed Now the app is frozen, I can not tap the text field or any other buttons If I switch to another app and then switch back (that is, making the app to background and then active again), the app will resume In step 4, if I select a password, the app will not freeze. If I dismiss the view controller by swiping down, the app will not freeze. It will only freeze if I select a passkey. I am testing using a simple view controller with only two text fields, and I am not doing anything special, so I wonder if this is a bug in the framework. Could someone help me to verify it?
1
0
943
Aug ’22
passkey with iCloud Keychain
Dear Apple, We are very nervous to discover that, in the next Public Beta of macOS, it's not feasible any more to use Touch ID as a platform authenticator without using iCloud Keychain. If a local stored and iCloud Keychain stored WebAuthn credential registered within Safari are indistinguishable, we had to ban all Safari users out in the intranet of our enterprise. Do you have any .mobileconfig provision / enterprise provision to make TouchID work again as a WebAuthn authenticator without using iCloud Keychain in the next version of macOS just like now? -- Best regards, Wang Kang Alibaba Group
0
1
816
Aug ’22
Problems with integrating passkeys
Hi all. I'm trying to add passkeys as an authentication method to my app but I'm running into a problem. Based on the new passkey implementation we need to create a challenge every time a user visits the login page. Two questions: If we incorporate passkeys, we will need to create a challenge on the server and store it every time a user even visits the login page. This would make it extremely easy for attackers to DDOS us and fill up our database. Our current solution to this is exclusively IP-based throttling. Is there a better solution recommended by Apple? Ideally we would get the usernames/public keys/credential IDs of the passkeys before the user goes through biometrics to actually use the passkey. That way we could only issue challenges associated with those accounts. Is there a way to do this via the Apple APIs?
1
0
958
Jul ’22
Verifying PassKey Signature - Structure
Hi, I'm reading different structures on how to construct my signature for verification with PassKeys. I have my key with: publicKeyU2F = b"".join([ (0x04).to_bytes(1, byteorder='big'), key_from_dict.x, key_from_dict.y ]) but when it comes to building the data to verify, I can see two choices...what's the correct format https://medium.com/webauthnworks/verifying-fido2-responses-4691288c8770 signature_base = b"".join( [ authenticator_data_bytes, client_data_hash_bytes, ] ) signature_base_hash = hashlib.sha256() signature_base_hash.update(signature_base) signature_base_hash_bytes = signature_base_hash.digest() or https://www.w3.org/TR/webauthn-2/#sctn-fido-u2f-attestation signature_base = b"".join([ (0x00).to_bytes(1, byteorder='big'), rpidhash, client_data_hash_bytes, credentialId, publicKeyU2F ]) signature_base_hash = hashlib.sha256() signature_base_hash.update(signature_base) signature_base_hash_bytes = signature_base_hash.digest()
6
0
1.9k
Jul ’22
PassKeys decoded attestation has no statement
Hi, I'm decoding an attestationObject created with ASAuthorizationPlatformPublicKeyCredentialRegistration, but the results have no statement: {'fmt': 'none', 'attStmt': {}, 'authData': '.....data here.......'} The whole credentialRegistration.rawAttestationObject is 182 bytes I'm expecting to see keys like: sig, x5c, alg, certInfo, pubArea etc, but the dictionary is empty, any ideas why it would be empty? Expected Keys: https://github.com/duo-labs/py_webauthn/blob/9d81f2ea12d247b034714aac73701dce32cd67c8/webauthn/helpers/parse_attestation_statement.py#L4
2
0
1.3k
Jul ’22
Implementation for AutoLogin in Apps using Passkeys
Hi, I understand that during subsequent login attempts, either the modal or autofill requests are shown for the user to authenticate if they are registered for passkeys during manual login first attempt. Currently, our app has the option to automatically authenticate user using Face ID on App launch using the enrollment keys we had obtained during manual login if the user has opted for Face ID as login method for subsequent attempts. Simply put, there is no user intervention for this existing autologin step other than app launch. My questions are: Is there an API option that could call Face Authentication step of Passkeys directly without showing modal or Autofill so that we land on delegate on Face ID authentication success? OR Can the continue button in modal that gets presented for subsequent passkeys authentication attempt be called programmatically so that we land on delegate on Face ID authentication success? we will call Option 1 or 2 after we get the challenge from Server on App Launch.
1
0
805
Jul ’22
Support for Passkeys
Hi, I would like to know the following regarding Passkeys: Will Apple support Passkeys to authenticate against it's services like icloud.com, store.apple.com, etc? Will third party password managers like LastPass and Bitwarden to act as Passkey client authenticators in the same way they are currently allowed to authenticate via username/password on Apps and Websites? Can Apple access my Passkeys inside iCloud? Thanks!
1
0
901
Jun ’22
Do Passkeys support the usage of client extensions?
Don't currently see a means of generating a registration/authentication request with this, do Passkeys currently support the handling/processing of client extensions as defined by WebAuthn? If so, is there a reference list of supported client extensions by Passkey? In particular, do Passkeys support creation of 'payment' credentials? https://www.w3.org/TR/secure-payment-confirmation/#sctn-payment-extension-registration extension
1
0
801
Jun ’22
What is the relay server ?
When logging into the website from a Mac using passkey from a nearby device, the session said a local connection will be constructed and both the device will connect to a relay server. First, the client shows a QR code, which the authenticator scans. This QR code contains a URL that encodes a pair of single-use encryption keys. Then, the authenticator produces a Bluetooth advertisement containing routing information for a network relay server. This local exchange allows selecting a server and sharing routing information, but also serves two additional functions. Once the local exchange and key agreement have happened, the two devices connect to a relay server picked by the phone. From there, they perform a standard FIDO CTAP operation, which is encrypted using the keys from earlier, so the relay server can't see anything that's going on. My question is what the relay server actually is? Is it the web browser or a server running on the nearby device?
1
0
1.4k
Jun ’22
Passkeys Adoption
Hi, I watched through the video for passkeys and I have couple of questions for passkeys adoption cross channel/platform. when I try to login from PC for an account for which I have passkey generated from App, PC browser generates a QR code, iOS will act as the authenticator on the scan of QR code and logs the user in. Now, for subsequent Login, will the PC user be still shown QR code or is the QR code and authenticator from iOS just single time for enrollment and for loggin in subsequent time, browser can take care? Will there be any 2nd public private key pair generated from PC to handle subsequent login? if not, does the iphone need to be in close proximity every time? My question is more towards the Keys generated for PC browser and subsequent logins from PC. can you please throw some light on above questions?
2
0
854
Jun ’22
Passkeys Adoption
Excellent work on Passkeys. For context, I’m soon to release a Password Manager app that is built specifically for Apple devices only (iOS, iPadOS, macOS). A user’s vault items are encrypted on their own device and synced end-to-end encrypted via their own private iCloud database. As you’d expect, the app requires the user to enter their master password to unlock their vaults, and allows them to optionally enable Touch or Face ID for a passwordless unlock experience. In this scenario where there is no third-party server involved, and auth takes place on-device only, is there any meaningful way an app like this can or should take advantage of Passkeys? The only thing I can think of so far would be to allow the user to use a Passkey instead of a master password to unlock their vault. But aside from the convenience factor for the user in terms of UX, I’m not entirely sure I understand if there would be any major security advantage in doing so, over the app’s existing auth/unlock flow?
1
1
1.7k
Jun ’22
Screen is frozen after performAutoFillAssistedRequests
Hi, I am trying to implement passkey in my app and noticed this strange behavior. How to reproduce (iOS 16.0 beta): Call ASAuthorizationController.performAutoFillAssistedRequests Tap a text field to trigger the quick type UI Tap the key icon, and I will see a modally presented view controller with a list of credentials Select a passkey, and the view controller will be dismissed Now the app is frozen, I can not tap the text field or any other buttons If I switch to another app and then switch back (that is, making the app to background and then active again), the app will resume In step 4, if I select a password, the app will not freeze. If I dismiss the view controller by swiping down, the app will not freeze. It will only freeze if I select a passkey. I am testing using a simple view controller with only two text fields, and I am not doing anything special, so I wonder if this is a bug in the framework. Could someone help me to verify it?
Replies
1
Boosts
0
Views
943
Activity
Aug ’22
Does webAuthn support signCount
Hi, I'm trying to implement passkey into my app. I am wondering if ASAuthorizationPublicKeyCredentialAssertion.rawAuthenticatorData supports signCount. It seems the value is always 0. Thank you!
Replies
2
Boosts
0
Views
1.3k
Activity
Aug ’22
How can I change passkeys?
If I have shared a passkey with my friends and famil and wish to no longer share access of an account, how will I be able to change the passkey for that account?
Replies
1
Boosts
0
Views
733
Activity
Aug ’22
passkey with iCloud Keychain
Dear Apple, We are very nervous to discover that, in the next Public Beta of macOS, it's not feasible any more to use Touch ID as a platform authenticator without using iCloud Keychain. If a local stored and iCloud Keychain stored WebAuthn credential registered within Safari are indistinguishable, we had to ban all Safari users out in the intranet of our enterprise. Do you have any .mobileconfig provision / enterprise provision to make TouchID work again as a WebAuthn authenticator without using iCloud Keychain in the next version of macOS just like now? -- Best regards, Wang Kang Alibaba Group
Replies
0
Boosts
1
Views
816
Activity
Aug ’22
Revoke/change a passkey
Is it possible to revoke or change a passkey so a user can unshare a previously shared a passkey with someone.
Replies
3
Boosts
0
Views
1.5k
Activity
Jul ’22
Get WiFi password list on iOS 16 and XCode 14 beta
Hi, In iOS 16 beta we can see WiFi password list in WiFi Setting. Is there anyway to retrieve this list in my Application? Will it be allowed by Apple? I have take a look at Supporting Passkey and WiFi core but still not see anything useful. Thanks in advanced.
Replies
1
Boosts
0
Views
1.1k
Activity
Jul ’22
Problems with integrating passkeys
Hi all. I'm trying to add passkeys as an authentication method to my app but I'm running into a problem. Based on the new passkey implementation we need to create a challenge every time a user visits the login page. Two questions: If we incorporate passkeys, we will need to create a challenge on the server and store it every time a user even visits the login page. This would make it extremely easy for attackers to DDOS us and fill up our database. Our current solution to this is exclusively IP-based throttling. Is there a better solution recommended by Apple? Ideally we would get the usernames/public keys/credential IDs of the passkeys before the user goes through biometrics to actually use the passkey. That way we could only issue challenges associated with those accounts. Is there a way to do this via the Apple APIs?
Replies
1
Boosts
0
Views
958
Activity
Jul ’22
Verifying PassKey Signature - Structure
Hi, I'm reading different structures on how to construct my signature for verification with PassKeys. I have my key with: publicKeyU2F = b"".join([ (0x04).to_bytes(1, byteorder='big'), key_from_dict.x, key_from_dict.y ]) but when it comes to building the data to verify, I can see two choices...what's the correct format https://medium.com/webauthnworks/verifying-fido2-responses-4691288c8770 signature_base = b"".join( [ authenticator_data_bytes, client_data_hash_bytes, ] ) signature_base_hash = hashlib.sha256() signature_base_hash.update(signature_base) signature_base_hash_bytes = signature_base_hash.digest() or https://www.w3.org/TR/webauthn-2/#sctn-fido-u2f-attestation signature_base = b"".join([ (0x00).to_bytes(1, byteorder='big'), rpidhash, client_data_hash_bytes, credentialId, publicKeyU2F ]) signature_base_hash = hashlib.sha256() signature_base_hash.update(signature_base) signature_base_hash_bytes = signature_base_hash.digest()
Replies
6
Boosts
0
Views
1.9k
Activity
Jul ’22
Passkeys in my password manager.
Hi. I’m working on my own password manager and is wondering how I can enable support for passkeys in a similar fashion as auto fill for passwords from third party password managers? /Johan
Replies
1
Boosts
0
Views
1k
Activity
Jul ’22
PassKeys decoded attestation has no statement
Hi, I'm decoding an attestationObject created with ASAuthorizationPlatformPublicKeyCredentialRegistration, but the results have no statement: {'fmt': 'none', 'attStmt': {}, 'authData': '.....data here.......'} The whole credentialRegistration.rawAttestationObject is 182 bytes I'm expecting to see keys like: sig, x5c, alg, certInfo, pubArea etc, but the dictionary is empty, any ideas why it would be empty? Expected Keys: https://github.com/duo-labs/py_webauthn/blob/9d81f2ea12d247b034714aac73701dce32cd67c8/webauthn/helpers/parse_attestation_statement.py#L4
Replies
2
Boosts
0
Views
1.3k
Activity
Jul ’22
Implementation for AutoLogin in Apps using Passkeys
Hi, I understand that during subsequent login attempts, either the modal or autofill requests are shown for the user to authenticate if they are registered for passkeys during manual login first attempt. Currently, our app has the option to automatically authenticate user using Face ID on App launch using the enrollment keys we had obtained during manual login if the user has opted for Face ID as login method for subsequent attempts. Simply put, there is no user intervention for this existing autologin step other than app launch. My questions are: Is there an API option that could call Face Authentication step of Passkeys directly without showing modal or Autofill so that we land on delegate on Face ID authentication success? OR Can the continue button in modal that gets presented for subsequent passkeys authentication attempt be called programmatically so that we land on delegate on Face ID authentication success? we will call Option 1 or 2 after we get the challenge from Server on App Launch.
Replies
1
Boosts
0
Views
805
Activity
Jul ’22
Support for Passkeys
Hi, I would like to know the following regarding Passkeys: Will Apple support Passkeys to authenticate against it's services like icloud.com, store.apple.com, etc? Will third party password managers like LastPass and Bitwarden to act as Passkey client authenticators in the same way they are currently allowed to authenticate via username/password on Apps and Websites? Can Apple access my Passkeys inside iCloud? Thanks!
Replies
1
Boosts
0
Views
901
Activity
Jun ’22
Sharing Passes across platforms?
Are passkeys sharable across platforms? Can shared passes be revoked? And what is the mechanism for resetting a passkey?
Replies
1
Boosts
2
Views
855
Activity
Jun ’22
Do Passkeys support the usage of client extensions?
Don't currently see a means of generating a registration/authentication request with this, do Passkeys currently support the handling/processing of client extensions as defined by WebAuthn? If so, is there a reference list of supported client extensions by Passkey? In particular, do Passkeys support creation of 'payment' credentials? https://www.w3.org/TR/secure-payment-confirmation/#sctn-payment-extension-registration extension
Replies
1
Boosts
0
Views
801
Activity
Jun ’22
What is the relay server ?
When logging into the website from a Mac using passkey from a nearby device, the session said a local connection will be constructed and both the device will connect to a relay server. First, the client shows a QR code, which the authenticator scans. This QR code contains a URL that encodes a pair of single-use encryption keys. Then, the authenticator produces a Bluetooth advertisement containing routing information for a network relay server. This local exchange allows selecting a server and sharing routing information, but also serves two additional functions. Once the local exchange and key agreement have happened, the two devices connect to a relay server picked by the phone. From there, they perform a standard FIDO CTAP operation, which is encrypted using the keys from earlier, so the relay server can't see anything that's going on. My question is what the relay server actually is? Is it the web browser or a server running on the nearby device?
Replies
1
Boosts
0
Views
1.4k
Activity
Jun ’22
Passkey Implementation with Java
Hey! I currently run all my sites off SpringBoot (Java). How would I go about implementing support for Passkeys within SpringBoot? I'm looking for a library or any method of doing this. Thank you!
Replies
1
Boosts
0
Views
1.6k
Activity
Jun ’22
Passkeys Adoption
Hi, I watched through the video for passkeys and I have couple of questions for passkeys adoption cross channel/platform. when I try to login from PC for an account for which I have passkey generated from App, PC browser generates a QR code, iOS will act as the authenticator on the scan of QR code and logs the user in. Now, for subsequent Login, will the PC user be still shown QR code or is the QR code and authenticator from iOS just single time for enrollment and for loggin in subsequent time, browser can take care? Will there be any 2nd public private key pair generated from PC to handle subsequent login? if not, does the iphone need to be in close proximity every time? My question is more towards the Keys generated for PC browser and subsequent logins from PC. can you please throw some light on above questions?
Replies
2
Boosts
0
Views
854
Activity
Jun ’22
Option to disable sharing of Passkeys?
We're excited about the introduction of Passkeys at our bank. One thing we try to discourage though, is the sharing of banking credentials. Is there a way to disable a Passkey from being sharable when it is created?
Replies
1
Boosts
0
Views
959
Activity
Jun ’22
Passkeys Adoption
Excellent work on Passkeys. For context, I’m soon to release a Password Manager app that is built specifically for Apple devices only (iOS, iPadOS, macOS). A user’s vault items are encrypted on their own device and synced end-to-end encrypted via their own private iCloud database. As you’d expect, the app requires the user to enter their master password to unlock their vaults, and allows them to optionally enable Touch or Face ID for a passwordless unlock experience. In this scenario where there is no third-party server involved, and auth takes place on-device only, is there any meaningful way an app like this can or should take advantage of Passkeys? The only thing I can think of so far would be to allow the user to use a Passkey instead of a master password to unlock their vault. But aside from the convenience factor for the user in terms of UX, I’m not entirely sure I understand if there would be any major security advantage in doing so, over the app’s existing auth/unlock flow?
Replies
1
Boosts
1
Views
1.7k
Activity
Jun ’22
Meet passkeys
Many thx to Garrett Davidson for his exceptional WWDC2022 presentation: https://developer.apple.com/videos/play/wwdc2022/10092/ Basic question, how is the the private key for a passkey stored on a local device (let's say within the Edge or Chrome browser)? Is it in an encrypted cookie? If so, how is the local encryption done?
Replies
4
Boosts
0
Views
2.2k
Activity
Jun ’22