Integrate Passkey iCloud Keychain with other smartphone-based FIDO authenticator

Hi Developers,

I am wondering how it is possible for other smartphone-based FIDO authenticators to use the same iCloud Keychain storage as Passkey does, so that those credentials can be used on non-Apple devices too, and also on the smartphone at the same time.

There are some other iOS authenticators that have implemented BLE and are working on all devices including Windows, but the problem is that those apps cannot support signing in to the website on the smartphone itself (neither in apps nor inside the browser) using the previously registered credential of 'cross-platform' type.

Replies

WebAuthn divides authenticator connections into two categories:

  1. Platform authenticators which are provided by the device itself. Passkeys as well as the existing FaceID/TouchID support in Safari fall into this category. You can typically only use these on the same machine as before, although Passkeys is trying to expand these to be synced across devices on your Apple account.

  2. Cross-platform authenticators (or "roaming" authenticators), which communicate over some sort of transport like USB, BLE, NFC, etc. These can be used whenever the authenticator is available over that transport and the browser/platform you are on supports them - most Macs are not going to have much luck using NFC to talk to an authenticator.

That said, there's nothing saying an authenticator can't be both - that you couldn't use your iPhone as an authenticator for your Windows laptop over USB/BLE/NFC. This is possible today.

That said, there are some issues with the bluetooth transport support. One is that you can't be sure you are pairing with the actual device, rather than an intermediary. Another is that the pairing with devices is at the platform level, while often it is the browser which really needs to establish and maintain that pairing. Keeping the bluetooth radio active in case an authentication request is sent is expensive, and trying to increase the reliability and decrease the latency when that message is sent is challenging cross-stack.

Google has been experimenting with solutions here, including a project called CaBLE which has been iterating within Chrome. CaBLE uses QR codes to establish a link between two devices rather than using traditional bluetooth pairing, and can synchronize that pairing between computers (for instance, across chrome instances signed into a google account).

While I am not privy to Apple's plans, I suspect they would be more inclined to these roaming approaches where other devices could use your phone as an authenticator, rather than letting the secrets be shared to non-Apple devices. Higher security uses such as enterprise and financial login will be paying close attention to the level of protection Apple's platform provides for these secrets when deciding whether to accept Passkeys.
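The platform/cross-platform split described in the reply above surfaces in the WebAuthn API as the `authenticatorAttachment` selection at registration and the `transports` hints at authentication. The following is an added example, not code from the original thread or from Apple: relying-party-side helpers that build the creation options, record what the browser reports about the authenticator actually used (attachment and transports), and replay the stored transports in `allowCredentials`. Function names, the `example.com` RP id and the stored-credential shape are assumptions; the WebAuthn field names and the transport values (`usb`, `nfc`, `ble`, `internal`, and `hybrid`, the WebAuthn Level 3 name for the QR-code phone link that grew out of caBLE) are the standard's own.

```javascript
// Added example (not from the original post): how a relying party expresses the
// platform vs. cross-platform distinction in WebAuthn, and how it records the
// transports reported at registration so it can name them again at sign-in.
// Helper names, the RP id and the stored-credential shape are hypothetical.

const KNOWN_TRANSPORTS = new Set(["usb", "nfc", "ble", "internal", "hybrid"]);
const RP_ID = "example.com"; // hypothetical relying party

// Registration options. `challenge` and `userId` are server-supplied byte arrays.
// attachment: "platform" (device-bound, e.g. iCloud Keychain passkey),
// "cross-platform" (roaming: USB/NFC/BLE/hybrid), or undefined (offer both).
function buildCreationOptions(challenge, userId, userName, attachment) {
  const authenticatorSelection = {
    residentKey: "preferred",    // discoverable credential where supported
    userVerification: "required",
  };
  if (attachment !== undefined) {
    if (attachment !== "platform" && attachment !== "cross-platform") {
      throw new TypeError(`unknown authenticatorAttachment: ${attachment}`);
    }
    authenticatorSelection.authenticatorAttachment = attachment;
  }
  return {
    publicKey: {
      rp: { id: RP_ID, name: "Example RP" },
      user: { id: userId, name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      timeout: 60000,
      attestation: "none",
      authenticatorSelection,
    },
  };
}

// Platform authenticators report "internal"; roaming ones report the radio or
// link they use. A credential reporting both can be used either way.
function classify(transports) {
  if (transports.length === 0) return "unknown";
  const roaming = transports.filter((t) => t !== "internal");
  if (roaming.length === 0) return "platform";
  return transports.includes("internal") ? "both" : "cross-platform";
}

// Called with the PublicKeyCredential that navigator.credentials.create()
// resolved to. Only transport names the RP knows are kept; the browser-reported
// list is a hint from the client, not something to store blindly.
function recordRegistration(credential) {
  const reported = typeof credential.response.getTransports === "function"
    ? credential.response.getTransports()
    : [];
  const transports = reported.filter((t) => KNOWN_TRANSPORTS.has(t));
  return {
    id: credential.id,                               // base64url, for the database
    rawId: credential.rawId,                         // bytes, for allowCredentials
    attachment: credential.authenticatorAttachment ?? null,
    transports,
    kind: classify(transports),
  };
}

// Authentication options: replay each stored credential's transports so the
// browser looks for it on the right transport (USB, NFC, BLE, internal, hybrid).
function buildRequestOptions(challenge, storedCredentials) {
  return {
    publicKey: {
      rpId: RP_ID,
      challenge,
      userVerification: "required",
      allowCredentials: storedCredentials.map((c) => ({
        type: "public-key",
        id: c.rawId,
        transports: c.transports,
      })),
    },
  };
}
```

In a browser, `buildCreationOptions(...)` is passed straight to `navigator.credentials.create()` and `buildRequestOptions(...)` to `navigator.credentials.get()`; the server supplies the challenge bytes. Leaving `authenticatorAttachment` unset is what lets the client offer both a device-bound passkey and a roaming authenticator for the same account, which is the situation the original question is about.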