Challenge in Autofill

The video says that we should call signOn() as soon as possible even before the user focuses the username text field (e.g. in viewDidLoad).

This method is supposed to obtain a challenge from the server, create an authorization provider, request and controller, and eventually call:

controller.performAutoFillAssistedRequests().

But that means that the challenge from the server is needed before the username is known so...

How can the server know which public key it should use to construct the challenge?

The challenge doesn't need to be specific to the public key being used. Even if your server knew the user name, it's possible that a single account may have multiple passkeys (each with their own public key) associated with it, such as if that user has passkeys saved for multiple platforms. In general, challenges should be totally random and unique. The assertion object that gets returned specifies the userID for the account the passkey is associated with. This userID is how your server will know which account's public key(s) to check the signature against.
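The server side of the flow described in this answer, as an added example that is not part of the original thread or any Apple code: a challenge is issued before any username is known, and the userID and credential ID returned in the assertion select the stored public key. The in-memory stores, the function names and the sample account are assumptions made for illustration; the caller still has to check the origin and verify the signature with the returned key.

```python
import base64
import json
import secrets
import time

CHALLENGE_TTL = 300  # seconds; constructed value
_pending = {}        # challenge -> expiry time; holds no user or key information

# Constructed sample store: userID -> {credentialID: public key}.
# One account with two passkeys, e.g. saved on two platforms.
ACCOUNTS = {b"user-42": {b"cred-phone": "PUBKEY_PHONE",
                         b"cred-laptop": "PUBKEY_LAPTOP"}}


def new_challenge(now=None):
    """Issue a random single-use challenge (what signOn() would fetch)."""
    now = time.time() if now is None else now
    raw = secrets.token_bytes(32)
    challenge = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    _pending[challenge] = now + CHALLENGE_TTL
    return challenge


def key_for_assertion(client_data_json, user_id, credential_id, now=None):
    """Return the public key the assertion signature must be checked against."""
    now = time.time() if now is None else now
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("not an assertion")
    challenge = client_data.get("challenge")
    # pop() consumes the challenge, so a replayed assertion fails here.
    expiry = _pending.pop(challenge, None) if isinstance(challenge, str) else None
    if expiry is None or expiry < now:
        raise ValueError("unknown, reused or expired challenge")
    # The userID from the assertion selects the account; the credential ID
    # selects which of that account's passkeys signed.
    keys = ACCOUNTS.get(user_id)
    if keys is None or credential_id not in keys:
        raise ValueError("credential not registered for this user")
    return keys[credential_id]
```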
