Problems with integrating passkeys

Hi all. I'm trying to add passkeys as an authentication method to my app but I'm running into a problem. Based on the new passkey implementation we need to create a challenge every time a user visits the login page. Two questions:

  1. If we incorporate passkeys, we will need to create a challenge on the server and store it every time a user even visits the login page. This would make it extremely easy for attackers to DDOS us and fill up our database. Our current solution to this is exclusively IP-based throttling. Is there a better solution recommended by Apple?

  2. Ideally we would get the usernames/public keys/credential IDs of the passkeys before the user goes through biometrics to actually use the passkey. That way we could only issue challenges associated with those accounts. Is there a way to do this via the Apple APIs?

  1. I don't think passkeys present any unique constraints here compared to other standard fraud prevention problems. If you're looking for general fraud prevention solutions beyond IP-based rate limiting, Private Access Tokens may be able to help in some circumstances.

  2. The API does not let apps enumerate accounts available on the current device. Information about just the selected account is only provided after user consent, which is provided as part of asking for biometrics (on devices which support it).
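Added example, not code from this thread or from Apple's APIs: an in-memory challenge store in Python that bounds the resource the original poster is worried about. Every issued challenge carries a TTL and is evicted when it expires, the store has a hard cap on outstanding challenges, issuance is throttled per client IP as the poster already does, and a challenge is deleted when it is consumed so it cannot be verified twice. The class name, the limits, and the injectable clock are assumptions for illustration; a production deployment would put the same rules behind a shared cache with key expiry rather than a process-local dict.

```python
import secrets
import time
from collections import deque


class RateLimited(Exception):
    """Raised when a client IP exceeds its challenge-issuance budget."""


class ChallengeStore:
    """Bounded, expiring, single-use store for WebAuthn/passkey challenges.

    All limits below are assumed values chosen for the example, not
    recommendations from Apple or the WebAuthn specification.
    """

    def __init__(self, ttl=120.0, max_outstanding=100_000,
                 per_ip_limit=10, per_ip_window=60.0, clock=time.monotonic):
        self.ttl = ttl                      # seconds a challenge stays valid
        self.max_outstanding = max_outstanding
        self.per_ip_limit = per_ip_limit    # issuances per IP per window
        self.per_ip_window = per_ip_window
        self.clock = clock                  # injectable for testing
        self._challenges = {}               # challenge bytes -> expiry time
        self._order = deque()               # (challenge, expiry) in issue order
        self._per_ip = {}                   # ip -> deque of recent issue times

    def _evict_expired(self, now):
        # Oldest entries are at the left; stop at the first unexpired one.
        while self._order and self._order[0][1] <= now:
            challenge, _ = self._order.popleft()
            self._challenges.pop(challenge, None)

    def issue(self, client_ip):
        """Create a fresh challenge for a login-page visit from client_ip."""
        now = self.clock()
        self._evict_expired(now)

        # Sliding-window throttle per IP, applied before anything is stored.
        times = self._per_ip.setdefault(client_ip, deque())
        while times and times[0] <= now - self.per_ip_window:
            times.popleft()
        if len(times) >= self.per_ip_limit:
            raise RateLimited(client_ip)
        times.append(now)

        # Global cap: drop the oldest outstanding challenges instead of
        # letting the table grow without bound under a flood of visits.
        while len(self._challenges) >= self.max_outstanding and self._order:
            oldest, _ = self._order.popleft()
            self._challenges.pop(oldest, None)

        challenge = secrets.token_bytes(32)  # WebAuthn requires >= 16 random bytes
        expiry = now + self.ttl
        self._challenges[challenge] = expiry
        self._order.append((challenge, expiry))
        return challenge

    def consume(self, challenge):
        """Return True once for a live challenge; it is removed on first use."""
        expiry = self._challenges.pop(challenge, None)
        return expiry is not None and expiry > self.clock()

    def outstanding(self):
        """Number of live challenges after evicting expired ones."""
        self._evict_expired(self.clock())
        return len(self._challenges)


if __name__ == "__main__":
    store = ChallengeStore(per_ip_limit=3)
    ch = store.issue("198.51.100.7")      # constructed sample address
    print("issued", ch.hex(), "live:", store.outstanding())
    print("first verification ok:", store.consume(ch))
    print("replay rejected:", not store.consume(ch))
```

The store never grows past `max_outstanding` challenges regardless of how many login pages are loaded, and the per-IP window gives the same protection the poster describes without a database round-trip for each rejected request. Pairing it with a short TTL keeps the steady-state size at roughly the number of genuine logins in flight.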
