Passkeys - what happens to my FIDO credentials when I move to passkeys?

Hi everyone,

I have a website using FIDO2/WebAuthn. My current users have their FIDO credentials on the phone. As far as I understand, those credentials will not automatically synchronize with passkeys when those users switch to iOS 16 (meaning that their FIDO credential can't be used cross-device automatically). Is it true that, for example, if the keys were created with iOS 15 on the phone, users will need to scan a QR code on the desktop the first time to create the passkeys and add them to the iCloud Keychain?

If this was just too confusing, let me know :) The bottom line is understanding if there is a way to "migrate" existing FIDO credentials created before iOS 16 to passkeys without scanning the QR code one time.

Thanks!

Replies

For users with legacy (i.e. device-bound) platform credentials, those credentials will continue to work after upgrading to iOS 16, but they will not sync or show up in the password manager. If you would like to upgrade an existing legacy credential to a passkey, you can do that! By rotating the credential (as defined in the WebAuthn spec, or see the "Change or reset a passkey" section here) on a device running iOS 16, the existing legacy credential will be replaced with a passkey.

  • Hi,

    Thanks for the prompt response. I was talking about credentials created on the phone but through WebAuthn in the browser, not native apps (the documentation you refer to is about native apps). Anything similar but for the web specs? I couldn't find the "rotating the credential" concept in the WebAuthn spec. Maybe you can help me with a URL? Thanks!

  • Ah, my mistake, it's actually defined in CTAP2, not WebAuthn. In authenticatorMakeCredential, Step 10 bullet 1, an existing resident credential (e.g. a legacy platform credential or a passkey) will be overwritten if a new one is registered with the same RP ID and "account ID" (aka "userHandle" or "userID" depending on the spec you're looking at). In practice this means you just initiate a new registration with the same userID as used originally. This applies to both the native API and websites.

  • Thanks!! The "problem" here is that if we create a new credential, we need to have the user scan their face twice. First to prove it's him and second to create a new key. Am I missing something? I can't find a good user experience for this "migration".
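The rotation described in the replies above happens on the authenticator: a new registration with the same RP ID and the same user.id overwrites the resident credential it already holds. The relying party has to mirror that on its side, or it will keep a credential ID that no longer exists anywhere, and it can use the backup-eligible (BE) and backup-state (BS) flags in the returned authenticator data to see whether the replacement is a synced passkey. The following is an added example of that RP-side bookkeeping; it is not code from this thread, from Apple, or from any WebAuthn library. It assumes the flag bit positions from WebAuthn Level 3 (BE = bit 3, BS = bit 4), treats the COSE public key as opaque bytes with no extensions following it, and uses a constructed authenticator-data fixture with a placeholder AAGUID rather than a real authenticator response. It does not address the second biometric prompt raised in the follow-up; the ceremony still requires user verification.

```python
import hashlib
import secrets
import struct
from dataclasses import dataclass, field

# Authenticator data flag bits (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may sync to other devices (a passkey)
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data included


@dataclass
class StoredCredential:
    credential_id: bytes
    public_key: bytes  # COSE key, kept opaque in this example
    sign_count: int
    backup_eligible: bool
    backup_state: bool


@dataclass
class User:
    user_handle: bytes  # WebAuthn user.id; must stay identical for the overwrite to happen
    credentials: list = field(default_factory=list)


def registration_options_for_rotation(user, rp_id, old_credential_id, challenge=None):
    """Creation options that replace one credential. The original user.id is reused so the
    authenticator overwrites its resident credential for this RP ID, and the credential
    being rotated is deliberately left out of excludeCredentials (otherwise the
    authenticator would refuse the ceremony). Any other credentials stay excluded."""
    return {
        "rp": {"id": rp_id},
        "user": {"id": user.user_handle},  # same handle as the original registration
        "challenge": challenge or secrets.token_bytes(32),
        "pubKeyCredParams": [{"type": "public-key", "alg": -7}],  # ES256
        "authenticatorSelection": {"residentKey": "required", "userVerification": "required"},
        "excludeCredentials": [
            {"type": "public-key", "id": c.credential_id}
            for c in user.credentials
            if c.credential_id != old_credential_id
        ],
    }


def parse_authenticator_data(auth_data):
    """Split authenticator data into its fixed fields plus attested credential data.
    Assumption for this example: no extensions follow the COSE key, so everything after
    the credential ID is taken as the (still CBOR-encoded) public key."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("registration response carries no attested credential data")
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": auth_data[37:53],
        "credential_id": auth_data[55:55 + cred_len],
        "public_key": auth_data[55 + cred_len:],
    }


def complete_rotation(user, rp_id, old_credential_id, auth_data):
    """Check the essentials of the new registration, then swap the old record for the new
    one. Returns the stored record so the caller can see whether it is now a synced passkey."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not (parsed["flags"] & FLAG_UP and parsed["flags"] & FLAG_UV):
        raise ValueError("user presence and verification are required for rotation")
    if not any(c.credential_id == old_credential_id for c in user.credentials):
        raise ValueError("unknown credential being rotated")
    new_cred = StoredCredential(
        credential_id=parsed["credential_id"],
        public_key=parsed["public_key"],
        sign_count=parsed["sign_count"],
        backup_eligible=bool(parsed["flags"] & FLAG_BE),
        backup_state=bool(parsed["flags"] & FLAG_BS),
    )
    # The authenticator has already discarded the old resident credential, so the RP must
    # drop its record too or it will keep offering a credential ID that no longer exists.
    user.credentials = [c for c in user.credentials if c.credential_id != old_credential_id]
    user.credentials.append(new_cred)
    return new_cred


def build_sample_authenticator_data(rp_id, flags, cred_id, sign_count=0):
    """Constructed fixture in the authenticator-data wire layout, with a placeholder AAGUID
    and dummy COSE key bytes. Not captured from any real authenticator."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags | FLAG_AT])
            + struct.pack(">I", sign_count)
            + b"\x00" * 16                          # AAGUID placeholder
            + struct.pack(">H", len(cred_id)) + cred_id
            + b"\xa5\x01\x02")                      # dummy COSE key bytes


def demo():
    """Rotate a constructed device-bound credential into one whose response sets BE and BS."""
    rp_id = "example.com"
    user = User(user_handle=b"user-1234")
    legacy_id = b"legacy-cred"
    user.credentials.append(StoredCredential(legacy_id, b"", 0, False, False))
    opts = registration_options_for_rotation(user, rp_id, legacy_id)
    assert opts["excludeCredentials"] == []  # the legacy credential must not be excluded
    auth_data = build_sample_authenticator_data(
        rp_id, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, b"new-passkey")
    new_cred = complete_rotation(user, rp_id, legacy_id, auth_data)
    return [c.credential_id for c in user.credentials], new_cred.backup_eligible


if __name__ == "__main__":
    print(demo())
```

The check that the old credential is absent from excludeCredentials is the part people usually get wrong: if the RP excludes every credential it knows about, as it would for an ordinary "add a second authenticator" flow, the authenticator reports that a credential already exists and the overwrite never happens.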
