Reset passkeys

Hi, I referred to the documentation for reset passkeys (https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys#4047465). This method createCredentialRegistrationRequest seems to be an instance of ASAuthorizationSecurityKeyPublicKeyCredentialRegistration and returns a registration request of the type ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest, is this correct? When I tried to integrate the same, it gave "No algorithms specified for ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest" from iOS. So, I tried replacing the registration request with ASAuthorizationPlatformPublicKeyCredentialProvider with the same params as expected for createCredentialRegistrationRequest with challenge, username and userId, but it ended up creating one more passkey which I could see in settings.

  • It created a new passkey, though I expected this to replace the existing one. Is this expected?
  • Also, is this registration request expected to replace ALL passkeys created for this user for this domain or just 1 passkey matching the user and domain?

Please let me know if I missed out anything. Thanks for your help.

Replies

  • ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest is meant to register new credentials on hardware security keys.
  • ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest is meant to register new passkeys.

Security key registrations always require you to specify credentialParameters, which means setting the list of supported algorithms. This is because not all security keys support all algorithms, so you need to make sure the hardware key supports something that you also support. Passkeys only support a single algorithm, so this isn't necessary.

For both passkeys and security keys, registering a new credential with a userID and domain that matches an existing credential will overwrite the existing credential. However, this is only true within the same type of credential. Registering a passkey will never overwrite a credential on a security key or vice versa, because these are different types.

When a replacement happens, exactly one credential will be replaced: the one with the matching userID and domain. Other credentials, including for the same domain, will not be affected.
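The two registration paths described in the reply above, side by side, as an added example that is not from the thread or from Apple's documentation. The relying party `example.com`, the `CredentialRegistrar` class name and the choice of ES256 are assumptions; `challenge` and `userID` are assumed to come from your server.

```swift
import AuthenticationServices

// Added example: "example.com" and CredentialRegistrar are placeholders.
final class CredentialRegistrar: NSObject, ASAuthorizationControllerDelegate,
                                 ASAuthorizationControllerPresentationContextProviding {
    private let relyingParty = "example.com"
    private let anchor: ASPresentationAnchor
    init(anchor: ASPresentationAnchor) { self.anchor = anchor }

    // Passkey: no credentialParameters needed. Per the reply, reusing the same
    // userID and domain replaces exactly that one existing passkey.
    func registerPasskey(challenge: Data, name: String, userID: Data) {
        let provider = ASAuthorizationPlatformPublicKeyCredentialProvider(
            relyingPartyIdentifier: relyingParty)
        perform(provider.createCredentialRegistrationRequest(
            challenge: challenge, name: name, userID: userID))
    }

    // Security key: credentialParameters must list the algorithms the server
    // accepts, otherwise the request fails with "No algorithms specified".
    func registerSecurityKey(challenge: Data, displayName: String,
                             name: String, userID: Data) {
        let provider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(
            relyingPartyIdentifier: relyingParty)
        let request = provider.createCredentialRegistrationRequest(
            challenge: challenge, displayName: displayName, name: name, userID: userID)
        request.credentialParameters = [
            ASAuthorizationPublicKeyCredentialParameters(algorithm: .ES256) // assumed server choice
        ]
        perform(request)
    }

    private func perform(_ request: ASAuthorizationRequest) {
        let controller = ASAuthorizationController(authorizationRequests: [request])
        controller.delegate = self
        controller.presentationContextProvider = self
        controller.performRequests()
    }

    func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor { anchor }

    func authorizationController(controller: ASAuthorizationController,
                                 didCompleteWithAuthorization authorization: ASAuthorization) {
        // Send rawAttestationObject and rawClientDataJSON to the server for verification.
        if let passkey = authorization.credential as? ASAuthorizationPlatformPublicKeyCredentialRegistration {
            print("passkey registered:", passkey.credentialID.base64EncodedString())
        } else if let key = authorization.credential as? ASAuthorizationSecurityKeyPublicKeyCredentialRegistration {
            print("security key registered:", key.credentialID.base64EncodedString())
        }
    }

    func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) {
        print("registration failed:", error.localizedDescription)
    }
}
```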

Hi Garrett, can you confirm the API (securityKey) provided in the Change or reset a passkey section is wrong? This gives the impression that developers can update displayName of a passkey.