Does the passkey created using third party provider model get synced to iCloud Keychain?

Does the passkey created using the third-party provider model get synced to iCloud Keychain? If yes, can we avoid that using the attestation object somehow, to have it tied to the device where it was created? Being new to this domain, I am not sure if I am asking the right question.

Replies

It's not mandatory to use iCloud Keychain for sync. It's up to each third-party passkey provider to decide how they will securely create (based on the WebAuthn Authenticator Model spec), persist, and optionally sync passkeys.

Apple have intentionally left the implementation details up to the passkey provider, to allow for flexibility.

  • very good!

  • Thanks @codecomet . Could you also please let me know the generic user experience for a third-party passkey provider? If we go to 'https://webauthn.io' and click on Register, what happens next? Do we scan the QR code generated by the browser using the iPhone Camera app, and then the OS prompts for our app to generate the passkey instead of it doing the same?


Hey @letsbondiway1986 ,

The UX flow would be pretty much the same as creating a passkey with iCloud Keychain, but for a third-party provider/passkey manager some additions to that flow might be:

  1. Presenting a screen to unlock the password/passkeys database via biometrics (Face/Touch ID).
  2. Presenting a screen to allow the user to select which vault to save the passkey to (if your app supports vaults).

You can implement the passkeys creation and auth flows using the newly added extensions on ASCredentialProviderViewController:

https://developer.apple.com/documentation/authenticationservices/ascredentialproviderviewcontroller

  • Thank you @codecomet . So, if I understand it correctly, there is no proximity involved in the case of the third-party provider model too, similar to iCloud Keychain. Is that correct? In a way, it solves the password problem but doesn't match up to the FIDO Alliance's CTAP specs, it looks like, I think.


Hi @codecomet . As per the answer here, bits 3-5, which pertain to backup eligibility and backup state, need to be set to 1 for it to work on iOS. In that case, does the passkey generated using the credential provider extension get synced to a different iPhone/iOS device via iCloud Keychain for the same Apple ID?
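The original question (can a relying party tell from the attestation object whether a passkey is tied to the device?) and the last comment (the backup-eligibility and backup-state flags) both come down to the flags byte of the WebAuthn authenticatorData. The following is an added example for the relying-party side, not code from this thread or from Apple: it parses authenticatorData, reads the BE (bit 3) and BS (bit 4) flags, rejects the spec-invalid combination BS=1 with BE=0, and checks the rpIdHash against the RP ID. The sample byte strings are constructed inline for "webauthn.io"; the AAGUID and credential IDs in them are placeholder values, and the COSE public key that would normally follow the credential ID is omitted because the parser does not read it. Note that BE/BS are asserted by the authenticator: a relying party can only trust them to the extent it verifies the attestation statement that signs the authenticatorData.

```python
import hashlib
import struct

# Bit positions of the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligible: credential may be synced (e.g. to iCloud Keychain)
FLAG_BS = 1 << 4  # backup state: credential is currently backed up / synced
FLAG_AT = 1 << 6  # attested credential data follows the 37-byte header
FLAG_ED = 1 << 7  # extension data present


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse rpIdHash, flags, signCount and (if AT is set) aaguid + credentialId."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed header")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    parsed = {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
        "aaguid": None,
        "credential_id": None,
    }
    # The spec forbids a credential that is backed up but not eligible for backup.
    if parsed["backup_state"] and not parsed["backup_eligible"]:
        raise ValueError("invalid flags: BS set while BE is clear")
    if flags & FLAG_AT:
        # attested credential data: aaguid (16) | credentialIdLength (2) | credentialId | COSE key
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = auth_data[37:53]
        (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_id_len]
        if len(cred_id) != cred_id_len:
            raise ValueError("credentialId truncated")
        parsed["credential_id"] = cred_id
    return parsed


def is_device_bound(auth_data: bytes, rp_id: str) -> bool:
    """True only if the rpIdHash matches rp_id and the credential is not backup-eligible."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    return not parsed["backup_eligible"]


def build_sample_auth_data(rp_id: str, flags: int, sign_count: int = 0, cred_id: bytes = b"") -> bytes:
    """Constructed sample authenticatorData (not captured from a real authenticator).
    Uses an all-zero placeholder AAGUID and omits the COSE public key."""
    data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        data += b"\x00" * 16 + struct.pack(">H", len(cred_id)) + cred_id
    return data


# Constructed samples: one synced passkey (BE=1, BS=1) and one device-bound credential (BE=0, BS=0).
SYNCED = build_sample_auth_data("webauthn.io", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT, cred_id=b"\x01" * 16)
DEVICE_BOUND = build_sample_auth_data("webauthn.io", FLAG_UP | FLAG_UV | FLAG_AT, cred_id=b"\x02" * 16)

if __name__ == "__main__":
    for name, sample in (("synced", SYNCED), ("device-bound", DEVICE_BOUND)):
        p = parse_authenticator_data(sample)
        print(name, "BE=%d BS=%d device_bound=%s"
              % (p["backup_eligible"], p["backup_state"], is_device_bound(sample, "webauthn.io")))
```

A relying party that must refuse synced credentials for a high-assurance flow can call `is_device_bound` at registration; since BE is fixed for the lifetime of a credential, a change in BE between registration and a later assertion is itself a signal worth logging.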