Clarification on Passkeys Display in iOS 16

Hello,

I run a website that's using FIDO for user logins. A lot of our users set up their device-bound passkeys back when they were on iOS 15. Now that they're moving to iOS 16, I'm trying to figure out what happens with those passkeys.

Here's my question: When these users upgrade to iOS 16 and start using other devices, how does iOS handle their existing passkeys? Do they see both the old device-bound and the new synced passkeys in the UI, or does it somehow merge them? This might not be an issue in the latest iOS 17, but I'm interested in knowing if it could occur in earlier versions like iOS 16.

I'm aiming to make this transition to synced passkeys as smooth as possible for my users and just want to make sure I understand the UX changes that come with iOS 16.

Thanks!

Glad to hear you're embracing the move to passkeys! In general, legacy device-bound credentials should still show up and be usable in Safari for modal requests, but of course they get forever lost when a user moves to a new device. They also aren't accessible in apps via the native API, don't show up in passkey AutoFill (even in Safari), and aren't visible in the user's password manager.

One of the best things you can do to ensure a good user experience is to "upgrade" these legacy credentials to passkeys. If you see a sign-in with the BE and BS flags set to 0, you can then issue a new platform key registration to create a passkey. Since iOS 16, all new platform registrations are full, synced passkeys. And if the userHandle of the new registration matches the userHandle of the legacy credential, then the legacy credential will get silently removed in the process, leaving the user with only their new passkey.
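The flag check and upgrade registration described in the reply above, as an added server-side example that is not part of the original reply or Apple's code. It assumes the assertion signature has already been verified; the function names, the `user` record shape and the `rp` value are hypothetical.

```javascript
// authenticatorData layout (WebAuthn):
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
const FLAG_UP = 0x01, FLAG_UV = 0x04, FLAG_BE = 0x08, FLAG_BS = 0x10;

function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = authData[32];
  const parsed = {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0, // BE: credential may be synced
    backupState: (flags & FLAG_BS) !== 0,    // BS: credential is currently backed up
    signCount: new DataView(authData.buffer, authData.byteOffset + 33, 4).getUint32(0),
  };
  // BS without BE is not a valid combination; reject it instead of guessing.
  if (parsed.backupState && !parsed.backupEligible) {
    throw new Error("invalid flags: BS set while BE is clear");
  }
  return parsed;
}

// True for a legacy device-bound credential (BE = 0 and BS = 0).
function isLegacyDeviceBound(authData) {
  const f = parseAuthenticatorData(authData);
  return !f.backupEligible && !f.backupState;
}

// Hypothetical helper: creation options for the follow-up platform registration.
// user.id reuses the userHandle stored with the legacy credential.
function buildUpgradeOptions(rp, user, challenge) {
  return {
    rp, challenge,
    user: { id: user.userHandle, name: user.name, displayName: user.displayName },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: { authenticatorAttachment: "platform", residentKey: "required" },
  };
}

// Constructed sample input: filler rpIdHash, chosen flags byte, chosen counter.
function sampleAuthData(flags, signCount = 0) {
  const d = new Uint8Array(37).fill(0xab, 0, 32);
  d[32] = flags;
  new DataView(d.buffer).setUint32(33, signCount);
  return d;
}
```

Call `isLegacyDeviceBound` on the `authenticatorData` of a successful sign-in and, when it returns true, pass the result of `buildUpgradeOptions` to `navigator.credentials.create()` on the client.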
