PRF Extension Not Supported in Safari's Cross-Device WebAuthn Flow

Question

Created 3w

Replies 1

Boosts 1

Participants 2

Safari 18.0.1 on macOS 15.01 doesn't support the Passkey PRF extension during cross-device WebAuthn authentication when using QR code scanning, while it works correctly with iCloud passkeys.

Steps to Reproduce:

Clone and setup:

git clone https://github.com/quocle108/passkey-prf-test
yarn
yarn start

Test iCloud Passkey Flow:

Open http://localhost:3000 in Safari
Open DevTools (Cmd+Option+I)
Click "Register"
Choose "Passkey on iCloud"

Expected console output: PRF supported: true

Test Cross-Device Flow:

Click "Register"
Choose "Phone/Tablet"
Scan QR with mobile device

Expected: PRF supported: true PRF extension should be supported in cross-device flow, matching iCloud passkey behavior. Actual: PRF supported: false Cross-device flow returns empty extension results.

Verify in Chrome

Repeat steps 2-3 in Chrome
Both flows return proper PRF extension results: PRF supported: true

Test Environment:

Browser: Safari 18.1.1 , Chrome 131.0.6778.70
OS: macOS 15.01
Mobile: iOS 18.x / Galaxy Note9 Android 10
Test repo: https://github.com/quocle108/passkey-prf-test

Boost

Answer 1

Systems Engineer OP

Apple

2w

This issue was partially fixed in Safari 18.2. As of that version, PRF is available again in hybrid, but it's returning a different value over hybrid than when invoked on-device. This remaining issue will be fixed soon.

0