I'm working on integrating Passkey functionality into my iOS app (targeting iOS 16.0+), and I'm facing an issue where the system dialog still shows the "Save to another device" option during Passkey registration. I want to hide this option to force users to create Passkeys only on the current device.
1. My Current Registration Implementation
Here’s the code I’m using to create a Passkey registration request. I’ve tried to use ASAuthorizationPlatformPublicKeyCredentialProvider (which is supposed to target platform authenticators like Face ID/Touch ID), but the "Save to another device" option still appears:
`// Initialize provider for platform authenticators let provider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: domain)
// Create registration request
let registrationRequest = provider.createCredentialRegistrationRequest(
challenge: challenge,
name: username,
userID: userId
)
// Optional configurations (tried these but no effect on "another device" option)
registrationRequest.displayName = "Test Device"
registrationRequest.userVerificationPreference = .required
registrationRequest.attestationPreference = .none
// Set up authorization controller
let authController = ASAuthorizationController(authorizationRequests: [registrationRequest])
let delegate = PasskeyRegistrationDelegate(completion: completion)
authController.delegate = delegate
// Trigger the registration flow
authController.performRequests(options: .preferImmediatelyAvailableCredentials)`
2. Observation from Authentication Flow (Working as Expected)
During the Passkey authentication flow (not registration), I can successfully hide the "Use another device" option by specifying allowedCredentials in the ASAuthorizationPlatformPublicKeyCredentialAssertionRequest. Here’s a simplified example of that working code:
let assertionRequest = provider.createCredentialAssertionRequest(challenge: challenge)
assertionRequest.allowedCredentials = allowedCredentials
After adding allowedCredentials, the system dialog no longer shows cross-device options—this is exactly the behavior I want for registration.
3. My Questions
- Is there a similar parameter to allowedCredentials (from authentication) that I can use during registration to hide the "Save to another device" option?
- Did I miss any configuration in the registration request (e.g., authenticatorAttachment or other properties) that forces the flow to use only the current device’s platform authenticator?
- Are there any system-level constraints or WebAuthn standards I’m overlooking that cause the "Save to another device" option to persist during registration?
Any insights or code examples would be greatly appreciated!