Passkey UI displays app icon from applinks association even when webcredentials is not configured

Summary

When an app is associated with a domain via applinks in the Apple App Site Association (AASA) file, the app's icon is displayed next to passkey entries in the iOS passkey selection UI (e.g., in Safari's sign-in dialog). This occurs even when:

- The AASA file does not contain a webcredentials section
- The passkey's relying party ID (rp.id) matches the domain, but the app has no webcredentials association
- The URL path of the passkey login page does not match any paths specified in the applinks configuration

Environment

- iOS 18.6.2
- iPhone 16 Pro
- Safari / Passkey UI via WebAuthn

Steps to Reproduce

  1. Create an iOS app and register it in App Store Connect (or distribute via TestFlight)

  2. Configure the AASA file on the domain with only applinks — no webcredentials section:

```json
{
  "applinks": {
    "apps": [],
    "details": [
      {
        "appIDs": ["TEAMID.com.example.myapp"],
        "components": [
          { "/": "/specific-path/*" }
        ]
      }
    ]
  }
}
```

  3. Implement WebAuthn/passkey registration on the same domain with the domain as rp.id

  4. Install the app on the device (via TestFlight or App Store)

  5. Register a passkey on the website via Safari

  6. Navigate to the login page and trigger the passkey selection UI

Expected Behavior

Since webcredentials is not configured in the AASA file, the passkey selection UI should NOT display the app icon next to the passkey entry. The passkey icon should be the default website favicon or a generic icon.

Actual Behavior

The app icon (from App Store Connect / TestFlight) is displayed next to the passkey entry in the selection UI, even though:

- Only applinks is configured (no webcredentials)
- The current page URL does not match any paths in the applinks configuration

Impact

In our production environment, we have a single domain serving multiple partner bank apps. The AASA file contains applinks entries for many different apps (20+ partner apps). When a user accesses the passkey login page, the passkey UI may display an app icon from one of these partner apps, which can be confusing for users — especially if the displayed icon belongs to a different partner's app than the one the user intends to use.

Questions

  1. Is this the intended behavior — that applinks associations influence the passkey UI icon display?

  2. Is there a way to prevent applinks associations from affecting the passkey selection UI without removing the applinks entries?

  3. Would adding a proper webcredentials section with the correct app ID override the icon source from applinks to webcredentials?

  4. Is there a recommended approach for domains that serve multiple apps via applinks but want to control which icon appears in the passkey UI?
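
An added example (not part of the original post and not Apple's code): a small audit that lists every app ID a domain's AASA file associates through applinks, flags those absent from webcredentials, and checks whether a given login path falls inside that app's link components. The second partner app, the `/login/passkey` path and the function names are constructed for illustration, and the path matching is a simplified model of applinks components.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the post's AASA plus one hypothetical second partner app.
SAMPLE_AASA = """
{
  "applinks": {
    "apps": [],
    "details": [
      {"appIDs": ["TEAMID.com.example.myapp"],
       "components": [{"/": "/specific-path/*"}]},
      {"appIDs": ["TEAMID.com.example.partner2"],
       "components": [{"/": "/partner2/help/*", "exclude": true},
                      {"/": "/partner2/*"}]}
    ]
  }
}
"""

def path_matches(components, path):
    """Simplified applinks matching: the first matching component wins and an
    "exclude" match means no link. Only the "/" key is modelled (fnmatch
    wildcards approximate AASA's * and ?); "?" and "#" keys are ignored."""
    for comp in components:
        if fnmatchcase(path, comp.get("/", "*")):
            return not comp.get("exclude", False)
    return False

def audit(aasa_text, login_path):
    """Report apps tied to the domain through applinks, whether each is also
    listed under webcredentials, and whether login_path is inside its links."""
    aasa = json.loads(aasa_text)
    webcred_apps = set(aasa.get("webcredentials", {}).get("apps", []))
    findings = []
    for detail in aasa.get("applinks", {}).get("details", []):
        for app_id in detail.get("appIDs", []):
            findings.append({
                "app_id": app_id,
                "in_webcredentials": app_id in webcred_apps,
                "login_path_in_applinks": path_matches(
                    detail.get("components", []), login_path),
            })
    return {"has_webcredentials": "webcredentials" in aasa, "apps": findings}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_AASA, "/login/passkey"), indent=2))
```

Run against a domain's real AASA file, the output gives an inventory of which of the 20+ partner apps are associated only through applinks, which is the set to include when reporting or triaging the icon behavior described above.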
