We are a financial institution and are considering introducing passkeys as a login mechanism for our web banking application. We see this as an important step to curb phishing.
But we saw that there is a way to share passkeys with others - https://support.apple.com/guide/iphone/share-passwords-iphe6b2b7043/ios - and are wondering if this can be disabled by us for our passkeys.
Social engineering attacks are very sophisticated nowadays and we are afraid attackers would be able to manipulate customers to share their passkeys with them.
thanks for your help
- stefan
There is indeed a way to share passkeys, but it is worth mentioning the amount of effort that has gone into the feature in order to make it extremely difficult to share them with a bad actor.
Passkeys can be shared in multiple ways, and each method has its own protections against inadvertent sharing.
AirDrop
First, this requires both devices to be in physical proximity to each other. Additionally, for sharing passkeys, both the sender and receiver must be in each other's contacts.
Shared groups
Like in the document you referenced, users can create sharing groups in the Passwords app. Invites to groups are sent via messages. While it is possible to accept a group invitation from anyone, deliberate warning screens are shown if the sender is not in your contacts.
Credential exchange
Passkeys can be exported from one credential manager app to another. In that case, both the exporting and receiving app must be entitled Credential Provider apps installed on the same device, and the process must always be initiated from the exporting app by the user.
This is again mediated by a series of system dialogs to make sure the user is really intending to share access to the passkeys.
Currently there is no mechanism for a developer to mark their passkeys unsharable, but we would invite you to make a feature request via our Feedback System.
Providing Feedback: How and Why? has tips on creating a successful request.
Argun Tekant / WWDR Engineering / Core Technologies