Post | Replies | Boosts | Views | Activity

Few Passkey questions
Is there a way to detect if the Passkey used for authentication came from the same device, or whether they used a Passkey from a different device by scanning a QR code? Does Apple Passkeys support https://www.w3.org/TR/webauthn-2/#signature-counter? In my testing it's 0 always. If there are plans to implement it, will it be a per-device count or per user? Are there any plans for supporting cross-domain Passkey usage if the RP owns multiple domains? Looks like the spec has support for at least authentication within an iframe: https://w3c.github.io/webauthn/#sctn-iframe-guidance. Any plans to support this in WebKit?
Replies: 1 | Boosts: 1 | Views: 1.4k | Activity: Oct ’22
Privacy concern with preferImmediatelyAvailableCredentials
As per the WebAuthN spec for Privacy, the authenticator shouldn't disclose the availability of keys on the device (although, as a trusted RP, knowing this info will greatly help in optimizing the UI for the end user): https://w3c.github.io/webauthn/#sctn-assertion-privacy. But it seems like I can guess the availability of keys by doing an assertion request with this option: https://developer.apple.com/documentation/authenticationservices/asauthorizationcontroller/requestoptions/3994648-preferimmediatelyavailablecreden. Although the error code is generic, based on timing information, like if it returned immediately instead of opening the QR code fallback, I can guess the availability of a key.
Replies: 2 | Boosts: 0 | Views: 764 | Activity: Sep ’22
Clarifying WebAuthN web API availability on Web Views and Safari View Controller
Wanted to clarify that WebAuthN APIs don't function on WKWebView and SFSafariViewController within native apps. The only option for native apps is the native ASAuthorizationPublicKeyCredentials... APIs. The only exception is native apps with the web browser entitlement, as per this WebKit change: https://bugs.webkit.org/attachment.cgi?id=453655&action=prettypatch.
Replies: 2 | Boosts: 0 | Views: 1.5k | Activity: Sep ’22