We're seeing the same in our app. Situation:
We perform attestation on first app launch (and in the rollout to existing users) like this (all asynchronously):
generateKey
(get a challenge from our server)
attestKey
send result to server
if server responds successfully, we store the keyID for later use in assertion.
We also noticed that for some users attestKey generates the DCErrorInvalidKey error in some cases (~0.1% of our users, but as OP mentioned, each false positive blocked user is one too many). Our logs indicate that the keyID is not reused multiple times, and it's also not nil. Also, from what we can see this error is persistent for the users that encounter it: if we detect this specific error we allow users to retry generating a new key, to no avail.
It makes me wonder whether the DCErrorInvalidKey error is also returned in undocumented cases, besides the provided key being nil or being already used before for attestation, and how to deal with those.
Any insight on this would be very helpful.
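The flow described in this post (generateKey, fetch challenge, attestKey, send to server, store the keyID only on success), written out as an added Swift example; it is not the poster's code. The two server calls are injected as closures, and `keyIDStorageKey` and the retry budget are assumptions, as is treating a DCError.invalidKey from attestKey as "retry once with a fresh key, then give up".

```swift
import DeviceCheck
import CryptoKit
import Foundation

enum AttestationError: Error { case unsupported, serverRejected, gaveUp }

/// Added example: first-launch App Attest flow with bounded retry on DCError.invalidKey.
final class AppAttestClient {
    private let service = DCAppAttestService.shared
    private let defaults = UserDefaults.standard
    private let keyIDStorageKey = "appAttestKeyID"          // assumed storage key name
    private let fetchChallenge: () async throws -> Data      // assumed server call
    private let submitAttestation: (_ keyID: String, _ attestation: Data, _ challenge: Data) async throws -> Bool

    init(fetchChallenge: @escaping () async throws -> Data,
         submitAttestation: @escaping (String, Data, Data) async throws -> Bool) {
        self.fetchChallenge = fetchChallenge
        self.submitAttestation = submitAttestation
    }

    /// Returns the attested keyID. The keyID is persisted only after the server accepts it,
    /// so a failed or rejected attestation never leaves a half-registered key behind.
    func attestOnFirstLaunch(maxAttempts: Int = 2) async throws -> String {
        guard service.isSupported else { throw AttestationError.unsupported }
        if let existing = defaults.string(forKey: keyIDStorageKey) { return existing }

        for attempt in 1...max(1, maxAttempts) {
            let keyID = try await service.generateKey()          // fresh key per attempt
            let challenge = try await fetchChallenge()
            // App Attest takes a SHA-256 hash of the server challenge as clientDataHash.
            let clientDataHash = Data(SHA256.hash(data: challenge))
            do {
                let attestation = try await service.attestKey(keyID, clientDataHash: clientDataHash)
                guard try await submitAttestation(keyID, attestation, challenge) else {
                    throw AttestationError.serverRejected
                }
                defaults.set(keyID, forKey: keyIDStorageKey)
                return keyID
            } catch let error as DCError where error.code == .invalidKey {
                // The post reports this error is persistent for affected users; log the
                // (never reused, non-nil) keyID so the failure is visible, then retry once.
                NSLog("attestKey returned invalidKey for keyID %@ on attempt %d", keyID, attempt)
                continue
            }
        }
        throw AttestationError.gaveUp
    }
}
```

If the retry budget is exhausted the caller sees `AttestationError.gaveUp` rather than a silently blocked user, so the app can fall back to whatever unattested path the server policy allows.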