Passkeys in iCloud Keychain

RSS for tag

Use public-key-based credentials using the WebAuthn standard that are synced with iCloud Keychain.

Posts under Passkeys in iCloud Keychain tag

90 Posts
Sort by:

Post

Replies

Boosts

Views

Activity

Passkey Associated domain error 1004
iOS18.1.1 macOS15.1.1 xcode16.1 Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Unable to verify webcredentials association of ********** with domain ******************. Please try again in a few seconds." Our domain must query with VPN, so I set webcredentials:qa.ejeokvv.com?mode=developer following: "If you use a private web server, which is unreachable from the public internet, while developing your app, enable the alternate mode feature to bypass the CDN and connect directly to your server. To do this, add a query string to your associated domains entitlement, as shown in the following example: :?mode= " but it still not working, even after I set mode=developer. Please help!!!!
0
0
44
9h
How to Remove an Old Email-Associated Passkey from Apple Servers?
I noticed that when logging in to idmsa.apple.com, my old email address still appears as an option, even though I’ve updated my Apple ID to a new email. I understand that passkeys rely on a public-private key pair, with the public key stored on the server (e.g., idmsa.apple.com) and the private key saved locally in iCloud Keychain. Could you please clarify: 1. How can I request Apple to delete the public key associated with my old email address from their servers? 2. Is there a way for users to manage or update server-side passkeys without contacting Apple support? 3. Does this behavior affect my account security in any way? Any advice or insights would be greatly appreciated!
0
0
102
4d
Is there a way to hide the 'Save to another device' option during iOS WebAuthn registration?
Hello, I am currently implementing a biometric authentication registration flow using WebAuthn. I am using ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest, and I would like to know if there is a way to hide the "Save to another device" option that appears during the registration process. Specifically, I want to guide users to save the passkey only locally on their device, without prompting them to save it to iCloud Keychain or another device. If there is a way to hide this option or if there is a recommended approach to achieve this, I would greatly appreciate your guidance. Also, if this is not possible due to iOS version or API limitations, I would be grateful if you could share any best practices for limiting user options in this scenario. If anyone has experienced a similar issue, your advice would be very helpful. Thank you in advance.
0
0
164
5d
How to utilize each field of WebAuthn Options for implementation on iOS?
Hello, I am currently working on implementing credential registration for biometric authentication using WebAuthn in an iOS app. I am using ASAuthorizationPlatformPublicKeyCredentialProvider to create a credential registration request based on the data retrieved from the WebAuthn options endpoint. At the moment, I am only using user.id, user.name, and challenge from the options response, and I am unsure how to utilize the other fields effectively. I would greatly appreciate advice on how to use the following fields: **Fields I would like to use: ** rp (Relying Party) I am retrieving id and name, but I am not sure how best to pass and utilize these fields. Is there an explicit way to use them? authenticatorSelection How can I set requireResidentKey and userVerification in ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest? Also, what are the specific benefits of using these fields? timeout Is there a way to reflect the timeout value in the credential registration request, and what would be the best way to handle this information in iOS? attestation The attestation field can contain values such as none or direct. How should I reflect this in the credential registration request for iOS? I would appreciate a sample implementation or guidance on the benefits of setting this field. extensions If I want to customize the authentication flow using the extensions field, how can I appropriately reflect this in iOS? For instance, how can I utilize extensions like credProps? pubKeyCredParams Regarding pubKeyCredParams, which is a list of supported public key algorithms, I am unsure how to use it to select an appropriate algorithm in iOS. How should I incorporate this information into the request? excludeCredentials I understand that setting excludeCredentials can prevent duplicate registration, but I am not sure how to use past credential information to set it effectively. Any advice on this would be appreciated. **Current Code ** Currently, I have implemented the following code, but I am struggling to understand how to add and configure the fields mentioned above. let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider( relyingPartyIdentifier: "www.example.com" ) let registrationRequest = publicKeyCredentialProvider.createCredentialRegistrationRequest( challenge: challenge, name: userId, userID: userIdData ) let authController = ASAuthorizationController(authorizationRequests: [registrationRequest]) authController.delegate = self authController.presentationContextProvider = self authController.performRequests() In addition to the above code, I would be grateful if anyone could advise on how to configure fields like rp, authenticatorSelection, attestation, extensions, and pubKeyCredParams as well. Furthermore, I would appreciate any insights into the benefits of setting each of these fields in iOS, and any security considerations to be aware of. If anyone has experience with this, your guidance would be extremely helpful. Thank you very much in advance!
1
0
90
5d
Whether non-Apple Store mac apps can use passkey?
Our desktop app for macos will be released in 2 channels appstore dmg package on our official website for users to download and install Now when we debug with passkey, we find that the package name of the appstore can normally arouse passkey, but the package name of the non-App Store can not arouse the passkey interface I need your help. Thank you
1
0
311
Oct ’24
List of Relay Servers for Passkeys
My organization routes all device traffic through a network security device that performs TLS intercept (SSL inspection). As might be expected, this breaks passkey Cross-Device Authentication (CDA) functionality, since the thumbprints don't match end-to-end between the authenticator (iPhone) and the client (laptop). As soon as I disable the VPN tunnel through our security device, the passkey login works as expected. The security team is willing to exclude the relay servers from SSL inspection, but we are unable to find a list of the relevant endpoints. Is there a list of Apple relay servers that are used for passkey tunnelling? We can review the network logs to find the traffic, but I'd prefer an authoritative list. For full context: we are using device-bound passkeys via Microsoft Authenticator to login to Entra but, as I understand it, the passkey is still handled via Apple's standard passkey infrastructure and APIs. Thanks!
0
0
116
Oct ’24
How to Create an NFC-Enabled Wallet Pass with pass.json Including NFC Field?
Hello, I’m working on creating an NFC-enabled Apple Wallet pass and I need assistance with the proper implementation of the pass.json file to include NFC functionality. My goal is to enable NFC interactions, such as tapping to unlock a door or interacting with other NFC systems. Here is what I have done so far: Set up a Pass Type ID and Certificates: I have registered a Pass Type ID in my Apple Developer account. I have generated and installed the required certificates (Pass Type ID certificate and WWDR certificate). Backend Integration: I have set up a backend service for generating passes, and I can successfully create and deliver standard Wallet passes without the NFC functionality. Adding the NFC Field: I understand that to enable NFC interactions, I need to add an nfc dictionary to the pass.json file. The key components for NFC include the encryptionPublicKey, message, and payload. Here’s an example of my current pass.json: { "formatVersion": 1, "passTypeIdentifier": "pass.com.example.mypass", "serialNumber": "123456", "teamIdentifier": "TEAMID12345", "webServiceURL": "https://example.com/api/passes", "authenticationToken": "my_secure_token", "nfc": { "message": "Tap to unlock door", "encryptionPublicKey": "MY_ENCRYPTION_PUBLIC_KEY", "payload": "encrypted_nfc_payload" }, "organizationName": "My Company", "description": "NFC-Enabled Access Pass", "logoText": "My NFC Pass", "foregroundColor": "rgb(255, 255, 255)", "backgroundColor": "rgb(0, 0, 0)", "barcode": { "format": "PKBarcodeFormatQR", "message": "https://example.com", "messageEncoding": "iso-8859-1" } } Questions: Are there any additional steps or configurations required to ensure that NFC is enabled in the pass? Is there a specific method to test or validate NFC functionality in the pass to debug why it’s not being activated? Any guidance or solutions to enable NFC in this pass would be greatly appreciated. Thank You
2
0
364
Oct ’24
How is WebAuthn conditional credential creation supposed to work
I'm trying to implement WebAuthn conditional credential creation but I'm not able to get it to work. From this video https://www.youtube.com/watch?v=p8a6ODX1zHY I understand I should call navigator.credentials.create with "mediation: conditional" but the explainer at https://github.com/w3c/webauthn/wiki/Explainer:-Conditional-Registration-Extension also mentions a call to navigator.credentials.get with "mediation: conditional" and "extensions: { conditionalCreate: true }". The explainer seems to suggest they should be called both but for me, both calls never resolve with a credential or an error. What am I doing wrong?
0
0
185
Oct ’24
AuthenticationServices framework returns an invalid signature when signing in with a passkey in a Swift app for iOS/macOS
I am trying to implement a login page in SwiftUI for an idp that relies on passkeys only, following the sample code from the food truck app. The registration of a new passkey works fine but when it comes to signing in, ASAuthorizationPlatformPublicKeyCredentialProvider().createCredentialAssertionRequest returns a signature that cannot be verified by the server. On safari (and other browsers) the signing in&up process works fine and additionally, a passkey registered from the swift app works on the web, which leads me to believe there is an issue in the AuthenticationServices framework as every other steps works without any problem. The verification of the signature happens on the server side (after several validation steps of the other parameters) with WebCrypto.subtle.verify(verifyAlgorithm, key, signature, data); With the data argument being a concat of the clientDataJSON and the authenticatorData and for an apple authenticator, the key argument (which is the public key stored by the server) is an EC2 key with the following verifyAlgorithm argument: verifyAlgorithm = { name: 'ECDSA', hash: { name: SHA-256 }, }; After carefully analyzing multiple responses, coming both from the app and safari, either on iOS or macOS, I can safely say that the ASAuthorizationResult.passkeyAssertion returns the expected values for: rawAuthenticatorData rawClientDataJSON credentialID userID Which all match the expected values during the server-side validation. The only remaining value from the ASAuthorizationResult.passkeyAssertion is the signature, which as mentioned above, is invalid when verified by the server. I already submitted a bug report (FB15113372) as well as a DTS request, but haven’t received any feedback yet. In order to further narrow down the problem, I replicated the signature verification process in a sage notebook. I got the same result: the signature produced in Safari is fine, but the one from the Swift app is invalid. I collected some thoughts of potential issues in this notebook, but I still haven’t been able to draw a clear conclusion on why does this issue occur. Hence if anyone has knowledge of this issue or has a similar problem with signature verification, their advice is most welcomed. Thank you in advance for your help PS: All the recent tests were made on the latest publicly available OS releases (iOS 18.01, macOS 15.0.1) and Xcode 16.0
2
0
317
2w
Different PRF output when using platform or cross-platform authentication attachement
Hello, I am using the prf extension for passkeys that is available since ios 18 and macos15. I am using a fixed, hardcoded prf input when creating or geting the credentials. After creating a passkey, i try to get the credentials and retrieve the prf output, which works great, but i am getting different prf outputs for the same credential and same prf input used in the following scenarios: Logging in directly (platform authenticator) on my macbook/iphone/ipad i get "prf output X" consistently for the 3 devices When i use my iphone/ipad to scan the qr code on my macbook (cross-platform authenticator) i get "prf output Y" consistently with both my ipad and iphone. Is this intended? Is there a way to get deterministic prf output for both platform and cross-platform auth attachements while using the same credential and prf input?
1
0
188
Sep ’24
Passkey QR code pop up Question
We are using performRequestsWithOptions to enable passkey on ios app. [authController performRequestsWithOptions:ASAuthorizationControllerRequestOptionPreferImmediatelyAvailableCredentials]; Based on apple doc, this will "Tells the authorization controller to prefer credentials that are immediately available on the local device.", and fail silently if there are no credentials available. However, in recent testing, we identified that on one device, we are seeing QR code popping up even though there's no credential on the device. Question is this a bug on the OS system? If this is a bug, what are the causes that will trigger this condition? Is there a recommendation to mitigate the issue? Should we move to the new api? Thank you.
1
0
241
Sep ’24
Unable to export App via Jenkins pipeline
Hi Team, Exporting the archive through the Jenkins pipeline (executing commands on a Mac EC2 instance as a Jenkins agent) isn't working, while exporting directly from the Mac terminal successfully generates the IPA file. What might be the cause? When we execute it on directly Mac terminal, it asks Keychain password first time & after that it automatically generates IPA file. Note : We are using below working command to open keychain access. security unlock-keychain -p "my_password" /Users/ec2-user/Library/Keychains/login.keychain-db Export command : xcodebuild -exportArchive -archivePath $PWD/build/Archive/MyApp.xcarchive -exportPath $PWD/build/IPA -exportOptionsPlist ../../Dev_exportOptions.plist -allowProvisioningUpdates Current details: Node version : node-v18.17.0-darwin-arm64 Npm version : 9.6.7 Ionic version : 5.2.6 Xcode version : 15.4 Macos : Sonoma 14.6.1
0
0
185
Sep ’24
Passkey Autofill is not triggered on ASWebAuthenticationSession
After iOS 17.4, Passkey Autofill stopped working inside ASWebAuthenticationSession. iOS 17.5 re-enabled users to pick passkeys if they tap "🔑" icon on right bottom of keyboard and opened Safari password manager. However, it still doesn't recommend passkeys on the first view. Even on the latest iOS 18.0 developer beta, the behaviour is not fixed yet.
1
0
443
Sep ’24
Passkey displayName not supported by public key credential?
In AuthorizationServices support for displayName exists in: class ASAuthorizationSecurityKeyPublicKeyCredentialProvider func createCredentialRegistrationRequest( challenge: Data, displayName: String, name: String, userID: Data ) -> ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest but is not supported in the corresponding class: class ASAuthorizationPlatformPublicKeyCredentialProvider func createCredentialRegistrationRequest( challenge: Data, name: String, userID: Data ) -> ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest I was under the impression that this should be supported in public key credential registration?
1
0
287
Sep ’24