My organization routes all device traffic through a network security device that performs TLS intercept (SSL inspection). As might be expected, this breaks passkey Cross-Device Authentication (CDA) functionality, since the thumbprints don't match end-to-end between the authenticator (iPhone) and the client (laptop). As soon as I disable the VPN tunnel through our security device, the passkey login works as expected. The security team is willing to exclude the relay servers from SSL inspection, but we are unable to find a list of the relevant endpoints. Is there a list of Apple relay servers that are used for passkey tunnelling? We can review the network logs to find the traffic, but I'd prefer an authoritative list. For full context: we are using device-bound passkeys via Microsoft Authenticator to login to Entra but, as I understand it, the passkey is still handled via Apple's standard passkey infrastructure and APIs. Thanks!

Hello, I’m working on creating an NFC-enabled Apple Wallet pass and I need assistance with the proper implementation of the pass.json file to include NFC functionality. My goal is to enable NFC interactions, such as tapping to unlock a door or interacting with other NFC systems. Here is what I have done so far: Set up a Pass Type ID and Certificates: I have registered a Pass Type ID in my Apple Developer account. I have generated and installed the required certificates (Pass Type ID certificate and WWDR certificate). Backend Integration: I have set up a backend service for generating passes, and I can successfully create and deliver standard Wallet passes without the NFC functionality. Adding the NFC Field: I understand that to enable NFC interactions, I need to add an nfc dictionary to the pass.json file. The key components for NFC include the encryptionPublicKey, message, and payload. Here’s an example of my current pass.json: { "formatVersion": 1, "passTypeIdentifier": "pass.com.example.mypass", "serialNumber": "123456", "teamIdentifier": "TEAMID12345", "webServiceURL": "https://example.com/api/passes", "authenticationToken": "my_secure_token", "nfc": { "message": "Tap to unlock door", "encryptionPublicKey": "MY_ENCRYPTION_PUBLIC_KEY", "payload": "encrypted_nfc_payload" }, "organizationName": "My Company", "description": "NFC-Enabled Access Pass", "logoText": "My NFC Pass", "foregroundColor": "rgb(255, 255, 255)", "backgroundColor": "rgb(0, 0, 0)", "barcode": { "format": "PKBarcodeFormatQR", "message": "https://example.com", "messageEncoding": "iso-8859-1" } } Questions: Are there any additional steps or configurations required to ensure that NFC is enabled in the pass? Is there a specific method to test or validate NFC functionality in the pass to debug why it’s not being activated? Any guidance or solutions to enable NFC in this pass would be greatly appreciated. Thank You

I'm trying to implement WebAuthn conditional credential creation but I'm not able to get it to work. From this video https://www.youtube.com/watch?v=p8a6ODX1zHY I understand I should call navigator.credentials.create with "mediation: conditional" but the explainer at https://github.com/w3c/webauthn/wiki/Explainer:-Conditional-Registration-Extension also mentions a call to navigator.credentials.get with "mediation: conditional" and "extensions: { conditionalCreate: true }". The explainer seems to suggest they should be called both but for me, both calls never resolve with a credential or an error. What am I doing wrong?

I am trying to implement a login page in SwiftUI for an idp that relies on passkeys only, following the sample code from the food truck app. The registration of a new passkey works fine but when it comes to signing in, ASAuthorizationPlatformPublicKeyCredentialProvider().createCredentialAssertionRequest returns a signature that cannot be verified by the server. On safari (and other browsers) the signing in&up process works fine and additionally, a passkey registered from the swift app works on the web, which leads me to believe there is an issue in the AuthenticationServices framework as every other steps works without any problem. The verification of the signature happens on the server side (after several validation steps of the other parameters) with WebCrypto.subtle.verify(verifyAlgorithm, key, signature, data); With the data argument being a concat of the clientDataJSON and the authenticatorData and for an apple authenticator, the key argument (which is the public key stored by the server) is an EC2 key with the following verifyAlgorithm argument: verifyAlgorithm = { name: 'ECDSA', hash: { name: SHA-256 }, }; After carefully analyzing multiple responses, coming both from the app and safari, either on iOS or macOS, I can safely say that the ASAuthorizationResult.passkeyAssertion returns the expected values for: rawAuthenticatorData rawClientDataJSON credentialID userID Which all match the expected values during the server-side validation. The only remaining value from the ASAuthorizationResult.passkeyAssertion is the signature, which as mentioned above, is invalid when verified by the server. I already submitted a bug report (FB15113372) as well as a DTS request, but haven’t received any feedback yet. In order to further narrow down the problem, I replicated the signature verification process in a sage notebook. I got the same result: the signature produced in Safari is fine, but the one from the Swift app is invalid. I collected some thoughts of potential issues in this notebook, but I still haven’t been able to draw a clear conclusion on why does this issue occur. Hence if anyone has knowledge of this issue or has a similar problem with signature verification, their advice is most welcomed. Thank you in advance for your help PS: All the recent tests were made on the latest publicly available OS releases (iOS 18.01, macOS 15.0.1) and Xcode 16.0

We’re trying to get Passkeys to work with iOS and macOS Catalyst. Apple fails to accept the associated domain, without giving a reason why. The JSON is correct and shows up on Apple’s CDN. We are stuck.

The peripheral is initiating a passkey entry mechanism, IOS device is getting a pop up to enter the passkey but the WatchOS device is not displaying any pop-up. Is there anything to be enabled from the watch side?

when I performAutoFillAssistedRequests ,my keyboard cannot show passkeys that could choose,and nothing callback.i don't know the error reason.but I could request successfully by authController.performRequests.

Hello, I am using the prf extension for passkeys that is available since ios 18 and macos15. I am using a fixed, hardcoded prf input when creating or geting the credentials. After creating a passkey, i try to get the credentials and retrieve the prf output, which works great, but i am getting different prf outputs for the same credential and same prf input used in the following scenarios: Logging in directly (platform authenticator) on my macbook/iphone/ipad i get "prf output X" consistently for the 3 devices When i use my iphone/ipad to scan the qr code on my macbook (cross-platform authenticator) i get "prf output Y" consistently with both my ipad and iphone. Is this intended? Is there a way to get deterministic prf output for both platform and cross-platform auth attachements while using the same credential and prf input?

We are using performRequestsWithOptions to enable passkey on ios app. [authController performRequestsWithOptions:ASAuthorizationControllerRequestOptionPreferImmediatelyAvailableCredentials]; Based on apple doc, this will "Tells the authorization controller to prefer credentials that are immediately available on the local device.", and fail silently if there are no credentials available. However, in recent testing, we identified that on one device, we are seeing QR code popping up even though there's no credential on the device. Question is this a bug on the OS system? If this is a bug, what are the causes that will trigger this condition? Is there a recommendation to mitigate the issue? Should we move to the new api? Thank you.

My device has open passkeys , in setting app. when I performAutoFillAssistedRequests,callback performRequests ASAuthorizationError(rawValue: 1001)".at same time,authController.performRequests could request successfully

Hi Team, Exporting the archive through the Jenkins pipeline (executing commands on a Mac EC2 instance as a Jenkins agent) isn't working, while exporting directly from the Mac terminal successfully generates the IPA file. What might be the cause? When we execute it on directly Mac terminal, it asks Keychain password first time & after that it automatically generates IPA file. Note : We are using below working command to open keychain access. security unlock-keychain -p "my_password" /Users/ec2-user/Library/Keychains/login.keychain-db Export command : xcodebuild -exportArchive -archivePath $PWD/build/Archive/MyApp.xcarchive -exportPath $PWD/build/IPA -exportOptionsPlist ../../Dev_exportOptions.plist -allowProvisioningUpdates Current details: Node version : node-v18.17.0-darwin-arm64 Npm version : 9.6.7 Ionic version : 5.2.6 Xcode version : 15.4 Macos : Sonoma 14.6.1

After iOS 17.4, Passkey Autofill stopped working inside ASWebAuthenticationSession. iOS 17.5 re-enabled users to pick passkeys if they tap "🔑" icon on right bottom of keyboard and opened Safari password manager. However, it still doesn't recommend passkeys on the first view. Even on the latest iOS 18.0 developer beta, the behaviour is not fixed yet.

In AuthorizationServices support for displayName exists in: class ASAuthorizationSecurityKeyPublicKeyCredentialProvider func createCredentialRegistrationRequest( challenge: Data, displayName: String, name: String, userID: Data ) -> ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest but is not supported in the corresponding class: class ASAuthorizationPlatformPublicKeyCredentialProvider func createCredentialRegistrationRequest( challenge: Data, name: String, userID: Data ) -> ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest I was under the impression that this should be supported in public key credential registration?

I'm using the same code to authenticate using passkeys on iOS and macOS. On iOS (simulator, on-device, and deployed with TestFlight), I have no issues registering or authenticating with a passkey. On macOS using Catalyst, when I attempt to authenticate with a passkey (ASAuthorizationController#performRequests), I see the following error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Application with identifier TEAMID.com.bundle is not associated with domain bundle.com" UserInfo={NSLocalizedFailureReason=Application with identifier TEAMID.com.bundle is not associated with domain bundle.com} I've double-checked my apple-app-site-association file is being served from the associated domain, and I've double-checked that the Apple CDN is also returning that same association file with webcredentials for my team/bundle. Any ideas why it would succeed in iOS environments but fail under macOS with Catalyst?

Referring to this explainer(https://github.com/w3c/webauthn/wiki/Explainer:-Conditional-Registration-Extension) for enabling passkey automatic upgrades. As per the explainer wiki, the credential manager's GET API needs a flag "conditionalCreate: true" before invoking the create API with "mediation: conditional". There is an assumption here that the password autofill needs to be completed as part of the GET API call and only then the passkey automatic upgrades are enabled via conditional mediation in the create API call. Are these assumptions correct? If the previously stated assumptions are correct would automatic passkey upgrades work in native iOS applications if I use the native credential manager APIs for GET and the web based credential manager API for CREATE? (The sign-in pages are opened in a web view for native application)

Hello, I would like to know how I recreate the data that was signed by the private key during assertion flow. I read on various sources that my code should get the 37 bytes of authenticator data, append the SHA-256 hash of clientDataJSON string to the end and verify that data given the signature and the public key! But it doesn't seem to work. I have opened a StackOverflow issue to it where I've provided broader details: https://stackoverflow.com/q/78819955/26530591

Is it possible to have device bound passkeys on ios and iPadOS?

Hello all - we have enabled our app users to create and sign in using their passkey. However - for some users, we get a NSLocalizedFailure reason exception that the app is not associated with the domain. We have ensured that the endpoint /.well-known/apple-app-site-association isnt blocking any requests. Like I said before, 90% of our users are able to successfully create and sign in with their passkey but we receive the above error for the remaining 10%. Any suggestions/guidance on how we can resolve this would be helpful and greatly appreciated. Thank you.

"ASCredentialProviderViewController" class was implemented in my password manager to autofill password for the app clients. I've added passkey support recently but biometric/code authentication is not asked by the system when the user tries to sign in with a passkey thanks to "provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest)". For passwords: extensionContext.completeRequest(withSelectedCredential: ASPasswordCredential(), completionHandler: nil) -> Does trigger biometric/code authentication For passkeys: extensionContext.completeAssertionRequest(using: ASPasskeyAssertionCredential()) -> Does NOT trigger biometric/code authentication => Why authentication is managed by the system for password but not for passkeys ? And how to fix that?

Hello, Is it correct that right now when any passkey-provider prepares the passkey registration ceremony response with attestation, iOS strips off the attestation before handing over response-assertion to the client. Does this stripping off of attestation have to do anything with the BS and BE flags that are populated by passkey-provider ? Meaning, is it correct statement that iOS removes the attestation blob from the response if the BE and BS flags are set to zero ??