惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

P
Privacy International News Feed
I
Intezer
T
Tenable Blog
S
Schneier on Security
Project Zero
Project Zero
G
GRAHAM CLULEY
酷 壳 – CoolShell
酷 壳 – CoolShell
小众软件
小众软件
Know Your Adversary
Know Your Adversary
博客园 - 司徒正美
The Cloudflare Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
News and Events Feed by Topic
博客园 - 叶小钗
宝玉的分享
宝玉的分享
L
LINUX DO - 热门话题
aimingoo的专栏
aimingoo的专栏
S
Secure Thoughts
Forbes - Security
Forbes - Security
T
The Exploit Database - CXSecurity.com
D
Darknet – Hacking Tools, Hacker News & Cyber Security
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 【当耐特】
罗磊的独立博客
IT之家
IT之家
H
Hacker News: Front Page
I
InfoQ
云风的 BLOG
云风的 BLOG
S
Security Affairs
M
MIT News - Artificial intelligence
GbyAI
GbyAI
Jina AI
Jina AI
Help Net Security
Help Net Security
Engineering at Meta
Engineering at Meta
大猫的无限游戏
大猫的无限游戏
Webroot Blog
Webroot Blog
L
Lohrmann on Cybersecurity
A
About on SuperTechFans
Attack and Defense Labs
Attack and Defense Labs
The Register - Security
The Register - Security
V
V2EX
G
Google Developers Blog
D
DataBreaches.Net
Apple Machine Learning Research
Apple Machine Learning Research
C
Cybersecurity and Infrastructure Security Agency CISA
J
Java Code Geeks
W
WeLiveSecurity
Cloudbric
Cloudbric
T
Tor Project blog

Passkeys Developer Resources on passkeys.dev

Client Hints Related Origin Requests Bootstrapping Reauthentication What are passkeys? Libraries Test Sites & Tools Chrome OS Android macOS Windows Known Issues Specifications Terms About passkeys.dev Device Support Privacy Policy
iOS & iPadOS
2022-09-04 · via Passkeys Developer Resources on passkeys.dev

Resources for passkeys in Apple’s iOS and iPadOS

Local Authenticator

(create and use passkeys from the local device)

External Authenticator

(create and use passkeys from another device)

Overview  

The default platform authenticator in iOS 16+ and iPadOS 16+, Apple Passwords, has the following capabilities:

  • creating and using passkeys saved to Apple Passwords
  • creating and using passkeys on/from another device, such as:
  • using a passkey from the local iOS or iPadOS device to sign into services on another device (such as a laptop or desktop), using FIDO Cross-Device Authentication

1 On iOS and iPadOS, user verification methods (device PIN, biometric, etc) must already be configured on the security key prior to credential creation

Platform Notes  

Cross-Device Authentication  

iOS and iPadOS support both client and authenticator roles for Cross-Device Authentication (CDA) .

iOS and iPadOS devices (as authenticators) do not support persistent linking for Cross-Device Authentication. When an authenticator is not persistently linked, a QR code must be scanned on every use.

Legacy Credentials  

WebAuthn credentials created using the platform authenticator in iOS/iPadOS 15 and earlier will not not be converted to passkeys but will remain available for the lifetime of the device.

To replace a legacy platform credential with a passkey, start a credential registration ceremony and pass the same user handle (user.id) in the request. iOS/iPadOS will overwrite the legacy credential with a new passkey that will be saved to Apple Passwords.

WebViews  

Embedded WebViews  

WKWebView is the embedded WebView (EWV) on iOS and iPadOS. Embedded WebViews allow the calling app full control over the embedded web session, including modifying and intercepting requests, so many web platform features are limited in these contexts.

NOTE:

Embedded WebViews run in the context of the calling app, meaning only passkeys for the linked web domain (RP ID) can be created or used for sign in.

Said differently, only use EWV when sign in is handled by your own service (non-federated). When supporting multiple identity providers, System WebView should be used (see below).

WKWebView docs @ Apple Developer

System WebViews  

ASWebAuthenticationSession is the System WebView (SWV) on iOS and iPadOS for authentication flows. All Web Platform features that are available in Safari, including WebAuthn, are available in a ASWebAuthenticationSession instance.

Sites loaded in ASWebAuthenticationSession are isolated from the calling app and run in the context of the top level site, just like in a full browser. This means that sign in flows on third party domains, such as a federated identity provider, can use passkeys for signing in.

ASWebAuthenticationSession docs @ Apple Developer

User Verification Behavior  

When a user tries to interact with a passkey on iOS or iPadOS, an available screen unlock method is used for user verification. Users can configure a passcode and Touch ID or Face ID as their screen unlock.

Both passkey creation and authentication ask for Touch ID or Face ID if one is configured, but fallback to a passcode if they are not. iOS asks the user to configure a passcode (and Touch ID or Face ID) if not yet set up.

Safari on iOS / iPadOS 17  

  • When Touch ID or Face ID are not configured, but a passcode is configured on iOS:
    • The behavior with both userVerification='required' and userVerification='preferred' are the same: iOS asks for tapping on a “Confirmation” button, then a passcode for both passkey creation and authentication. Since they fail locally if user verification fails, the server can always expect the UV flag to be true.
    • Calling PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() always returns true.
  • When a passcode is not configured on iOS:
    • The behavior with both userVerification='required' and userVerification='preferred' are the same: User verification fails, iOS asks the user to set up a passcode and then Touch ID or Face ID for both passkey creation and authentication. Since the failure happens locally, the server can expect at least a passcode is already configured and the UV flag to be true.
    • Calling PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() always returns true.

Resources