Apple Passkeys allows users to create a webauthn key for one referring party on one device, and sync the generated private key securely to the other devices registered to your Apple ID.
The referring party, in this case, receives the same public key no matter which device the user is authenticating from.
You can see this working in your Safari browser by selecting the option in their
Develop menu to
Enable syncing platform authenticator, and registering a test username on webauthn.io.
You can also see how Internet Identity breaks by trying to register an anchor.
The reason is because Safari doesn’t support direct webauthn attestations when the syncing platform authenticator option is enabled, only ‘none’ as the attestation (I suspect as a way to force the user experience to sync keys by default).
We’ve already submitted PRs to fix II and support Apple Passkeys, but I wanted to bring up the issue with you all and ask if we need direct attestations for anything?
Thanks a lot @dostro!
It looks like, at some point,
attestation was set to
direct. I’m going to take some time to figure out why it was removed, and whether or not setting it to
none could be an issue. We’ll need to be careful though since II does need to work on many platforms (like Windows Hello) which may have different expectations; whereas, as I understand, Apple Passkeys (or “Passkeys in iCloud Keychain”) are just a tech preview for now, and not meant to be used for production:
These passkeys are only meant for testing, not for production accounts.
@nmattia thanks the info.
Please be aware that
- the “not for production” statement is about a year old
- the latest iOS 15.4. beta 4 as of 3rd May has enabled (some) passkey features
iOS & iPadOS 15.5 Beta 4 Release Notes
Authentication / New Features
Support is added to the passkey technology preview, enabling signing in to passkey-compatible websites and apps on Mac and iPad using an iPhone with a saved passkey. (87998254)
- there has been a joint press release about a week ago of FIDO Alliance, Apple, Microsoft and Google about expanded support, aka passkeys (Press Release). All big players committed to support this feature (“These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year”).
I would expect that passkeys become production-ready soon, not only on Apple’s platforms but on Google’s and Microsoft’s, too.
As it would make logins to the Internet Computer a lot more consumer friendly and thus support adoption of the Internet Computer ecosystem, I would love to see this a high-prio implementation task at Dfinity.
Thanks for the info!
Agreed, we should support that. Most likely this will be an easy fix, though I still want to make sure we understand exactly what’s happening.
We’re tracking this internally; we’re focusing on recovery and UX tasks right now and will get on it right after!