Apple Passkeys allows users to create a webauthn key for one referring party on one device, and sync the generated private key securely to the other devices registered to your Apple ID.
The referring party, in this case, receives the same public key no matter which device the user is authenticating from.
You can see this working in your Safari browser by selecting the option in their Develop menu to Enable syncing platform authenticator, and registering a test username on webauthn.io.
You can also see how Internet Identity breaks by trying to register an anchor.
The reason is because Safari doesnât support direct webauthn attestations when the syncing platform authenticator option is enabled, only ânoneâ as the attestation (I suspect as a way to force the user experience to sync keys by default).
Weâve already submitted PRs to fix II and support Apple Passkeys, but I wanted to bring up the issue with you all and ask if we need direct attestations for anything?
It looks like, at some point, attestation was set to direct. Iâm going to take some time to figure out why it was removed, and whether or not setting it to none could be an issue. Weâll need to be careful though since II does need to work on many platforms (like Windows Hello) which may have different expectations; whereas, as I understand, Apple Passkeys (or âPasskeys in iCloud Keychainâ) are just a tech preview for now, and not meant to be used for production:
These passkeys are only meant for testing, not for production accounts.
the ânot for productionâ statement is about a year old
the latest iOS 15.4. beta 4 as of 3rd May has enabled (some) passkey features
iOS & iPadOS 15.5 Beta 4 Release Notes
Authentication / New Features
Support is added to the passkey technology preview, enabling signing in to passkey-compatible websites and apps on Mac and iPad using an iPhone with a saved passkey. (87998254)
there has been a joint press release about a week ago of FIDO Alliance, Apple, Microsoft and Google about expanded support, aka passkeys (Press Release). All big players committed to support this feature (âThese new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming yearâ).
I would expect that passkeys become production-ready soon, not only on Appleâs platforms but on Googleâs and Microsoftâs, too.
As it would make logins to the Internet Computer a lot more consumer friendly and thus support adoption of the Internet Computer ecosystem, I would love to see this a high-prio implementation task at Dfinity.
