WWDC Quick Look 💓 By SwiftGGTeam
Move beyond passwords

Move beyond passwords

Watch original video

Highlight

iOS 15 and macOS Monterey launch WebAuthn technology preview, which stores public key-based passkeys in iCloud Keychain to achieve one-click login, cross-device synchronization, and anti-phishing, and the server no longer stores any authentication keys.

Core Content

The fundamental problem with passwords

Passwords have been around for decades and everyone uses them.But the industry is increasingly realizing that the convenience of passwords comes at the cost of security.

According to Verizon’s 2020 Data Breach Investigations Report, more than 80% of hacker-related data breaches involved the brute force cracking of credentials or the use of lost/stolen credentials.

The core problem with passwords is that they are “shared keys” - both the user and the server hold the same secret.Every time this secret is transmitted, there is a risk of interception.Problems such as phishing attacks, password reuse, and weak passwords all stem from this.

Existing improvement solutions have limitations:

  • Password Manager: Can generate strong passwords, but security is only as good as the master password
  • SMS/OTP Verification Code: Still an enterable, phishing shared key
  • Federated Authentication (like Sign in with Apple): Centralizes trust in a few accounts, but not applicable in all scenarios

WebAuthn: Public key instead of shared secret

The WebAuthn (Web Authentication) standard uses public/private key pairs instead of passwords.It works completely differently:

  1. When registering, the device generates a pair of keys: public key and private key
  2. The public key is sent to the server for storage (the public key can be made public and there is no confidentiality requirement)
  3. The private key remains on the device and will never be shared with anyone
  4. When logging in, the server sends a challenge, and the device returns after signing it with the private key.
  5. The server uses the public key to verify the signature and confirm the identity.

The private key never leaves the device during the entire process.Even if the server is compromised, the attacker can only obtain the public key, and the public key itself has no value.

Security Keys vs Passkeys

The hardware security key (Security Key) already supports WebAuthn, which has good security, but requires additional purchase and carrying of hardware, which is not user-friendly enough for ordinary users.

Apple’s solution is passkeys in iCloud Keychain: Store WebAuthn credentials in iCloud Keychain, combining the security of WebAuthn with the convenience of iCloud Keychain.

  • One-click login: usually just one click or Face ID verification
  • Cross-device sync: available on all Apple devices
  • Secure backup: Restore from iCloud even if you lose all your devices
  • Anti-phishing: The operating system strictly restricts the credentials to be used only on the website/app that created it
  • End-to-end encryption: even Apple can’t read it

Technology Preview Status

In macOS Monterey and iOS 15, passkeys is released as a technology preview and is turned off by default.It needs to be turned on manually in “Settings > Developer” in iOS or in the “Develop” menu in macOS Safari.This preview is for testing only and is not recommended for production accounts.

Detailed Content

Register an account

(17:32) Use ASAuthorizationPlatformPublicKeyCredentialProvider to create a registration request:

func createAccount(with challenge: Data, name: String, userID: Data) {
    let provider = ASAuthorizationPlatformPublicKeyCredentialProvider(
        relyingPartyIdentifier: "example.com"
    )

    let registrationRequest = provider.createCredentialRegistrationRequest(
        challenge: challenge,
        name: name,
        userID: userID
    )

    let controller = ASAuthorizationController(
        authorizationRequests: [registrationRequest]
    )

    controller.delegate = self
    controller.presentationContextProvider = self
    controller.performRequests()
}

Key points:

  • relyingPartyIdentifierUsually a domain name, used to associate applications and websites
  • challengeIt is a one-time challenge value obtained from the server.
  • nameIs the account name visible to the user
  • userIDis the backend account identifier
  • ASAuthorizationControllerA system sheet will pop up, and the user can complete the registration after confirming through Face ID/Touch ID.

Log in

(17:39) Login is very similar to registration, just use assertion request instead:

func signIn(with challenge: Data) {
    let provider = ASAuthorizationPlatformPublicKeyCredentialProvider(
        relyingPartyIdentifier: "example.com"
    )

    let assertionRequest = provider.createCredentialAssertionRequest(
        challenge: challenge
    )

    let controller = ASAuthorizationController(
        authorizationRequests: [assertionRequest]
    )

    controller.delegate = self
    controller.presentationContextProvider = self
    controller.performRequests()
}

Key points:

  • createCredentialAssertionRequestUsed for login (called “assertion” in WebAuthn terminology)
  • Just needchallengeParameters, not requirednameanduserID
  • authorizationRequestsThe parameter is an array, and requests for passwords, Sign in with Apple, and other authentication methods can be passed in at the same time.
  • The system sheet will display all available voucher options

Handling callbacks

(17:41) Process the registration or login results in the delegate callback:

func authorizationController(
    controller: ASAuthorizationController,
    didCompleteWithAuthorization authorization: ASAuthorization
) {
    switch authorization.credential {
    case let registration as ASAuthorizationPlatformPublicKeyCredentialRegistration:
        let attestationObject = registration.rawAttestationObject
        let clientDataJSON = registration.rawClientDataJSON
        // Send to the server for verification to complete account creation

    case let assertion as ASAuthorizationPlatformPublicKeyCredentialAssertion:
        let signature = assertion.signature
        let clientDataJSON = assertion.rawClientDataJSON
        // Send to the server for verification to complete sign-in

    default:
        break
    }
}

Key points:

  • Obtained when registeringrawAttestationObjectandrawClientDataJSON, sent to the server for verification
  • Get it when you log insignatureandrawClientDataJSON, the server uses the public key to verify the signature
  • The credential data format is consistent with WebAuthn Web API, and server-side logic can be reused

Association between application and website

(19:46) In order for the anti-phishing protection provided by the platform to take effect, it needs to be configured in Associated DomainswebcredentialsAssociation type:

applinks:example.com
webcredentials:example.com

This establishes a strong association between the app and the website, ensuring that credentials can only be used in the correct domain.

Security Key API

(13:21) iOS 15 and macOS Monterey also open the Security Key API to all apps.This is a new member of the ASAuthorization API family and is the native equivalent of the WebAuthn API.

Security keys are suitable for scenarios with high security requirements, such as enterprise applications or financial applications.Users need to purchase and carry a hardware key, but receive the highest level of security.

Core Takeaways

  • Add Passkey support for App: Integrate WebAuthn registration and login flows into existing login systems.Start from the server side, build the WebAuthn backend, and then use it in iOS AppASAuthorizationPlatformPublicKeyCredentialProviderImplement the front end.Users can register and log in with just one click using Face ID.

  • Unified Authentication Portal: UseASAuthorizationControllerArray parameter attribute, passing in passkey, password and Sign in with Apple request.The system automatically displays all available options, allowing users to choose the most convenient method.

  • Cross-Platform Credential Sharing: Passedwebcredentialsassociated domain associates apps and websites, and a passkey created by a user on one platform can be used on another platform.This eliminates the problem of separation of “App passwords” and “Website passwords” in traditional password management.

  • Hardware keys for high security scenarios: For applications with high security requirements such as finance and medical care, the security key API is integrated.iOS 15 supports USB, NFC, and Lightning security keys to provide users with hardware-level protection.

Comments

GitHub Issues · utterances