Highlight
iOS 15 and macOS Monterey launch WebAuthn technology preview, which stores public key-based passkeys in iCloud Keychain to achieve one-click login, cross-device synchronization, and anti-phishing, and the server no longer stores any authentication keys.
Core Content
The fundamental problem with passwords
Passwords have been around for decades and everyone uses them.But the industry is increasingly realizing that the convenience of passwords comes at the cost of security.
According to Verizon’s 2020 Data Breach Investigations Report, more than 80% of hacker-related data breaches involved the brute force cracking of credentials or the use of lost/stolen credentials.
The core problem with passwords is that they are “shared keys” - both the user and the server hold the same secret.Every time this secret is transmitted, there is a risk of interception.Problems such as phishing attacks, password reuse, and weak passwords all stem from this.
Existing improvement solutions have limitations:
- Password Manager: Can generate strong passwords, but security is only as good as the master password
- SMS/OTP Verification Code: Still an enterable, phishing shared key
- Federated Authentication (like Sign in with Apple): Centralizes trust in a few accounts, but not applicable in all scenarios
WebAuthn: Public key instead of shared secret
The WebAuthn (Web Authentication) standard uses public/private key pairs instead of passwords.It works completely differently:
- When registering, the device generates a pair of keys: public key and private key
- The public key is sent to the server for storage (the public key can be made public and there is no confidentiality requirement)
- The private key remains on the device and will never be shared with anyone
- When logging in, the server sends a challenge, and the device returns after signing it with the private key.
- The server uses the public key to verify the signature and confirm the identity.
The private key never leaves the device during the entire process.Even if the server is compromised, the attacker can only obtain the public key, and the public key itself has no value.
Security Keys vs Passkeys
The hardware security key (Security Key) already supports WebAuthn, which has good security, but requires additional purchase and carrying of hardware, which is not user-friendly enough for ordinary users.
Apple’s solution is passkeys in iCloud Keychain: Store WebAuthn credentials in iCloud Keychain, combining the security of WebAuthn with the convenience of iCloud Keychain.
- One-click login: usually just one click or Face ID verification
- Cross-device sync: available on all Apple devices
- Secure backup: Restore from iCloud even if you lose all your devices
- Anti-phishing: The operating system strictly restricts the credentials to be used only on the website/app that created it
- End-to-end encryption: even Apple can’t read it
Technology Preview Status
In macOS Monterey and iOS 15, passkeys is released as a technology preview and is turned off by default.It needs to be turned on manually in “Settings > Developer” in iOS or in the “Develop” menu in macOS Safari.This preview is for testing only and is not recommended for production accounts.
Detailed Content
Register an account
(17:32) Use ASAuthorizationPlatformPublicKeyCredentialProvider to create a registration request:
func createAccount(with challenge: Data, name: String, userID: Data) {
let provider = ASAuthorizationPlatformPublicKeyCredentialProvider(
relyingPartyIdentifier: "example.com"
)
let registrationRequest = provider.createCredentialRegistrationRequest(
challenge: challenge,
name: name,
userID: userID
)
let controller = ASAuthorizationController(
authorizationRequests: [registrationRequest]
)
controller.delegate = self
controller.presentationContextProvider = self
controller.performRequests()
}
Key points:
relyingPartyIdentifierUsually a domain name, used to associate applications and websiteschallengeIt is a one-time challenge value obtained from the server.nameIs the account name visible to the useruserIDis the backend account identifierASAuthorizationControllerA system sheet will pop up, and the user can complete the registration after confirming through Face ID/Touch ID.
Log in
(17:39) Login is very similar to registration, just use assertion request instead:
func signIn(with challenge: Data) {
let provider = ASAuthorizationPlatformPublicKeyCredentialProvider(
relyingPartyIdentifier: "example.com"
)
let assertionRequest = provider.createCredentialAssertionRequest(
challenge: challenge
)
let controller = ASAuthorizationController(
authorizationRequests: [assertionRequest]
)
controller.delegate = self
controller.presentationContextProvider = self
controller.performRequests()
}
Key points:
createCredentialAssertionRequestUsed for login (called “assertion” in WebAuthn terminology)- Just need
challengeParameters, not requirednameanduserID authorizationRequestsThe parameter is an array, and requests for passwords, Sign in with Apple, and other authentication methods can be passed in at the same time.- The system sheet will display all available voucher options
Handling callbacks
(17:41) Process the registration or login results in the delegate callback:
func authorizationController(
controller: ASAuthorizationController,
didCompleteWithAuthorization authorization: ASAuthorization
) {
switch authorization.credential {
case let registration as ASAuthorizationPlatformPublicKeyCredentialRegistration:
let attestationObject = registration.rawAttestationObject
let clientDataJSON = registration.rawClientDataJSON
// Send to the server for verification to complete account creation
case let assertion as ASAuthorizationPlatformPublicKeyCredentialAssertion:
let signature = assertion.signature
let clientDataJSON = assertion.rawClientDataJSON
// Send to the server for verification to complete sign-in
default:
break
}
}
Key points:
- Obtained when registering
rawAttestationObjectandrawClientDataJSON, sent to the server for verification - Get it when you log in
signatureandrawClientDataJSON, the server uses the public key to verify the signature - The credential data format is consistent with WebAuthn Web API, and server-side logic can be reused
Association between application and website
(19:46) In order for the anti-phishing protection provided by the platform to take effect, it needs to be configured in Associated DomainswebcredentialsAssociation type:
applinks:example.com
webcredentials:example.com
This establishes a strong association between the app and the website, ensuring that credentials can only be used in the correct domain.
Security Key API
(13:21) iOS 15 and macOS Monterey also open the Security Key API to all apps.This is a new member of the ASAuthorization API family and is the native equivalent of the WebAuthn API.
Security keys are suitable for scenarios with high security requirements, such as enterprise applications or financial applications.Users need to purchase and carry a hardware key, but receive the highest level of security.
Core Takeaways
-
Add Passkey support for App: Integrate WebAuthn registration and login flows into existing login systems.Start from the server side, build the WebAuthn backend, and then use it in iOS App
ASAuthorizationPlatformPublicKeyCredentialProviderImplement the front end.Users can register and log in with just one click using Face ID. -
Unified Authentication Portal: Use
ASAuthorizationControllerArray parameter attribute, passing in passkey, password and Sign in with Apple request.The system automatically displays all available options, allowing users to choose the most convenient method. -
Cross-Platform Credential Sharing: Passed
webcredentialsassociated domain associates apps and websites, and a passkey created by a user on one platform can be used on another platform.This eliminates the problem of separation of “App passwords” and “Website passwords” in traditional password management. -
Hardware keys for high security scenarios: For applications with high security requirements such as finance and medical care, the security key API is integrated.iOS 15 supports USB, NFC, and Lightning security keys to provide users with hardware-level protection.
Related Sessions
- Secure login with iCloud Keychain verification codes — TOTP verification code generator, a transition solution in the password era
- Meet Face ID and Touch ID for the web — Web-side biometric authentication
- What’s new in Sign in with Apple — Federal Certification Program
Comments
GitHub Issues · utterances