iOS & iPadOS
Create and use passkeys from the local device: Supported
Create and use passkeys from another device: Supported
Overview
The platform authenticators in iOS 16+ and iPadOS 16+ have the following capabilities:
- creating and using passkeys that are backed up to iCloud Keychain
- creating and using passkeys on/from another device, such as:
  - an iPhone or iPad signed in to a different iCloud account, using FIDO Cross-Device Authentication
  - an Android phone or tablet, using FIDO Cross-Device Authentication
  - a FIDO2 security key [1]
- using a passkey from the local iOS or iPadOS device to sign into services on another device (such as a laptop or desktop), using FIDO Cross-Device Authentication
[1] On iOS and iPadOS, user verification methods (device PIN, biometric, etc.) must already be configured on the security key prior to credential creation.
Platform Notes
Cross-Device Authentication
iOS and iPadOS support both client and authenticator roles for Cross-Device Authentication (CDA).
iOS and iPadOS devices (as authenticators) do not support persistent linking for Cross-Device Authentication. When an authenticator is not persistently linked, a QR code must be scanned on every use.
Legacy Credentials
WebAuthn credentials created using the platform authenticator in iOS/iPadOS 15 and earlier will not be converted to passkeys but will remain available for the lifetime of the device.
To replace a legacy platform credential with a passkey, start a credential registration ceremony and pass the same user handle (user.id) in the request. iOS/iPadOS will overwrite the legacy credential with a new passkey that will be backed up to iCloud Keychain.
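The following is an added example, not code from Apple or from this page: a relying-party server in Node.js builds registration options that reuse the stored user handle, then reads the backup flags of the new credential so the legacy record is retired only once a backed-up passkey has replaced it. The account field names and `example.com` are assumptions, and the flag check runs alongside full WebAuthn response verification (challenge, origin, signature), not in place of it.

```javascript
// Added example: Node.js, standard library only. Account field names are hypothetical.
const crypto = require("node:crypto");

// Registration options for replacing a legacy credential. Binary fields are
// base64url strings; the page script decodes them before credentials.create().
function buildUpgradeOptions(account, rp) {
  return {
    rp,
    user: {
      id: account.userHandleB64u, // identical to the handle used for the legacy credential
      name: account.username,
      displayName: account.displayName,
    },
    challenge: crypto.randomBytes(32).toString("base64url"),
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: { residentKey: "required" },
    // Per WebAuthn, create() fails with InvalidStateError when a listed credential
    // is on the authenticator, so the legacy credential must not be listed here.
    excludeCredentials: account.credentials
      .filter((c) => !c.legacy)
      .map((c) => ({ type: "public-key", id: c.idB64u })),
  };
}

// The flags byte sits at offset 32 of authenticatorData, after the 32-byte rpIdHash.
function parseFlags(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const f = authData[32];
  return { up: !!(f & 0x01), uv: !!(f & 0x04), be: !!(f & 0x08), bs: !!(f & 0x10), at: !!(f & 0x40) };
}

// Classify the new credential: "passkey" means backup eligible (BE flag set).
function classifyNewCredential(authData, rpId) {
  const expected = crypto.createHash("sha256").update(rpId).digest();
  if (!expected.equals(authData.subarray(0, 32))) return "reject: rpIdHash mismatch";
  const { up, be, bs, at } = parseFlags(authData);
  if (!up || !at) return "reject: UP or AT flag missing";
  if (bs && !be) return "reject: BS set without BE"; // invalid combination per WebAuthn
  return be ? "passkey" : "device-bound";
}

// Constructed sample: rpIdHash + flags + zero signature counter, cut off after the counter.
function sampleAuthData(rpId, flags) {
  const hash = crypto.createHash("sha256").update(rpId).digest();
  return Buffer.concat([hash, Buffer.from([flags, 0, 0, 0, 0])]);
}
```

A "device-bound" result after an upgrade attempt means the legacy record should stay in place until the user registers a credential that reports backup eligibility.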
Resources
- Apple landing page for passkeys
- About the security of passkeys
- Supporting passkeys
- Supporting device-bound passkeys on security keys
- Sample Code
Last Updated: Mar 08, 2023