Passkey autofill doesn't require biometric or code to autofill

The "ASCredentialProviderViewController" class was implemented in my password manager to autofill passwords for the app clients.

I've added passkey support recently, but biometric/code authentication is not requested by the system when the user tries to sign in with a passkey thanks to "provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest)".

=> Why is authentication managed by the system for passwords but not for passkeys? And how can I fix that?

Answered by Systems Engineer in 796913022

For passkeys, the concept of User Verification (UV) in the WebAuthn spec makes this complicated. The authenticator can attempt to verify that the person using it is the owner of the authenticator, and the response it returns changes based on whether that happened. Authenticators generally implement their own UV. Also, UV is optional in the spec, as the primary strength of passkeys comes from being managed public/private key pairs, not from local biometrics/passcode. If the system performed its own UV in front of the authenticator's UV, it would likely be cumbersome for the user and would make returning a correct result complicated.

Because of this, the current API expects passkey providers to implement their own UV, and decide on a per-request basis whether to trigger it. If you have a case in mind for a way to implement UV that doesn't fit the current model, please let us know through Feedback Assistant!
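One way a provider can make the per-request UV decision described in the answer, as an added example that is not code from the thread or from Apple. It assumes the iOS 17 passkey provider APIs and ES256 (P-256) credentials; `PasskeyStore`, `store` and the "verify unless discouraged" policy are hypothetical choices made for illustration.

```swift
import AuthenticationServices
import CryptoKit
import LocalAuthentication

// Hypothetical interface to the provider's own key storage (not an Apple API).
protocol PasskeyStore { func privateKey(for credentialID: Data) -> P256.Signing.PrivateKey? }

final class CredentialProviderViewController: ASCredentialProviderViewController {
    var store: PasskeyStore!              // assumption: injected by the extension at launch
    private var authContext: LAContext?   // kept alive while the prompt is on screen

    // Silent path: the system shows no prompt here, so the provider decides about UV.
    override func provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest) {
        guard let request = credentialRequest as? ASPasskeyCredentialRequest else { return fail(.failed) }
        if request.userVerificationPreference == .discouraged {
            complete(request, userVerified: false)
        } else {
            // Example policy: verify for .required and .preferred. The system then
            // calls prepareInterfaceToProvideCredential(for:), where UI is allowed.
            fail(.userInteractionRequired)
        }
    }

    override func prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest) {
        guard let request = credentialRequest as? ASPasskeyCredentialRequest else { return fail(.failed) }
        let context = LAContext()         // fresh context so no earlier success is reused
        authContext = context
        context.evaluatePolicy(.deviceOwnerAuthentication,
                               localizedReason: "Sign in with your passkey") { ok, _ in
            DispatchQueue.main.async {
                if ok { self.complete(request, userVerified: true) } else { self.fail(.userCanceled) }
            }
        }
    }

    private func complete(_ request: ASPasskeyCredentialRequest, userVerified: Bool) {
        guard let id = request.credentialIdentity as? ASPasskeyCredentialIdentity,
              let key = store.privateKey(for: id.credentialID) else { return fail(.credentialIdentityNotFound) }
        // authenticatorData = SHA-256(rpId) || flags || signCount. UP = 0x01, UV = 0x04;
        // the backup flags (BE/BS) are left out of this example.
        var authData = Data(SHA256.hash(data: Data(id.relyingPartyIdentifier.utf8)))
        authData.append(userVerified ? 0x05 : 0x01)
        authData.append(contentsOf: [0, 0, 0, 0])   // signCount fixed at 0 in this example
        guard let sig = try? key.signature(for: authData + request.clientDataHash) else { return fail(.failed) }
        extensionContext.completeAssertionRequest(using: ASPasskeyAssertionCredential(
            userHandle: id.userHandle, relyingParty: id.relyingPartyIdentifier,
            signature: sig.derRepresentation, clientDataHash: request.clientDataHash,
            authenticatorData: authData, credentialID: id.credentialID))
    }

    private func fail(_ code: ASExtensionError.Code) {
        extensionContext.cancelRequest(withError: NSError(domain: ASExtensionErrorDomain, code: code.rawValue))
    }
}
```

The UV bit is only set after `evaluatePolicy` succeeds, so a relying party that requires verification can reject an assertion where the flag is clear.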
