Different PRF output when using platform or cross-platform authentication attachement

Privacy & Security General
andreigiura OP
Created Sep ’24
Replies 1
Boosts 0
Views 181
Participants 2

Hello,

I am using the prf extension for passkeys that is available since ios 18 and macos15. I am using a fixed, hardcoded prf input when creating or geting the credentials. After creating a passkey, i try to get the credentials and retrieve the prf output, which works great, but i am getting different prf outputs for the same credential and same prf input used in the following scenarios:

  1. Logging in directly (platform authenticator) on my macbook/iphone/ipad i get "prf output X" consistently for the 3 devices

  2. When i use my iphone/ipad to scan the qr code on my macbook (cross-platform authenticator) i get "prf output Y" consistently with both my ipad and iphone.

Is this intended? Is there a way to get deterministic prf output for both platform and cross-platform auth attachements while using the same credential and prf input?

Replies  1
Boosts  0
Views  181
Participants  2
Systems Engineer OP
Apple
Sep ’24

These values should match, assuming your use of UV matches in both cases. The PRF extension specifies to use different seeds depending on whether UV (passcode/biometrics) was performed or not. But assuming you're either always performing or always not performing UV in both cases, the same inputs should produce the same outputs.

If you're seeing this not working, please let us know through Feedback Assistant! Logs from all the devices involved and any info you can provide about how you're testing would be very helpful.

0
Different PRF output when using platform or cross-platform authentication attachement
First post date Last post date
 
 
Q