[MacOS] Determining whether user already has passkey for given domain

Hi, I'm leveraging ASAuthorizationSecurityKeyPublicKeyCredentialProvider to authenticate users to an internal service using security keys or passkeys. I'm not using Sign in with Apple - registration is done in another internal service. We're using associated domains. This is on MacOS only.

I'm wondering whether I can programmatically determine whether the user has a passkey enrolled with our super-secret-internal-service.com domain already?

The reason I'm asking is simply better UX - if the user doesn't have a passkey enrolled, I'd like to avoid offering them an option to use a platform authenticator and only offer them to tap their security key. We can assume that all users already have their security keys enrolled.

So something like the following:


  import AuthenticationServices

  // Assertion request for roaming authenticators (security keys)
  let securityKeyProvider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
  let securityKeyRequest = securityKeyProvider.createCredentialAssertionRequest(challenge: options.challenge.data(using: .utf8) ?? Data())

  // Assertion request for the platform authenticator (passkeys)
  let platformProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
  let platformKeyRequest = platformProvider.createCredentialAssertionRequest(challenge: options.challenge.data(using: .utf8) ?? Data())

  // Always offer the security key; offer the platform passkey only if one is enrolled
  var authRequests: [ASAuthorizationRequest] = [securityKeyRequest]
  if (userHasPasskeyForDomain("super-secret-internal-service.com")) { // TODO how do I check this??
    authRequests.append(platformKeyRequest)
  }
  // Pass the conditionally built list, not both requests unconditionally
  let authController = ASAuthorizationController(authorizationRequests: authRequests)

Many thanks!
