🔑🧵 iOS 17, macOS Sonoma, and passkeys (1/n)

Password manager apps can now save and sign in with passkeys across the entire OS — all apps and websites — by integrating with the AuthenticationServices framework's updated Credential Provider Extensions!
https://developer.apple.com/documentation/authenticationservices/ascredentialproviderviewcontroller

This will include third-party web browsers like Chrome and Firefox on macOS, because macOS 13.3 added support for web browsers to use iCloud Keychain’s passkeys (and now third-party apps’ passkeys)!
https://developer.apple.com/documentation/authenticationservices/asauthorizationwebbrowserpublickeycredentialmanager

🔑🧵 iOS 17, macOS Sonoma, and passkeys (2/n)

Password manager apps and TOTP apps running on iOS 17 and macOS Sonoma have new API available to directly open the screen to enable system integration with their apps. It should be easier than ever to set up these apps! See `ASSettingsHelper` in the AuthenticationServices framework. https://developer.apple.com/documentation/authenticationservices/assettingshelper?language=objc

🔑🧵 iOS 17, macOS Sonoma, and passkeys (3/n)

📺 WWDC Session: Deploy passkeys at work
https://developer.apple.com/wwdc23/10263

“We'll explore how passkeys can work well in enterprise environments through Managed Apple ID support for iCloud Keychain. We'll also share how administrators can manage passkeys for specific devices using Access Management controls in Apple Business Manager and Apple School Manager.”

And Tailscale has already adopted! https://twitter.com/tailscale/status/1666495448645787663

@rmondello key chains, passkey, other Apple variants - I need a glossary! What are the differences? Improvements?

I saw things touted as iOS 17 features I thought had been around for years. I did that contact bumping over 7 yrs ago it seems.

@rmondello I switched to Keychain from 1Password, and it’s been great. But I was really hoping that Passwords gets a dedicated modern app this year; digging into settings every time I need a password for a non-Safari browser is ridiculous. Also: Spotlight, please!
@fleg oof, how did you (in practice) make the move? Super manually or some kind of exporting and importing?
@tomk I had a large database stretching back years and years, so I decided to just have both 1p and iCloud Keychain active and every time I logged in (with 1p), I saved it to the Keychain.
@rmondello My stupid brain every time you mention Time-based One-Time Passwords:
@rmondello Amazing! I appreciate both the OS-level password/passkey management capabilities and the integration possibilities for third party password managers. 🙏
@rmondello So does this mean I can auto-fill any iCloud password in Chrome? That's the biggest problem I have with iCloud Passwords, because I need Chrome for work but there's no way to easily use iCloud passwords there.
Ricky Mondello (@[email protected])

‼️🔑 macOS Sonoma brings Apple’s password manager to Google Chrome, Microsoft Edge, and other browsers using their extensions stores with the “iCloud Passwords” browser extension. You can AutoFill passwords and one-time codes, save new passwords, and right-click QR codes to set up code generators. If you’re running the macOS Sonoma public or developer beta, you can try it right now! Chrome: https://chrome.google.com/webstore/detail/icloud-passwords/pejdijmoenmkgeppbflobdenhhabjlaj Edge: Coming soon. [*] I am not breaking news here; this is public information.

@rmondello I haven’t seen anything but I’m still holding out hope for a Firefox on Windows iCloud Keychain extension like Chrome and Edge have
@rmondello are there plans to bring Android support? Right now the only thing holding me back to using 1password is cross-platform support. Also...if you need android developers...😲
@rmondello incredible progress this year. Thanks so much for the work. I can’t wait for a Passkeys app… someday!

@rmondello
OK I admit I was super skeptical of the idea of people exporting/sharing their #passkeys but I'm coming around a bit.

Can they be saved to a flat file, and would it be encrypted? I would be concerned that Passkeys would get a bad rap because people export their keys onto flat files and lose control of them, leading to FUD and folk stories about how Passkeys are easily compromised and not secure.

@rmondello @siracusa maybe I have misunderstood, but don't passkeys make password managers such as 1Password superfluous? I was hoping I could quit my sub to the terrible 1P 8.0.
@torsteinv @rmondello @siracusa no, you still have to store all the passkeys for the sites you visit somewhere. So you still either need an app like 1Password or use the built-in OS password manager. Though I really don’t get the hate for 1P8, it feels fine to me.
@andynormancx @torsteinv A little nit that isn't important for the topic of this conversation, but I think is important in general: “passkey” is a common noun, just like “password”, so it's spelled in all lower-case.
@rmondello @torsteinv I read the transcript of the session pointing out just after posting that 😉
@torsteinv @rmondello @siracusa there are password-less schemes out there, which avoid storing separate tokens for each site, like https://en.m.wikipedia.org/wiki/SQRL for example. But even then you still need a client app (or something in the OS) to manage the authentication process for you

@rmondello on macOS can passkeys only be stored in keychain? Can third party apps have their own passkey storage or can they only interact with the Mac keychain storage via these APIs?
@rmondello Does that SDK provide a way for the apps to generate a passkey? I’m thinking about what it would take to do an in-house enterprise app
@rmondello sorry to reply to such an old post but I don't suppose there's a Password equivalent of ASAuthorizationWebBrowserPublicKeyCredentialManager is there? A way for third party browsers to access passwords from keychain (or third-party password manager apps)?
@Lukew There is not. But very interested in knowing who is looking for this!
@rmondello ah, thanks for answering! Just something I was wondering, been thinking on credential management APIs a bit. In an ideal world I'd like a browser extension API for credential managers. But some counter arguments have been that using the platform APIs for that would be better. It seems that can work for passkeys but not passwords on iOS and macOS (ideally we'd all use passkeys tbf).