bruins, urban mobility
Home | https://timcappalli.me |
GitHub | https://github.com/timcappalli |
Gravatar | https://gravatar.com/timcappalli |
Bluesky/ATP | @timcappalli.me |
iOS 26 (and OSes 26 in general) add an OS-facilitated way to securely migrate your passkeys, passwords, and other data saved in one password manager app to another. The details here are super interesting and are covered in the WWDC25 video “What's new in passkeys” (https://developer.apple.com/videos/play/wwdc2025/279). The rest of this post includes a summary of part of that video and other publicly-available information. (I am not breaking any kind of news here.)
- Data is sent from one app to the other without exporting any kind of file to a filesystem. This means it can’t accidentally be uploaded to an attacker attempting to compromise one or all of your accounts.
- There’s an OS API that password manager apps call to export their data. Then, securely and out-of-process, users select which app to send the data to. They are reminded of the scope of the data, and authenticate with local biometrics or their passcode to confirm sending the data.
- The destination app is not revealed to the source app.
- Remember that crappy unstandardized CSV format for migrating passwords between password managers? It’s going to be a thing of the past, because…
- The data sendable via the API is explicitly based on the “Credential Exchange Format” (https://fidoalliance.org/specifications-credential-exchange-specifications/) standard. This standard is being developed in the FIDO Alliance, the standards body working on passkeys, but the spec covers far more than passwords and passkeys. In fact, it was co-developed by 1Password, Dashlane, and others. There’s a collection of Swift structs in the SDK implementing the standard, with as few modifications as possible.
- The data format part of the API is versioned so it can evolve as the Credential Exchange Format does.
I know it’s taken some time for this to come to fruition, but I hope that delivering a phishing-resistant credential migration process based on open standards (with a credential format standardized for the first time!) makes up for the delay. As I have said since day 1, your passkey data is yours. Passkeys are not a form of “vendor lock-in”.
OpenID for Verifiable Presentations 1.0 is now final!
This is the core presentation protocol used with the Digital Credentials API.
https://openid.net/specs/openid-4-verifiable-presentations-1_0-final.html
#dc #oid4vp #vdc #mdl #vc #sdjwt #eudiw #dcapi #digitalcredentials
The First Public Working Draft of the W3C Digital Credentials API is now published
This document specifies an API to enable user agents to mediate presentation and issuance of digital credentials such as a driver's license, government-issued identification card, and/or other types of digital credential. The API builds on Credential Management Level 1 as a means by which to request or issue a digital credential from a user agent or underlying platform.