lyokato / WebAuthnKit-iOS

WebAuthn iOS Library
MIT License

Direct Attestation #9

Open bugnuker opened 3 years ago

bugnuker commented 3 years ago

When using the lib and setting attestation to direct, we are getting back a self-attestation.

Are there plans to use Safari or iOS to sign the attestation for this library instead of self-attestation?
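One way a relying party can check which attestation type it actually received (as an added example, not code from WebAuthnKit-iOS or from this thread): parse the CBOR attestationObject and apply the WebAuthn packed-format rule that a missing `x5c` in `attStmt` means self attestation. The sample attestationObject bytes are hand-constructed, with a placeholder signature and authData.

```python
# Added example (not WebAuthnKit-iOS code): RP-side check of the attestation
# type that actually arrived. attestationObject is CBOR; in the WebAuthn
# "packed" format a missing x5c in attStmt means self attestation.
# The CBOR reader below handles only the types an attestationObject uses.
def cbor_decode(data: bytes, pos: int = 0):
    """Decode one CBOR item: uint, negint, bstr, tstr, array, map."""
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27:                      # 1/2/4/8-byte length or value
        width = 1 << (info - 24)
        arg = int.from_bytes(data[pos:pos + width], "big")
        pos += width
    else:
        raise ValueError(f"unsupported additional info {info}")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        chunk, pos = data[pos:pos + arg], pos + arg
        return (chunk if major == 2 else chunk.decode()), pos
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = cbor_decode(data, pos)
            result[key], pos = cbor_decode(data, pos)
        return result, pos
    raise ValueError(f"unsupported major type {major}")

def attestation_type(attestation_object: bytes) -> str:
    """Name the attestation the authenticator produced, from fmt/attStmt."""
    obj, _ = cbor_decode(attestation_object)
    fmt, att_stmt = obj["fmt"], obj["attStmt"]
    if fmt == "packed":                   # self attestation iff x5c absent
        return "self" if "x5c" not in att_stmt else "basic-or-attca"
    return {"none": "none", "android-key": "android-keystore",
            "apple": "apple-anonymous"}.get(fmt, "other:" + fmt)

# Constructed sample, encoded by hand (placeholder sig/authData, not real):
# {"fmt": "packed", "attStmt": {"alg": -7, "sig": h'deadbeef'}, "authData": h'0102'}
SELF_ATTESTED = bytes.fromhex(
    "a3 63666d74 667061636b6564 6761747453746d74 a2 63616c67 26"
    "63736967 44deadbeef 686175746844617461 420102")
```

An RP that requested `attestation: "direct"` can reject or flag a registration for which this returns `"self"`, since no authenticator or platform certificate chain backs the key.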

acoutts commented 1 year ago

I've been researching this a lot lately, writing my own similar implementation in Dart. From what I've found, Android has the option of using the KeyStore attestation: https://developer.android.com/training/articles/security-key-attestation

But I can't find anything on iOS. The closest I've been able to imagine is if you were to use AppAttest to get an attestation and include the client data hash so it can be verified after by the RP.

acoutts commented 1 year ago

I've looked at using passkeys too. While that conveniently implements the WebAuthn standard and you can simply feed it the standard request classes, without having to implement anything about credential storage, the problem is more a UX one, because it requires several taps and modal sheets to log in every time the app opens.

You could try using the special Safari web view for WebAuthn, and that would handle the credential part, but again it's not a great UX to open a webview every time the app opens just to sign an assertion to log in again.

It seems like we don't have a good out-of-the-box solution from Apple yet for native mobile to use the Secure Enclave as a crypto authenticator in WebAuthn.

daviorze commented 1 year ago

I'm trying to integrate this library to use in iOS 17 and create a Passkeys authenticator. Is it possible?