Public-Private Key Authentication
Register and authenticate users with passkeys and security keys, without using passwords.
Overview
Eliminating passwords simplifies account creation and authentication for apps and websites. It also reduces the risks that arise from reusing one password across multiple services, from brute-force attacks, and from the social engineering that bad actors use to obtain credentials. By implementing public-private key authentication according to the W3C Web Authentication specification, your users no longer need to remember complicated passwords or rely on password managers.
Instead of using a password, your macOS, iOS, or iPadOS device, known as the authenticator, generates a public-private key pair at account creation time and sends the public key to the server. The server, known as the relying party, holds the public key for subsequent authentication and issues a challenge that the authenticator answers with an assertion, proving that it still holds the matching private key.
There are two forms of public-private key authentication: passkeys and security keys. With passkeys, the device stores its public-private key pair in the user’s iCloud Keychain and syncs the keys across the user’s devices. Security keys store the public-private key pair on a physical medium, such as a security card or a USB key.
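The registration and assertion flows described above, driven from the platform (passkey) credential provider, as an added example that is not Apple's sample code; the relying-party identifier "example.com" and the sendToServer callback are assumptions.

```swift
import AuthenticationServices

final class PasskeyClient: NSObject, ASAuthorizationControllerDelegate,
                           ASAuthorizationControllerPresentationContextProviding {
    private let provider = ASAuthorizationPlatformPublicKeyCredentialProvider(
        relyingPartyIdentifier: "example.com")          // assumed RP ID; must match the server's domain
    private let anchor: ASPresentationAnchor
    private let sendToServer: ([String: Data]) -> Void // assumed call to the relying party's API
    init(anchor: ASPresentationAnchor, sendToServer: @escaping ([String: Data]) -> Void) {
        self.anchor = anchor
        self.sendToServer = sendToServer
        super.init()
    }
    // Registration: the device mints a key pair; only the public key (inside the attestation object) and the credential ID go to the server.
    func register(challenge: Data, name: String, userID: Data) {
        let request = provider.createCredentialRegistrationRequest(
            challenge: challenge, name: name, userID: userID)
        request.userVerificationPreference = .required  // biometric or passcode before the key is used
        run(request)
    }
    // Authentication: the server-issued challenge is signed with the private key, which never leaves the authenticator or iCloud Keychain.
    func signIn(challenge: Data) {
        let request = provider.createCredentialAssertionRequest(challenge: challenge)
        run(request)
    }
    private func run(_ request: ASAuthorizationRequest) {
        let controller = ASAuthorizationController(authorizationRequests: [request])
        controller.delegate = self
        controller.presentationContextProvider = self
        controller.performRequests()
    }
    func authorizationController(controller: ASAuthorizationController,
                                 didCompleteWithAuthorization authorization: ASAuthorization) {
        switch authorization.credential {
        case let reg as ASAuthorizationPlatformPublicKeyCredentialRegistration:
            sendToServer(["credentialID": reg.credentialID, "clientDataJSON": reg.rawClientDataJSON,
                          "attestationObject": reg.rawAttestationObject ?? Data()])
        case let assertion as ASAuthorizationPlatformPublicKeyCredentialAssertion:
            // The server checks challenge and origin in clientDataJSON, rpIdHash in authenticatorData, then the signature over authenticatorData || SHA-256(clientDataJSON).
            sendToServer(["credentialID": assertion.credentialID, "clientDataJSON": assertion.rawClientDataJSON,
                          "authenticatorData": assertion.rawAuthenticatorData, "signature": assertion.signature])
        default: break
        }
    }
    func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) {
        print("Passkey request failed: \(error.localizedDescription)")   // e.g. the user cancelled
    }
    func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor { anchor }
}
```

Every challenge must be freshly generated by the relying party per request and compared against the one echoed in clientDataJSON, otherwise a captured assertion could be replayed.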
Topics
Fundamentals
Connecting to a service with passkeys
Supporting passkeys
Supporting Security Key Authentication Using Physical Keys
Account registration
ASAuthorizationPublicKeyCredentialRegistration
ASAuthorizationPlatformPublicKeyCredentialRegistration
ASAuthorizationSecurityKeyPublicKeyCredentialRegistration
ASAuthorizationPublicKeyCredentialRegistrationRequest
ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest
ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest
Account authentication
ASAuthorizationPublicKeyCredentialAssertion
ASAuthorizationPlatformPublicKeyCredentialAssertion
ASAuthorizationSecurityKeyPublicKeyCredentialAssertion
ASAuthorizationPublicKeyCredentialAssertionRequest
ASAuthorizationPlatformPublicKeyCredentialAssertionRequest
ASAuthorizationSecurityKeyPublicKeyCredentialAssertionRequest
Credential providers
ASAuthorizationPlatformPublicKeyCredentialProvider
ASAuthorizationSecurityKeyPublicKeyCredentialProvider
Request configuration
ASPublicKeyCredential
ASAuthorizationPublicKeyCredentialParameters
ASCOSEAlgorithmIdentifier
ASCOSEEllipticCurveIdentifier
ASAuthorizationPublicKeyCredentialAttestationKind
ASAuthorizationPublicKeyCredentialResidentKeyPreference
ASAuthorizationPublicKeyCredentialUserVerificationPreference
ASAuthorizationPublicKeyCredentialDescriptor
ASAuthorizationPlatformPublicKeyCredentialDescriptor
ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor
ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.Transport
allSupported