
Passkeys in iOS 15

Learn how passkeys work on iOS 15. Discover the importance of Touch ID and Face ID for WebAuthn and device-bound passkeys on iOS 15.

Author: Vincent

Created: June 17, 2024

Updated: September 3, 2024


Our mission is to make the Internet a safer place, and passkeys, the new login standard, provide a superior way to achieve that. That's why we want to help you better understand passkeys and their characteristics.


1. Introduction: Passkeys on iOS 15

iOS 15, launched in September 2021, marked a significant milestone in Apple's ongoing efforts to enhance user authentication security. While WebAuthn support had already debuted in the iOS 14.5 update with support for external hardware security keys (e.g. YubiKeys), iOS 15 introduced a key development: the ability to create device-bound passkeys / WebAuthn credentials with a platform authenticator (Touch ID or Face ID). These single-device credentials set the stage for the more advanced, synced passkeys that were introduced in iOS 16. On iOS 15, though, synchronization could be activated by turning it on manually in developer mode.

For developers and product managers, understanding how passkeys operate on iOS 15 is crucial, especially if an online service supports a heterogeneous user base with devices ranging from older models that might be running iOS 15 to the latest ones.

This blog post analyzes the specifics of WebAuthn and passkeys on iOS 15, exploring how different configurations – such as having iCloud Keychain or Touch ID / Face ID turned on or off – affect the creation and usage of passkeys.

The goal is to help provide a seamless and secure passkey experience, today in the era of iOS 17 (and iOS 18 recently presented), for all users, regardless of the iOS version they are using.

2. Test Scenario: iPhone 7 with iOS 15.5

For our test scenario, we used an iPhone 7 running iOS 15.5. This device, equipped with a Touch ID sensor, provided the environment to evaluate the functionality of WebAuthn and device-bound passkeys on iOS 15.

To conduct our tests, we utilized passkeys-debugger.io and webauthn.io.


3. Touch ID / Face ID Needs To Be Set Up for Passkeys

One of the most critical settings for passkeys to function correctly on iOS 15 is the setup of Touch ID / Face ID. This requirement differs from iOS 16+, where reliance on just the iOS passcode might suffice. In iOS 15, solely relying on the passcode is insufficient for enabling passkeys and using platform authenticators.

  • Without Touch ID / Face ID: Users are limited to using hardware security keys (e.g. YubiKeys) and cross-platform authenticators.
  • With Touch ID / Face ID: Users can use passkeys and the underlying platform authenticator.

3.1 Touch ID / Face ID is Turned Off

When Touch ID / Face ID is turned off, our testing revealed significant limitations.

It’s only possible to create a WebAuthn credential on hardware security keys. We checked for the support of different Web Authentication API functions:

[Image: iOS 15 passkeys, Touch ID off]

3.2 Touch ID / Face ID is Turned On

Setting up Touch ID / Face ID unlocked device-bound passkeys on iOS 15. These were not synced, even though the iCloud Keychain was activated. The test for different Web Authentication API functions revealed the following:

[Image: iOS 15 passkeys, Touch ID on]

Setting attestation=direct in the PublicKeyCredentialCreationOptions provided an attestation statement from Apple. The corresponding AAGUID was f24a8e70-d0d3-f82c-2937-32523cc4de5a. This is quite different from iOS 16+, where attestation is not provided by Apple devices, no matter what the PublicKeyCredentialCreationOptions demand. In addition, the userPresent and userVerified flags were set to true, while backupEligible (BE) and backupStatus (BS) were set to false.
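The flags and AAGUID reported above live at fixed offsets in the authenticatorData returned by the authenticator. The following added example (not code from the original post) parses them in Node.js and classifies the credential by its BE/BS bits; the function names and the sample bytes are constructed for illustration, and only the AAGUID is taken from the test result above.

```javascript
// Added example: read the flags and AAGUID out of raw WebAuthn authenticatorData.
// Layout: rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE key]
const FLAG_BITS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

function formatAaguid(bytes) {
  const h = Buffer.from(bytes).toString("hex");
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20)].join("-");
}

function parseAuthenticatorData(authData) {
  if (!Buffer.isBuffer(authData) || authData.length < 37) {
    throw new Error("authenticatorData must be a Buffer of at least 37 bytes");
  }
  const flagByte = authData[32];
  const flags = {};
  for (const [name, mask] of Object.entries(FLAG_BITS)) flags[name] = (flagByte & mask) !== 0;
  // WebAuthn Level 3 forbids BS=1 when BE=0: a credential cannot be backed up without being eligible.
  if (flags.BS && !flags.BE) throw new Error("invalid flags: BS set while BE is clear");
  const parsed = { flags, signCount: authData.readUInt32BE(33), aaguid: null, credentialId: null };
  if (flags.AT) {
    if (authData.length < 55) throw new Error("AT set but attested credential data is truncated");
    parsed.aaguid = formatAaguid(authData.subarray(37, 53));
    const idLen = authData.readUInt16BE(53);
    if (authData.length < 55 + idLen) throw new Error("credential ID is truncated");
    parsed.credentialId = authData.subarray(55, 55 + idLen);
  }
  return parsed;
}

// Map BE/BS to the storage class the relying party should record for the credential.
function classifyCredential(parsed) {
  if (!parsed.flags.BE) return "device-bound";
  return parsed.flags.BS ? "synced" : "sync-eligible";
}

// Constructed sample (COSE public key omitted): dummy rpIdHash and credential ID,
// AAGUID taken from the post. 0x45 = UP|UV|AT, matching the iOS 15 result described above.
function buildSampleAuthData(flagByte) {
  const idLen = Buffer.alloc(2);
  idLen.writeUInt16BE(16);
  return Buffer.concat([
    Buffer.alloc(32, 0x11), Buffer.from([flagByte]), Buffer.alloc(4),
    Buffer.from("f24a8e70d0d3f82c293732523cc4de5a", "hex"), idLen, Buffer.alloc(16, 0xab),
  ]);
}

console.log(classifyCredential(parseAuthenticatorData(buildSampleAuthData(0x45)))); // device-bound
```

Storing the classification alongside the credential at registration lets the relying party treat device-bound credentials differently in recovery flows without relying on the user agent.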

Another core question now emerges: is the created passkey a discoverable credential / resident key or not? To test the discoverability of the credential on the iOS 15 device, we started a WebAuthn authentication ceremony without providing a username (and thus with an empty allowCredentials list returned in the PublicKeyCredentialRequestOptions), so that we could see if stored passkeys were suggested for login. The following list of passkeys was suggested, indicating that the passkeys are discoverable:

[Image: WebAuthn login with empty allowCredentials list]

WebAuthn credentials created using the platform authenticator (Touch ID, Face ID) in iOS 15 and earlier will not be converted to synced passkeys but will remain available as device-bound passkeys for the lifetime of the device.


4. Does the iCloud Keychain need to be enabled on iOS 15?

During our tests, we didn’t see any difference between the iCloud Keychain being enabled or disabled. In either case, the credential was a device-bound passkey (requiring activated Touch ID / Face ID) which was not synced (this could have been changed in the developer mode though).

5. Recommendation

Many developers and product managers might now face the question of how to handle iOS 15 devices when developing their passkey authentication solutions. From our extensive experience in the passkeys space, we recommend consistently checking the BE/BS flags or operating based on the iOS version (via user agent or client hints) to decide which approach to take:

Option A: Go for maximum passkey adoption

  • Test for platform authentication support via PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable().
  • If the check is true, proceed with passkeys, treating them like device-bound Windows 10 passkeys without Conditional UI support.
  • If the check is false, fall back to an alternative authentication method, as iOS 15 cannot be used as a CDA client.

Option B: Avoid user frustration at all costs

  • Recognize that passkeys on iOS 15 are never synced, posing issues in recovery scenarios.
  • Note that passkeys on iOS 15 cannot be stored in third-party password managers.
  • To avoid user frustration, consider falling back to other authentication methods instead of using device-bound passkeys from iOS 15.
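Options A and B can be expressed as one client-side decision, shown here as an added example that is not code from the original post. The function, policy and flow names are hypothetical, the user-agent strings are constructed, and the result of PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() is passed in as a boolean so the logic also runs outside a browser.

```javascript
// Added example: decide the login flow for a client, following Options A and B.
// Function, policy and flow names are hypothetical.
const LEGACY_IOS_MAX_MAJOR = 15; // iOS 15 and earlier: platform credentials stay device-bound

function parseIosMajor(userAgent) {
  // iPhone: "CPU iPhone OS 15_5 like Mac OS X"; iPad with mobile UA: "CPU OS 15_5 like Mac OS X"
  const m = /\bCPU (?:iPhone )?OS (\d+)(?:_\d+)* like Mac OS X/.exec(userAgent || "");
  return m ? Number(m[1]) : null;
}

// uvpaaAvailable is the resolved value of
// PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() in the browser
// (pass false when window.PublicKeyCredential is undefined).
function decideLoginFlow({ userAgent, uvpaaAvailable, policy }) {
  const iosMajor = parseIosMajor(userAgent);
  if (iosMajor === null || iosMajor > LEGACY_IOS_MAX_MAJOR) {
    return { flow: "standard", iosMajor }; // not an iOS 15 case: use the site's normal flow
  }
  if (policy === "avoid-frustration") {
    // Option B: no sync and no third-party password managers, so skip device-bound passkeys.
    return { flow: "fallback", iosMajor, reason: "device-bound passkeys disabled by policy" };
  }
  if (policy !== "max-adoption") throw new Error(`unknown policy: ${policy}`);
  // Option A: offer passkeys only when a user-verifying platform authenticator is available.
  return uvpaaAvailable
    ? { flow: "device-bound-passkey", iosMajor, conditionalUi: false }
    : { flow: "fallback", iosMajor, reason: "no platform authenticator available" };
}

// Constructed user-agent strings for the demonstration.
const UA_IPHONE_15 = "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 " +
  "(KHTML, like Gecko) Version/15.5 Mobile/15E148 Safari/604.1";
const UA_IPHONE_17 = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 " +
  "(KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1";

console.log(decideLoginFlow({ userAgent: UA_IPHONE_15, uvpaaAvailable: true, policy: "max-adoption" }));
```

Safari on iPadOS requests desktop sites by default and then sends a Macintosh user agent, so a user-agent check can miss iPads; the BE/BS flags returned at registration remain the authoritative signal.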

Overall, this decision is not critical given the low market share of iOS 15, which stood at only 5% in Q1 2024. However, it is essential to be aware of this complexity and manage it accordingly to maintain a smooth user experience.

6. Conclusion

Understanding the special characteristics of WebAuthn credentials / passkeys on iOS 15 is important for developers and product managers aiming to provide a seamless user experience across various devices.

Our tests with an iPhone 7 running iOS 15.5 revealed that setting up Touch ID is crucial for enabling device-bound passkeys and getting support for platform authenticators. Without Touch ID / Face ID, users are restricted to hardware security keys / cross-platform authenticators. These insights help ensure robust and secure authentication flows, even for users on older iOS versions.
