Hi everyone — I’m developing an iOS passkey/password manager where the private key material must be stored on a physical device (NFC card / USB token). I’m hitting a hard limitation: CoreNFC is not available for use from app extensions, which prevents an appex (e.g. password/credential provider or other extension) from talking directly to an NFC card during an authentication flow.  My questions: 1. Is there any plan to make CoreNFC (or some limited NFC-API) available to app extensions in a future iOS version? If not, could Apple clarify why (security/entitlements/architecture reasons)? 2. Are there any recommended/approved workarounds for a passkey manager extension that needs to access a physical NFC token during authentication? (For example: background tag reading that launches the containing app, or some entitlement for secure NFC card sessions.) I’ve read about background tag reading, but that seems to be about system/OS handling of tags rather than giving extensions direct NFC access.  3. Is the only supported pattern for my use case to have the containing app perform NFC operations and then share secrets with the extension via App Groups / Keychain Sharing / custom URL flow? (I’m already evaluating App Groups / Keychain access groups for secure sharing, but I’d like official guidance.)  Implementation details that may help responders: • Target: iOS (latest SDK), building a Credential Provider / password manager extension (appex). • Intended physical token: NFC smartcard / ISO7816 contactless (so CoreNFC APIs like NFCISO7816Tag would be ideal). • Security goals: private key never leaves the physical token; extension should be able to trigger/sign during a browser/app AutoFill flow. Possible alternatives I’m considering (open to feedback): designing the UX so that the extension opens the main app (only possible for Today widget in a supported way) which runs the NFC flow and stores/returns a short-lived assertion to the extension. Are any of these patterns sanctioned / recommended by Apple for credential providers?  Thanks — any pointers to docs, entitlement names, or example apps/samples would be extremely helpful.

I have an iOS/iPadOS app and 'm trying to communicate with usb smart card reader using CryptoTokenKit on all platforms (ios/ipados/macos). Minimal Repro Code import CryptoTokenKit import SwiftUI struct ContentView: View { @State var status = "" var body: some View { VStack { Text("Status: \(status)") } .padding() .onAppear { let manager = TKSmartCardSlotManager.default if manager != nil { status = "Initialized" } else { status = "Unsupported" } } } } And my entitlement file has only one key: com.apple.security.smartcard = YES Behavior • iPadOS (on device): status = "Initialized" ✅ • macOS (native macOS app, with the required CryptoTokenKit entitlement): status = "Initialized" ✅ • macOS (Designed for iPad, regardless of CryptoTokenKit entitlement): status = "Unsupported" → TKSmartCardSlotManager.default is nil ❌ Expectation Given that the same iPadOS build initializes TKSmartCardSlotManager, I expected the iPad app running in Designed for iPad mode on Apple silicon Mac to behave the same (or to have a documented limitation). Questions Is CryptoTokenKit (and specifically TKSmartCardSlotManager) supported for iPad apps running on Mac in Designed for iPad mode? If support exists, what entitlements / capabilities are required for USB smart-card access in this configuration? If not supported, is Mac Catalyst the correct/only path on macOS to access USB smart-card readers via CryptoTokenKit? Are there recommended alternatives for iPad apps on Mac (Designed for iPad) to communicate with USB smart-card readers (e.g., ExternalAccessory, DriverKit, etc.), or is this scenario intentionally unsupported? Thanks!