Many thx to Garrett Davidson for his exceptional WWDC2022 presentation: https://developer.apple.com/videos/play/wwdc2022/10092/
Basic question, how is the the private key for a passkey stored on a local device (let's say within the Edge or Chrome browser)? Is it in an encrypted cookie? If so, how is the local encryption done?
Thank you!
The private keys are stored in the user's iCloud Keychain. They are never exposed to any application, including the web browser. Applications only receive the signed challenge, not the private key, when authenticating with a passkey. We have more details about the security properties of iCloud Keychain in About the security of passkeys and the annual Platform Security Guide.
Thx for the fast reply.
If I have some users with iPhones and some users with Android phones, how do the Android users access the iCloud?
There must be something in the browser like a credential reference that correlates to the user's private key in the iCoud, right?
Are credentials device specific, like in FIDO's WebAuthn? How are credentials securely provissioned, inititially?
How are keys provisioned on new devices?
Is there a link to the collection of technical documents? I am looking for a flow chart.
There is not a lot about passkeys here: Learn more about Apple ID security and iCloud Keychain security in the Platform Security Guide https://support.apple.com/en-us/HT213305
Thx again for your help!
After reading, About the security of passkeys, I am confused.
The article states, "iCloud Keychain is end-to-end encrypted with strong cryptographic keys not known to Apple..."
How does Apple access and utilize the private key for signature purposes?
OK. After reading, Escrow security for iCloud Keychain, I think I have a better understanding.
The iCloud Keychain is offline storage of the user's security data and is only used to restore the user's private keys on his/her devices.
"To recover a keychain, users must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. After this is done, users must enter their iCloud security code."
The HSM cluster verifies the data the user entered and then returns the escrow record, which is the iCloud Keychain data.
" Next, the device uses the iCloud security code to unwrap the random keys used to encrypt the user’s keychain. With that key, the keychain—retrieved from iCloud key-value storage and CloudKit—is decrypted and restored onto the device."