Hi! Is it possible to disable the option for users to 'Sign in with Another Device'? I encounter this message during the authentication process and I want to prevent it from appearing. I appreciate your help and look forward to your response.

I have been able to save and remove ASPasskeyCredentialIdentities in the ASCredentialIdentityStore. But after saving a ASPasskeyCredentialIdentity, when I retrieve the current identities stored, it always returns an empty list. I check to make sure the store is enabled. I am using this method which is available starting with iOS 17.4: extension ASCredentialIdentityStore { public func credentialIdentities(forService serviceIdentifier: ASCredentialServiceIdentifier? = nil, credentialIdentityTypes: ASCredentialIdentityStore.IdentityTypes = []) async -> [any ASCredentialIdentity] } I have called it like this: store.credentialIdentities(forService: nil, credentialIdentityTypes: .passkey) And this: store.credentialIdentities() Has anyone got this to work?

Hi Apple Team and Community, We've encountered a sudden and widespread failure with the App Attest service starting today across multiple production apps and regions. The previously working implementation is now consistently returning the following error on iOS: The operation couldn’t be completed. (com.apple.devicecheck.error error 4.) (serverUnavailable) Despite the green status on Apple’s System Status page, this appears to be a backend issue—possibly infrastructure or DNS-related. Notably: The issue affects multiple apps. It is reproducible across different geographies. No code changes were made recently to the attestation logic. We previously reported a similar concern in this thread: App Attest Attestation Failing, but this new occurrence seems unrelated to any client-side cause. Update: An Apple engineer in this thread(https://developer.apple.com/forums/thread/782987) confirmed that the issue was due to a temporary DNS problem and has now been resolved. Can anyone else confirm seeing this today? Any insights from Apple would be appreciated to ensure continued stability. Thanks!

I'm using aws cognito for authentication in my app, and added the "Sign in with apple" identity provider. Not working at all by displaying "Sign Up Not Completed" error. I am using custom domain in cognito.. I tried recreating the Private Key, and also recreating the Service Identifier. Nothing helped. Anyone experiencing anything like this?

Since around March 4, 2025 off and on, we've been receiving 500 errors back from the validate_device_token endpoint on development and production. Today (March 6) we are constantly getting 500 error back. https://api.development.devicecheck.apple.com/v1/validate_device_token This was working previously before then. No change has happened on our end since then. This is a critical piece for our infrastructure. Thanks in advance. -Matt

Hi! We are developing an authentication plugin for macOS that integrates with the system's authentication flow. The plugin is designed to prompt the user for approval via a push notification in our app before allowing access. The plugin is added as the first mechanism in the authenticate rule, followed by the default builtin:authenticate as a fallback. When the system requests authentication (e.g., during screen unlock), our plugin successfully displays the custom UI and sends a push notification to the user's device. However, I've encountered the following issue: If the user does not approve the push notification within ~30 seconds, the system resets the screen lock (expected behavior). If the user approves the push notification within approximately 30 seconds but doesn’t start entering their password before the timeout expires, the system still resets the screen lock before they can enter their password, effectively canceling the session. What I've Tried: Attempted to imitate mouse movement after the push button was clicked to keep the session active. Created a display sleep prevention assertion using IOKit to prevent the screen from turning off. Used the caffeinate command to keep the display and system awake. Tried setting the result as allow for the authorization request and passing an empty password to prevent the display from turning off. I also checked the system logs when this issue occurred and found the following messages: ___loginwindow: -[LWScreenLock (Private) askForPasswordSecAgent] | localUser = >timeout loginwindow: -[LWScreenLock handleUnlockResult:] _block_invoke | ERROR: Unexpected _lockRequestedBy of:7 sleeping screen loginwindow: SleepDisplay | enter powerd: Process (loginwindow) is requesting display idle___ These messages suggest that the loginwindow process encounters a timeout condition, followed by the display entering sleep mode. Despite my attempts to prevent this behavior, the screen lock still resets prematurely. Questions: Is there a documented (or undocumented) system timeout for the entire authentication flow during screen unlock that I cannot override? Are there any strategies for pausing or extending the authentication timeout to allow for complex authentication flows like push notifications? Any guidance or insights would be greatly appreciated. Thank you!

Seeing the following error when attempting automatic passkey upgrade - [Warning] NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission. We're trying to enable Automatic passkey upgrade (https://developer.apple.com/videos/play/wwdc2024/10125/?time=38) for our website but it's not working from our testing on iOS 18.2 and 18.3 Beta Safari. The flow on our website looks like: the customers use autofill to fill out email and password on the sign-in page (abc.com/signin) PublicKeyCredential.getClientCapabilities is called to check if conditionalCreate supported. land on another page of our website (abc.com/pageX), which calls navigator.credentials.create with mediation conditional (Right after sign-in). We checked that we followed the steps in above video: Allow automatic passkey upgrades is enabled, mediation is set to conditional and password autofill is used to signed in. However, Safari threw an error [Warning] NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission. Can Apple help guide us if anything is missed here?

Hello everyone, I'm working on a project where I intend to use Secure Enclave-based, device-bound private keys within a Webauthn flow. I have the following question: Is it possible to generate private keys in the Secure Enclave with integrated attestation in order to reliably prove to a relying party the authenticity and uncompromised state of the key? If so, I would appreciate details on the implementation—specifically, any prerequisites, limitations, or particular API calls and configuration options that need to be considered. I look forward to any advice, best practices, or pointers to further documentation on this topic. Thank you in advance for your support! Best regards, Alex

The Passwords App is accessing websites found in the ASCredentialIdentityStore associated with a 3rd Party password management app (SamuraiSafe). This behaviour appears to be associated with looking up website favicons in order to display in Passwords. However the websites contacted are not stored in the Passwords App/iCloud KeyChain - only the 3rd Party password management app (SamuraiSafe). This is effectively leaking website information stored in the 3rd Party password management app. I first noticed this behaviour on macOS, and it appears to happen every 8 days. Today it was seen on iOS. The behaviour is revealed through the App Privacy Report on iOS (and LittleSnitch on macOS). I would not be surprised to see the Passwords App do this for websites saved in the Passwords App/iCloud KeyChain, however I believe it should not be arbitrarily testing every website found in the ASCredentialIdentityStore as reference to that website url should be entirely under the control of the end user. See attached screenshots from App Privacy Report. Filed bug with Apple: FB16682423

Hey all, Question for the masses.... Does the Yubikey authentication have a OS dependency and it only works with a stable, public OS? Does Azure/Okta/Yubikey beta OS26? My CEO installed iPadOS 26 on his iPad and was not able to authenticate via Yubikey into our company environment. I ran the same scenario on my iPad using iPadOS 26 and I had the same results. Downgrading to iPAdOS doesn't pose these issues. I'm assuming something isn't fine-tuned yet?

I’m having an issue with my Credential Provider Extension for passkey registration. On the browser I click on registration, in IOS i can select my App for passkey registration with a continue button. Wenn I click the continue button the prepareInterface(forPasskeyRegistration:) function is called but the MainInterface is not shown —it only appears when I click the continue button a second time. Here’s a simplified version of my prepareInterface method: override func prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest) { guard let request = registrationRequest as? ASPasskeyCredentialRequest, let identity = request.credentialIdentity as? ASPasskeyCredentialIdentity else { extensionContext.cancelRequest(withError: ASExtensionError(.failed)) return } self.identity = identity self.request = request log.info("prepareInterface called successfully") } In viewDidAppear, I trigger FaceID authentication and complete the registration process if register is true. However, the UI only shows after a second “Continue” tap. Has anyone encountered this behavior or have suggestions on how to ensure the UI appears immediately after prepareInterface is called? Could it be a timing or lifecycle issue with the extension context? Thanks for any insights!

I'm looking for confirmation on the security aspects of fdesetup authrestart when used on a FileVault-enabled Mac. As I understand it, this command temporarily stores the decryption key in memory to allow the system to restart without requiring manual entry of the FileVault password. However, I have a few security-related concerns: Storage of the Decryption Key: Where exactly is the key stored during an authenticated restart? Is it protected within the Secure Enclave (for Apple Silicon Macs) or the T2 Security Chip on Intel Macs? Key Lifetime & Wiping: At what point is the decryption key erased from memory? Does it persist in any form after the system has fully rebooted? Protection Against Physical Attacks: If an attacker gains physical access to the machine before the restart completes, is there any possibility that they could extract the decryption key from memory? Cold Boot Attack Resistance: Is there any risk that advanced forensic techniques (such as freezing RAM to retain data) could be used to recover the decryption key after issuing an authenticated restart? Malware Resistance: Could a compromised system (e.g., root access by an attacker) intercept or misuse the decryption key before the restart? I understand that on Apple Silicon and T2-equipped Macs, FileVault keys are tied to hardware-based encryption, making unauthorized access difficult. However, I'd like to confirm whether Authenticated Restart introduces any new risks compared to a standard FileVault-enabled boot process.

I’m trying to update the Domains and Redirects section for my Services ID configuration in Apple Developer (for Sign in with Apple). When I add new domains and click Save, nothing happens. In the browser console, I see a network request that fails with: PATCH not supported What I’ve tried so far: Logging out/in and refreshing the page Clearing browser cache and cookies Trying in Safari, Chrome, and incognito mode Verifying domain formatting (HTTPS, no trailing slash, domain is live) The issue persists in all browsers I’ve tested. Request: Is this a known issue with the Developer portal, or is there an alternative method to update my Services ID domains? Any guidance would be appreciated. Thanks,

Recently, we received an user enquiry regarding the inability to perform bookings for the app. After investigation, we found that the issue appears to be caused by the failure of the Apple DeviceCheck service. Based on our checks, approximately 0.01% of requests fail each day (e.g., on 26 June: 6 failures out of 44,544 requests) when using Apple DeviceCheck. Could you please assist in raising the following enquiries with Apple Support? What is the typical failure rate of Apple DeviceCheck? Are there any reliability metrics or benchmarks for its performance? How can the failures be prevented, or is there a recommended retry mechanism to handle such failures? Does the iOS version affect the performance or reliability of Apple DeviceCheck? Are there known issues or limitations with specific iOS versions? How long does the token remain valid, and when should a new one be retrieved? Does using a jailbroken device affect the functionality of Apple DeviceCheck?

I have something with a new individual on my team I've never seen before. They checked out our code repository from git and now anytime they try to open a .json file that is legitimately just a text file, GateKeeper tells them it cannot verify the integrity of this file and offers to have them throw this file away. I've seen this with binaries, and that makes sense. I removed the com.apple.quarantine extended attribute from all executable files in our source tree, but I've never seen GateKeeper prompt on text files. I could remove the extended attribute from all files in our source tree, but I fear the next time he pulls from git he'll get new ones flagged. Is there someway around this? I've never personally seen GateKeeper blocking text files.

Hi folks We have a Developer ID Application which we create using electron. We made our last release for our Application on Nov'24 which was correctly working. Using the same code, we tried creating a notarized application again which started showing the following error while opening our Application. Monterey- M2- When we directly run the dmg on the dev machine, it does not give us the prompt. But if we download it from somewhere and run, the prompt comes up even in dev machine. We executed some commands to verify the notarization: 1- spctl --assess -vv /Applications/Refresh\ Pro.app On both dev machine and non-dev machine, the output was "accepted" /Applications/Refresh Pro.app: accepted source=Notarized Developer ID origin=Developer ID Application: Prograde Digital Incorporated (*******) 2- xcrun stapler validate /Applications/Refresh\ Pro.app On dev machine, we executed this command and the output is as follows. Processing: /Applications/Refresh Pro.app The validate action worked! 3- codesign -vvv --deep --strict /Applications/Refresh\ Pro.app/ /Applications/Refresh Pro.app: valid on disk /Applications/Refresh Pro.app: satisfies its Designated Requirement We have created a bug attaching the dmg. Please suggest anything we can try to make the release out the door. Bug link- https://feedbackassistant.apple.com/feedback/16811025

Hello everyone, In my application, i have implemented authentication using ASWebauthenticationSession. However, when redirecting the user to a WKWebView, no cookies are shared, causing the session to be lost and requiring the user to log in again. Is there a way to share cookies between the two? If not, what would be the best approach to set up authentication that ensures SSO when switching to a WebView ? Thank you very much for your help !

We are currently trying to fix a bug when using SignIn with Apple. It appears that on some occasions we are not receiving a user's profile info (name, email) when a new account is created. After doing some investigation we believe this bug is due to the same Apple login being used as an already deleted account. ASF only appears to send profile info the very first time an Apple login is used. If that account is deleted and another is created with the same apple login we won't receive the profile info. As a result we are not in compliance with Apple's guidelines requiring that we use the provided profile info with Apple SigIn, and need to prompt users to enter it again. Is there a process in place to properly "clear" a user after their account is deleted in our system, so that the next time a user creates an account with the same Apple login, we receive their profile info again?

Since release of 18.4. prepareInterfaceToProvideCredential .oneTimeCode case is not called and instead prepareInterfaceForUserChoosingTextToInsert() is called. That is the wrong delegate for this case and it causes confusion for the users. Also, some TOTP fields are recognised however, the key icon button is not presented above the keyboard next to TOTP suggestions. I've also tested 18.5 and it has the same issue. provideOneTimeCodeWithoutUserInteraction works just fine.

Our app uses Sign in with Apple. In recent weeks (or months), we've noticed that emails sent to @privaterelay.appleid.com addresses are not being delivered. We're not receiving any bouncebacks or error messages from the mail server, but the emails never reach the user's mailbox. We've also checked spam folders, with no luck. We have verified that our Email Sources are configured correctly in Apple Developer settings. Is there any way to debug or trace what might be happening with these messages? Thanks in advance!