DEV Community: Authsignal

Passkey iOS SDK - Authsignal

Authsignal — Wed, 30 Aug 2023 21:38:13 +0000

What are passkeys?

iCloud Keychain's public key credentials power Passkeys, making passwords obsolete. They utilize biometric verifications like Touch ID and Face ID on iOS, or a distinct confirmation on macOS to generate and authenticate accounts.

When acting as the authenticator, your Apple device produces a distinct public-private key duo for each account established on a platform. The device keeps the private key while sending the public key to the server, referred to as the relying party.

Authsignal passkeys solution provides a back-end server also known as a WebAuthn server that facilitates the lifecycle of passkey management, check out this blog post that talks through the details implementing passkeys.

Now to the iOS implementation.

iOS passkeys prerequisites

There are certain prerequisites in the iOS ecosystem that you need to ensure are setup before implementation, we list the following

Passkeys are compatible with iOS 15 and later versions, and they synchronize through iCloud Keychain. For Autofill functionality, iOS 16 or higher is necessary.

To use passkeys you must first setup an associated domain with the webcredentials service type.

Host an apple-app-site-association file on the domain that matches your relying party:

GET https://<yourrelyingparty>/.well-known/apple-app-site-association

The response JSON should look something like this:

{
 "applinks": {},
 "webcredentials": {
     "apps": ["ABCDE12345.com.example.app"]
 },
 "appclips": {}
}

where ABCDE12345 is your team id and com.example.app is your bundle identifier.

In XCode under "Signing & Capabilities" add a webcredentials entry for your domain / relying party e.g. example.com:

Installation

Authsignal iOS Passkey GitHub Repository

Cocoapods

Add the Authsignal cocoapod to your Podfile:

pod 'Authsignal', '~> 0.1.10'

Swift Package Manager

Add authsignal-ios to the dependencies value of your Package.swift.

dependencies: [
    .package(url: "https://github.com/authsignal/authsignal-ios.git", .upToNextMajor(from: "0.1.10"))
]

Registering a new passkey

Check out this youtube video of the iOS passkey registration flow

To register a new passkey, you first need to request a token via track. If the user is new, create a record for them in your own DB and pass their ID to Authsignal server-side to get a token, which can then be passed to the iOS SDK along with their username.

let result = await authsignal.passkey.signUp(token: initialToken, userName: userName)

if let error = result.error {
    print(error)
} else if let resultToken = result.data {
    // Pass this short-lived result token to your backend to validate that passkey registration succeeded
}

Checkout the following for more steps on how to implement a passkey sign in flow, and the passkey autofill flow.

That's it, easy.

React Native Passkeys SDK

Authsignal — Thu, 13 Jul 2023 02:05:35 +0000

Wanting to implement passkeys in React Native? Authsignal has just released our React Native SDK and documentation to help you implement passkeys.

Accompanying our React Native SDK is our Android and iOS SDK.

Introducing Authsignal

Authsignal — Wed, 13 Jul 2022 05:06:22 +0000

👋 My name is Justin, On my first day of my last job, I walked into my office hoping to be greeted with high fives and fist pumps after my company's first big fund raise.

I got the opposite, I walked into a burning fire 🔥 where my company (FinTech) didn't realize that they had been credential stuffed for 3 months straight! Just as I was walking through the door, they were facing the onslaught of account take overs. I spent the next 3 years learning about the world of scales ups and how it creates a big target for fraud.

🚫 Problem

It was very hard to observe fraud within your platform, there was no Google analytics for fraud, there were disparate reporting tools, a team of people who can write SQL, and two weeks later you have some insight on your risk. A little too late.
If you were able to observe your risk, great! Your next move is to defend against the adversarial nature of fraud actors. You do this through implementing risk controls and risk management. Risk and ops quickly turned into "if" statements littered through the code base and our teams were tasked with constant requirements to tweak and modify parameters and rules, it was a resource drain and didn't empower business users. We found many platforms with the same problem.
The last thing on the list to think about, and typically the most overlooked is the User Experience, after spending so much time on problem 1 and 2, most companies leave this to last and give a sub par experience for good customers, blocks, customer support wait times, frustrating conversations with support reps to verify who you are over email. Meanwhile cyber criminals exploit this knowing the more chaos they wreck into your system the more good customers get impacted.

✅ Solution
Authsignal.com is a suite of tools for platforms to observe fraud risk in their systems in near real time, make operational adjustments to how they manage risk via a no code rules engine, and passwordless authenticator flows that can be used to step up customers or to sign transactions, all through a single API call, augmentable into your current stack, with no additional vendors/sales people to talk to.

Authsignal solves a fragmented ecosystem of solutions through great Developer Experience (DX) via a lightning fast integration and out of the box Fraud Ops best practices so you don't have to do the heavy lifting.

🚀 Vision
A Fraud Ops operating system, delivering delightful trust and safety for customers.