-4

Is it possible to implement CTAP 2.2's hybrid transport in an iOS app? Currently, it seems the iPhone's Camera app has already implemented it, whereby it scans a QR code prompted by the client platform (Chrome browser), decodes it into CBOR2 and advertises over BLE before establishing a tunnel connection.

Is there a way similar functionality can be implemented in a custom app? In a way, it also means that the platforms (Android and iOS) are ahead of the spec (CTAP 2.2 is still in draft). Does that mean that even if it is possible to do so, app stores will reject the app during review?

letsbondiway

1 Answer

3

A hybrid authenticator implementation should be handled by the system, rather than individual apps. Instead, apps can (in iOS 17 and Android 14) provide passkeys into the system. That way those passkeys can be options after the user scans the QR code, but so can the usual passkeys.

With Android 14, apps can be a passkey provider via the CredMan API. (Although the documentation is rather geared towards apps that want to consume rather than provide passkeys, the latter is possible.)

In iOS 17, the same API that allows apps to be password providers on previous versions of iOS has been extended to support passkeys too. You'll have to dig around in the ASAuthenticationServices framework since I don't think there's any WWDC session about this.

agl