Security of userID in Apple passkeys — how exposed is it?

I'm considering storing some sensitive information in the userID field of a passkey, as described in the createCredentialRegistrationRequest method (link to method).

I'm aware of the largeBlob extension introduced in iOS 17+, but it doesn't meet my needs since I want to create a cross-platform passkey that can be used across various devices — and currently, not many devices support the largeBlob extension.

According to W3C documentation, the userID field is not considered private information and can be displayed to the user without requiring a verification process. Based on my understanding, it's also not encrypted, which means it might be accessible with physical access to the device.

So here are my questions:

  1. How do Apple devices (especially iPhones) handle the userID field in their authenticators?
  2. Is it possible to access the userID without user verification, as permitted by the W3C specification?
  3. Are there any alternative methods to access the userID value stored in a passkey on Apple devices?

As you mentioned, the WebAuthn spec explicitly states that the userID field should not be used for private or personally identifiable information. As such, Apple doesn't make any guarantees that this data is kept private from someone with access to the device.

What you might be looking for is the prf WebAuthn extension. This extension lets you generate a pseudo-random value from a given input, when signing in with a passkey. One of the example use cases described there is to use the output value as an encryption key for user data.

Our API for the prf extension is here.
