Chrome nettleser, Nyheter

Chrome starts supporting passkeys on iCloud Keychain on macOS

04 okt

Passkeys are a safer and more user friendly alternative to passwords. They
enable users to sign in to apps and websites by unlocking their device
screen–with a biometric sensor (such as a fingerprint or facial recognition),
PIN, or a pattern. With passkeys, users no longer need to remember and manage
passwords. Passkeys are already supported in Chrome across many operating
systems.

Until today, passkeys created on macOS were only stored locally in the user’s
Chrome profile. They were
not synchronized, even when they were discoverable credentials.

Chrome's passkey dialog to create a new passkey. The passkey will be saved to Chrome profile locally.
Chrome’s passkey dialog to create a new passkey. The passkey will be saved to Chrome profile locally.

Starting in Chrome 118, on macOS 13.5 or later, users will have the option
to save passkeys in, and use them from, iCloud Keychain. Passkeys stored in
iCloud Keychain are synchronized across the Apple ecosystem.

How iCloud Keychain is supported in Chrome

There are no changes required from developers to align their passkey
implementation with iCloud Keychain. The API behaviors on Safari and Chrome with
iCloud Keychain are identical. Users on Chrome 118 and later on macOS 13.5 or
later will see the following changes:

Registration

When creating a new passkey, macOS’s system user verification dialog appears.
This dialog is the same as Safari’s.

macOS's system user verification dialog that asks for Touch ID to create a new passkey.
macOS’s system user verification dialog that asks for Touch ID to create a new passkey.

The UI varies depending on the supported user verification method on the device
such as Apple Watch, Touch ID or a system password. When the user verifies their
identity, a new passkey is created and saved to iCloud Keychain.

iCloud Keychain synchronizes the saved passkey to other Apple devices that run
macOS, iOS or iPadOS where the user is signed in using the same iCloud account,
so that they can use the passkey to sign in to the websites and apps.

Passkeys stored in iCloud Keychain are available to different browsers as well.
For example, a passkey created on Safari can be available in Chrome on macOS and
vice versa.

Authentication

Users can also sign in to your website using the passkey stored in iCloud Keychain.

macOS's system user verification dialog that asks for Touch ID to sign in with a passkey saved to iCloud Keychain.
macOS’s system user verification dialog that asks for Touch ID to sign in with a passkey saved to iCloud Keychain.

Note that passkeys stored to the Chrome profile previously continue to be
available, but ones stored to iCloud Keychain are prioritized. If only a
passkey from Chrome profile is available, it will be used to authenticate the
user.

Chrome's passkey dialog to sign in with a passkey saved to Chrome profile.
Chrome’s passkey dialog to sign in with a passkey saved to Chrome profile.

If authentication is requested using form autofill (conditional UI), passkeys
from iCloud Keychain are listed as part of the autofill suggestions if the user
has granted Chrome the necessary permission. If there are passkeys stored in the
Chrome profile, they are suggested too.

Form autofill suggests passkeys from both iCloud Keychain and the Chrome profile.
Form autofill suggests passkeys from both iCloud Keychain and the Chrome profile.

Saving passkeys to Chrome profile

Even with iCloud Keychain support, users can choose to save passkeys to their
Chrome profile by default .

  1. In Chrome, visit chrome://password-manager/settings
  2. Turn off the Use passkeys across your Apple devices toggle to explicitly
    store passkeys to the Chrome profile by default.
The user can choose to store passkeys to Chrome profile (only available locally and will not sync).
The user can choose to store passkeys to Chrome profile (only available locally and will not sync).

Users can also cancel the macOS’s user verification dialog and choose iCloud
Keychain or Chrome profile to save a new passkey.

If the user cancels the dialog, Chrome asks to choose how to create a passkey.
If the user cancels the dialog, Chrome asks to choose how to create a passkey.

On macOS 13.4 or earlier, all passkeys created on Chrome on macOS are stored to
the Chrome profile locally
by default and they are not synchronized across devices. The stored passkeys are
visible to the user from chrome://settings/passkeys.

Even on macOS 13.5 or later, passkeys are stored to Chrome profile if the user
is not signed into iCloud Drive.

Distinguishing the origin of a passkey

Again, there are no changes required from developers to align their passkey
implementation with iCloud Keychain. The API behavior between Chrome profile and
iCloud Keychain are already identical.

Relying parties can find out the origin of a passkey and distinguish whether it’s
been created on iCloud Keychain or on Chrome profile, by looking at the
AAGUID (an identifier indicating the
type of the authenticator) in the credential’s authenticator
data.

The AAGUID of a passkey created in Chrome profile is:
adce0002-35bc-c60a-648b-0b25f1f05503. In iCloud Keychain it is:
00000000-0000-0000-0000-000000000000 as of September 2023. You can find known
AAGUIDs in the crowd sourced AAGUID repository.

iCloud Keychain activation

Users must grant Chrome the permission to use iCloud Keychain on macOS the
first time they try.

If a user tries to use iCloud Keychain passkeys but is not signed into iCloud
or does not have iCloud Keychain syncing enabled, they are directed to System
Settings.

A dialog shown when iCloud Keychain is not enabled on the user's macOS.
A dialog shown when iCloud Keychain is not enabled on the user’s macOS.

Learn more

Photo by Aarón Blanco Tejedor on Unsplash

This post is also available in: English

author-avatar

About Aksel Lian

En selvstendig full stack webutvikler med en bred variasjon av kunnskaper herunder SEO, CMS, Webfotografi, Webutvikling inkl. kodespråk..

Newer October 2023 Spam Update
Older What’s New in WebGPU (Chrome 118)