Add strong authentication with Passkeys to your native iOS application, while providing a native experience. This describes how to use our iOS SDK to register credentials and use them to authenticate for login and transaction approval scenarios. For transaction approval flows, transactions are signed per PSD2.0 SCA.
This SDK implements Apple's public-private key authentication for passkeys. It allows you to add FIDO2-based biometric authentication to your iOS app, while providing your users a native experience instead of a browser-based one.
With passkeys, credentials are securely stored by the device in the iCloud keychain. These credentials must be associated with your domain, so they can be shared between your mobile app and your website (if you have one). The Transmit iOS SDK also cryptographically binds the credentials to the device itself, which ensures that it can only be used by the device that registered it.
The SDK offers many advantages over the APIs, including:
- Orchestration functionality to support decisions and complex flows
- Client-side WebAuthn calls, along with data processing before and after
- Stores local state, including registration status of devices, known users, etc.
- Simplifies all calls to the Transmit Service, reducing unnecessarily complexity
- Automatically handles tracking of cross-device flows, using simple event handlers
The requirements for passkey authentication include:
- iOS 15.0+ (or iOS 16.0+ for passkeys)
- Xcode 13.0+ (or Xcode 14.0+ for passkeys)
- Device with registered biometrics (e.g., FaceID or TouchID)
- Device registered with the user's Apple ID
- Device with iCloud KeyChain turned on
To integrate with Transmit, you'll need to configure an application. From the Applications page, create a new application or use an existing one. From the application settings:
- For Client type, select native
- For Redirect URI, enter your website URL. This is a mandatory field, but it isn't used for this flow.
- Obtain your client ID and secret for API calls, which are auto-generated upon app creation.
From the Authentication page, configure the WebAuthn login method for your application (whose name is shown at the top of the page in the drop-down list):
-
For WebAuthn RP ID, add your website's full domain (e.g., www.example.com). This is the domain that will be associated with your credentials in Step 3.
-
For WebAuthn RP Origin, use https://YOUR_DOMAIN, where YOUR_DOMAIN is your website's domain that you configured as the RP ID (e.g., https://www.example.com). This is the origin that will be provided when requesting registration and authentication with passkey credentials.
In order to support passkeys, Apple requires having a domain associated with the relevant credential type (as noted here). This is done by adding the associated domain file to your website, and the appropriate entitlement in your app.
To use Apple's sample code project, follow these steps. The domain should be set to your domain, and match the WebAuthn RP ID configured in Step 2. To learn more about associated domains, click here.
CocoaPods is a dependency manager for Cocoa projects. For usage and installation instructions, visit their website. To integrate TSAuthenticationSDK into your Xcode project using CocoaPods, specify it in your Podfile
:
pod 'TSAuthenticationSDK', '~> 1.0.0'
The Swift Package Manager is a tool for automating the distribution of Swift code and is integrated into the swift
compiler. It is in early development, but TSAuthenticationSDK does support its use on supported platforms.
Once you have your Swift package set up, adding TSAuthenticationSDK as a dependency is as easy as adding it to the dependencies
value of your Package.swift
.
dependencies: [
.package(url: "https://github.com/TransmitSecurity/authentication-ios-sdk", .upToNextMajor(from: "1.0.0"))
]
If you prefer not to use any of the aforementioned dependency managers, you can integrate TSAuthenticationSDK into your project manually.
-
Download the TSAuthenticationSDK framework manullay, open the new
TSAuthenticationSDK
folder, and drag theTSAuthenticationSDK.xcframework
into the Project Frameworks directory of your application's Xcode project. -
And that's it!
The
TSAuthenticationSDK.framework
is automagically added as a target dependency, linked framework and embedded framework in a copy files build phase which is all you need to build on the simulator and a device.
let config = TSConfiguration()
config.domain = "YOUR_DOMAIN"
TSAuthentication.shared.initialize(baseUrl: "https://webauthn.identity.security/v1",
clientId: "CLIENT_ID", configuration: config) { response, error in
if let error {
print("SDK initialization failed \(String(describing: error.code))
\(String(describing: error.message))")
} else {
//Send the response.publicKey to the server
print("SDK initialized")
}
}
TSAuthentication.shared.prepareWebauthnRegistration(username: "USERNAME", authSessionId:
"AUTH_SESSION_ID") { [weak self] success, error in
if let error {
//Handle error
} else {
//Complete the registration flow
} }
TSAuthentication.shared.executeWebauthnRegistration { [weak self] response, error in
if let error {
//Handle error
} else {
//User registered successfully. Use response.authCode for the token exchange
} }
TSAuthentication.shared.prepareWebauthnAuthentication(username: "USERNAME") { [weak
self] success, error in
if let error {
//Handle error
} else {
//Complete the authentication flow
} }
TSAuthentication.shared.executeWebauthnAuthentication { [weak self] response, error in
if let error {
//Handle error
} else {
//User is authenticated. Use response.authCode for the token exchange
} }
let approvalData = [ "payee": "Acme", "payment_method": "Acme card", "pay_amount"
: "200"]
TSAuthentication.shared.prepareWebauthnSignTransaction(username: "USERNAME",
approvalData: approvalData) { [weak self] success, error in
if let error {
//Handle error
} else {
//Complete the transaction signing flow
} }
TSAuthentication.shared.executeWebauthnSignTransaction() { [weak self] response, error
in
if let error {
//Handle error
} else {
//User has authenticated successfully. You can use the response.authCode for
token exchange.
}
}
Transmit Security, https://github.com/TransmitSecurity
This project is licensed under the Apache 2.0 license. See the LICENSE file for more info.