This is a guide for mobile and web developers building solutions and/or considering supporting U2F/FIDO2 security keys on Apple iPhones and iPads.
On December 10, 2019, Apple released iOS/iPadOS 13.3 and announced the following:
“[iOS/iPadOS 13.3] supports NFC, USB, and Lightning FIDO2-compliant security keys in Safari, SFSafariViewController, and ASWebAuthenticationSession using the WebAuthn standard, on devices with the necessary hardware capabilities.”
For developers currently supporting FIDO2 security keys using the WebAuthn standard on desktop browsers, this release enables you to reach a large pool of mobile users who can now use their FIDO2 security keys when authenticating into your service from Safari on iPhones and iPads. If your users are already on 13.3, no further action is needed from you other than verifying that the WebAuthn flow on mobile Safari works as expected for your web application flows.
Certain use cases present blockers: see Known Issues in this document.
The 13.3 release also offers a wider range of WebAuthn solutions—or paths—for supporting mobile users. These development paths are described below.
To familiarize yourself with related FIDO2 features in 13.3, check out this Yubico blog post. To see these enhancements in action, watch this video demonstrating WebAuthn registration and authentication within the Safari browser on iOS 13.3.