PRF Extension Not Supported in Safari's Cross-Device WebAuthn Flow

Safari 18.0.1 on macOS 15.01 doesn't support the Passkey PRF extension during cross-device WebAuthn authentication when using QR code scanning, while it works correctly with iCloud passkeys.

Steps to Reproduce:

  1. Clone and set up:

     git clone https://github.com/quocle108/passkey-prf-test
     cd passkey-prf-test
     yarn
     yarn start

  2. Test iCloud Passkey Flow:
  • Open http://localhost:3000 in Safari
  • Open DevTools (Cmd+Option+I)
  • Click "Register"
  • Choose "Passkey on iCloud"

Expected console output: PRF supported: true

  3. Test Cross-Device Flow:
  • Click "Register"
  • Choose "Phone/Tablet"
  • Scan QR with mobile device

Expected: PRF supported: true
PRF extension should be supported in cross-device flow, matching iCloud passkey behavior.

Actual: PRF supported: false
Cross-device flow returns empty extension results.

  4. Verify in Chrome
  • Repeat steps 2-3 in Chrome
  • Both flows return proper PRF extension results: PRF supported: true

Test Environment:

This issue was partially fixed in Safari 18.2. As of that version, PRF is available again in hybrid, but it's returning a different value over hybrid than when invoked on-device. This remaining issue will be fixed soon.


I have tested again with Safari 18.4 (20621.1.14.11.3) on macOS 15.4 Beta (24E5228e), with an iPhone on iOS 18.2.1 as the cross-device authenticator, and the issue persists. PRF support is still reported as false, and the extension results remain empty.

Could you confirm whether this fix is included in the latest beta, or if further updates are needed?

Any updates on this? Last time I checked, the cross-device flow was unfortunately giving a different result than the same-device flow.

macOS / Safari: 15.3.2 / 18.3.1
iOS: 18.3.2

The Mac was the device initiating the WebAuthn PRF call. The iPhone was the device scanning the QR code, executing the PRF call, and reporting back to the Mac. The PRF result is different than when running the whole flow just on the Mac, using the same passkey entry.
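
A check an application could run on the two symptoms reported in this thread: empty extension results at registration, and a PRF value over hybrid that differs from the on-device one. This is an added example, not code from the passkey-prf-test repository; the function names and sample buffers are constructed for illustration.

```javascript
// Added example: function names and sample buffers are constructed for illustration.

// Classify the `prf` member of credential.getClientExtensionResults()
// returned after navigator.credentials.create().
function prfRegistrationStatus(extResults) {
  const prf = extResults && extResults.prf;
  if (!prf) return "missing";                 // empty extension results
  return prf.enabled === true ? "enabled" : "disabled";
}

// Normalise a BufferSource (ArrayBuffer or typed-array view) to bytes.
function toBytes(src) {
  return ArrayBuffer.isView(src)
    ? new Uint8Array(src.buffer, src.byteOffset, src.byteLength)
    : new Uint8Array(src);
}

// Compare prf.results.first from two navigator.credentials.get() calls that
// used the same credential and the same eval.first salt.
function comparePrfOutputs(sameDeviceExt, hybridExt) {
  const a = sameDeviceExt?.prf?.results?.first;
  const b = hybridExt?.prf?.results?.first;
  if (!a || !b) return "no-prf-output";
  const x = toBytes(a), y = toBytes(b);
  if (x.length !== y.length) return "mismatch";
  let diff = 0;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i];
  return diff === 0 ? "match" : "mismatch";
}

// Constructed sample results (not captured from a real authenticator).
const onDevice = { prf: { results: { first: new Uint8Array(32).fill(0x11).buffer } } };
const overHybrid = { prf: { results: { first: new Uint8Array(32).fill(0x22) } } };

console.log(prfRegistrationStatus({}));
console.log(prfRegistrationStatus({ prf: { enabled: true } }));
console.log(comparePrfOutputs(onDevice, overHybrid));
console.log(comparePrfOutputs(onDevice, onDevice));
```

A "mismatch" result means a key derived from the PRF output on one path will not decrypt data protected with the output from the other path.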
