Safari 18.1 [macOS / iOS / iPadOS] FIDO known issues


Some Apple users have reported being prompted for the FIDO PIN repeatedly in a loop, despite entering it correctly, which prevents authentication. The issue appears to affect all FIDO CTAP 2.1 authenticators (for Yubico products, this is limited to YubiKeys with the 5.7 firmware) after upgrading to Safari 18.1 or iOS/iPadOS 18.1. The issue only occurs when both an allowlist (the user must enter a username) and user verification (the PIN is used) are used for authentication. It affects Safari 18.1 on macOS, mobile browsers on iOS 18.1, and some third-party browsers on macOS systems where Safari 18.1 is installed.


On mobile devices, after upgrading to iOS/iPadOS 18.1, the user will receive an error after entering the FIDO PIN if a security key is physically plugged in. If the user is trying to authenticate via NFC, the user may not be prompted to authenticate with the FIDO security key. 


Yubico has been able to reproduce these findings, is working with Apple to resolve the issues, and will update this article as new information becomes available. 


December 11 update: Apple's macOS 15.2 and iOS/iPadOS 18.2, released today, include a fix for the FIDO2 PIN prompt issue documented here. However, a new issue has been introduced that affects FIDO authentication in certain circumstances; see this article for more information.


November 26 update: Apple's macOS 15.2 Developer Beta 4 and iOS/iPadOS 18.2 Developer Beta 4 releases include a fix for the FIDO2 PIN prompt issue. Please test within your environment, report any issues to Apple, and then inform Yubico, including your Apple issue/feedback identifier.


Potential mitigations and workarounds

  1. Identify your YubiKey by following the instructions here
    Info: YubiKeys with firmware 5.7.x are impacted
  2. If you think your users would be impacted by this issue, investigate whether you can delay upgrading to iOS/iPadOS 18.1 or macOS 15.1 until the issues are resolved.
    Info: When a fix is available, this article will be updated.
  3. For macOS users, Chrome or Firefox can be used as a substitute for the Safari browser for authentication.
  4. Potential workarounds for browser-based applications:

Some Identity Providers allow you to log in without a username. This can be a suitable workaround that allows login to succeed, but it may not work if cookies from a previous session are still present. Clear your cookies or use a private browsing window to be sure.
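As an added illustration (not part of the Yubico article), the following Node-runnable JavaScript builds the two WebAuthn assertion request shapes that this workaround distinguishes: the username-first request, where the relying party sends an allowlist of the user's credential IDs together with user verification (the combination the article reports as affected), and the usernameless request with an empty allowlist, where the authenticator selects a discoverable credential itself. The function names, the sample credential ID, and the choice of 'required' as the user-verification value that forces PIN entry are assumptions of this example; the article does not name the WebAuthn parameter values.

```javascript
// Added example, not code from the Yubico article. Builds the option objects a
// relying party would pass to navigator.credentials.get() and classifies them
// against the allowlist + user-verification combination the article describes.
// Runs under Node without a browser; nothing here talks to an authenticator.

// Decode a base64url string (the usual storage form of a credential ID) into the
// Uint8Array that allowCredentials[].id must be.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return Uint8Array.from(Buffer.from(b64 + pad, 'base64'));
}

// Username-first flow: the RP looks up the credential IDs registered for the
// entered username and sends them as an allowlist, requiring user verification
// (PIN entry on a YubiKey). This is the request shape the article says is
// affected on Safari 18.1 / iOS 18.1.
function buildAllowlistRequest(challenge, credentialIdsB64url, rpId) {
  return {
    challenge,
    rpId,
    allowCredentials: credentialIdsB64url.map((id) => ({
      type: 'public-key',
      id: base64urlToBytes(id),
      transports: ['usb', 'nfc'],
    })),
    userVerification: 'required',
    timeout: 60000,
  };
}

// Usernameless flow: no allowlist at all. The authenticator picks a discoverable
// credential for rpId, and the RP identifies the user from the assertion's
// userHandle afterwards. This is the request shape behind the "sign in with a
// security key instead of a username" workaround.
function buildUsernamelessRequest(challenge, rpId) {
  return {
    challenge,
    rpId,
    allowCredentials: [],
    userVerification: 'required',
    timeout: 60000,
  };
}

// Classify a request object. 'allowlist+uv' is the combination the article
// reports as affected. Assumption: userVerification 'required' is the value that
// forces PIN entry; 'preferred' (the WebAuthn default) is reported separately so
// the caller can decide how to treat it.
function classifyRequest(opts) {
  const hasAllowlist =
    Array.isArray(opts.allowCredentials) && opts.allowCredentials.length > 0;
  const uv = opts.userVerification || 'preferred';
  if (!hasAllowlist) return 'usernameless';
  if (uv === 'required') return 'allowlist+uv';
  return `allowlist+uv-${uv}`;
}

// Constructed sample input: a 32-byte challenge (would be random and
// server-issued in practice) and one base64url credential ID.
const sampleChallenge = new Uint8Array(32);
const sampleCredentialId = 'AQID'; // decodes to bytes 0x01 0x02 0x03
const affected = buildAllowlistRequest(sampleChallenge, [sampleCredentialId], 'example.com');
const workaround = buildUsernamelessRequest(sampleChallenge, 'example.com');
console.log(classifyRequest(affected), classifyRequest(workaround));
// → allowlist+uv usernameless

module.exports = { base64urlToBytes, buildAllowlistRequest, buildUsernamelessRequest, classifyRequest };
```

The usernameless request only succeeds when the credential was registered as a discoverable (resident) credential, so an RP that wants to offer this workaround must have asked for `residentKey: 'required'` at registration time; a credential registered without that cannot be selected from an empty allowlist.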

Example: Entra ID allows a usernameless login option.
Option 1:

  1. When prompted for a username at the Sign in screen, instead of typing a username select Sign-in options
  2. Select Face, fingerprint, PIN or security key
  3. Then follow the prompts to sign in with a security key


Option 2:

If the username is already populated, you can either open a new browser window in private browsing mode or:

  1. Instead of selecting the username, select Use another account
  2. Select Sign-in options
  3. Select Face, fingerprint, PIN or security key
  4. Then follow the prompts to sign in with a security key