No reaction when using WebAuthn on macOS, iOS and iPadOS


This article applies to:

  • Safari, Chrome and Firefox on iOS/iPadOS 14.5+
  • Safari on macOS Big Sur 11.3+

Issue

On the devices and browsers listed above, sign-in pages may simply not function, and may not show the user any direct error message. After users update their Apple devices, pages that previously prompted them automatically to touch their YubiKeys to sign in may no longer display the security key sign-in prompt.

The browser's developer tools console may display error messages similar to any of the following. Note: the first two bullets relate to the Safari browser running on supported Apple platforms.

  • User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' within user activated events.
  • User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.get' within user activated events.
  • NotAllowedError: This request has been cancelled by the user.

Cause

Due to recent changes to Apple devices, this may occur when a WebAuthn request is initiated without a user-activated event, such as a 'click', 'touchend', 'doubleclick', or 'keydown' event. If a WebAuthn request is initiated without one of these user-activated events, the above error messages may be encountered and the sign-in flow will not work.

Apple has explained their rationale for this decision as it applies to FaceID and TouchID, but with recent releases of Apple iOS, iPadOS, and macOS, the user gesture requirement also applies to WebAuthn requests for security keys. See this Apple article for more details.

Workaround

The sign-in with YubiKey flow will not function on the listed devices and browsers until the service changes the sign-in to be initiated by a user-activated event.

Report the error to the website or application owner. Include the error messages shown in the developer tools console, and point them to the Apple blog post.

If the site offers a retry button, it may work as a suitable workaround, depending on the site.
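
For site owners, the change described under Workaround looks like the following added example (not code from this article or from Apple): the WebAuthn request is started from a 'click' handler instead of on page load, and a NotAllowedError leaves the button usable as a retry. The function name, the element ids and the choice to load `publicKey` before the click are assumptions.

```javascript
// Added example: start the WebAuthn request from a user-activated event.
// wireSecurityKeySignIn, statusEl and the element ids are hypothetical names.

// Before (fails on the listed Apple platforms): request fired on page load,
// with no user gesture.
//   window.addEventListener('load', () => navigator.credentials.get({ publicKey }));

// After: the request is made synchronously inside a 'click' handler.
// Assumption: `publicKey` was fetched from the server ahead of time, so
// nothing is awaited between the click and the call to credentials.get().
function wireSecurityKeySignIn(button, statusEl, publicKey, onAssertion,
                               credentials = globalThis.navigator?.credentials) {
  if (!credentials || typeof credentials.get !== 'function') {
    statusEl.textContent = 'WebAuthn is not available in this browser.';
    button.disabled = true;
    return false;
  }
  button.addEventListener('click', () => {
    button.disabled = true;                       // avoid overlapping requests
    statusEl.textContent = 'Touch your security key…';
    credentials.get({ publicKey })                // called within the user gesture
      .then(onAssertion)
      .catch((err) => {
        // NotAllowedError is reported both for a missing gesture and for a
        // user cancel; the button is re-enabled below so a click can retry.
        statusEl.textContent = err.name === 'NotAllowedError'
          ? 'Sign-in was cancelled or blocked. Select the button to try again.'
          : 'Sign-in failed: ' + err.name;
      })
      .finally(() => { button.disabled = false; });
  });
  return true;
}

// Browser usage (constructed ids; publicKey and the callback come from your app):
//   wireSecurityKeySignIn(document.getElementById('sign-in'),
//     document.getElementById('status'), publicKey, sendAssertionToServer);
```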