Hardware Security Keys on iOS

This guide provides important compatibility information and troubleshooting tips for using hardware security keys with Keeper on iOS devices. If you're encountering issues with PINs, autofill, or NFC key support, this page will help you understand which iOS versions are compatible and how to resolve common problems.

To ensure seamless use of hardware security keys with Keeper, make sure you're using the latest version of Keeper and that your iOS device is running the most up-to-date version of the operating system.

Which hardware keys are supported with Keeper on iOS?

  • Keeper works with any FIDO® Certified security keys. Ensure you have the latest version of Keeper installed for full compatibility with hardware keys.

  • Unsupported Keys: Currently, software keys such as Passkeys or iCloud Keys are not supported for login or autofill with Keeper.


What are the iOS version requirements for hardware key compatibility?

To help you understand the compatibility of your iOS version with hardware keys and Keeper, refer to the table below:

iOS Version

Keeper App (Main)

Autofill

KeeperFill (Legacy)

iOS 16 or earlier

Supported

Not Supported

Not Supported

iOS 17

Supported

Supported

Not Supported

iOS 18+

Supported

Supported

Supported


Do I need a PIN for my hardware security key on iOS?

  • Setting a PIN for your hardware security key is optional. You can choose whether or not to set up a PIN when configuring your key. The PIN setup process is done through the hardware key manufacturer’s software (e.g., Yubico Authenticator).

  • Once a PIN is set for your security key, iOS will ask you to enter the PIN every time you use the key, whether for login or filling passwords.

  • No PIN Bypass: Unlike the Keeper Web Vault, iOS does not support bypassing the PIN. You must enter the PIN each time the key is used.


What happens if I enter the wrong PIN for my hardware key too many times?

  • If you enter the wrong PIN 6 times in a row, your hardware key will be locked. To unlock it, you will need to reset the key before you can use it again.

    • To reset your hardware security key please use the hardware key manufacturer’s software (e.g., Yubico Authenticator).


Can I use NFC hardware keys on iOS devices?

  • Yes, NFC hardware keys are supported on most iOS devices.

  • iPads do not support NFC hardware keys at all. This is a restriction at the OS level, and only physical hardware keys that plug into the device (via Lightning or USB-C) will work.

    • USB-C hardware keys require Keeper Version 16.12.0 or greater.

  • NFC hardware keys are not supported in Keeper extensions (Autofill | KeeperFill) on iOS.

    • Recommendations to work around this limitation can be found HERE.


Known Issues:

Issue Overview: Some users with FIDO CTAP 2.1 security keys (specifically YubiKeys with firmware 5.7) have reported being repeatedly prompted to enter their FIDO PIN in a loop, even after entering it correctly. This issue began after upgrading to Safari 18.1 or iOS/iPadOS 18.1. Users may experience difficulties authenticating with their security keys, as the prompt fails to complete the authentication process.

To check the firmware version of your YubiKey, download the Yubico Authenticator HERE.

Affected Devices and Scenarios:

  • iOS/iPadOS: On mobile devices, after upgrading to iOS/iPadOS 18.1, the following issues are observed:

    • Physical key plugged in: Users will see an error after entering the FIDO PIN.

    • NFC authentication: The system may not prompt users for authentication when attempting to authenticate via NFC.

  • MacOS: This issue affects Safari 18.1 and certain 3rd-party browsers that rely on Safari’s WebKit engine. It can occur when a username allowlist and PIN verification are required during authentication.

Status: Yubico has acknowledged the issue and is working with Apple to resolve it. Apple has released a beta fix in macOS 15.2 Developer Beta 4 and iOS/iPadOS 18.2 Developer Beta 4. This update addresses the FIDO2 PIN prompt issue, but it is still in development, and users are advised to report any persistent issues to Apple.

Workaround Options: If you're experiencing this issue, consider the following options:

  1. Upgrade to iOS/iPadOS 18.2 Public Beta: If you're not already on the public beta, upgrading to iOS/iPadOS 18.2 may resolve the issue, as it addresses the FIDO2 PIN loop problem. You can opt into the public beta via Apple's Beta Software Program.

  2. Re-register Your Key: If you're already on iOS/iPadOS 18.2 public beta and still encountering the issue, try removing and re-registering your security key. This may help resolve any lingering issues.

  3. As a temporary workaround, you can log into your Keeper account on another device or browser and remove the hardware key from your authentication settings. This will allow you to continue using other methods of authentication while awaiting a full fix from Apple.

For more details and updates, please refer to the Yubico support article.

Long-Tap Autofill and Hardware Security Keys

With the addition of iOS 18, Apple introduced a new long-tap autofill feature that allows users to quickly fill in login credentials from their password manager directly into apps or websites. However, when using a hardware security key for authentication, long-tap autofill will not work as expected. This limitation occurs because the system requires interaction with the hardware key to complete authentication, which isn’t compatible with the autofill feature’s workflow.

Affected Devices and Scenarios:

  • iOS/iPadOS 18+ Devices: The long-tap autofill feature does not work with accounts secured by hardware security keys.

Recommendation: To work around this limitation, we recommend using the following steps:

  1. Enable "Stay Logged In" from the Desktop App:

    1. Open the Keeper web/desktop app (this option is not available in the mobile app for now) and enable the "Stay Logged In" option. This will ensure you remain authenticated for a longer period, allowing long-tap autofill to function without needing to re-authenticate with your hardware key.

  2. Log into the Keeper Main app on your iOS device and then you can proceed to use the long-tap autofill feature as intended.

Last updated