Providing password suggestions in your iOS app

Rhamilton
3 min read · Jun 3, 2021

We see pages like this almost every day, and we all know the dance. You enter your email or the username you want, then you enter the password you came up with when you were twelve, maybe with a “!” at the end depending on the requirements.

This is obviously a terrible way to manage passwords, and it leaves the door open for any single security breach to compromise multiple accounts.

Fortunately, password managers have our backs. A correctly set up password manager can generate and save unique text strings that are computationally difficult to brute force, removing the human error from the equation.

Unfortunately, it is not common enough to see apps set up to support this functionality on iOS.

Requirements

An Apple developer account enrolled in the Apple Developer Program.

An HTTPS domain to serve a .json file.

Setting up the UI for password suggestions

The UI requirements for iOS to suggest passwords are very simple. There need to be two text input views in the view hierarchy: one with a UITextContentType of username and one with newPassword.

Fire up your app, enter your username and focus on the password field. There won’t be a password suggestion, but there will be a message logged to the console:

Cannot show Automatic Strong Passwords for app bundleID: {{ your bundle ID }} due to error: Cannot save passwords for this app. Make sure you have set up Associated Domains for your app and AutoFill Passwords is enabled in Settings

Setting up the app’s association with the domain

In Xcode, on the “Signing and Capabilities” tab for the project’s target, press the “+ Capability” button in the top left. Xcode should present a window with options for each available capability; select “Associated Domains”. If “Associated Domains” is not visible, it’s likely the certificate and profile are not correctly associated with the enrolled Apple developer account. Make sure the app is using certificates and profiles created through the developer.apple.com service. There should now be a section at the bottom of the page like this:

Press the + button underneath the Domains box and add:
webcredentials:{{ your website’s address without the https and www }} (for example: webcredentials:example.com).

Setting up the domain’s association with the app

First, you will need to build the Associated Domains JSON file, which for just web credentials should look like this:

{"webcredentials": {"apps":["ABCDE12345.com.example.app"]}}

ABCDE12345 corresponds to your Apple developer team ID. You can find this in the membership tab of your Apple Developer account: https://developer.apple.com/account.

com.example.app corresponds to your app’s bundle identifier, which can be found on the “Signing & Capabilities” tab in Xcode for your target.

This JSON file should be returned by your domain at the path .well-known/apple-app-site-association.

Once this is done, your app should start offering iCloud-generated passwords for .newPassword text fields. Because Apple’s shared web credentials daemon is responsible for validating the Associated Domains entitlement provided by the app against the file provided by the website, it may be necessary to restart the phone and reinstall the app to get the daemon to re-evaluate the association between the app and the website.
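When suggestions still do not appear, the usual cause is a mismatch between the entitlement and the file the domain serves. The following check is an added example, not code from the original article: `aasa_url` and `check_aasa` are hypothetical helper names, and the sample bodies are constructed. It derives the file URL from the Associated Domains entry and verifies that the served body lists the expected team ID and bundle ID.

```python
import json

AASA_PATH = "/.well-known/apple-app-site-association"  # path given in the article

def aasa_url(entitlement):
    """Map an entry such as 'webcredentials:example.com' to the file's URL."""
    service, sep, domain = entitlement.partition(":")
    if service != "webcredentials" or not sep or not domain:
        raise ValueError("entry must look like webcredentials:<domain>")
    if "://" in domain or "/" in domain:
        raise ValueError("domain must be a bare host name, no scheme or path")
    return "https://" + domain + AASA_PATH

def check_aasa(body, team_id, bundle_id):
    """Return a list of problems in the served file body (empty list = OK)."""
    expected = team_id + "." + bundle_id
    try:
        doc = json.loads(body)
    except ValueError as exc:  # a login page or HTML 404 lands here
        return ["body is not valid JSON: %s" % exc]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    section = doc.get("webcredentials")
    if not isinstance(section, dict):
        return ["missing 'webcredentials' object"]
    apps = section.get("apps")
    if not isinstance(apps, list):
        return ["'webcredentials.apps' must be a list"]
    problems = []
    if expected not in apps:
        problems.append("%s is not listed in webcredentials.apps" % expected)
    for app in apps:
        if not isinstance(app, str) or "." not in app:
            problems.append("malformed app ID entry: %r" % (app,))
    return problems

# Constructed sample bodies, using the article's example identifiers.
GOOD = '{"webcredentials": {"apps":["ABCDE12345.com.example.app"]}}'
BAD = '{"webcredentials": {"apps":["com.example.app"]}}'  # team ID prefix missing

if __name__ == "__main__":
    print(aasa_url("webcredentials:example.com"))
    print(check_aasa(GOOD, "ABCDE12345", "com.example.app"))
    print(check_aasa(BAD, "ABCDE12345", "com.example.app"))
```

Fetch the URL that `aasa_url` returns with any HTTP client and pass the response body to `check_aasa`; an empty list means the file matches what the app claims.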
