[Webkit-unassigned] [Bug 219814] New: `navigator.credentials.get()` immediately fails if a different security key is plugged in

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 11 16:35:09 PST 2020 

https://bugs.webkit.org/show_bug.cgi?id=219814

            Bug ID: 219814
           Summary: `navigator.credentials.get()` immediately fails if a
                    different security key is plugged in
           Product: WebKit
           Version: Safari 14
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: lgarron at chromium.org

Created attachment 416069

  --> https://bugs.webkit.org/attachment.cgi?id=416069&action=review

Screen capture of the UX in question

Reproduction steps:

1. Register a security key on GitHub.com
2. On a MacBook Pro with macOS Big Sur 11.0, plug in a *different* security key.
3. Log into the account with registered in step 1.

Observed:

At the security key step, Safari flashes the security key prompt, but immediately removes it and replaces it with a "Found no credentials on this device" explanation.

Expected:

The user is prompted to insert a security key, as if the correct (or no) security key was currently inserted.

The current behaviour somewhat makes sense if you assume that a user only has a single security key that they would ever plug into a given device (or perhaps if the device can only hold one security key that is generally not left in permanently, as on iOS), but it will result in a rather confusing UX if someone:

1. Has two computers with a permanently plugged-in security key each.
2. Registers a security key in computer.
3. Tries to log into the other computer (perhaps to try to register the other key).

If they didn't switch the keys ahead of the prompt (quite likely if they don't immediately do step 3 after step 2), they get this issue.

If the user is not given a chance to plug in another security key, it would be helpful if the prompt at least explained the reason (one key is already plugged in, and it doesn't have a valid registration for the site).

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20201212/fa9c44e9/attachment-0001.htm>

More information about the webkit-unassigned mailing list