[Webkit-unassigned] [Bug 225646] New: [WebAuthn] excludeCredentials ignored if using FaceID
bugzilla-daemon at webkit.org
Tue May 11 03:13:14 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=225646
Bug ID: 225646
Summary: [WebAuthn] excludeCredentials ignored if using FaceID
Product: WebKit
Version: Safari 14
Hardware: iPhone / iPad
OS: iOS 14
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ruesweg+bugswebkitorg at woltlab.com
Created attachment 428260
--> https://bugs.webkit.org/attachment.cgi?id=428260&action=review
Video demonstrating the bug.
On iOS 14.5.1 (iPhone 12 Pro) the excludeCredentials parameter (https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-excludecredentials) for WebAuthn is ignored for FaceID.
If I add the FaceID key to excludeCredentials and then want to add another key, you can select the already registered FaceID for registration again. If you select FaceID, the Webkit-Webauthn-Loader loops infinitely (see video).
The expected behaviour would be that iOS does not allow FaceID to be selected or, imo the much better solution, throws an InvalidStateError (see https://github.com/w3c/webauthn/issues/1566).
iPadOS 14.4.2 (iPad Pro, 12.9", 3rd generation) does not offer to register FaceID twice if the FaceID key is provided via the excludeCredentials parameter. With iPadOS 14.5.1 I can reproduce the issue on the same iPad.
I have added a short video, demonstrating the problem, iff the FaceID key is provided within the excludeCredentials parameter.
The bug only affects the FaceID implementation. The security key implementation works fine.
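The registration call this report concerns, as an added example that is not code from the bug report or from WebKit: it passes every already registered credential in excludeCredentials and treats InvalidStateError as "this authenticator is already registered", the outcome the reporter asks for. The function names, the base64url format of the stored IDs and the timeout are assumptions; the report does not establish whether aborting interrupts the loop seen on iOS 14.5.1.

```javascript
// Added example. Function names and the stored-ID format (base64url strings)
// are assumptions, not taken from the bug report.
const b64urlToBytes = (s) => {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
};

// Every credential already registered for this user goes into excludeCredentials.
function buildCreationOptions(baseOptions, storedIds) {
  return {
    ...baseOptions,
    excludeCredentials: storedIds.map((id) => ({
      type: "public-key",
      id: b64urlToBytes(id),
    })),
  };
}

// `container` is navigator.credentials in a browser; it is a parameter so the
// flow can be exercised with a stand-in authenticator outside one.
async function registerCredential(container, baseOptions, storedIds, timeoutMs = 60000) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const credential = await container.create({
      publicKey: buildCreationOptions(baseOptions, storedIds),
      signal: controller.signal, // lets the page give up instead of waiting forever
    });
    return { status: "created", credential };
  } catch (err) {
    // A conforming client reports an excluded authenticator this way.
    if (err.name === "InvalidStateError") return { status: "already-registered" };
    if (err.name === "AbortError") return { status: "timed-out" };
    throw err;
  } finally {
    clearTimeout(timer);
  }
}
```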