[Webkit-unassigned] [Bug 235344] New: [WebAuthn] Clearing Safari history "clears" all Platform credentials leading to zombie credentials on FIDO server

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jan 18 18:32:10 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=235344

            Bug ID: 235344
           Summary: [WebAuthn] Clearing Safari history "clears" all
                    Platform credentials leading to zombie credentials on
                    FIDO server
           Product: WebKit
           Version: Safari 15
          Hardware: iPhone / iPad
                OS: iOS 15
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: arshad.noor at strongkey.com

Steps to reproduce: (tested on https://demo.strongkey.com/basicdemo or https://demo.strongkey.com/fidopolicy - Minimum-Any-Hardware-Authenticator policy)

1. Register a platform credential with a userid and TouchID (OK)
2. Authenticate with the newly generated credential (OK)
3. Clear browser history (OK)
4. Authenticate with the newly generated credential (Not OK - prompts to login with Security Key)

When using MacBook, macOS Big Sur 11.6, Safari 15: similar results.

When using MacBook, macOS Big Sur 11.6, Google Chrome 80.x: I can successfully authenticate using Platform credentials as long as I do NOT clear "Passwords and other sign-in data" from Advanced tab of "Clear browsing data" - the Basic tab does not delete passwords and other sign-in data.

The Safari UX is a poor one for users who know their userid and where their credential is still available in the site's FIDO Server - that userid can neither be used to register a new Platform credential, nor can it be used to authenticate with the previously registered credential - thus creating a "zombie" credential on the FIDO server.
