[Webkit-unassigned] [Bug 235344] New: [WebAuthn] Clearing Safari history "clears" all Platform credentials leading to zombie credentials on FIDO server
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Jan 18 18:32:10 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=235344
Bug ID: 235344
Summary: [WebAuthn] Clearing Safari history "clears" all
Platform credentials leading to zombie credentials on
FIDO server
Product: WebKit
Version: Safari 15
Hardware: iPhone / iPad
OS: iOS 15
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: arshad.noor at strongkey.com
Steps to reproduce: (tested on https://demo.strongkey.com/basicdemo or https://demo.strongkey.com/fidopolicy - Minimum-Any-Hardware-Authenticator policy)
1. Register a platform credential with a userid and TouchID (OK)
2. Authenticate with the newly generated credential (OK)
3. Clear browser history (OK)
4. Authenticate with the newly generated credential (Not OK - prompts to login with Security Key)
When using MacBook, macOS Big Sur 11.6, Safari 15: similar results.
When using MacBook, macOS Big Sur 11.6, Google Chrome 80.x: I can successfully authenticate using Platform credentials as long as I do NOT clear "Passwords and other sign-in data" from Advanced tab of "Clear browsing data" - the Basic tab does not delete passwords and other sign-in data.
The Safari UX is a poor one for users who know their userid and where their credential is still available in the site's FIDO Server - that userid can neither be used to register a new Platform credential, nor can it be used to authenticate with the previously registered credential - thus creating a "zombie" credential on the FIDO server.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220119/ea370acd/attachment.htm>
More information about the webkit-unassigned
mailing list