[Webkit-unassigned] [Bug 241775] New: [WebAuthn] WebAuthn catches error but still prompts user

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Jun 19 22:13:27 PDT 2022


            Bug ID: 241775
           Summary: [WebAuthn] WebAuthn catches error but still prompts
           Product: WebKit
           Version: Safari 15
          Hardware: iPhone / iPad
                OS: iOS 15
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit API
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: nina.marie.wahl at gmail.com

Created attachment 460346

  --> https://bugs.webkit.org/attachment.cgi?id=460346&action=review

A video showing the registration process - the Face ID prompt is shown even though an error is thrown.

The registration process with WebAuthn on iOS works fine and as expected. As we use the same code on both Android and iOS, we don't use discoverable credentials, but instead save the credential-id in a cookie. If a user deletes his cookie, we cannot see if the user has registered previously without prompting the user for registration again. This is okay, and if we get an InvalidStateError (because the user is already registered) we let the user think he has registered again, and just create a new cookie.

The problem is: when navigator.credentials.create() is called, the InvalidStateError is caught immediately, before the user has time to do anything about the Face ID prompt which shows. When the InvalidStateError is caught, the Registration Completed page shows (see the video - "Biometri ble lagt til" in Norwegian). This means the completed page is shown behind the Face ID prompt, which is very confusing for the user. How can the registration be completed if the Face ID prompt is not finished?

On Windows, the InvalidStateError is not thrown before the user has completed the Face ID prompt, which means the registration process is experienced exactly as a first-time registration.

I think this might be a bug, that the prompt is shown even though the error is thrown? I would prefer the logic to be the same as on Windows - the error is thrown after the Face ID prompt is completed, but not showing the prompt at all would also be better.

Best regards, Nina
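
The error handling described in the report above, as an added example that is not part of the original report or of WebKit's code: it separates the InvalidStateError case from a cancelled prompt, so only the first can lead to the completed page. The function names, outcome labels and the fake credentials container are assumptions made for illustration.

```javascript
// Added example; all names are hypothetical. Maps a create() rejection to a page outcome.
function outcomeFromCreateError(err) {
  switch (err && err.name) {
    case "InvalidStateError":
      // The authenticator already holds a credential from excludeCredentials.
      return "already-registered";
    case "NotAllowedError":
      // The user dismissed the prompt, or the request timed out.
      return "cancelled";
    default:
      return "failed";
  }
}

// `container` is navigator.credentials in a browser; injected so this runs offline.
async function registerAuthenticator(container, publicKey) {
  try {
    const credential = await container.create({ publicKey });
    return { outcome: "registered", credentialId: credential.id };
  } catch (err) {
    // create() rejected, so there is no credential object to read an id from.
    return { outcome: outcomeFromCreateError(err), credentialId: null };
  }
}

// Only these two outcomes may lead to the "registration completed" page.
function showsCompletedPage(result) {
  return ["registered", "already-registered"].includes(result.outcome);
}

// Constructed stand-in for the browser API: resolves or rejects on demand.
function fakeContainer(behaviour) {
  return {
    create: async () => {
      if (behaviour === "ok") return { id: "constructed-credential-id" };
      const err = new Error("constructed rejection");
      err.name = behaviour; // mimics DOMException.name
      throw err;
    },
  };
}

async function demo() {
  const outcomes = [];
  for (const b of ["ok", "InvalidStateError", "NotAllowedError"]) {
    outcomes.push((await registerAuthenticator(fakeContainer(b), {})).outcome);
  }
  return outcomes;
}
```

The example only classifies the rejection; it does not change when iOS rejects relative to the Face ID prompt.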
