[Webkit-unassigned] [Bug 259691] New: [Webauthn] NFC read unresponsive when more than 3 credentials are in the allowList

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Aug 1 10:07:45 PDT 2023 

https://bugs.webkit.org/show_bug.cgi?id=259691

            Bug ID: 259691
           Summary: [Webauthn] NFC read unresponsive when more than 3
                    credentials are in the allowList
           Product: WebKit
           Version: Safari 16
          Hardware: iPhone / iPad
                OS: iOS 16
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: erik.parkkonen at yubico.com

Discovered that NFC read is unresponsive when attempting to authenticate using WebAuthn on a FIDO2 security key like a YubiKey. 
This only seems to happen when more than 3 credentials are in the WebAuthn allowList.
User attempts to authenticate
User is prompted to scan NFC YubiKey
The first NFC read is successful and then the user is next prompted for PIN
The user is then prompted to scan their NFC Security Key again, however the system never responds to the scan. 


Repro steps
1. Log-in to aka.ms/webauthntest
2. Register 4 resident credentials (Require Resident Key = true) for Bob. Also require UV.
3. Try to authenticate using NFC YubiKey and make sure the Use AllowList option is selected
4. Notice that first NFC scan is successful and user is then prompted for PIN.
5. Notice that when prompted again for NFC scan after entering PIN that nothing happens. 
6. Now remove the 4th credential for Bob.
7. Try to authenticate again using NFC YubiKey.  This time it is successful. 


Customers have mentioned this only started occurring after upgrading to iOS 16. I don't have test devices to confirm this statement. 
I've seen this behavior on both iOS 16.6 and 16.5.1

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230801/0d6e6952/attachment.htm>

More information about the webkit-unassigned mailing list