[Webkit-unassigned] [Bug 261301] WebAuthn auth always shows hybrid QR code when only "internal" transport in allowCredentials but no credentials recognized by platform

bugzilla-daemon at webkit.org
Fri Sep 8 10:13:35 PDT 2023


--- Comment #6 from matthew at millerti.me ---
> If a credential is available over "internal," then it follows that it would also be available over hybrid if it's on another device's platform authenticator.

A specific pain point with this line of reasoning is that, if a passkey is registered via macOS Safari, but iCloud Keychain sync is OFF in iOS, then there's no way to scan the QR code that iOS shows by any device running macOS. It seems like an impossible scenario for a user to complete auth in because of macOS' lack of an OS-level way to scan QR codes.

There's an alternative idea that came up this morning: what if Safari consistently showed the same prompt to enable iCloud Keychain sync that it shows during registration, but during authentication as well? If Safari is given a credential with ["internal", "hybrid"] then how can it test if the platform authenticator on the iOS device recognizes it if iCloud Keychain sync (which still seems to be a hard requirement to use a platform authenticator on an Apple device) is disabled?

I'm going to attach a couple screenshots of the registration CTA to turn on sync that I think could also unstick users here.
