[Webkit-unassigned] [Bug 270553] New: WebAuthn excludeCredentials option stopped preventing duplicate passkey registration

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 5 18:38:07 PST 2024


https://bugs.webkit.org/show_bug.cgi?id=270553

            Bug ID: 270553
           Summary: WebAuthn excludeCredentials option stopped preventing
                    duplicate passkey registration
           Product: WebKit
           Version: Safari 17
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: nov at matake.jp

iOS 17.4 Safari (maybe Safari 17.4?) stopped preventing duplicate passkey registration even when the excludeCredentials option is specified.

How to reproduce
1. Sign up at https://id.moneyforward.com
2. Go to https://id.moneyforward.com/webauthn/credentials and register a passkey
3. After successful registration of the 1st passkey, register a 2nd passkey again on the same device

Until iOS 17.3, it resulted in an error.
Since iOS 17.4, it starts succeeding and the RP starts having 2+ passkeys for the same device.

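An added example, not part of the original bug report or of WebKit's code: how a relying party passes its already-registered credential IDs in `excludeCredentials` and interprets the result of `navigator.credentials.create()`. Per the WebAuthn specification, `InvalidStateError` is what the client reports when the authenticator already holds one of the excluded credentials; the helper names, RP and user values, and stored IDs below are constructed for illustration.

```javascript
// Decode a base64url credential ID (as an RP typically stores it) to bytes.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Build creation options that list every credential the RP already holds
// for this user, so the authenticator can refuse a duplicate registration.
function buildCreationOptions(rp, user, challenge, storedIds) {
  return {
    publicKey: {
      rp,
      user,
      challenge,
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      excludeCredentials: storedIds.map((id) => ({
        type: "public-key",
        id: b64urlToBytes(id),
      })),
    },
  };
}

// Map the rejection from create() to an outcome the RP UI can act on.
function classifyCreateError(err) {
  if (err && err.name === "InvalidStateError") return "already-registered";
  if (err && err.name === "NotAllowedError") return "cancelled-or-denied";
  return "other";
}

// Browser-only: run the ceremony and report what happened.
async function registerPasskey(options) {
  try {
    const credential = await navigator.credentials.create(options);
    return { status: "created", credential };
  } catch (err) {
    return { status: classifyCreateError(err) };
  }
}
```

With the behaviour described in the report, `registerPasskey` returns `created` on a device that already holds an excluded credential, where it previously returned `already-registered`.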