[Webkit-unassigned] [Bug 270553] WebAuthn excludeCredentials option stopped preventing duplicate passkey registration

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 26 04:27:14 PDT 2024


--- Comment #4 from arian.vanputten at gmail.com ---
Another (more problematic) scenario is that this can cause account lockout under adverse network conditions without the user doing anything wrong in their view:

0. Have an account logging in with passkeys, with credentialId: "12345".
1. Call navigator.credentials.create({excludeCredentials:["12345"]}).
2. Instead of aborting due to a passkey already being stored, Safari creates a new credential "54321" and stores it in iCloud Keychain, overriding "12345" in place.
3. Network connectivity drops.
4. The RP never receives the credential from step 2 and still only has "12345" registered as an allowed credential.
5. User reloads the page.
6. User tries to log in with navigator.credentials.get({}). Safari selects "54321" as that is the only passkey stored.
7. RP doesn't recognise "54321" and the user cannot log in.
8. User is now permanently locked out of their account as their passkey got replaced with "54321" but the website only accepts "12345".

Either Safari should start adhering to `excludeCredentials` again or it should allow storing multiple passkeys under a single `userHandle` (though I think that is not spec-compliant).
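The lockout sequence described in the comment above, as an added simulation that is not part of the bug report, WebKit, or Safari: a toy relying party (RP) that builds `excludeCredentials` from its stored credential ids, and a toy platform authenticator with one passkey slot per user handle. The `honorsExcludeCredentials` flag, the credential ids such as `cred-old`, and the class and function names are all constructed for this illustration. It shows that when the authenticator ignores `excludeCredentials` and the registration response is lost, the RP's `verifyAssertion` sees a credential it has never recorded, and also shows the RP-side check that distinguishes that case from an ordinary failed login so the user can be routed to account recovery.

```javascript
// Added illustration (not WebKit/Safari code): a toy RP and a toy authenticator
// with a single passkey slot per (rpId, userHandle), used to show why ignoring
// excludeCredentials strands the user when the registration response never
// reaches the RP. All ids and names below are constructed.

let nextId = 0;
const newCredentialId = () => `cred-${++nextId}`; // constructed ids, not real credential ids

class RelyingParty {
  constructor() {
    this.credentialsByUser = new Map(); // userHandle -> Set of credentialId
  }
  // Server-side state for an account that already has a passkey.
  seed(userHandle, credentialId) {
    this.credentialsByUser.set(userHandle, new Set([credentialId]));
  }
  // Creation options listing every credential the RP already knows for this
  // user, so a spec-compliant authenticator refuses to create a duplicate.
  creationOptions(userHandle) {
    const known = this.credentialsByUser.get(userHandle) || new Set();
    return {
      user: { id: userHandle },
      excludeCredentials: [...known].map((id) => ({ type: 'public-key', id })),
    };
  }
  // Only reached if the attestation response actually arrives over the network.
  finishRegistration(userHandle, credentialId) {
    this.credentialsByUser.get(userHandle).add(credentialId);
  }
  // Assertion check that separates "credential unknown for a known user" from
  // success, so the RP can offer recovery instead of a generic login failure.
  verifyAssertion({ credentialId, userHandle }) {
    const known = this.credentialsByUser.get(userHandle);
    if (!known) return { status: 'unknown-user' };
    return known.has(credentialId)
      ? { status: 'ok', credentialId }
      : { status: 'unknown-credential', userHandle, credentialId };
  }
}

class Authenticator {
  constructor({ honorsExcludeCredentials }) {
    this.honorsExcludeCredentials = honorsExcludeCredentials;
    this.slots = new Map(); // userHandle -> credentialId (one slot per user handle)
  }
  seed(userHandle, credentialId) {
    this.slots.set(userHandle, credentialId);
  }
  create(options) {
    const userHandle = options.user.id;
    const existing = this.slots.get(userHandle);
    const excluded = options.excludeCredentials.some((c) => c.id === existing);
    if (existing && excluded && this.honorsExcludeCredentials) {
      // Spec behaviour: the client reports InvalidStateError and stores nothing.
      throw new Error('InvalidStateError');
    }
    const credentialId = newCredentialId();
    this.slots.set(userHandle, credentialId); // overwrites the previous passkey in place
    return { credentialId, userHandle };
  }
  // get() with an empty allowList: the authenticator offers whatever it holds.
  get(userHandle) {
    return { credentialId: this.slots.get(userHandle), userHandle };
  }
}

// Runs the scenario from the comment and returns the outcome of the final login.
function simulate({ honorsExcludeCredentials, networkDrops }) {
  const rp = new RelyingParty();
  const auth = new Authenticator({ honorsExcludeCredentials });
  rp.seed('user-1', 'cred-old');
  auth.seed('user-1', 'cred-old');

  let registrationError = null;
  try {
    const created = auth.create(rp.creationOptions('user-1'));
    if (!networkDrops) rp.finishRegistration('user-1', created.credentialId);
  } catch (e) {
    registrationError = e.message; // compliant path: nothing was replaced
  }
  const login = rp.verifyAssertion(auth.get('user-1'));
  return { registrationError, login };
}
```

With `honorsExcludeCredentials: true` the create call fails with `InvalidStateError`, the old passkey survives, and the later login still verifies. With `honorsExcludeCredentials: false` and a dropped network, the login returns `unknown-credential` for a known user handle, which is the signal an RP can use to trigger a recovery flow rather than a dead end.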
