[Webkit-unassigned] [Bug 273712] New: WebAuthn/passkeys intermittently stop functioning (hangs or doesn't resolve promise)

bugzilla-daemon at webkit.org
Fri May 3 14:37:57 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=273712

            Bug ID: 273712
           Summary: WebAuthn/passkeys intermittently stop functioning
                    (hangs or doesn't resolve promise)
           Product: WebKit
           Version: Safari 17
          Hardware: All
                OS: Unspecified
            Status: NEW
          Severity: Critical
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: eric at ericstern.com

Calls to `navigator.credentials.get` appear to have intermittently started either no-op'ing or never resolving the promise, both of which leave a user hanging in a lurch. Sometimes the WebAuthn dialog opens (and does nothing if the user presses continue), and sometimes it does not open at all. When it does open, frequently nothing happens at all when pressing continue. Similar behavior for the conditional mediation/autofill UI.

This results in completely broken sign-in and registration flows using passkeys (as well as non-passkey WebAuthn). The same pages work fine in other browsers with no other changes, so I'm very confident it's not an issue with the logic on the website (also, it worked fine in Safari last week and nothing has changed).

By adding debug statements, breakpoints, etc., I can see the code is executing fine right up until the `.get()` call (similar behavior on `.create()` frequently) and then... nothing. I've tried:

- Changing from async/await to promises (.then().catch())
- Changing various options passed to the API
- Adding and removing AbortSignals (maybe this is related to https://bugs.webkit.org/show_bug.cgi?id=271257)
- Checking on `localhost` projects and real-world websites (my own and others)

And more.

I've experienced this on:

- macOS 14.4.1 / Safari Version 17.4.1 (19618.1.15.11.14). Desktop and laptop, various M-series chips, with and without biometric hardware
- Safari technical preview Release 193 (Safari 17.4, WebKit 19619.1.9.4)
- iOS/iPadOS 17.5 beta (b3?)

iOS seems to work more often/more consistently, iPadOS less often, and desktop is now quite rare when it does work. I've been having intermittent issues (including https://bugs.webkit.org/show_bug.cgi?id=271747) that started, I think, earlier this week.

I also filed this under FB13773774 (navigator.credentials.create (and get) promise does not always resolve after user tries to register or sign in with a passkey) which contains a screen recording and sysdiagnose reports.

Note that when `.create()` does actually dismiss the modal dialog (through continue, not cancel) but experiences this issue, it seems that the passkey is saved to the system keychain but the website never gets the response and consequently is unable to store anything on their end to finish the WebAuthn processing. This leads to EXTREMELY confusing interactions later on, since the user can be prompted to sign in with their passkey that's not actually registered with the relying party.

On iPad (only?) I noticed an EXTREMELY brief (a frame or two) error flash in the Touch ID prompt - I think indicating the fingerprint failed? I haven't seen anything equivalent on other platforms.

Happy to provide any additional information, debug statements, jump on a screen sharing session, etc. Whatever can help!

-- 
You are receiving this mail because:
You are the assignee for the bug.
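
A page-side watchdog for the hang described in this report, as an added example that is not part of the original bug report or of WebKit: it turns a `navigator.credentials.get` call that never settles into a rejection the sign-in flow can handle (show an error, offer a fallback). The names `getWithWatchdog`, `timeoutMs` and `credentialsGet` are hypothetical; the wrapper does not fix the browser behaviour, it only keeps the page from waiting forever.

```javascript
// Added example: bound the time a WebAuthn ceremony may stay pending.
// `credentialsGet` is an injection point (hypothetical) so the wrapper can be
// exercised with a stub outside a browser; by default it uses the real API.
function getWithWatchdog(options, timeoutMs = 60000, credentialsGet) {
  const call = credentialsGet || ((o) => navigator.credentials.get(o));
  const controller = new AbortController();
  let timer;

  const watchdog = new Promise((_, reject) => {
    timer = setTimeout(() => {
      // Ask the browser to tear down the pending ceremony...
      controller.abort();
      // ...but reject here as well: the report describes calls that never
      // settle, so the abort may not surface as a rejection on its own.
      const err = new Error(`WebAuthn call did not settle within ${timeoutMs} ms`);
      err.name = "TimeoutError";
      reject(err);
    }, timeoutMs);
  });

  let pending;
  try {
    // Called synchronously so the request stays inside the user gesture.
    // Note: any `signal` the caller put in `options` is replaced by ours.
    pending = Promise.resolve(call({ ...options, signal: controller.signal }));
  } catch (e) {
    pending = Promise.reject(e);
  }

  // Whichever settles first wins; the timer is always cleared afterwards.
  return Promise.race([pending, watchdog]).finally(() => clearTimeout(timer));
}
```

A caller can treat `err.name === "TimeoutError"` separately from `NotAllowedError` (user cancelled) when deciding what to show the user.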