Re: [webauthn] How to guarantee created resident key is actually received by RP in adverse networking conditions? (#2038)

How can I protect myself against a misbehaving authenticator that ignores `excludeCredentials` like Safari?
Now the following scenario can happen, which is even worse than the original issue, namely account lockout for existing accounts:

1. Register passkey
2. Log in
3. Click register passkey button again. Safari overrides the passkey in your keychain in-place. 
4. Network is lost
5. You're now completely locked out of your account as the first Passkey doesn't work anymore



-- 
GitHub Notification of comment by arianvp
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2038#issuecomment-2020117576 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 26 March 2024 10:56:35 UTC