Bug 235344

Summary:	[WebAuthn] Clearing Safari history "clears" all Platform credentials leading to zombie credentials on FIDO server
Product:	WebKit	Reporter:	Arshad Noor <arshad.noor>
Component:	WebKit Misc.	Assignee:	Nobody <webkit-unassigned>
Status:	NEW ---
Severity:	Normal	CC:	bfulgham, pascoe, webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	Safari 15
Hardware:	iPhone / iPad
OS:	iOS 15

Description Arshad Noor 2022-01-18 18:32:10 PST

Steps to reproduce: (tested on https://demo.strongkey.com/basicdemo or https://demo.strongkey.com/fidopolicy - Minimum-Any-Hardware-Authenticator policy)

1. Register a platform credential with a userid and TouchID (OK)
2. Authenticate with the newly generated credential (OK)
3. Clear browser history (OK)
4. Authenticate with the newly generated credential (Not OK - prompts to login with Security Key)

When using MacBook, macOS Big Sur 11.6, Safari 15: similar results.

When using MacBook, macOS Big Sur 11.6, Google Chrome 80.x: I can successfully authenticate using Platform credentials as long as I do NOT clear "Passwords and other sign-in data" from Advanced tab of "Clear browsing data" - the Basic tab does not delete passwords and other sign-in data.

The Safari UX is a poor one for users who know their userid and where their credential is still available in the site's FIDO Server - that userid can neither be used to register a new Platform credential, nor can it be used to authenticate with the previously registered credential - thus creating a "zombie" credential on the FIDO server.

Comment 1 Radar WebKit Bug Importer 2022-01-25 18:33:18 PST

<rdar://problem/88055729>