Created attachment 425562 [details] Screencast of behavior with USB security key attached In Safari 14.0.3, when I create a WebAuthn credential with the platform authenticator, e.g. on webauthntest.azurewebsites.net, Safari fails to assert that credential when the get() call passes the credential identifier in the allowCredentials parameter *as long as a USB security key happens to be connected to the machine*. Asserting the credential via an empty allowCredentials parameter works (shows the account selector). If no USB security key is connected, asserting with empty or non-empty allow list both work. This is likely another flavor of the bug already reported in https://bugs.webkit.org/show_bug.cgi?id=219814.
<rdar://problem/76731282>
FWIW, via: Safari 15.1 (17612.2.6.1.1) on Monterey beta, Syncing Platform Authenticator and Web Authentication Modern disabled, Yubikey 5c (with passcode). Was not able to replicate. Was able to: - add a platform credential, use it - add the security key as a credential, still use both - uncheck allow credentials, worked fine as well - removed yubikey and tested successfully, reinserted and tested successfully
I've also been unable to replicate on Safari 15 and STP (Release 133 (Safari 15.4, WebKit 17613.1.2.2). Steps I tried on webauthntest.azurewebsites.net 1. Register platform authenticator 2. Perform get() call with and without allowCredentials (both work) 3. Plug in security key (Yubikey 5c nano) 4. Perform get() call with and without allowCredentials (both work) 5. Plug in a second security key (AT.Key Pro) 6. Perform get() call with and without allowCredentials (both work)