Created attachment 428260: Video demonstrating the bug.

On iOS 14.5.1 (iPhone 12 Pro) the excludeCredentials parameter (https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-excludecredentials) for WebAuthn is ignored for FaceID. If I add the FaceID key to excludeCredentials and want to add another key, you can select the already registered FaceID for registering again. If you select FaceID, the Webkit-Webauthn-Loader loops infinitely (see video).

The expected behaviour would be that iOS does not allow selecting FaceID or, imo the much better solution, throws an InvalidStateError (see https://github.com/w3c/webauthn/issues/1566).

iPadOS 14.4.2 (iPad Pro, 12.9", 3rd Generation) does not offer to register FaceID twice if the FaceID key is provided via the excludeCredentials parameter. With iPadOS 14.5.1 I can reproduce the issue on the same iPad.

I have added a short video demonstrating the problem, iff the FaceID key is provided within the excludeCredentials parameter. The bug only affects the FaceID implementation. The security key implementation works fine.
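The relying-party side of the behaviour reported above, as an added example that is not part of the original report or of WebKit's code: it builds creation options with `excludeCredentials`, treats `InvalidStateError` as "already registered", and also rejects a returned credential whose ID is already on file, so a client that ignores the parameter cannot register the same authenticator twice. The helper names, the injected `create` parameter and the sample credential IDs are assumptions made for illustration.

```javascript
// Added example; helper names and credential IDs are constructed.
// Decode a base64url credential ID, as a relying party might store it.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// Creation options listing every credential the user already registered.
function buildCreationOptions({ rpName, user, challenge, registeredIds }) {
  return {
    rp: { name: rpName },
    user,
    challenge,
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // ES256
    excludeCredentials: registeredIds.map((id) => ({ type: 'public-key', id: b64urlToBytes(id) })),
  };
}

// Byte-wise check of a returned rawId against the registered IDs.
function isDuplicateCredential(rawId, registeredIds) {
  const got = new Uint8Array(rawId);
  return registeredIds.some((id) => {
    const known = b64urlToBytes(id);
    return known.length === got.length && known.every((b, i) => b === got[i]);
  });
}

// Map create() failures to outcomes the page can show the user.
function classifyCreateError(err) {
  if (err && err.name === 'InvalidStateError') return 'already-registered';
  if (err && err.name === 'NotAllowedError') return 'cancelled-or-denied';
  return 'other';
}

// `create` is injected; in a browser pass (o) => navigator.credentials.create(o).
async function register(options, registeredIds, create) {
  try {
    const cred = await create({ publicKey: options });
    // A client that ignored excludeCredentials can hand back a known ID.
    if (isDuplicateCredential(cred.rawId, registeredIds)) {
      return { status: 'already-registered' };
    }
    return { status: 'created', credential: cred };
  } catch (err) {
    return { status: classifyCreateError(err) };
  }
}
```

The same duplicate-ID comparison belongs on the server when it verifies the registration response, since client-side code alone cannot be relied on.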
<rdar://problem/78147681>
Created attachment 453783: Patch
Comment on attachment 453783 (Patch): r=me
Committed r290840 (248076@main): <https://commits.webkit.org/248076@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 453783.
This fix shipped with Safari 15.5 (all platforms).