Bug 235344 - [WebAuthn] Clearing Safari history "clears" all Platform credentials leading to zombie credentials on FIDO server
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: Safari 15
Hardware: iPhone / iPad iOS 15
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2022-01-18 18:32 PST by Arshad Noor
Modified: 2022-01-25 18:33 PST
Description Arshad Noor 2022-01-18 18:32:10 PST
Steps to reproduce: (tested on https://demo.strongkey.com/basicdemo or https://demo.strongkey.com/fidopolicy - Minimum-Any-Hardware-Authenticator policy)

1. Register a platform credential with a userid and TouchID (OK)
2. Authenticate with the newly generated credential (OK)
3. Clear browser history (OK)
4. Authenticate with the newly generated credential (Not OK - prompts to login with Security Key)

When using MacBook, macOS Big Sur 11.6, Safari 15: similar results.

When using MacBook, macOS Big Sur 11.6, Google Chrome 80.x: I can successfully authenticate using Platform credentials as long as I do NOT clear "Passwords and other sign-in data" from Advanced tab of "Clear browsing data" - the Basic tab does not delete passwords and other sign-in data.

The Safari UX is a poor one for users who know their userid and where their credential is still available in the site's FIDO Server - that userid can neither be used to register a new Platform credential, nor can it be used to authenticate with the previously registered credential - thus creating a "zombie" credential on the FIDO server.
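The register, clear, authenticate sequence above, as an added example that is not code from the bug report, WebKit or the StrongKey demo: a relying-party bookkeeping model that keeps the userid recoverable instead of leaving a zombie credential on the server. The class, field names, status values and the recovery step are assumptions, not any real FIDO server's behaviour.

```javascript
// Added example, not code from the bug report, WebKit or the StrongKey demo.
// RP-side credential bookkeeping for the report's sequence; all names and the
// recovery policy are assumptions, not any real FIDO server's behaviour.
class RelyingParty {
  constructor() { this.users = new Map(); }  // userid -> [{ id, status }]
  register(userid, credentialId) {
    const creds = this.users.get(userid) || [];
    creds.push({ id: credentialId, status: "active" });
    this.users.set(userid, creds);
  }
  // allowCredentials for navigator.credentials.get(): active credentials only.
  allowCredentials(userid) {
    return (this.users.get(userid) || [])
      .filter((c) => c.status === "active")
      .map((c) => ({ type: "public-key", id: c.id }));
  }
  // Outcome of navigator.credentials.get(). NotAllowedError against a non-empty
  // allow list means the browser presented none of the listed credentials (the
  // state after "Clear History"). The same error is raised when the user
  // cancels, so this only triggers a recovery offer; it never proves loss.
  recordAssertion(userid, outcome) {
    const allowed = this.allowCredentials(userid).map((c) => c.id);
    if (outcome.ok) return allowed.includes(outcome.id) ? "authenticated" : "unknown-credential";
    if (outcome.error === "NotAllowedError" && allowed.length > 0) return "credential-unavailable";
    return "failed";
  }
  // After the user proves identity another way (modelled as a boolean), move
  // the unusable credentials out of the allow list rather than deleting them,
  // so the same userid can enrol a fresh platform credential. Orphaned entries
  // stay for audit but are not put in excludeCredentials, so re-enrolment on
  // the same device is not refused.
  recover(userid, identityVerified) {
    if (!identityVerified) return false;
    for (const c of this.users.get(userid) || []) if (c.status === "active") c.status = "orphaned";
    return true;
  }
}
// Replays steps 1-4 of the report, then the recovery path, on constructed data.
function demo() {
  const rp = new RelyingParty();
  rp.register("alice", "cred-A");                                      // step 1
  const s2 = rp.recordAssertion("alice", { ok: true, id: "cred-A" });  // step 2
  // step 3: user clears Safari history; step 4: the same assertion now fails
  const s4 = rp.recordAssertion("alice", { ok: false, error: "NotAllowedError" });
  rp.recover("alice", true);
  rp.register("alice", "cred-B");
  return { s2, s4, allow: rp.allowCredentials("alice").map((c) => c.id) };
}
```

The server still holds the record of cred-A, but because it is marked orphaned rather than active, the userid is neither locked out of authentication nor blocked from enrolling a replacement.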
Comment 1 Radar WebKit Bug Importer 2022-01-25 18:33:18 PST
<rdar://problem/88055729>