WebKit Bugzilla
NEW
259691
[Webauthn] NFC read unresponsive when more than 3 credentials are in the allowList
https://bugs.webkit.org/show_bug.cgi?id=259691
erik.parkkonen
Reported
2023-08-01 10:07:45 PDT
Discovered that NFC read is unresponsive when attempting to authenticate using WebAuthn on a FIDO2 security key like a YubiKey. This only seems to happen when more than 3 credentials are in the WebAuthn allowList.

- User attempts to authenticate
- User is prompted to scan NFC YubiKey
- The first NFC read is successful and then the user is next prompted for PIN
- The user is then prompted to scan their NFC Security Key again, however the system never responds to the scan.

Repro steps
1. Log-in to aka.ms/webauthntest
2. Register 4 resident credentials (Require Resident Key = true) for Bob. Also require UV.
3. Try to authenticate using NFC YubiKey and make sure the Use AllowList option is selected
4. Notice that first NFC scan is successful and user is then prompted for PIN.
5. Notice that when prompted again for NFC scan after entering PIN that nothing happens.
6. Now remove the 4th credential for Bob.
7. Try to authenticate again using NFC YubiKey. This time it is successful.

Customers have mentioned this only started occurring after upgrading to iOS 16. I don't have test devices to confirm this statement. I've seen this behavior on both iOS 16.6 and 16.5.1
erik.parkkonen
Comment 1
2023-08-01 10:44:31 PDT
Likely related to this issue, we saw a 2nd scenario where the NFC scan is unresponsive. If the allowList has 3 credentialIDs and none of the credentials exist on the YubiKey, it seems that iOS is also unresponsive in this scenario.

To summarize both issues again.
- If 4 or more credentials are in the allowList and regardless if the credentialID exists on the key or not, NFC scan is unresponsive.

also

- If 3 or more credentials are in the allowList, and the credentialID doesn't exist on the key, NFC scan is also unresponsive. We expect the error "No Credentials Found", but instead it just hangs until it times out.
Radar WebKit Bug Importer
Comment 2
2023-08-01 13:24:42 PDT
<rdar://problem/113224345>
nuno.sung
Comment 3
2023-12-25 02:25:44 PST
I see similar phenomena, but the results are a little different on different platforms:
- macOS-12.7 + Safari 17.2 does not have this issue.
- macOS-14.2.1 + Safari 17.2 has this issue.
- iPhone13 17.2.1, iPhoneXR 17.2
  - internal NFC reader does not have this issue
  - external NFC (over ccid) reader has this issue.
- iPadOS 16.6.1 has this issue.

Besides, I see that a shorter credential-id length may cause this issue to happen only when 5 credentials are in the allowed list. So I guess this may be due to some part's buffer not being enough.
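To help test the buffer-size guess in comment 3, here is an added example (not from the bug report or from WebKit) that CBOR-encodes an allowList the way CTAP2 authenticatorGetAssertion carries it, as an array of `{"id", "type"}` descriptor maps, and reports its size for a given credential count and ID length. The ID lengths (16 and 64 bytes) and ID contents are constructed, and the figures cover only the allowList, not the rest of the command or any transport framing.

```javascript
// Added example: encoded size of a CTAP2 getAssertion allowList.
// Each entry is a PublicKeyCredentialDescriptor: {"id": <bytes>, "type": "public-key"}.

// CBOR head: major type (0-7) in the top 3 bits, followed by the length argument.
function cborHead(major, n) {
  const m = major << 5;
  if (n < 24) return Buffer.from([m | n]);
  if (n < 0x100) return Buffer.from([m | 24, n]);
  if (n < 0x10000) return Buffer.from([m | 25, n >> 8, n & 0xff]);
  throw new RangeError("length too large for this example");
}

const cborBytes = (b) => Buffer.concat([cborHead(2, b.length), b]);
const cborText = (s) => {
  const b = Buffer.from(s, "utf8");
  return Buffer.concat([cborHead(3, b.length), b]);
};

// Map keys in CTAP2 canonical order: shorter key first ("id" before "type").
function encodeDescriptor(credentialId) {
  return Buffer.concat([
    cborHead(5, 2),
    cborText("id"), cborBytes(credentialId),
    cborText("type"), cborText("public-key"),
  ]);
}

function encodeAllowList(credentialIds) {
  return Buffer.concat([
    cborHead(4, credentialIds.length),
    ...credentialIds.map(encodeDescriptor),
  ]);
}

// Size in bytes for `count` constructed credential IDs of `idLength` bytes each.
function allowListSize(count, idLength) {
  const ids = Array.from({ length: count }, (_, i) => Buffer.alloc(idLength, i + 1));
  return encodeAllowList(ids).length;
}

// Rows of { idLength, count, bytes } for comparing against observed failures.
function sizeTable(idLengths, maxCount) {
  const rows = [];
  for (const idLength of idLengths)
    for (let count = 1; count <= maxCount; count++)
      rows.push({ idLength, count, bytes: allowListSize(count, idLength) });
  return rows;
}

console.table(sizeTable([16, 64], 5)); // constructed ID lengths
```

Substituting the real credential ID lengths from an affected account shows whether the failing and passing cases on each platform separate at a consistent byte count.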