Bug 259691 - [Webauthn] NFC read unresponsive when more than 3 credentials are in the allowList
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: Safari 16
Hardware: iPhone / iPad iOS 16
Importance: P2 Normal
Assignee: pascoe@apple.com
Keywords: InRadar
Reported: 2023-08-01 10:07 PDT by erik.parkkonen
Modified: 2023-12-25 02:25 PST

Description erik.parkkonen 2023-08-01 10:07:45 PDT
Discovered that NFC read is unresponsive when attempting to authenticate using WebAuthn on a FIDO2 security key like a YubiKey. 
This only seems to happen when more than 3 credentials are in the WebAuthn allowList.
- User attempts to authenticate
- User is prompted to scan NFC YubiKey
- The first NFC read is successful and then the user is next prompted for PIN
- The user is then prompted to scan their NFC Security Key again, however the system never responds to the scan.


Repro steps
1. Log in to aka.ms/webauthntest
2. Register 4 resident credentials (Require Resident Key = true) for Bob. Also require UV.
3. Try to authenticate using NFC YubiKey and make sure the Use AllowList option is selected
4. Notice that the first NFC scan is successful and the user is then prompted for PIN.
5. Notice that when prompted again for an NFC scan after entering the PIN, nothing happens.
6. Now remove the 4th credential for Bob.
7. Try to authenticate again using NFC YubiKey. This time it is successful.


Customers have mentioned this only started occurring after upgrading to iOS 16. I don't have test devices to confirm this statement.
I've seen this behavior on both iOS 16.6 and 16.5.1.
Comment 1 erik.parkkonen 2023-08-01 10:44:31 PDT
Likely related to this issue, we saw a 2nd scenario where the NFC scan is unresponsive. 

If the allowList has 3 credentialIDs and none of the credentials exist on the YubiKey, it seems that iOS is also unresponsive in this scenario.


To summarize both issues again:
- If 4 or more credentials are in the allowList, regardless of whether the credentialID exists on the key or not, the NFC scan is unresponsive.
- If 3 or more credentials are in the allowList and the credentialID doesn't exist on the key, the NFC scan is also unresponsive. We expect the error "No Credentials Found", but instead it just hangs until it times out.
Comment 2 Radar WebKit Bug Importer 2023-08-01 13:24:42 PDT
<rdar://problem/113224345>
Comment 3 nuno.sung 2023-12-25 02:25:44 PST
I see similar phenomena, but the results are a little different on different platforms:
- macOS-12.7 + Safari 17.2 does not have this issue.
- macOS-14.2.1 + Safari 17.2 has this issue.
- iPhone13 17.2.1, iPhoneXR 17.2
  - the internal NFC reader does not have this issue
  - an external NFC (over CCID) reader has this issue.
- iPadOS 16.6.1 has this issue.

Besides, I see that a shorter credential-id length may cause this issue to happen only when there are 5 credentials in the allowed list. So I guess this may be due to some part's buffer not being large enough.
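
Comment 3 ties the failure threshold to credential-ID length, so when reproducing it helps to record how many bytes a given allowList occupies once it is CBOR-encoded for the authenticator. The following is an added example, not code from WebKit or from any commenter on this bug: it computes that size from the CTAP2 credential descriptor layout and says nothing about where any buffer limit actually lies. Assumptions: no `transports` member is sent, and the function names and the 16- and 64-byte ID lengths are constructed for illustration.

```javascript
// Added example (not WebKit code): encoded size of a CTAP2 allowList.
// Each entry is the CBOR map {"id": <bytes>, "type": "public-key"}.
// Assumption: no optional "transports" member is included.

// Size of a CBOR head: 1 initial byte plus 0/1/2/4/8 length bytes.
function cborHeadSize(n) {
  if (n < 24) return 1;
  if (n < 0x100) return 2;
  if (n < 0x10000) return 3;
  if (n < 0x100000000) return 5;
  return 9;
}

// Encoded size of one descriptor holding an idLength-byte credential ID.
function descriptorSize(idLength) {
  const mapHead = cborHeadSize(2);                    // map with 2 pairs
  const idKey = cborHeadSize(2) + 2;                  // text "id"
  const idValue = cborHeadSize(idLength) + idLength;  // byte string
  const typeKey = cborHeadSize(4) + 4;                // text "type"
  const typeValue = cborHeadSize(10) + 10;            // text "public-key"
  return mapHead + idKey + idValue + typeKey + typeValue;
}

// Encoded size of the whole allowList array for the given ID lengths.
function allowListSize(idLengths) {
  const body = idLengths.reduce((sum, len) => sum + descriptorSize(len), 0);
  return cborHeadSize(idLengths.length) + body;
}

// Same, taking the allowCredentials array given to navigator.credentials.get().
function allowListSizeFromOptions(allowCredentials) {
  return allowListSize(allowCredentials.map((c) => c.id.byteLength));
}

// Rows of {count, bytes} for 1..maxCount credentials of equal ID length.
function sizeTable(idLength, maxCount) {
  const rows = [];
  for (let count = 1; count <= maxCount; count++) {
    rows.push({ count, bytes: allowListSize(new Array(count).fill(idLength)) });
  }
  return rows;
}

// Constructed ID lengths, for illustration only.
for (const len of [16, 64]) {
  console.log(`id length ${len}:`, JSON.stringify(sizeTable(len, 5)));
}
```

Logging `allowListSizeFromOptions(options.allowCredentials)` next to each pass or fail result makes it possible to compare thresholds across the platforms listed in comment 3 by encoded size rather than by credential count alone.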