Created attachment 470448 [details] A video showing the reproduction steps. Safari on MacOS 14.4 seems to overwrite an existing credential on a FIDO2 security key during an authentication ceremony under certain circumstances. This generally presents itself when a credential is registered, the key is unplugged, and then the key is plugged in again to authenticate. Steps below shown with Safari, but this is also reproduced similarly with Firefox 123. While the exact symptoms vary between security keys from different manufacturers, this issue doesn't seem to be limited to a single manufacturer. Steps below completed with a YubiKey 5 with Firmware 5.4.3. Steps to reproduce: 1. Reset a security key so that it is in the default state. 2. Navigate to any website that uses WebAuthn, like webauthn.io. 3. Insert a security key. 4. Register a credential, it seems most reliable to repro by only changing attachments=cross-platform 5. Next authenticate with the security key, note that authentication is successful. 6. Remove the security key. 7. Go to another device to prove that the credential exists on the security key. a. Example: go to a Windows device to webauthn.io and authenticate with the security key b. Success 8. Go back to webauthn.io using Safari on macOS and authenticate. 9. Plug in the security key, the key may act unresponsive and instead of blinking will stay lit up for 15 seconds. 10. Cancel the webauthn request. 11. Authenticate again. 12. The user will see the error message “No Credentials Found” 13. Go back to Windows device to webauthn.io and authenticate with the security key. The user sees “The security doesn’t look familiar. Please try a different one”
There is an extremely similar issue presenting on Firefox 123: https://bugzilla.mozilla.org/show_bug.cgi?id=1886569 leading me to believe this may be a bug in an OS component shared by both Firefox and Safari.
<rdar://problem/125127381>