271747 – webauthn autofill no longer prefers passkeys

Bug 271747 - webauthn autofill no longer prefers passkeys

Summary: webauthn autofill no longer prefers passkeys

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	New Bugs (show other bugs)
Version:	Safari 17
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2024-03-26 23:52 PDT by James Manger
Modified:	2024-05-20 13:23 PDT (History)
CC List:	7 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description James Manger 2024-03-26 23:52:01 PDT

A sign-in process that supports passkey and username+password options will often start with a form with a username field that has autocomplete="username webauthn" and a webauthn sign-in started with conditional-mediation. The user will often have a password saved for the site (in the iOS and/or Chrome password manager). Users with a passkey will also have that in their password manager.

iOS used to offer a great user experience (on iOS 17.3 with Chrome or Safari). Safari and Chrome would offer passkey as the first choice. Tap the username field; tap your offered passkey; Face ID; and you are signed-in.

Now the experience has been broken in many circumstances.

Chrome will offer the saved password, not the passkey. The key icon beside the offered password option brings up a list with passwords and passkeys; however selecting the passkey does not work -- it autofills username+password, but does not perform a passkey sign-in.

Safari will sometimes offer the passkey and sometimes a password. The key icon beside the offered password option brings up a list with passwords and passkeys; however selecting the passkey does not work -- it autofills username+password, but does not perform a passkey sign-in.

The option to sign-in with a cross-platform passkey is no longer available.

It is no longer clear how or if a website can trigger a great user experience that supports a customer base with mix of passkeys, passwords, and both.

Comment 1 James Manger 2024-03-26 23:54:55 PDT

Also noted on a FIDO Alliance public forum:
Passkey autofill stopped working on iOS 17.4 ASWebAuthenticationSession.
https://groups.google.com/a/fidoalliance.org/g/fido-dev/c/JuEW2uT_83Q

Comment 2 Radar WebKit Bug Importer 2024-04-02 23:52:12 PDT

<rdar://problem/125831008>

Comment 3 wring_thrower.0a 2024-04-18 17:06:47 PDT

+1 this behavior severely impacts the end to end flow for passkey adoption on web/webview.

Comment 4 small.koala 2024-04-23 16:41:27 PDT

Still occurring in the latest iOS17.5 beta 3 released today.

Comment 5 Yuriy Ackermann 2024-05-20 12:34:31 PDT

Still occurring in the latest iOS17.5.

Comment 6 Yuriy Ackermann 2024-05-20 12:53:03 PDT

Still occurring in the latest iOS17.5.1 beta.

Comment 7 Yuriy Ackermann 2024-05-20 13:23:48 PDT

After additional exploration, I found that only iCloud passkeys don't work. If you are using alternative passkey/password providers such as Dashlane, it works fine, so maybe iCloud Keychain issues?