RESOLVED FIXED 302813
WebAuthn auth attempts with ["nfc"] in allowCredentials hard-locks macOS Safari 26.1
https://bugs.webkit.org/show_bug.cgi?id=302813
Matthew Miller (Cisco)
Reported 2025-11-19 11:49:03 PST
Created attachment 477442 [details]
Repro HTML document, to be hosted at http://localhost(:whatever)

## Summary

Safari will hardlock when a WebAuthn authentication ceremony is triggered with a single allowCredentials entry containing `["nfc"]` for transports. You cannot cancel out of the platform modal that prompts you to use a security key.

Additionally, triggering a similar authentication ceremony with a single allowCredentials entry containing `["nfc", "usb"]` will allow the platform modal to be cancelled out of, but will never allow the corresponding security key to be used to complete the auth.

`allowCredentials` must be empty for impacted security keys to become usable for auth.

## Requirements

- macOS 26.1
- A USB NFC reader
- An NFC-capable security key, like a YubiKey Security Key or a YubiKey 5

## Repro Steps

1. Download the attached index.html
2. Host the HTML file at http://localhost(:whatever)
3. Navigate to http://localhost(:whatever)
4. Open Safari dev console
5. Complete Step 1 to register a passkey
6. Attempt Step 2a to call WebAuthn's `.get()` with `allowCredentials` containing a single entry with `transports: ["nfc"]`
7. Force-quit out of Safari because you cannot cancel the platform modal (see step_2a.png for what is shown after making the `.get()` call)
8. Go back to http://localhost(:whatever) and re-open the Safari dev console
9. Complete Step 1 again to register another passkey
10. Attempt Step 2b to call WebAuthn's `.get()` with `allowCredentials` containing a single entry with `transports: ["nfc", "usb"]`
11. Observe that the just-registered security key cannot be used to trigger auth.
12. Cancel out of the platform modal
13. Attempt Step 2c to call WebAuthn's `.get()` with an empty `allowCredentials` array
14. Use the registered security key to return an authentication response as expected

## Expected Behavior

Safari supports use of NFC security keys when allowCredentials is populated.
Attachments
Repro HTML document, to be hosted at http://localhost(:whatever) (4.66 KB, text/html)
2025-11-19 11:49 PST, Matthew Miller (Cisco)
no flags
A screenshot of what Safari 26.1 shows when you get stuck on Step 2a or Step 2b (168.08 KB, image/png)
2025-11-19 11:49 PST, Matthew Miller (Cisco)
no flags
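An added example (not the attachment from this report, and not WebKit code): a client-side pre-flight check that maps WebAuthn request options to the three behaviours the report describes for macOS Safari 26.1. The function names, the server JSON shape and the sample values are assumptions made for illustration.

```javascript
// Added example: pre-flight check for WebAuthn request options against the
// three behaviours reported in this bug. Function names are hypothetical.

// Outcomes reported for macOS Safari 26.1, keyed by the sorted transports
// of a single allowCredentials entry.
const REPORTED = {
  "nfc": { status: "hang", step: "2a" },         // modal cannot be cancelled
  "nfc,usb": { status: "unusable", step: "2b" }, // cancellable, key never works
};

// Decode a base64url string (as a server would send it) to bytes.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Convert server JSON (assumed shape) into PublicKeyCredentialRequestOptions.
function toRequestOptions(json) {
  return {
    challenge: b64urlToBytes(json.challenge),
    rpId: json.rpId,
    allowCredentials: (json.allowCredentials || []).map((c) => ({
      type: "public-key",
      id: b64urlToBytes(c.id),
      transports: c.transports,
    })),
  };
}

// Classify options by the behaviour the report observed for that shape.
function preflight(publicKey) {
  const list = publicKey.allowCredentials || [];
  if (list.length === 0) return { status: "ok", step: "2c" };
  if (list.length === 1 && Array.isArray(list[0].transports)) {
    const key = [...new Set(list[0].transports)].sort().join(",");
    if (REPORTED[key]) return REPORTED[key];
  }
  return { status: "untested", step: null }; // shape not covered by the report
}

// Constructed sample input: the credential id and challenge are made up.
const SAMPLE = { challenge: "AAECAwQFBgc", rpId: "localhost",
  allowCredentials: [{ id: "3q2-7w", transports: ["usb", "nfc"] }] };
```

A caller would run `preflight(toRequestOptions(json))` before `navigator.credentials.get({ publicKey })` and log or branch on any status other than `"ok"`.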
Matthew Miller (Cisco)
Comment 1 2025-11-19 11:49:40 PST
Created attachment 477443 [details] A screenshot of what Safari 26.1 shows when you get stuck on Step 2a or Step 2b
Radar WebKit Bug Importer
Comment 2 2025-11-26 11:49:10 PST
pascoe@apple.com
Comment 3 2025-12-16 11:11:33 PST
EWS
Comment 4 2025-12-17 09:40:09 PST
Committed 304605@main (24cc11a36603): <https://commits.webkit.org/304605@main> Reviewed commits have been landed. Closing PR #55490 and removing active labels.