When the passkey is generated with the user verification required option on macOS (w/ device password and w/o Touch ID), the operation prompts the user to perform UV with the device password. This is expected behavior.
But after successful registration, when trying to sign in with the auto-fill feature (conditional mediation), the sign-in process fails on the RP side.
- RP sets UV as `required` (since the generated credential is protected by UV and the RP would like to perform MFA with UV)
- Safari shows the user account (which was registered before)
- Select the registered user account
- No UV is performed and Safari returns the assertion response
- RP rejects the assertion response since the requested options are not respected (expected UV flag is `true`, but currently the UV flag is set as `false` with no UV performed).
- When authentication is requested with Modal UI, then the authentication performs the UV and the returned UV flag is set as `true`. (correct and expected behavior)
Expected behavior
- Safari should respect UV required when handling such request with Auto-fill.
FYI, I have not tested this scenario with other macOS (w/ Touch ID).
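
The RP-side check that rejects the auto-fill response in this report, as an added example (not code from the report or from any RP library): it reads the UP and UV bits from the `authenticatorData` flags byte and enforces the `userVerification` value the RP requested. The function names and the sample bytes are assumptions constructed for illustration; a full verification also checks the rpIdHash, challenge, origin and signature, which are out of scope here.

```javascript
// Flag bits in byte 32 of authenticatorData (WebAuthn specification).
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified

// Parse the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4, big-endian).
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error('authenticatorData too short');
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Enforce the policy the RP put in its request options.
// requestedUv: 'required' | 'preferred' | 'discouraged'
function checkUserVerification(bytes, requestedUv) {
  const data = parseAuthenticatorData(bytes);
  if (!data.userPresent) return { ok: false, reason: 'UP flag not set' };
  if (requestedUv === 'required' && !data.userVerified) {
    return { ok: false, reason: 'UV required but UV flag is false' };
  }
  return { ok: true, reason: null, userVerified: data.userVerified };
}

// Constructed sample data (hypothetical helper, not captured from a real authenticator).
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37); // rpIdHash left as zeros for the demo
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

const autofillResponse = sampleAuthData(FLAG_UP, 1);        // UP only, as in the report
const modalResponse = sampleAuthData(FLAG_UP | FLAG_UV, 2); // UP and UV both set

console.log(checkUserVerification(autofillResponse, 'required'));
console.log(checkUserVerification(modalResponse, 'required'));
```

The check runs on the server against the signed `authenticatorData`, so the RP's MFA decision does not depend on the browser having honored the requested option.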