How to specify the excludedCredentials when a passkey is created?

Question

Created Jan ’23

Replies 5

Boosts 1

Views 2.1k

Participants 6

There is no excludedCredentials parameter on the platform authenticator creation interface of Native API. ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.

The excludedCredentials parameter is used to prevent the inconsistency between the public keys managed on RP and the private keys managed on authenticator. In particular, a passkey is created for each RPID and user_id. If a user tries to re-register a passkey with the same RPID and user_id, the existing passkey will be overwritten. But there is no way for RP to detect it. This can be confusing for the user as they might see multiple credentials on the RP, but only one on the authenticator.

By the way, there is the excludedCredentials parameter on the security key interface. ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest

I’d like to know if there is a way to specify excludedCredentials on the platform authenticator interface also like the security key interface. Or, is there any way to prevent the credential inconsistency between RP and platform authenticator?

Boost

Answer 1

Systems Engineer OP

Apple

Jan ’23

There is no way to set excludeCredentials for passkeys currently. The experience of using it in the spec is strange: to the user they go through the full registration and it looks like they got a new credential, but behind the scenes the developer got an error saying they already had a credential. To this point, we've been assuming there isn't a realistic scenario where we expect this to happen and it would result in a good user experience. The use case you've described makes some sense though.

Can you file this request through Feedback Assistant? Please explain the use case you have in mind where a user might actually go through a registration flow while they have an existing credential and not expect to get a new one.

0

Answer 2

kokukuma OP

Jan ’23

garrett-davidson

Thank you for your reply! (I try to Add a Comment, but it looks not working ...)

The experience of using it in the spec is strange: to the user they go through the full registration and it looks like they got a new credential, but behind the scenes the developer got an error saying they already had a credential.

I see... if my understanding is correct, in this case, the client(browser/mobile os) should return an error instead to create a new credential according to the WebAuthn spec. https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-excludecredentials

But the looks like they got a new credential means that the finish of local biometrics authentication looks like a new credential is created from a user point of view, right...?

Can you file this request through Feedback Assistant? Please explain the use case you have in mind where a user might actually go through a registration flow while they have an existing credential and not expect to get a new one.

I sent Feedback also. https://feedbackassistant.apple.com/feedback/11943515

But there was not so detailed explanation of the use case. So I will add it!

0

Answer 3

amitnadir@pingidentity.com OP

Oct ’23

Added feedback also: https://feedbackassistant.apple.com/feedback/13223323 as the excludeCredentials seems to be required. Thanks!

1

Answer 4

lienhage OP

Dec ’23

Has this been resolved?

0

Answer 5

BartoszMilew OP

Apr ’24

any news ?

0