We’ve observed a couple of concerning alterations in the passkey registration and authentication behaviour in iOS 17.4.1:
- During passkey registration, the “excludeCredentials” property is ignored. The existing passkey is silently overwritten and no error is reported from navigator.credentials.create (both Safari and Chrome).
However, according to the W3C spec, when “excludeCredentials” is present in the PublicKeyCredentialCreationOptions: “The client is requested to return an error if the new credential would be created on an authenticator that also contains one of the credentials enumerated in this parameter.” The PublicKeyCredentialCreationOptions we use:
{
  "credCreateOptions": {
    "rp": {
      "name": "RP name"
    },
    "user": {
      "name": "username",
      "id": "abcd"
    },
    "challenge": "56elsKE5pKgEECg-fJpLl3gF33ACRSVBl00Mn03JAIk",
    "pubKeyCredParams": [
      {
        "type": "public-key",
        "alg": -7
      }
    ],
    "excludeCredentials": [
      {
        "type": "public-key",
        "id": "abcd"
      }
    ],
    "authenticatorSelection": {
      "authenticatorAttachment": "platform",
      "userVerification": "required"
    },
    "hints": [
      "client-device"
    ],
    "attestation": "direct",
    "extensions": null
  }
}
This behaviour is different from what is observed on iOS 17.3.1 where the registration call to navigator.credentials.create with the same options produces the following error: “At least one credential matches an entry of the excludeCredentials list in the platform attached authenticator”
- During passkey login flow, iOS 17.4.1 ignores
"hints": [ "client-device" ]
According to https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/create#client-device, hints specify what authentication UI the user agent should provide for the user. “client-device” requests that the user authenticate using their own device, such as a phone.
Here’s our PublicKeyCredentialRequestOption:
{
  "credRequestOptions": {
    "challenge": "xk_wd1BaVue7mOZ-UM_KVj6Z4AmGxf12_7H1Gilq01I",
    "timeout": 300000,
    "allowCredentials": [
      {
        "type": "public-key",
        "id": "abcd",
        "transports": [
          "internal"
        ]
      }
    ],
    "userVerification": "required",
    "hints": [
      "client-device"
    ],
    "extensions": null
  }
}
However, iOS 17.4.1 gives the user an option to sign in with another device. On iOS 17.3.1, the request to navigator.credentials.get with the same PublicKeyCredentialRequestOptions presents the UI screen without the “Sign In with Another Device” option.
Is that a bug in iOS 17.4.1 or intended behaviour? This does not follow the official specs and differs from other platforms like Android.
Is there any documentation around this change on iOS 17.4.1? That would be helpful.
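As an added example (not code from the post, nor from Apple or any browser vendor), a client-side check for the first issue: it converts the post's JSON-form options into the BufferSource form navigator.credentials.create takes, then compares the returned rawId against the excludeCredentials list so the RP's page fails closed instead of silently accepting an overwritten passkey. The registerPasskey wrapper and its injectable create parameter are assumptions for illustration; the options object is a constructed copy of the one in the post.

```javascript
// Constructed copy of the post's credCreateOptions (JSON form: ids and challenge are base64url strings).
const credCreateOptions = {
  rp: { name: "RP name" }, user: { name: "username", id: "abcd" },
  challenge: "56elsKE5pKgEECg-fJpLl3gF33ACRSVBl00Mn03JAIk",
  pubKeyCredParams: [{ type: "public-key", alg: -7 }],
  excludeCredentials: [{ type: "public-key", id: "abcd" }],
  authenticatorSelection: { authenticatorAttachment: "platform", userVerification: "required" },
  hints: ["client-device"], attestation: "direct",
};

// base64url string -> Uint8Array (atob exists in browsers and in Node >= 16).
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// The WebAuthn dictionary wants BufferSource for challenge, user.id and each excluded id, not strings.
function toCreateOptions(opts) {
  return {
    publicKey: {
      ...opts,
      challenge: base64urlToBytes(opts.challenge),
      user: { ...opts.user, id: base64urlToBytes(opts.user.id) },
      excludeCredentials: (opts.excludeCredentials || []).map((c) => ({ ...c, id: base64urlToBytes(c.id) })),
    },
  };
}

const bytesEqual = (a, b) => a.length === b.length && a.every((x, i) => x === b[i]);

// After create() resolves: return the excluded id (base64url) the new credential collides with, or null.
// A non-null result means the client ignored excludeCredentials and the stored passkey was replaced,
// which is exactly the silent overwrite the post describes on iOS 17.4.1.
function findExcludedCollision(opts, rawId) {
  const returned = new Uint8Array(rawId);
  for (const c of opts.excludeCredentials || []) {
    if (bytesEqual(base64urlToBytes(c.id), returned)) return c.id;
  }
  return null;
}

// Hypothetical RP-page wrapper: surface the spec violation instead of treating the overwrite as success.
// In a browser, `create` defaults to navigator.credentials.create; tests can inject a stand-in.
async function registerPasskey(opts, create = (o) => navigator.credentials.create(o)) {
  const cred = await create(toCreateOptions(opts));
  const hit = findExcludedCollision(opts, cred.rawId);
  if (hit !== null) throw new Error(`client ignored excludeCredentials: new credential reuses id ${hit}`);
  return cred;
}
```

Logging the thrown error server-side gives a per-client signal of which user agents ignore excludeCredentials, which is more useful than the absent error the post reports.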