top | item 47193364

lxgr | 1 day ago

I consider myself pretty sophisticated with passkeys (I wrote a toy implementation of WebAuthn once to understand them better), and yet I still get tripped up by this sometimes: not via intentional deletion, but accidental overwriting.

As far as I understand, there are several ways to enforce per-account passkey uniqueness via WebAuthn, but every once in a while, some site will somehow not realize that I have a passkey for them available already, they will offer to create a new one for me, and my password manager (Bitwarden) will do this by overwriting the old/existing passkey.

Now consider a synchronization hiccup (updating my password manager storage and the relying party's backend is not atomic), and I could totally see my passkey get lost.

namibj | 22 hours ago

That sounds like broken behavior from your password manager: deleting credentials without making that destructive action clear enough to prevent minor levels of negligence from accidentally destroying them.

lxgr | 20 hours ago

I think it's actually the RP being broken, not my authenticator. Conceptually, it's the RP's burden to either avoid this situation or allow eventual consistency:

There's an explicit mechanism in WebAuthn to avoid duplicate credential generation (excludeCredentials). If an RP still insists on rotating, what they should be doing is to first add the new credential, perform a successful authentication with it, and then retire the old one.

So the problem only happens if a "single passkey only" site does not support excludeCredentials, as far as I can tell.

ezfe | 1 day ago

What you describe is annoying but not an issue if the website doesn't use the passkey for encryption, so definitely a good recommendation.