MasterKale / SimpleWebAuthn

WebAuthn, Simplified. A collection of TypeScript-first libraries for simpler WebAuthn integration. Supports modern browsers, Node, Deno, and more.
https://simplewebauthn.dev
MIT License
1.62k stars 137 forks

Registering Passkey on macOS - iCloud results in two passkeys being created #591

Closed thaoula closed 4 months ago

thaoula commented 4 months ago

Describe the issue

Hi Team,

I am using macOS Sonoma 14.5 and I have a strange issue with the registration process creating two passkeys.

One of the passkeys will work (allow login) and the other one will not work (passkey not found). Also, deleting one of the passkeys in the Mac passwords section in settings will actually delete both passkeys.

Initially I thought this was a Safari issue but it seems to be MacOS related. Chrome, Firefox and Safari result in exactly two passkeys being registered on the Mac.

In contrast, I also have 1Password installed on my computer. It has support for generating passkeys and is active as a browser plugin only in Chrome. When I register for a passkey in Chrome, 1Password attempts to answer first and it successfully creates a single passkey as expected.

I could not find anyone else having this issue.

Kind Regards, Tarek

Reproduction Steps

  1. Login to application via username and password
  2. Go to passkeys area. Click Register Passkey.
  3. Browser will present modal dialog that requires Touch ID. Use Touch ID and passkey is created.
  4. Check in database - 1 passkey created
  5. Check in Mac / Settings / Passwords - 2 passkeys created.
  6. Log out
  7. On login page click Sign In via passkey
  8. macOS displays two passkeys.
  9. Pick the first passkey (Majority of the time it works)
  10. (If first failed) Pick second passkey and it will work.
  11. Go to Mac / Settings / Passwords
  12. Search for domain and see two passkeys
  13. Delete one of them and both will be deleted.

Expected behavior

Code Samples + WebAuthn Options and Responses

Dependencies

SimpleWebAuthn Libraries

$ npm list --depth=0 | grep @simplewebauthn
├── @simplewebauthn/browser@10.0.0
├── @simplewebauthn/types@10.0.0

Additional context

MasterKale commented 4 months ago

Hello @thaoula I've seen this before, InvalidStateError doesn't get raised by iCloud Keychain so you can register over and over but only ever have a single passkey for a site. The RP thinks you've registered multiple passkeys though, and has no way to know otherwise because of the lack of an InvalidStateError from the WebAuthn call.

I thought the situation had improved recently but you appear to be on the latest macOS. I can ask around and confirm that this is simply a fact of life with the first-party Apple passkey provider 🫠
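The maintainer's reply above hinges on one WebAuthn mechanism: an RP passes the credential IDs it already holds for the user as `excludeCredentials`, and a conforming authenticator that already has one of them aborts with `InvalidStateError` instead of minting a second key. The following is an added example, not code from SimpleWebAuthn or from either participant, showing the three RP-side pieces involved: building the exclude list from stored credentials, mapping the browser-side exception to an outcome, and a server-side duplicate check keyed on the credential ID as a fallback for providers that, as described above, do not raise the error. The in-memory store, the row schema, the sample IDs and all function names are assumptions for illustration; the descriptor shape is the WebAuthn `PublicKeyCredentialDescriptor`, which is what a library such as SimpleWebAuthn ultimately emits.

```typescript
// Added example (not SimpleWebAuthn's own code). The store, schema, names and
// sample credential IDs are assumptions made for illustration.

type Transport = 'internal' | 'hybrid' | 'usb' | 'nfc' | 'ble';

// A credential row the RP has already persisted for a user (assumed schema;
// credentialId is base64url, as the WebAuthn JSON serialization uses).
export interface StoredCredential {
  userId: string;
  credentialId: string;
  transports: Transport[];
}

// WebAuthn PublicKeyCredentialDescriptor: the entries placed in excludeCredentials.
export interface CredentialDescriptor {
  type: 'public-key';
  id: string;
  transports?: Transport[];
}

// Build excludeCredentials for a registration ceremony from everything on file
// for this user. An authenticator that already holds one of these IDs is
// expected to abort with InvalidStateError rather than create another key.
export function buildExcludeCredentials(
  store: StoredCredential[],
  userId: string,
): CredentialDescriptor[] {
  return store
    .filter((c) => c.userId === userId)
    .map((c) => ({ type: 'public-key', id: c.credentialId, transports: c.transports }));
}

export type RegistrationOutcome = 'already-registered' | 'user-cancelled' | 'failed';

// Browser side: map the DOMException from navigator.credentials.create() to an
// RP-level outcome so "already registered" is not reported as a generic failure.
export function classifyRegistrationError(err: { name: string }): RegistrationOutcome {
  switch (err.name) {
    case 'InvalidStateError':
      return 'already-registered';
    case 'NotAllowedError':
      return 'user-cancelled';
    default:
      return 'failed';
  }
}

// Server side, after signature verification: the credential ID identifies one
// key pair, so an ID already stored for this user means the authenticator
// re-registered an existing passkey. Returns true only when a new row is added.
export function recordCredential(store: StoredCredential[], cred: StoredCredential): boolean {
  const duplicate = store.some(
    (c) => c.userId === cred.userId && c.credentialId === cred.credentialId,
  );
  if (duplicate) return false;
  store.push(cred);
  return true;
}

// Stand-alone walk-through with constructed data: first registration is stored,
// a replay of the same credential ID is rejected, and the exclude list grows.
const demoStore: StoredCredential[] = [];
const first: StoredCredential = { userId: 'alice', credentialId: 'Q3JlZElEMQ', transports: ['internal', 'hybrid'] };
console.log('first registration stored:', recordCredential(demoStore, first)); // true
console.log('replayed registration stored:', recordCredential(demoStore, first)); // false
console.log('excludeCredentials for alice:', buildExcludeCredentials(demoStore, 'alice'));
console.log('browser outcome:', classifyRegistrationError({ name: 'InvalidStateError' }));
```

Note that `recordCredential` does not catch the case the reporter describes, where the provider returns a fresh credential ID each time; it only prevents the RP from storing the same ID twice. The exclude list is the part that lets a provider decline, and whether it does so is up to the provider.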