Closed afridi26 closed 2 years ago
I had to look because I know I had specifically addressed this, but yes, it is definitely an issue in current master branch. This is fixed in server.RequestNewCredential() in the fido-testing branch as this scenario is tested by the conformance test tool.
I have tested this locally and the same behaviour is on https://webauthn.io/. Need to deploy fresh version :) thanks
Not sure if this is related, but when registering the same username multiple times and then trying to log in, the RP sends multiple authenticatorGetAssertion calls with a single credential in allowList rather than all credentials like the spec says. For example this happens when you respond with CTAP2_ERR_CREDENTIAL_EXCLUDED for the first credential.
Looking at the browser console, I see the public keys in a single array, but the authenticator only receives one at a time.
Possibly related to this: https://chromium-review.googlesource.com/c/chromium/src/+/1629587
Hi @aseigler @nicksteele, do you know if this issue fixed in master? I just observed a similar error with double registration on top of tree master and wondering if it's the same bug. As I see the fido-testing fix has not yet been merged into master.
As far as I know, it is not fixed in master.
I believe this is fixed in the latest "v2" version of this site. I'm getting told by Chrome when I've tried re-registering something at least:
(Weird that it says "security key" when I tried to enroll the platform authenticator, but that's a Chrome problem)
Hi, while playing around with webauthn.io I tried to register the same user twice, and even three times and more. What I believe is that for the same username the library must send excludeCredentials, which tells the authenticator the public keys already existing for a given user; it is provided by the relying party's server if it wants to prevent the creation of new credentials for an existing user. Link for excludeCredentials field
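The two RP-side behaviours raised in this thread, building excludeCredentials from the user's existing credentials at registration (this issue) and sending every credential of the user in a single allowCredentials list at login (the earlier comment about repeated authenticatorGetAssertion calls), can be shown together in a few lines. The following is an added example written for this thread, not code from the webauthn library or from webauthn.io; it uses no library API, and the in-memory `Store`, the `StoredCredential` record and the sample credential IDs are constructed for illustration only. It also adds the server-side check the first reply refers to: rejecting a credential ID that is already registered, since a client is not obliged to honour the exclude list.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
)

// ErrCredentialExists is returned when an authenticator hands back a
// credential ID that some user already registered.
var ErrCredentialExists = errors.New("credential ID already registered")

// ErrUnknownUser is returned for assertion requests naming an unregistered user.
var ErrUnknownUser = errors.New("unknown user")

// CredentialDescriptor mirrors the WebAuthn PublicKeyCredentialDescriptor
// dictionary as it is serialised into excludeCredentials / allowCredentials.
// Credential IDs travel base64url-encoded (unpadded) in the JSON the RP sends.
type CredentialDescriptor struct {
	Type string `json:"type"`
	ID   string `json:"id"`
}

// StoredCredential is the minimal per-credential record an RP keeps
// (a real RP also tracks the signature counter, AAGUID, etc.).
type StoredCredential struct {
	ID        []byte
	PublicKey []byte
}

// Store is a constructed in-memory credential store standing in for the
// RP's database (hypothetical, for this example only).
type Store struct {
	mu        sync.Mutex
	byUser    map[string][]StoredCredential // username -> credentials
	ownerOfID map[string]string             // base64url(credential ID) -> username
}

func NewStore() *Store {
	return &Store{byUser: map[string][]StoredCredential{}, ownerOfID: map[string]string{}}
}

func encodeID(id []byte) string { return base64.RawURLEncoding.EncodeToString(id) }

func descriptors(creds []StoredCredential) []CredentialDescriptor {
	out := make([]CredentialDescriptor, 0, len(creds))
	for _, c := range creds {
		out = append(out, CredentialDescriptor{Type: "public-key", ID: encodeID(c.ID)})
	}
	return out
}

// RegistrationOptions returns the excludeCredentials list for a username:
// every credential already stored for that user. An authenticator holding
// one of them answers CTAP2_ERR_CREDENTIAL_EXCLUDED instead of creating a
// second credential for the same account.
func (s *Store) RegistrationOptions(username string) []CredentialDescriptor {
	s.mu.Lock()
	defer s.mu.Unlock()
	return descriptors(s.byUser[username])
}

// FinishRegistration stores a new credential, refusing any credential ID
// that is already registered to any user. This is the server-side check
// that backs up excludeCredentials, because a client may ignore the list.
func (s *Store) FinishRegistration(username string, cred StoredCredential) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := encodeID(cred.ID)
	if _, taken := s.ownerOfID[key]; taken {
		return ErrCredentialExists
	}
	s.ownerOfID[key] = username
	s.byUser[username] = append(s.byUser[username], cred)
	return nil
}

// AssertionOptions returns one allowCredentials list holding all of the
// user's credentials, so the client issues a single authenticatorGetAssertion
// carrying the whole allowList rather than one call per credential.
func (s *Store) AssertionOptions(username string) ([]CredentialDescriptor, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	creds, ok := s.byUser[username]
	if !ok {
		return nil, ErrUnknownUser
	}
	return descriptors(creds), nil
}

func main() {
	s := NewStore()
	// Constructed sample credential IDs; real ones are random bytes chosen by the authenticator.
	_ = s.FinishRegistration("alice", StoredCredential{ID: []byte{1, 2, 3}})
	_ = s.FinishRegistration("alice", StoredCredential{ID: []byte{4, 5, 6}})
	exclude, _ := json.Marshal(s.RegistrationOptions("alice"))
	fmt.Println("excludeCredentials:", string(exclude))
	allow, _ := s.AssertionOptions("alice")
	allowJSON, _ := json.Marshal(allow)
	fmt.Println("allowCredentials:", string(allowJSON))
	fmt.Println("duplicate ID rejected:", s.FinishRegistration("bob", StoredCredential{ID: []byte{1, 2, 3}}))
}
```

Registering "alice" a second time yields an excludeCredentials list with both of her credential IDs, her login options carry both IDs in one allowCredentials list, and a registration that returns an already-known credential ID is refused regardless of which username it arrives under.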