Today, when trying to log in with a username of "test", I got the error "The allowCredentials attribute exceeds the maximum allowed size (64)". This error comes from Chrome's implementation (https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/credentialmanagement/credentials_container.cc;l=929?q=allowCredentials%2064&ss=chromium).
It appears the cause of this is that "test" is a popular username, so many people have registered keys with that name. When performing a login, webauthn.io client code requests all registered IDs for the given username from the server, and puts all of them in allowCredentials.
One possible fix for this would be to limit how many keys can be registered for a given username.
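A sketch of the suggested limit, added here as an example; it is not part of the original report and not webauthn.io's code. `CredentialStore`, its methods and the sample data are hypothetical, and the only value taken from the report is the 64-entry limit in Chrome's error message. It enforces the cap at registration and also bounds the list at login, so accounts that exceeded the limit before it existed still get a valid allowCredentials.

```javascript
// Added example: hypothetical server-side helper, not webauthn.io's code.
const MAX_ALLOW_CREDENTIALS = 64; // limit quoted in Chrome's error message

// In-memory stand-in for the server's credential table.
class CredentialStore {
  constructor(maxPerUser = MAX_ALLOW_CREDENTIALS) {
    this.maxPerUser = maxPerUser;
    this.byUser = new Map(); // username -> [{ id, lastUsed }]
  }

  // Registration-time check: refuse new keys once the username is at the cap.
  register(username, credentialId, now = Date.now()) {
    const creds = this.byUser.get(username) ?? [];
    if (creds.some((c) => c.id === credentialId)) {
      return { ok: false, reason: "duplicate" };
    }
    if (creds.length >= this.maxPerUser) {
      return { ok: false, reason: "limit" };
    }
    creds.push({ id: credentialId, lastUsed: now });
    this.byUser.set(username, creds);
    return { ok: true };
  }

  // Login-time check: usernames already over the cap get only their most
  // recently used keys, so the list never exceeds what the browser accepts.
  // IDs are strings here, as they would be when sent to the client in JSON.
  allowCredentials(username) {
    const creds = this.byUser.get(username) ?? [];
    return [...creds]
      .sort((a, b) => b.lastUsed - a.lastUsed)
      .slice(0, MAX_ALLOW_CREDENTIALS)
      .map((c) => ({ type: "public-key", id: c.id }));
  }
}

// Constructed scenario: a shared username that collected 100 keys before the cap.
function demo() {
  const store = new CredentialStore();
  const legacy = Array.from({ length: 100 }, (_, i) => ({ id: `cred-${i}`, lastUsed: i }));
  store.byUser.set("test", legacy);
  const list = store.allowCredentials("test");
  const rejected = store.register("test", "cred-new");
  const fresh = store.register("alice", "cred-a");
  return { listLength: list.length, first: list[0].id, rejected, fresh };
}
```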