§5.8.8. User-agent Hints Enumeration (enum PublicKeyCredentialHints) defines some behaviour for how hints are interpreted relative to each other:

> Hints are provided in order of decreasing preference so, if two hints are contradictory, the first one controls. Hints may also overlap: if a more-specific hint is defined a Relying Party may still wish to send less specific ones for user-agents that may not recognise the more specific one.

But there's nothing explicit about what happens if a hint appears more than once:

A particularly adversarial reader could read this example as:

- "security-key" is preferred over "client-device",
- "client-device" is preferred over "security-key",
- therefore the preference order is not well defined!

Perhaps more likely is that implementation bugs could inadvertently end up with that kind of logic if the implementation does not take care to check whether or not a hint has already been encountered.
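To make the failure mode concrete, here is an added example (not code from the WebAuthn spec or from this issue) that contrasts a naive pairwise "appears earlier" comparator, which becomes contradictory as soon as a hint is repeated, with a comparator that first deduplicates the list by keeping each recognised hint's first occurrence. The sample `hints` array is constructed for illustration; the recognised values are the three members of PublicKeyCredentialHints, and unrecognised strings are dropped so that a user-agent that does not know a newer hint still behaves sensibly.

```javascript
// Added example, not part of the spec or the issue text.
// The three hint values defined in PublicKeyCredentialHints.
const KNOWN_HINTS = new Set(["security-key", "client-device", "hybrid"]);

// Keep the first occurrence of each recognised hint; repeats and
// unrecognised values are dropped, so the resulting order is total.
function normalizeHints(hints) {
  const seen = new Set();
  const ordered = [];
  for (const h of hints) {
    if (!KNOWN_HINTS.has(h) || seen.has(h)) continue;
    seen.add(h);
    ordered.push(h);
  }
  return ordered;
}

// Naive comparator: "a is preferred over b" if some occurrence of a
// precedes some occurrence of b. With a repeated hint this relation
// holds in both directions, i.e. the preference order is ill-defined.
function naivePrefers(hints, a, b) {
  for (let i = 0; i < hints.length; i++) {
    for (let j = 0; j < hints.length; j++) {
      if (hints[i] === a && hints[j] === b && i < j) return true;
    }
  }
  return false;
}

// Well-defined comparator: rank by first occurrence after normalising.
function prefers(hints, a, b) {
  const ordered = normalizeHints(hints);
  const ia = ordered.indexOf(a);
  const ib = ordered.indexOf(b);
  if (ia === -1 || ib === -1) return false;
  return ia < ib;
}

// Constructed sample input: "security-key" is repeated and one value is
// not a hint any user-agent recognises.
const SAMPLE_HINTS = ["security-key", "client-device", "security-key", "unknown-hint"];
```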
Proposed Change
Add to §5.8.8. User-agent Hints Enumeration (enum PublicKeyCredentialHints):