How to specify the excludedCredentials when a passkey is created?

There is no excludedCredentials parameter on the platform authenticator creation interface of Native API. ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.

The excludedCredentials parameter is used to prevent the inconsistency between the public keys managed on RP and the private keys managed on authenticator. In particular, a passkey is created for each RPID and user_id. If a user tries to re-register a passkey with the same RPID and user_id, the existing passkey will be overwritten. But there is no way for RP to detect it. This can be confusing for the user as they might see multiple credentials on the RP, but only one on the authenticator.

By the way, there is the excludedCredentials parameter on the security key interface. ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest

I’d like to know if there is a way to specify excludedCredentials on the platform authenticator interface also like the security key interface. Or, is there any way to prevent the credential inconsistency between RP and platform authenticator?

Up vote post of kokukuma Down vote post of kokukuma
1.5k views
Posted by
kokukuma
Reply
Add a Comment

Replies

There is no way to set excludeCredentials for passkeys currently. The experience of using it in the spec is strange: to the user they go through the full registration and it looks like they got a new credential, but behind the scenes the developer got an error saying they already had a credential. To this point, we've been assuming there isn't a realistic scenario where we expect this to happen and it would result in a good user experience. The use case you've described makes some sense though.

Can you file this request through Feedback Assistant? Please explain the use case you have in mind where a user might actually go through a registration flow while they have an existing credential and not expect to get a new one.

Posted by
garrett-davidson
Up vote reply of garrett-davidson Down vote reply of garrett-davidson

  • Thank you for your reply!

    The experience of using it in the spec is strange: to the user they go through the full registration and it looks like they got a new credential,

    I see... if my understanding is correct, in this case, the client(browser/mobile os) should return an error instead to create a new credential according to the WebAuthn spec.

    kokukuma
  • Can you file this request through Feedback Assistant?

    I sent Feedback also. https://feedbackassistant.apple.com/feedback/11943515

    But there was not so detailed explanation of the use case. So I will add it!

    kokukuma

  • (maybe I missed to submit... sorry if it is duplicated) Thank you for your reply!

    The experience of using it in the spec is strange: to the user they go through the full registration and it looks like they got a new credential,

    I see... if my understanding is correct, in this case, the client(browser/mobile os) should return an error instead to create a new credential according to the WebAuthn spec. https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-excludecredentials

    kokukuma

garrett-davidson

Thank you for your reply! (I try to Add a Comment, but it looks not working ...)

The experience of using it in the spec is strange: to the user they go through the full registration and it looks like they got a new credential, but behind the scenes the developer got an error saying they already had a credential.

I see... if my understanding is correct, in this case, the client(browser/mobile os) should return an error instead to create a new credential according to the WebAuthn spec. https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-excludecredentials

But the looks like they got a new credential means that the finish of local biometrics authentication looks like a new credential is created from a user point of view, right...?

Can you file this request through Feedback Assistant? Please explain the use case you have in mind where a user might actually go through a registration flow while they have an existing credential and not expect to get a new one.

I sent Feedback also. https://feedbackassistant.apple.com/feedback/11943515

But there was not so detailed explanation of the use case. So I will add it!

Posted by
kokukuma
Up vote reply of kokukuma Down vote reply of kokukuma
Add a Comment

Added feedback also: https://feedbackassistant.apple.com/feedback/13223323 as the excludeCredentials seems to be required. Thanks!

Posted by
amitnadir@pingidentity.com
Post not yet marked as solved Up vote reply of amitnadir@pingidentity.com Down vote reply of amitnadir@pingidentity.com
Add a Comment

Has this been resolved?

Posted by
lienhage
Up vote reply of lienhage Down vote reply of lienhage
Add a Comment

any news ?

Posted by
BartoszMilew
Up vote reply of BartoszMilew Down vote reply of BartoszMilew
Add a Comment