Can't register webauthn in two different browsers on windows #1930

Open · mooreds opened this issue 1 year ago

Affects versions

EAP 20221020

Steps to reproduce

Register using Windows PIN on Chrome. This succeeds and I can reauthenticate.

Then try to register using the same Windows machine, but use Edge, not Chrome.

Result: error message in browser console on registration. This is the Edge one:

Uncaught (in promise) DOMException: The user attempted to register an authenticator that contains one of the credentials already registered with the relying party.

I also tried it the other way (first registering Edge, then Chrome). Got the same issue: registration didn't succeed. Here's the Chrome error message.

Uncaught (in promise) DOMException: The user attempted to register an authenticator that contains one of the credentials already registered with the relying party.

Expected behavior

Can register two different browsers.

Platform

Using Edge (Version 106.0.1370.47 (Official build) (64-bit)) on Windows 10 Home.

Additional context

Originally seen here: https://github.com/FusionAuth/fusionauth-issues/issues/1928#issuecomment-1286132349

This is with PIN auth, still haven't got fingerprint auth to work on windows.

mooreds · Oct 20 '22 20:10

This error is expected, but we aren't doing a good job handling it and surfacing to the user.

When a new credential is registered, we return the list of credentials already registered for the user as part of the creation options that go to the WebAuthn API in the browser. Authenticators that already have one of the credentials in that list are excluded from the current registration ceremony. This is a way to prevent having several credentials for the same account in one authenticator.

That's the issue you're seeing here: Windows says "wait a minute, I've already got one of these, why would I add another?"

It is interesting that Windows shares these between browsers. In macOS the platform credentials are not shared between browsers. A Touch ID credential registered in Chrome is not recognized by Safari and vice versa.

We'll use this issue to track some JavaScript error handling updates.

spwitt · Oct 20 '22 21:10

@spwitt is this one resolved by any of the other general enhancements we made in the previous release?

robotdan · Jan 09 '23 16:01

@robotdan the following PR resolved the issue where there is no indication to the user that there was an issue with passkey registration.

  • https://github.com/FusionAuth/fusionauth-app/pull/156

The behavior Dan described is expected, at least in terms of not succeeding in registering the passkey. macOS does not share the registered passkeys between browsers that I have seen. It sounds like passkeys registered in one browser on Windows are accessible from other browsers.

Browsers often display an error message in this case that helps to explain what happened (see Chrome example below), but I don't know that we have a good way to display a more detailed error. We do now display a generic error about an issue parsing the authenticator response that indicates something went wrong, but the specific error message from JavaScript is subject to change and likely varies slightly between browsers.

[Image: Chrome passkey registration failure UI]

[Image: generic error message]

Chrome JavaScript error

DOMException: The user attempted to register an authenticator that contains one of the credentials already registered with the relying party.

Safari JavaScript error

InvalidStateError: At least one credential matches an entry of the excludeCredentials list in the platform attached authenticator.

spwitt · Jan 10 '23 21:01
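The flow spwitt describes above (the server returns the user's existing credentials as excludeCredentials, and the browser refuses to register on an authenticator that already holds one of them) and the point in the last comment that the JavaScript error text varies between browsers, as an added example that is not FusionAuth's code: a client-side helper that builds the creation options from the server's JSON and maps the resulting exception to a user-facing message by error name rather than message text. The JSON shape and the injected credentialsApi parameter (navigator.credentials in a browser) are assumptions.

```javascript
// Added example, not FusionAuth's code. Assumed server JSON: { challenge, rp,
// user: { id, name }, excludeCredentials: [{ id, transports }] }, base64url ids.

// Decode base64url (how credential IDs travel in JSON) into an ArrayBuffer.
function base64urlToBuffer(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
  const bin = atob(b64);
  const bytes = Uint8Array.from(bin, (ch) => ch.charCodeAt(0));
  return bytes.buffer;
}

// Build PublicKeyCredentialCreationOptions. excludeCredentials lists the user's
// existing credentials; an authenticator that already holds one of them refuses
// the registration, which is the failure reported in this issue.
function toCreationOptions(json) {
  return {
    ...json,
    challenge: base64urlToBuffer(json.challenge),
    user: { ...json.user, id: base64urlToBuffer(json.user.id) },
    excludeCredentials: (json.excludeCredentials || []).map((c) => (
      { type: 'public-key', id: base64urlToBuffer(c.id), transports: c.transports }
    )),
  };
}

// Map the exception from credentials.create() to a stable user-facing message.
// Only err.name is inspected: the message text differs between browsers
// (Chrome and Safari word this failure differently) and may change.
function explainRegistrationError(err) {
  switch (err && err.name) {
    case 'InvalidStateError':
      return 'This device already holds a passkey for your account. Sign in with it instead.';
    case 'NotAllowedError':
      return 'Passkey registration was cancelled or timed out.';
    default:
      return 'Passkey registration failed. Please try again.';
  }
}

// credentialsApi is navigator.credentials in a browser; it is a parameter so the
// flow can be exercised with a stand-in outside one.
async function registerPasskey(json, credentialsApi) {
  try {
    const credential = await credentialsApi.create({ publicKey: toCreationOptions(json) });
    return { ok: true, credential };
  } catch (err) {
    return { ok: false, message: explainRegistrationError(err) };
  }
}
```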