Register Passkey for Samsung devices is no longer working

Open manarhusrieh opened this issue 7 months ago • 16 comments

Describe the issue

Recently, we have noticed that our users are no longer able to create passkeys to log in to our platform. After investigating the issue, we found that the browser is refusing the operation with the error NotAllowedError: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client. After further investigation, I tried the example in your codebase, and it didn't work with mobile devices either. It works normally for Windows Hello.

Reproduction Steps

  1. Open the example on localhost:8000
  2. Choose Register
  3. Select other device
  4. Scan the QR code from the mobile device.
  5. Continue the process on the mobile device.
  6. Once done, the process is not completed and the error shown is NotAllowedError: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.

Expected behavior

Passkey is registered successfully.

Code Samples + WebAuthn Options and Responses

Your example is not working with mobile phones, although it was working a couple of months ago.

Dependencies

  • OS: Windows 11
  • Browser: Edge 136, Chrome 136
  • Authenticator: Android 15

SimpleWebAuthn Libraries

  • @simplewebauthn/server 13.1.1
  • @simplewebauthn/browser 13.1.0

Additional context

manarhusrieh avatar May 19 '25 12:05 manarhusrieh

Any suggestions on how to fix the issue?

manarhusrieh avatar Jun 03 '25 10:06 manarhusrieh

Having the same issue on desktop with Bitwarden. Same versions as above.

arimendelow avatar Jun 08 '25 06:06 arimendelow

@MasterKale do you have any idea what's happening here?

I don't know about Samsung, but a clue for Bitwarden is that if I manually add a login with just the username that I'm going to create, and then try to register with a Passkey, it works fine. There seems to be something wrong with some password managers when it's a new login entry and we're asking it to save a Passkey at the same time.

@manarhusrieh, can you try that and see if you have the same "workaround" on Samsung?

arimendelow avatar Jun 08 '25 07:06 arimendelow

I'll try the flow with Bitwarden and let you know. Meanwhile, I have found this issue is even happening with Passkey on GitHub itself. @arimendelow

manarhusrieh avatar Jun 08 '25 07:06 manarhusrieh

@manarhusrieh sorry, I meant try:

  • before registering, save new login in Samsung password manager with the username you intend to register with
  • register, and save Passkey to that same login you created in step 1

I've done it a few times now in Bitwarden and it works reliably.

arimendelow avatar Jun 08 '25 08:06 arimendelow

Hey sorry for the delay. It's conference season and I've been distracted by all that. If the demo app worked in the past but doesn't now then this is a browser, OS, and/or passkey provider issue likely due to an update of one of those...there's nothing I can really do in SimpleWebAuthn to fix issues like that.

MasterKale avatar Jun 09 '25 18:06 MasterKale

@MasterKale no worries, and thanks for the reply :)

It almost seems like the authenticator is returning control to the browser after it creates the new cred but before saving the passkey. Can you share some info on how this part of the flow works? If we can isolate the problem, I think it would make a big difference towards resolution.

We also should probably test other authenticator apps - so far I've only tested Bitwarden (has this issue) and iCloud Passwords (does not). But I'm curious about 1Password etc.

arimendelow avatar Jun 09 '25 19:06 arimendelow

Can you all report the specific model of mobile device that you're having issues with? I see "Samsung" mentioned a couple of times but it's unclear if everyone who's posted so far is having issues with Samsung phones specifically, or if we're talking about a mix of Samsung and other non-Samsung Android devices.

I've been dealing with some Samsung-related issues at work too and I wonder if this is somehow related...I can't go into specifics unfortunately, suffice to say there seems to be something going around with Android 14- and 15-based Samsung devices but I've yet to zero in on any potential causes myself.

One thing I can say is that none of my WebAuthn troubleshooting steps work in Android Chrome (or any Android browser for that matter, really) because A) adb's logcat tool is tricky to filter its output for usable logging, and B) browser tabs that aren't in focus are forced to sleep till they get focus again, so it's not possible to use something like chrome://device-log to debug things.

Honestly I'm kinda stuck on how to further troubleshoot issues on Android's side during hybrid registration and authentication. I'm all ears if anyone has suggestions on how to make progress here.

MasterKale avatar Jun 10 '25 16:06 MasterKale

Sorry @MasterKale, I should have specified more clearly — I am not using mobile. I'm using:

  • macOS 15.5
  • Bitwarden 2025.5.1
  • Chrome 137.0.7151.69

arimendelow avatar Jun 10 '25 20:06 arimendelow

Bitwarden has a related issue as well:

https://github.com/bitwarden/android/issues/4669

Braagaa avatar Jun 10 '25 20:06 Braagaa

Ah, also https://github.com/bitwarden/clients/issues/15002

arimendelow avatar Jun 11 '25 04:06 arimendelow

Hey all, I work at Bitwarden. I'm trying to repro this but so far haven't been able to.

Here's a short video of running the simplewebauthn example on localhost:8000: https://share.cleanshot.com/XJZfnmSR

@arimendelow If you're able to, it would be valuable to see a screen recording of the failing scenario.

  • Chrome: Version 137.0.7151.104 (Official Build) (arm64)
  • MacOS: Version 15.5 (24F74)
  • Bitwarden Version: 2025.5.1
  • SDK: 'main (c6835e5)'
  • Server version: 2025.5.3

abergs avatar Jun 11 '25 07:06 abergs

@abergs huh, the plot thickens!

Here's a video of my repro:

Image

Feel free to repro it yourself: https://mendelow.cooking/user/signup

This is using:

  • https://github.com/redwoodjs/sdk 0.1.0-alpha.7
  • Cloudflare
  • macOS 15.5
  • Bitwarden 2025.5.1
  • Chrome 137.0.7151.69
  • @simplewebauthn/browser ^13.1.0
  • @simplewebauthn/server ^13.1.1

arimendelow avatar Jun 11 '25 15:06 arimendelow

Very odd. I could register successfully on your site.

https://share.cleanshot.com/vlyz2PXt

abergs avatar Jun 11 '25 15:06 abergs

@abergs can you try again a few times? It seems to be somewhat transient, it's very odd. It mostly doesn't work, but:

  • Randomly it works
  • If you save an empty login with the same username before registering, it always works

arimendelow avatar Jun 11 '25 16:06 arimendelow

Aha — @MasterKale this was indeed an issue with my password manager. This PR fixed it, for reference: https://github.com/bitwarden/clients/pull/15157

I assume whatever is happening on Samsung etc is the same :)

arimendelow avatar Jun 13 '25 00:06 arimendelow

Closing this out as it seems the problem's been resolved. Nice work, everyone!

MasterKale avatar Jul 04 '25 17:07 MasterKale