Private key not overwritten after deleting public key and recreating passkey. #672
Replies: 1 comment
-
Hello @Yuntran, I converted this to a Discussion because it didn't seem to be calling out an issue with WebAuthn. Passkey private key management is mostly outside the influence of libraries like SimpleWebAuthn. Populating You mention a second passkey being created. I'm curious, is
-
Describe the issue
Private key not overwritten after deleting public key and recreating passkey.
Steps to Reproduce:
1. Go to the server and delete the public key associated with a passkey.
2. Click on Create new passkey from the front-end or initiate the passkey registration process.
3. Scroll down to the point where the new private key is generated on the device.
4. See the error that the private key is generated anew instead of overwriting the old private key.
Expected behavior:
The private key should be overwritten when creating a new passkey after deleting the old public key, preserving the same Credential ID without creating a new private key.
Dependencies
SimpleWebAuthn Libraries
Additional context
Currently, after deleting the public key, the private key is not overwritten upon creating a new passkey. This results in a new private key being generated rather than reusing the old private key.
Possible issues may arise due to how WebAuthn handles the relationship between public and private keys. While public keys are typically stored server-side, private keys remain securely stored on the client device. However, the WebAuthn specification does not inherently support the ability to overwrite private keys, as they are meant to be uniquely generated for each credential. Therefore, it's not guaranteed that overwriting the private key is possible unless custom handling is implemented.
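The behaviour reported in this thread, as an added example that is not part of the original discussion and is not SimpleWebAuthn code: a simplified Node.js model in which the `Authenticator` and `RelyingParty` classes, their methods and `runScenario` are hypothetical names, and the messages are not real WebAuthn formats. It walks through the server deleting a public key, the device minting a fresh key pair and credential ID on re-registration, and the old passkey staying on the device while the server no longer recognises it.

```javascript
// Simplified model (added example): not SimpleWebAuthn's API, not real WebAuthn message formats.
const crypto = require('node:crypto');

// Hypothetical authenticator: every registration mints a fresh key pair and credential ID.
class Authenticator {
  constructor() { this.keys = new Map(); } // credentialId -> private key (never leaves the device)
  create() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    const credentialId = crypto.randomBytes(16).toString('base64url');
    this.keys.set(credentialId, privateKey);
    return { credentialId, publicKey };
  }
  sign(credentialId, challenge) {
    return crypto.sign('sha256', challenge, this.keys.get(credentialId));
  }
}

// Hypothetical relying party: stores only public keys, indexed by credential ID.
class RelyingParty {
  constructor() { this.credentials = new Map(); }
  register({ credentialId, publicKey }) { this.credentials.set(credentialId, publicKey); }
  remove(credentialId) { return this.credentials.delete(credentialId); }
  verify(credentialId, challenge, signature) {
    const publicKey = this.credentials.get(credentialId);
    if (!publicKey) return 'unknown-credential'; // orphaned passkey: no public key on record
    return crypto.verify('sha256', challenge, publicKey, signature) ? 'ok' : 'bad-signature';
  }
}

function runScenario() {
  const device = new Authenticator();
  const server = new RelyingParty();
  const first = device.create();
  server.register(first);
  server.remove(first.credentialId); // step 1: the server deletes the public key
  const second = device.create();    // step 2: the user registers a passkey again
  server.register(second);
  const challenge = crypto.randomBytes(32); // constructed sample challenge
  return {
    sameCredentialId: first.credentialId === second.credentialId,
    passkeysOnDevice: device.keys.size,
    oldLogin: server.verify(first.credentialId, challenge, device.sign(first.credentialId, challenge)),
    newLogin: server.verify(second.credentialId, challenge, device.sign(second.credentialId, challenge)),
  };
}

console.log(runScenario());
```

In this model the server-side deletion never reaches the device, so the first private key remains stored there until it is removed on the authenticator itself.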