Aren't websites claiming Passkey support supposed to have a way to delete them?

Scenario (one I’m fighting currently): Add passkey login to an existing website account. The passkey was saved to a device (this was before Bitwarden supported passkeys).

Then, the passkey on the device was deleted. However, the website in this case certainly doesn’t know that I’ve deleted my end of the passkey certs, and unfortunately there is no mechanism on their website to allow the user to delete an existing passkey. Thus, things are out of sync and I have spent countless hours on the phone trying to a) get the site’s IT support to understand the issue, and b) get a solution.

So my question is, shouldn’t websites that state that they fully support Passkeys be required (as part of the certification) to demonstrate that the user has the ability to delete and recreate them, if something happens to the original passkey?

What do you mean by that?

And is your problem that you can’t add another passkey?

Because I would think that a registered passkey on their side - though it would be “cleaner” if it was deleted - doesn’t do much harm. (The security is the same whether or not you still have the passkey on your side… maybe even a bit more secure, because your part of the passkey pair can’t be obtained any more :sweat_smile:)

I would say it this way: yeah, you should be able to delete the passkey on their side. But if they don’t make that possible, there’s not much (or rather: nothing) we can do about that here. :sweat_smile:

And on the other side, I guess your question touches the topic of “account recovery” - because if you had no other way of logging in to that service now, the question would be how you could recover that account. But again, that’s entirely a matter of how the service implements it, and no one else can do anything about that, I guess.

And BTW, that’s the reason - regarding passkeys - to always register more than one passkey, if possible. (At least if we are talking about device-bound passkeys - and especially if the service allows the deletion of “classical login data” like username, password, …)

I don’t think there is any certification scheme. The FIDO Alliance provides a specification for authentication, but I don’t think there is any formal certification process for websites.

Exactly. Since I had already configured a Passkey, the website doesn’t allow you to create another one.

In the end, though not yet resolved, I did manage, by talking to about 6 people in their support center, to get an actual ticket created on their end with all of the details. Possibly the right person will see it and realize that yeah, they need to allow customers to delete existing passkeys (in other words, don’t assume that just because one had been created previously, it will remain in existence and available to the end user in perpetuity).


@bwuser10000 Theoretically, you could send them the link to the UX Guidelines of the FIDO Alliance: FIDO UX Guidelines - FIDO Alliance (also “subtle” hint to the FIDO Alliance itself for their passkey implementation etc)

Whether that makes things better or worse, depends, I guess. :wink:
