Best practice to delete a passkey?

[ahmadwrites]

Aware that users can manually delete the passkeys on their authenticator, as well as developers creating an API to delete if from the server. However, how can we delete it programmatically for both? In the case a user deletes it with an API call, the passkey in authenticator would still exist. When they try to create a passkey again, it will fail as a passkey already exists with that same method.

[f-23]

There are ways to inform the users password manager that a credential has been deleted (See iOS and Android)

I'm not sure what you mean by the last part since one authenticator can create and store multiple credentials (or passkeys) at the same time, so creating another one should not be an issue. Problem would be the user not knowing which passkey was still valid and which is not when trying to sign in.

I will take a look at implementing this, although both iOS and Android only allow you to signal the Password Managers that a credential has been removed, what they do with that signal is not something we can influence, so there's no guarantee the credential will be removed.

[f-23]

I will wait with implementing this since the Signal API on Android is not fully released yet (latest androidx credentials version is 1.6.0-rc2 as of now).

[ahmadwrites]

@f-23 The error I'm getting when attempting to create another passkey using the same user + device + authenticator (Apple Passwords), I get:

{
    "error": "Unknown error",
    "message": "An unknown error occurred"
}

Just to add, we allow the user to delete it via a button that deletes it from the server. However, since it's not deleted from the authenticator, when the user wants to add a passkey again, this issue arises. Let me know if anything is unclear.

[ahmadwrites]

Closing this issue as it was happening due to excludeCredentials.

[f-23]

Glad you could fix it! I'm gonna keep this open since I wanna use it to track the Signal API implementation.