CURRENT PROJECTS

Check out my WebAuthn test app, a web app for trying passwordless sign on in the browser.

Note: As always, I haven’t paid for the “always on” feature, so you may have to click the link and wait a minute if the Azure app service has been paused.

running updates

26 Oct 2024: Added a toggle to control whether the conditional mediation request is fired on the Sign in tab; added dark mode.

30 Sept 2024: Added capability checking using the new WebAuthn getClientCapabilities() method.

24 June 2024: OK, we are back. I’ve re-added the conditional mediation, with best efforts to abort in-process requests if the user either clicks over to the Register tab or clicks the Sign In button. Still doesn’t work great on the iPhone. Will continue refining.

13 Aug 2023: So now interactive (aka “modal”) navigator.credentials.create() calls are failing with error message “A request is already pending.”, due presumably to the in-flight mediated navigator.credentials.get(). I swear I do not recall this happening previously, but I could be wrong. Need to be more selective about when I fire off the mediated get, or otherwise more aggressive about aborting it.

28 July 2023: I’ve turned conditional mediation back on as AbortController.abort() now seems to be working on most browsers/platforms to kill the mediation = “conditional” request when the user initiates an interactive sign on.

15 May 2023: Because of collisions resulting in sign-on failures, I’m pulling conditional mediation until we find out what is going on.
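The collision described in the 2023 and 2024 entries above (a pending conditional get() blocking a modal create() with “A request is already pending.”) can be avoided by routing every ceremony through one owner of the AbortController. The following is an added example, not the test app's own code; the class name `CeremonyCoordinator` and its method names are hypothetical, and the credentials container is injected on the assumption that a page passes in `navigator.credentials`.

```javascript
// Added example: serialize WebAuthn ceremonies so a pending conditional get()
// never collides with a modal create()/get().
// `credentials` is injected; in a browser pass navigator.credentials (assumption).
class CeremonyCoordinator {
  constructor(credentials) {
    this.credentials = credentials;
    this.controller = null; // AbortController of the in-flight ceremony, if any
  }

  // Abort whatever is in flight and hand back a fresh signal for the next call.
  nextSignal() {
    if (this.controller) {
      const reason = new Error('Superseded by a newer WebAuthn ceremony');
      reason.name = 'AbortError';
      this.controller.abort(reason);
    }
    this.controller = new AbortController();
    return this.controller.signal;
  }

  // Autofill-style request: stays pending until the user picks a passkey.
  // Resolves to null when it was aborted on purpose, so callers can ignore it.
  startConditional(publicKey) {
    const signal = this.nextSignal();
    return this.credentials
      .get({ publicKey, mediation: 'conditional', signal })
      .catch((err) => {
        if (err && err.name === 'AbortError') return null;
        throw err; // real failures still surface
      });
  }

  // Modal registration (Register tab): kill the conditional request first.
  register(publicKey) {
    const signal = this.nextSignal();
    return this.credentials.create({ publicKey, signal });
  }

  // Modal sign-in (Sign In button): same rule as register().
  signIn(publicKey) {
    const signal = this.nextSignal();
    return this.credentials.get({ publicKey, signal });
  }

  // Call when the user leaves the Sign in tab or turns the toggle off.
  cancel() {
    if (this.controller) this.controller.abort();
    this.controller = null;
  }
}
```

Construct it once per page and send every tab's button handler through it, so only one controller is ever live and an intentional abort is never reported to the user as a sign-in failure.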

capabilities

Capability Test tab

Registration tab

  • Registration of WebAuthn credential in browser/platform combinations that support WebAuthn

  • Advanced registration options to specify authenticator attachment, resident key requirement, user verification requirement, attestation type, and exclude credentials list (limited to only one entry currently, when specified via this UI option). The default behavior (when Exclude credentials behavior is set to ‘default’) is a back-end lookup of the credential ID(s) associated with the provided username, which supports many entries, i.e. many registered credentials for one user.

  • Attestation statement verification (on the back end) for attestation formats ‘none’, ‘packed’, and ‘TPM’

Sign in tab

  • WebAuthn sign in using credentials registered on WebAuthn tab

  • Conditional mediation UI where supported

  • Advanced sign in options to specify user verification requirement and allowed credentials list (limited to only one entry currently)

Forget me tab

  • Capability, gated on a WebAuthn sign in, to remove a user and all of their registered credentials from the back end

known issues

  • When specified via UI, allow credentials lists and exclude credentials lists are limited to one credential ID only

resolved

  • In Safari on iPhone, on the Sign In tab, the first sign in request via the “Sign In” button will fail with error “Operation failed”. This is apparently a known issue on Apple’s side. The workaround is to use the conditional mediation request type (selected from drop down in username field) or re-execute the Sign In button request after initial failure (the second request should work).

For additional issues, feel free to send me a message.