1878069 - All the passkey entries for the visited website are presented from the start in the autofill dropdown making the option 'Use another passkey' obsolete

Status: NEW

(Core :: DOM: Web Authentication, defect, P3)

Description

[Bogdan Maris, Desktop Test Engineering]

Attachment: Video showing the issue

Found in

• Latest Nightly 124.0a1

Affected versions

• Latest Nightly 124.0a1
• Firefox 123.0b4

Tested platforms

• Affected platforms: MacOS 13
• Unaffected platforms: Windows 11, Ubuntu 22.04

Preconditions

• Have security.webauthn.enable_macos_passkeys set to true in mac 13 or mac 14
• Have a iClould account connected to the used Mac.

Steps to reproduce

1. Visit https://webauthn.io/
2. Use a few usernames to register (more then 5 for example, I have around 30)
3. Click the textarea where the username is entered.
4. See all the available passkeys recommended.
5. Click the Use another passkey option in the dropdown.

Expected result

• All the passkeys used on that particular website are displayed in the passkey menu in mac.

Actual result

• At step 4 all the available passkeys used on this particular website are displayed. After step 5, the same passkeys are displayed.

Regression range

• Not a regression, this was introduced along with the Conditional Mediation feature enabled in bug 1865379 in Nightly 2024-01-17.

Additional notes

• I think we should only display like the last 5 users used or something like that, not the entire list of users since clicking the Use another passkey also displays all of them.

Comment 1

[John Schanck [:jschanck] (out of office Aug 11-18)]

The "use another passkey" option is primarily there in case the user wants to use passkey on a phone or security key (these are available through "Other sign-in options" in the system prompt).

I'm not opposed to showing fewer options in the dropdown, but I would want to study how often users have more than, say, 5 passkeys before making that change.