Is it possible to remove a registered credential from a device?

[ericlhopper]

This library is awesome, we have successfully used it to enable FIDO2 authentication in a mobile web app and tested on iOS, Android, and Windows. The only way I've found to remove a credential from these platforms is either brute force "Clear History and Website Data", or a special tool on windows that is very cryptic.

Ideally, we would like to enable a user to remove a device credential from our mobile web experience.

[bathos]

Currently the WebAuthn API itself doesn't provide for this. There are some threads that touch on it at https://github.com/w3c/webauthn/issues, though iiuc the concept would not be applicable in all cases and would likely require user mediation for the cases where it could apply.

[ericlhopper]

Makes perfect sense. Thank you! I'll continue to watch the w3c spec...

[MasterKale]

Ideally, we would like to enable a user to remove a device credential from our mobile web experience.

Getting pedantic for a second, it sounds like what you're really trying to do is "delete a discoverable credential". These credentials are actually persisted in the authenticator and are unique in that they can be used without needing to specify the credential ID in allowCredentials during authentication.

Unfortunately we see in the wild that some authenticators will always create discoverable credentials even without specifying residentKey: "required" during registration. What's even more frustrating is the fact that there are almost no tools for managing discoverable credentials on either cross-platform or platform authenticators. What's worse is that some platform authenticators, like Touch ID, refuse to save new credentials once you fill up the maximum number of slots for an RP ID...I filled up my laptop's Touch ID for one of my localhost RP ID's by creating too many credentials with random user ID's while testing out discoverable credentials. Without some kind of tool to delete these discoverable credentials I have no choice but to remember to use a different RP ID, and remember to use one or a limited number of user IDs so that future discoverable credentials will overwrite existing credentials instead of adding to the pile.

As you've noted Windows offers up some kind or arcane command line tool for managing these types of credentials (what was the name of that, if you don't mind? I can't remember), but there's no friendly GUI available as far as I'm aware. As a matter of fact I'm experimenting with using CTAP2 directly to try and manage discoverable credentials via Yubico's fido2 library. It seems if I can pull something off it'll be limited to cross-platform authenticators, and Windows Hello; Apple doesn't seem to offer command line access to the secure enclave in the same way Windows allows you to interact with Windows Hello...

[MasterKale]

BTW the CTAP2.1 docs have more info about its authenticatorCredentialManagement command

[ericlhopper]

The windows tool: Per this thread How to remove WebAuthN credentials from onboard-TPM on Win10 device?, I found this tool passwordless/webauthn-fido2-key-remover.

It works, and allows me to iteratively test the registration process on windows. Although the 2 columns of data displayed appear to be a GUID, and the Credential ID. Neither help me know which credential I'd be removing. So as with iOS, I purge everything to re-test registering a new device.

When I was doing my initial integration and upgrades, I ended up with numerous credentials on both windows and my mobile device.

Perhaps I can alter our logic to ensure "future discoverable credentials overwrite existing credentials". The use case I ran into wasn't with numerous user IDs, I had my same user ID popping up on Mobile and Windows laptop. You provided a great deal of information in your second paragraph that I need to wrap my head around.

Thank you for this insight!

[coolaj86]

Since search brought me here, I'll go head and drop these here as I'm figuring them out:

• chrome://settings/passkeys
• brave://settings/passkeys
• Search "passkeys" in macOS Settings
• YubiKey Manager GUI (deprecated): https://www.yubico.com/support/download/yubikey-manager/
  To install without allowing admin privileges:

  pkgutil --expand-full ~/Downloads/yubikey-manager-qt-1.2.5-mac.pkg /tmp/yubikey-gui/
  mv "/tmp/yubikey-gui/com.yubico.ykman.pkg/Payload/YubiKey Manager.app" /Applications/

• YubiCo Authenticator: https://www.yubico.com/products/yubico-authenticator/#h-download-yubico-authenticator
  (probably similar steps to the above)
• YubiKey Manager CLI: https://developers.yubico.com/yubikey-manager/Releases/

  pkgutil --expand-full ~/Downloads/yubikey-manager-5.5.0-mac.pkg /tmp/yubikey-cli
  mv /tmp/yubikey-cli/ykman.pkg/Payload/usr/local/ ~/.local/opt/yubikey-v5.5.0
  ln -s yubikey-v5.5.0 ~/.local/opt/yubikey
  xattr -r -d com.apple.quarantine ~/.local/opt/yubikey/
  ln -s ../opt/yubikey/bin/ykman ~/.local/bin/

  and then make sure ~/.local/bin is in your PATH, such as with https://webinstall.dev/pathman (or webi itself).

  pathman add ~/.local/opt/yubikey/bin/

  # this definitely shows fewer accounts that I know I have, but I didn't find them under the other options either
  ykman fido credentials list --csv
  ykman fido credentials delete <full-id> [-f]

[MasterKale]

Thanks for contributing all of this @coolaj86! This would make for some good guidance in the docs... 🤔