How to handle failed verify registration responses?

[neotrow]

Sure, here is a proofread version of your message:

---

Hey there,

I hope this hasn't been answered anywhere else yet, but I couldn't find anything in the issues or the docs.

My question is how one should handle errors during the verification of the registration of a new device.

Given the following code:

const registrationOptions = await axios.get("/api/webauthn/generate-registration-options");
const registrationResponse = await startRegistration(registrationOptions.data);
const response = await axios.post("/api/webauthn/verify-registration", registrationResponse);
alert(JSON.stringify(response.data));

What if something goes wrong in the API call to /api/webauthn/verify-registration? It doesn't really matter for what reasons, but for example, if the user is not allowed to register any more devices.

The problem is that right now, if something goes wrong during this API call, the passkey has already been saved on the device. Ideally, if the response from that API call does not indicate success, I would like to remove the passkey again. Or even better (although I'm not sure if it would be technically possible), I would like to first verify the registration and only then save the passkey.

What are your thoughts on this?

[MasterKale]

Hello @neotrow, the answer is there's no way to induce deletion of a credential at this time in response to a registration response failing verification for whatever reason.

However, we (I and many others on the Web Authentication Working Group over in the W3C) are actively working on improving this! Check out this explainer of a new "Signal API" that we're currently workshopping over here:

https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Signal-API-explainer

Hypothetically one of the new methods, currently called signalUnknownCredentialId(), could be called immediately after registration fails for whatever reason (malformed response, AAGUID isn't allowed, etc...) to give the authenticator a chance to delete the credential on its side.

If you take a look at the explainer and have any questions or suggestions, I'm happy to forward them along or feel free to comment in the related issue w3c/webauthn#1967

[neotrow]

Hey @MasterKale

Thank you very much for your swift reply.

Good to know that I didn't miss anything and there is simply nothing we can do right now.

Very cool that you are working on a better solution, i will check it out and provide feedback directly there if i have any.

Thanks again and happy coding!