Hi there, we are currently playing around with passkeys and especially with the client side discoverable credentials flow as we don't require any email (or account id) from our users.
Our current authentication flow:
1. request challenge from server
2. sign challenge with existing passkey
3. send signed challenge to server
4. server returns auth result and OAuth token to authenticate further requests
Our registration flow in case no passkey exists:
1. request credential registration options from server (includes a UUID which is used to create the passkey, as we don't require an email/user name from the user)
2. create passkey locally
3. upload public key to server
After the registration has completed the authentication process will be retried.
Let's look at following example:
The user has successfully created a passkey for our platform and is able to authenticate against the server. All good so far. For some arbitrary reason the public key on the server gets deleted (possibly by deleting the account, or for other reasons). The next time the user tries to authenticate against the platform the authentication is rejected, which is correct. The logical next step would be to register a new passkey. But there is a catch. By registering a new key, a new UUID will be requested from the server, which will create a new passkey. As we are using client-side discoverable credentials we don't know the user id with which the passkey has been created. The next time the user tries to authenticate he will be prompted with the action sheet to select one of the two existing keys.
I would like to know whether there is a way to re-register an existing passkey in order to prevent the key selection step.
Additionally, is there any way to customize (use a different userId) the passkey action sheet message? "Do you want to sign in to <platform> with your saved passkey for '4636bbbf-27fa-4a54-b892-a2aec8b0d68e'?" doesn't help the user a lot, especially when there are multiple keys existing.
Thanks for your support!