Passkey authentication on the Android platform


I have one quick point to confirm.

On the Android platform with Google Password Manager, on any device, is it correct that there can NOT be more than one passkey for the same account (e.g., [email protected]) per relying party (walmart.com), EVEN if the attached Google account is different?

And secondly, if I am using a 3rd-party password manager like Dashlane or Bitwarden, I would like to know who exactly creates the key pair. Is it part of Dashlane's code, OR is it created by the platform authenticator and handed to Dashlane?

Thanks.


Tim

Typically authenticators only allow one passkey per user handle (i.e. user.id). RPs should use the same user handle for each unique account.

Each account for each passkey provider is logically a unique authenticator. So if I had 2 Google accounts on my device, both with GPM enabled as passkey providers, and I also had a 3rd passkey provider enabled, say Bitwarden, I could end up with 3 passkeys for an account at the RP.

If a user has multiple passkey providers on their device, they are given the choice of where to save it.

testuser7

Excellent, Tim!! Your answer is totally logical, as that is how it should be. So much so that I am going to call the following a bug in Google.

As I write (02/02), I tried to create a second passkey for the same account ([email protected]) while explicitly selecting a different Google account on my latest Samsung S23 device. It failed.

In order to make sure the RP has NO ROLE to play in it, I tried to do the same on webauthn.io ([email protected]), and it failed too.

In order to make sure that the device vendor has NO ROLE to play, I tried the same exercise on a Pixel 6a (Android 14), and it failed too.