I'm trying to implement WebAuthn authentication on my website. Users can register several authenticators (e.g. laptop, tablet, smartphone), and use each one for login. All those registered authenticators are stored in a database, and that is how I identify the user during the login process.
However, I ran into a problem when the user manually removes website credentials in his authenticator (e.g. you can enter into your iCloud and remove specific credentials). In such a case, the user can't re-register the same device again (because during the registration process the server specifies the excludeCredentials field). Also, the user can't log in to the system on that device because he removed the credentials and the server does not know that.
Are there ways to solve this?
If a passkey is no longer in the authenticator, then it won't match the excludeCredentials list, and can be created again in that authenticator.
Most authenticators will give the user a warning that deleting a passkey may prevent them from accessing their account. There's not much more that can be done.
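To make the answer concrete, here is an added illustration (not code from the question or the answer above) that models the registration and login flow with a fake authenticator. It shows that excludeCredentials is matched against what the authenticator itself still holds, so a credential the user deleted locally no longer blocks re-registration, while the stale id stays in the server's records. FakeAuthenticator, serverDb and the counter-based credential ids are constructed stand-ins for navigator.credentials.create()/get() and a real backend.

```javascript
// Constructed model of WebAuthn registration/login; not a real authenticator or server.
let nextId = 1;                // deterministic credential ids instead of random bytes
const serverDb = new Map();    // userId -> [credentialId, ...] as the server knows them

function serverRegistrationOptions(userId, rpId) {
  const known = serverDb.get(userId) || [];
  return {
    rp: { id: rpId },
    user: { id: userId },
    // The server lists every credential it has on record for this user.
    excludeCredentials: known.map((id) => ({ type: 'public-key', id })),
  };
}

function serverLoginOptions(userId, rpId) {
  const known = serverDb.get(userId) || [];
  return { rpId, allowCredentials: known.map((id) => ({ type: 'public-key', id })) };
}

function serverStoreCredential(userId, credentialId) {
  const known = serverDb.get(userId) || [];
  known.push(credentialId);
  serverDb.set(userId, known);
}

// Stand-in for a platform authenticator (e.g. a passkey store synced via iCloud).
class FakeAuthenticator {
  constructor(name) {
    this.name = name;
    this.creds = new Map(); // credentialId -> { rpId, userId }: the authenticator's own view
  }

  // navigator.credentials.create(): excludeCredentials is compared with the
  // authenticator's own store, never with what the server remembers.
  create(options) {
    for (const ex of options.excludeCredentials) {
      const c = this.creds.get(ex.id);
      if (c && c.rpId === options.rp.id) {
        // Browsers surface CTAP2_ERR_CREDENTIAL_EXCLUDED as an InvalidStateError.
        const err = new Error('credential already registered on this authenticator');
        err.name = 'InvalidStateError';
        throw err;
      }
    }
    const id = `${this.name}-cred-${nextId++}`;
    this.creds.set(id, { rpId: options.rp.id, userId: options.user.id });
    return { id };
  }

  // navigator.credentials.get(): only ids the authenticator still holds are usable.
  get(options) {
    const usable = options.allowCredentials.filter((a) => this.creds.has(a.id));
    if (usable.length === 0) {
      const err = new Error('no usable credential');
      err.name = 'NotAllowedError';
      throw err;
    }
    return { id: usable[0].id };
  }

  // What the user does by hand in the passkey manager; the server is never told.
  deleteCredential(id) {
    this.creds.delete(id);
  }
}

function errorName(fn) {
  try { fn(); return 'ok'; } catch (e) { return e.name; }
}

// Replays the situation from the question and reports what happened at each step.
function runScenario() {
  const user = 'alice', rp = 'example.com';
  const laptop = new FakeAuthenticator('laptop');

  const first = laptop.create(serverRegistrationOptions(user, rp));
  serverStoreCredential(user, first.id);

  // Registering again on the same device is refused: the id is in both stores.
  const secondAttempt = errorName(() => laptop.create(serverRegistrationOptions(user, rp)));

  // The user removes the passkey locally; the server still lists it.
  laptop.deleteCredential(first.id);
  const loginAfterDelete = errorName(() => laptop.get(serverLoginOptions(user, rp)));

  // excludeCredentials still names the deleted id, but nothing on the
  // authenticator matches it, so a fresh credential is created.
  const second = laptop.create(serverRegistrationOptions(user, rp));
  serverStoreCredential(user, second.id);
  const loginAfterReregister = laptop.get(serverLoginOptions(user, rp)).id;

  return {
    firstId: first.id,
    secondAttempt,
    loginAfterDelete,
    secondId: second.id,
    serverIds: [...serverDb.get(user)],
    loginAfterReregister,
  };
}
```

After runScenario() the server holds two ids for the user, the first of which can never be used again because the authenticator no longer has it. The server cannot detect that deletion on its own; the usual practice is to list registered credentials (with names and last-used dates) in the account settings so the user can remove the dead entry, and to let the user re-register the device, which the excludeCredentials check permits as the answer describes.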