4

With iOS 14, Apple is now allowing users to use Face ID and Touch ID to authenticate using the Web Authentication API (WebAuthN). This is great - except for one major caveat: being seemingly unable to remove created credentials. (For more information, see the WWDC2020 Demo or the Apple Release Notes.)

In the Web Authentication API Spec, W3C lists the case I'm talking about under Possibility #3 - the user employing an authenticator-specific method to delete a credential:

  • Possibility #3 -- user deletes the credential from the authenticator.
    • User employs an authenticator-specific method (e.g., device settings UI) to delete a credential from their authenticator.
    • From this point on, this credential will not appear in any selection prompts, and no assertions can be generated with it.
    • Sometime later, the server deregisters this credential due to inactivity.

As asked in a similar question, doing this is confirmed to be possible on Windows 10, with a working albeit convoluted method to remove stored public key credentials. In a similar boat to said question, I see no easy way to remove a credential once it's created on iOS/MacOS. Because MacOS and especially iOS are much more locked down than Windows, I'm not hopeful that this is possible - but perhaps there is a hidden method somewhere.

Example image, showing a saved account with the username "test".

With that said,

  1. Once created, is it possible to delete (not hide via removing it from the "acceptable credentials" object) a public key credential client-side on either iOS or MacOS (preferably both), and
  2. If so, how?
Robert
  • 8,055
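
The server side of the "Possibility #3" lifecycle quoted in the question, as an added example that is not part of the original post or of any project's code. The class name, the 180-day inactivity window and the credential IDs are assumptions made for illustration; the username "test" is the one from the question's screenshot.

```javascript
// Relying-party bookkeeping for WebAuthn credentials (hypothetical names throughout).
const DAY_MS = 24 * 60 * 60 * 1000;
const INACTIVITY_MS = 180 * DAY_MS; // assumed policy; the spec sets no number

class CredentialStore {
  constructor() {
    this.byUser = new Map(); // username -> Map(base64url credential id -> record)
  }

  register(user, credentialId, now) {
    if (!this.byUser.has(user)) this.byUser.set(user, new Map());
    this.byUser.get(user).set(credentialId, { createdAt: now, lastUsedAt: now });
  }

  // Call only after an assertion has been cryptographically verified.
  markUsed(user, credentialId, now) {
    const rec = this.byUser.get(user)?.get(credentialId);
    if (!rec) return false; // unknown or deregistered id: reject the login
    rec.lastUsedAt = now;
    return true;
  }

  // "Hiding": this list only limits what the server asks for in
  // navigator.credentials.get(); the key pair stays on the authenticator.
  allowCredentials(user) {
    const creds = this.byUser.get(user) ?? new Map();
    return [...creds.keys()].map((id) => ({ type: "public-key", id }));
  }

  // Server-side deregistration due to inactivity; returns what was removed
  // so the caller can write an audit record.
  deregisterInactive(now) {
    const removed = [];
    for (const [user, creds] of this.byUser) {
      for (const [id, rec] of creds) {
        if (now - rec.lastUsedAt > INACTIVITY_MS) {
          creds.delete(id);
          removed.push({ user, id });
        }
      }
    }
    return removed;
  }
}

// Constructed sample data: two credentials for "test", only one still in use.
const store = new CredentialStore();
const t0 = Date.UTC(2020, 8, 16);
store.register("test", "Y3JlZC1B", t0);
store.register("test", "Y3JlZC1C", t0);
store.markUsed("test", "Y3JlZC1C", t0 + 170 * DAY_MS);
```

Calling `store.deregisterInactive(t0 + 200 * DAY_MS)` drops only the credential that was never used again, which is the one state change the server can make on its own; removing the key from the device is outside its reach.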

1 Answer

-1

If you click on 'Clear history and website data' in Safari's settings (which deletes cookies, HTML5 storage and history), it also appears to delete all your credentials, which is very weird and basically makes the whole implementation useless as it is if you ever want to delete your cookies.

Thomas
  • 1