
Handling missing passkeys

A passkey could be deleted from your vault, but remain on the user’s device. Equally, the user might remove it from their device, but you still retain a record in your backend. You’ll need to account for both scenarios.

When you use the allowCredentials property, you're telling the device to use a specific passkey, which the user might have deleted. In this case, the device will usually prompt the user to follow the roaming authenticator flow, the reasoning being that the passkey must be stored on a different device.

Assuming the user does not have the specified passkey on another device, they will cancel the operation. You should test for the generic OtherPasskeyError and ask them to authenticate via a different mechanism.

Conversely, if you allow the user to use any passkey on their device (allowCredentials is not specified), the device could present a passkey that was deleted from your vault.

In this case, authenticatePasskey will return a PasskeyNotFound error. It's important to inform the user that they should remove this passkey; otherwise they'll keep running into the same issue.

Passlock offers a helper utility to programmatically remove passkeys from a device.
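The two failure cases above, handled in one place, as an added example that is not Passlock's helper or API. It calls the browser's WebAuthn Signal API (`PublicKeyCredential.signalUnknownCredential`) directly where the browser supports it; the `code` and `credentialId` fields on the error object, the function name and the returned action values are assumptions made for illustration.

```javascript
// Added example. Only the error names OtherPasskeyError and PasskeyNotFound
// come from the page; the error shape ({ code, credentialId }) is assumed.
async function handleMissingPasskey(
  error,
  { rpId, pkc = globalThis.PublicKeyCredential } = {}
) {
  if (error.code === "PasskeyNotFound") {
    // The device presented a passkey that the backend no longer has.
    // Ask the browser to tell the authenticator the credential is unknown,
    // so it stops being offered. Not every browser implements this call.
    const canSignal = pkc && typeof pkc.signalUnknownCredential === "function";
    if (canSignal && rpId && error.credentialId) {
      try {
        await pkc.signalUnknownCredential({
          rpId,
          credentialId: error.credentialId, // base64url-encoded credential ID
        });
        return { action: "fallback-login", removal: "signalled" };
      } catch {
        // Signalling failed: fall back to asking the user to delete it.
      }
    }
    return { action: "fallback-login", removal: "ask-user" };
  }

  if (error.code === "OtherPasskeyError") {
    // Typical when allowCredentials named a passkey the user has deleted
    // and they cancelled the roaming authenticator prompt.
    return { action: "fallback-login", removal: "none" };
  }

  // Anything else is not a missing-passkey case; surface it as an error.
  return { action: "show-error", removal: "none" };
}
```

When `removal` is `"ask-user"`, show the user instructions for deleting the stale passkey from their device or password manager, since the browser could not be asked to do it.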