
WebAuthn credProtect + security keys: why Chrome works and Safari “does nothing”
The confusing failure: YubiKey registered in Chrome, login fails in Safari

A common FIDO2 security keys interoperability issue: you create a credential in Chrome, everything works, then Safari on the same machine can’t use that “same” YubiKey—often with no PIN prompt and basically no actionable error. The usual root cause is WebAuthn credProtect (a.k.a. credentialProtectionPolicy, CTAP 2.1). Chrome silently hardens discoverable credentials on roaming keys in ways Safari can’t reliably satisfy.

The trigger combo: discoverable credentials + UV="preferred"

This mainly hits RPs that register/login with:

- residentKey: "required" (aka discoverable credentials / resident key)
- userVerification: "preferred" (chosen to avoid “hard fail” edge cases at scale)

With that combo, Chromium may escalate the credential to credProtect Level 3 (UV required at the authenticator), even if you didn’t explicitly request it.

CTAP 2.1 credProtect levels (why Level 3 is special)

credProtect controls whether a c
Continue reading on Dev.to
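To see whether a registration actually came back at Level 3, an RP can read the credProtect extension output from the authenticator data. The following is an added example, not code from the article; it assumes you already have the raw authenticator data bytes from the registration response, and `cborRead`, `credProtectLevel` and `sampleAuthData` are illustrative names.

```javascript
// Added example (not from the article). Minimal CBOR reader for the types found
// in COSE keys and extension maps: ints, strings, arrays, maps, simple values.
function cborRead(buf, pos) {
  if (pos >= buf.length) throw new Error("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  let val = info;
  pos += 1;
  if (info >= 24 && info <= 26) {              // 1-, 2- or 4-byte argument
    val = 0;
    for (let n = 1 << (info - 24); n > 0; n--) val = val * 256 + buf[pos++];
  } else if (info > 26) throw new Error("unsupported CBOR argument");
  if (major === 0) return [val, pos];
  if (major === 1) return [-1 - val, pos];
  if (major === 2) return [buf.subarray(pos, pos + val), pos + val];
  if (major === 3) return [new TextDecoder().decode(buf.subarray(pos, pos + val)), pos + val];
  if (major === 7) return [info === 21 ? true : info === 20 ? false : null, pos];
  if (major !== 4 && major !== 5) throw new Error("unsupported CBOR major type " + major);
  const items = [];                            // array items, or map keys and values
  for (let i = 0; i < val * (major - 3); i++) {
    let v; [v, pos] = cborRead(buf, pos); items.push(v);
  }
  if (major === 4) return [items, pos];
  const m = new Map();
  for (let i = 0; i < items.length; i += 2) m.set(items[i], items[i + 1]);
  return [m, pos];
}
// Level (1-3) the authenticator reports in authData, or null if it reports none.
function credProtectLevel(authData) {
  const flags = authData[32];                  // follows the 32-byte rpIdHash
  if (!(flags & 0x80)) return null;            // ED flag clear: no extension data
  let pos = 37;                                // rpIdHash + flags + signCount(4)
  if (flags & 0x40) {                          // AT flag: attested credential data
    pos += 16;                                 // AAGUID
    pos += 2 + ((authData[pos] << 8) | authData[pos + 1]);  // credential ID
    [, pos] = cborRead(authData, pos);         // skip the COSE public key
  }
  const [ext] = cborRead(authData, pos);
  return ext instanceof Map && ext.has("credProtect") ? ext.get("credProtect") : null;
}
// Constructed sample: authData with flags UP|UV|AT|ED, a 4-byte credential ID,
// an ES256 COSE key with dummy coordinates, and {"credProtect": level}.
function sampleAuthData(level) {
  const fill = (n, b) => new Array(n).fill(b);
  return Uint8Array.from([
    ...fill(32, 0), 0xc5, 0, 0, 0, 0, ...fill(16, 0), 0x00, 0x04, 1, 2, 3, 4,
    0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01,
    0x21, 0x58, 0x20, ...fill(32, 0xaa), 0x22, 0x58, 0x20, ...fill(32, 0xbb),
    0xa1, 0x6b, ...new TextEncoder().encode("credProtect"), level]);
}
```

Logging this value per registration, alongside the browser that performed it, shows which credentials were created with UV required at the authenticator even though the RP asked only for `userVerification: "preferred"`.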




