95% of WebAuthn errors are not errors
Plus: the iOS 26.2 isUVPAA bug that broke passkey detection in WKWebView, fixed in 26.3 stable.
Here are this week’s topics that you don’t wanna miss out on!
🐛 Ultimate WebAuthn Errors in Production Guide (2026)
🍎 isUVPAA iOS 26.2 Bug: Fixed in iOS 26.3 stable
Why most WebAuthn errors are not bugs
Most teams treat every WebAuthn error like a system failure, but the numbers say otherwise. In optimized production deployments, over 95% of recorded errors are actually expected user aborts: someone hit cancel, clicked away or let the prompt time out.
The post sorts the noise into 8 real DOMException types (NotAllowedError, AbortError, SecurityError and the rest) and shows how to classify them by operation type, timing and platform instead of just the error name.
It also surfaces the messier edges: password manager extensions like Bitwarden or 1Password intercepting WebAuthn calls and returning broken credential objects, iOS 18’s new error code 1006 for duplicate credentials, and Windows 11 passkey completion sliding to 45 to 60% on identifier-first flows.
The right error taxonomy turns your auth logs from a wall of alarms into real signal. So which of your “errors” are actually customers who just changed their mind?
iOS 26.2 broke passkey detection in WKWebView
Apple shipped a regression in iOS 26.2 that made isUserVerifyingPlatformAuthenticatorAvailable() return false inside WKWebView, so Chrome, Edge and Firefox on iPhone all stopped detecting passkeys even on devices that fully support them.
The fix landed in iOS 26.3 stable (build 23D127), but the gap leaves a real chunk of users stranded on broken versions for weeks. The post walks through the older isUVPAA() boolean and the newer getClientCapabilities() dictionary, and shows when each one lies.
Surprisingly, getClientCapabilities() is the more reliable signal on iOS 26.2+ non-Safari browsers, but flips wrong inside Google App’s webview where it reports passkeys work and they do not. There is a platform-aware fallback chain to keep your detection honest while iPhones drift across versions. So which API should you actually trust right now to decide whether to show the passkey button?
Join the Passkeys Community!
Our mission is to free the world from passwords to make the Internet a safer place - this can only be accomplished together.
Join our passkeys community to connect with other passkey enthusiasts, stay up-to-date, get implementation support and show your passkeys projects!