When you register a Webauthn credential, the private key gets stored in the device(Platform Authenticator/Roaming authenticator). This credential is mapped to the domain(say, www.mydomain.com) of the Relaying Party(RP). When you decommission a credential, we can have the server deregister the credential, but how do we deregister the private key in the authenticator. Does it end up as an unused dangling reference and does the authenticator deregister it after a period of un-usage? What if the same RP now registers a new credential in the same device? At what point does the authenticator get exhausted with a proliferation of these dangling private keys pertaining to a domain? How does the same work with Passkeys?
Thanks!
An authenticator only stores a single credential for an (RP ID, user ID) pair. So if the user creates another credential for the same user on that authenticator, it'll overwrite rather than duplicate.
(But RPs should set excludeCredentials and catch InvalidStateError in that case.)
When a passkey is removed on the site, it isn't removed from the authenticator. Like passwords in a password manager, the user manages their passkeys. There has been discussion of a "report" flow for WebAuthn that websites could use to to indicate things like "this passkey wasn't recognised" and thus hint to the user's device that perhaps it should be deleted, but that doesn't currently exist.