Description
I’m reporting a multi-layered issue affecting mobile security workflows across Microsoft and Apple platforms:
YubiKey Misregistration via Safari/iOS
Attempting to register a physical YubiKey 5 NFC with my personal Microsoft account using Safari on iPhone (iOS 18.5) consistently results in creation of platform-bound passkeys stored in iCloud Keychain. These are mislabeled in the dashboard as “Yubikey” credentials but are tied to the device, not the hardware token. No option to register a true roaming FIDO2 credential appears in the mobile flow.
Misleading Credential Labeling
The credentials appear under “Passkeys” and are stored in the Secure Enclave, yet are named “Yubikey Prime” or “Yubikey Secondary,” creating a false sense of hardware-backed security. This undermines MFA enforcement and cross-device portability.
Passwordless Account Conflict
My Microsoft account is configured as passwordless, meaning fallback to password is disabled. The misregistration of platform-bound passkeys creates a dangerous mismatch—especially since fallback methods (Face ID, SMS, Authenticator) remain active and Outlook repeatedly prompts for login credentials on iOS.
Mobile Feedback Limitations
Microsoft’s feedback forms on mobile Safari:
• Disable paste, preventing technical narratives from being submitted
• Claim screenshot upload is supported, but no such option appears
• These limitations make it nearly impossible to report bugs from the affected platform
Cross-Vendor Accountability
These issues span Microsoft, Apple, and Yubico ecosystems. Users enforcing hardware-only authentication and secure mobile workflows are left with:
• Misregistered credentials
• Inaccurate dashboard labeling
• Broken feedback channels
• Repeated password prompts that degrade trust and usability
Request for Action:
• Microsoft: Clarify mobile support for true FIDO2 credential registration and fix misleading passkey labeling
• Apple: Investigate persistent Outlook password prompts and restore feedback form functionality
• Yubico: Confirm whether SDK or platform constraints contribute to fallback behavior on iOS Safari
Screenshots and forensic traces available upon request. I’m happy to provide credential origin metadata, NFC handshake logs, and dashboard captures to support escalation.
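An added example, not code from the issue author, Microsoft, Apple or Yubico: how a relying party asks WebAuthn for a roaming (cross-platform) authenticator, and how it can detect after registration that the browser handed back a platform or synced passkey instead of the security key that was requested. The check uses three signals the browser exposes: `PublicKeyCredential.authenticatorAttachment`, `AuthenticatorAttestationResponse.getTransports()`, and the backup-eligible (BE) and backup-state (BS) bits of the authenticator-data flags byte, which a synced passkey sets and a credential that lives only on a security key does not. The RP identity (`example.com`), the transport lists, and the sample authenticator-data byte strings are constructed placeholders, not captures from the reporter's device.

```javascript
// Added example (not from the issue author or any vendor). Assumptions: RP identity
// below is a placeholder, and the sample authenticatorData byte strings are constructed.

const RP = { id: "example.com", name: "Example RP" }; // assumption: placeholder RP

// PublicKeyCredentialCreationOptions requesting an external security key (YubiKey-style)
// rather than the device's own authenticator. Direct attestation lets the server inspect
// the attestation statement and AAGUID to confirm which authenticator actually signed.
function buildRoamingCreationOptions(challenge, userId, userName) {
  return {
    rp: RP,
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform", // roaming token, not the phone itself
      residentKey: "discouraged",                // non-discoverable credential on the key
      userVerification: "preferred",
    },
    attestation: "direct",
    timeout: 60000,
  };
}

// Authenticator-data layout: 32-byte rpIdHash, then one flags byte at offset 32.
const FLAG_UP = 0x01, FLAG_UV = 0x04, FLAG_BE = 0x08, FLAG_BS = 0x10;

// Decode the flags byte. BE/BS (WebAuthn Level 3) mark a credential that may be or is
// synced to another device; a key-resident YubiKey credential leaves both clear.
function backupFlags(authData) {
  if (!authData || authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
  };
}

// Classify what the browser produced. `attachment` is cred.authenticatorAttachment
// (null in browsers that do not report it), `transports` is getTransports() output,
// `backupEligible` is the BE bit from backupFlags().
function classifyCredential(attachment, transports, backupEligible) {
  const t = new Set(transports || []);
  const external = ["usb", "nfc", "ble"].some((x) => t.has(x));
  if (backupEligible) return "synced-passkey";       // iCloud Keychain-style credential
  if (attachment === "platform" || t.has("internal")) return "platform";
  if (external) return "roaming";                     // what a YubiKey 5 NFC reports
  return "unknown";
}

// Browser-side flow: request a roaming key and refuse to enrol the credential if the
// platform silently substituted a device-bound or synced passkey. Not called here,
// because navigator.credentials only exists in a browser.
async function registerRoamingKey(challenge, userId, userName) {
  const publicKey = buildRoamingCreationOptions(challenge, userId, userName);
  const cred = await navigator.credentials.create({ publicKey });
  const resp = cred.response;
  const transports = typeof resp.getTransports === "function" ? resp.getTransports() : [];
  const authData = typeof resp.getAuthenticatorData === "function"
    ? new Uint8Array(resp.getAuthenticatorData()) : null;
  const be = authData ? backupFlags(authData).backupEligible : false;
  const kind = classifyCredential(cred.authenticatorAttachment ?? null, transports, be);
  if (kind !== "roaming") {
    throw new Error(`expected a roaming security key, browser returned a ${kind} credential`);
  }
  return { id: cred.id, transports, kind };
}

// Constructed sample inputs (assumption, not captured data): a key-resident credential
// versus a synced one, run through the same classifier.
const SAMPLE_KEY_AUTHDATA = new Uint8Array(37);
SAMPLE_KEY_AUTHDATA[32] = FLAG_UP | FLAG_UV;
const SAMPLE_SYNCED_AUTHDATA = new Uint8Array(37);
SAMPLE_SYNCED_AUTHDATA[32] = FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS;

function demo() {
  return {
    key: classifyCredential("cross-platform", ["usb", "nfc"],
      backupFlags(SAMPLE_KEY_AUTHDATA).backupEligible),
    synced: classifyCredential(null, ["internal", "hybrid"],
      backupFlags(SAMPLE_SYNCED_AUTHDATA).backupEligible),
  };
}
```

Asking for `authenticatorAttachment: "cross-platform"` is a hint to the browser, not a guarantee; the server-side check on transports and the BE/BS bits is what lets a relying party reject a credential that does not match the hardware-only policy it intended to enforce, instead of labelling it as a security key in its dashboard.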