Reply to iPhone + Safari + Passwords violates WebAuthn spec when pubKeyCredParams doesn't contain ES256
Seeing how Chromium on laptop + Passwords works correctly, I'm inclined to believe the issue lies with Safari (at least on iOS). If I had to "guess" what is happening, it is that Safari automatically adds ES256 when it does not exist (and possibly removes the supplied algorithms). This violates the spec though.

WebAuthn Level 3 § 5.1.3 Step 10 states the steps a user agent MUST follow:

    If pkOptions.pubKeyCredParams’s size
        is zero:
            Append the following pairs of PublicKeyCredentialType and COSEAlgorithmIdentifier values to credTypesAndPubKeyAlgs:
                public-key and -7 ("ES256").
                public-key and -257 ("RS256").
        is non-zero:
            For each current of pkOptions.pubKeyCredParams:
                If current.type does not contain a PublicKeyCredentialType supported by this implementation, then continue.
                Let alg be current.alg.
                Append the pair of current.type and alg to credTypesAndPubKeyAlgs.
            If credTypesAndPubKeyAlgs is empty, throw a "NotSupportedError" DOMException.

In particular, when an RP does supply a list of algorithms, the user agent is not permitted to add its own algorithms nor remove any of the supplied algorithms (assuming the PublicKeyCredentialType is supported (e.g., "public-key")).
Topic: Privacy & Security; SubTopic: General
Jul ’25
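The step 10 algorithm quoted in the reply, and the relying-party check that catches a user agent deviating from it, as an added example that is not part of the original post. It assumes the implementation supports only the "public-key" credential type, and that the RP has kept the pubKeyCredParams it sent so it can compare them against the algorithm of the credential it receives.

```javascript
// Added example: user-agent side of WebAuthn Level 3 § 5.1.3 step 10, plus
// the RP-side check that rejects a credential whose algorithm was never
// requested. Assumption: "public-key" is the only supported credential type.

const SUPPORTED_TYPES = new Set(["public-key"]);

// Step 10: derive credTypesAndPubKeyAlgs from pkOptions.pubKeyCredParams.
function credTypesAndPubKeyAlgs(pkOptions) {
  const params = pkOptions.pubKeyCredParams ?? [];
  if (params.length === 0) {
    // Empty list: the spec's two defaults, in this order.
    return [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ];
  }
  const out = [];
  for (const current of params) {
    // Unsupported credential types are skipped, not rejected.
    if (!SUPPORTED_TYPES.has(current.type)) continue;
    out.push({ type: current.type, alg: current.alg });
  }
  if (out.length === 0) {
    const err = new Error("no supported pubKeyCredParams");
    err.name = "NotSupportedError";
    throw err;
  }
  return out; // the RP's list as supplied: nothing added, nothing removed
}

// RP-side check during registration: `alg` is the COSE algorithm read from
// the attested credential public key, `sentParams` is the list the RP sent.
// A user agent that silently injected ES256 shows up here as `false`.
function algWasRequested(alg, sentParams) {
  return sentParams.some((p) => p.type === "public-key" && p.alg === alg);
}

// Constructed input mirroring the reported case: an RP asking only for RS256.
const rs256Only = { pubKeyCredParams: [{ type: "public-key", alg: -257 }] };
console.log(credTypesAndPubKeyAlgs(rs256Only)); // [ { type: 'public-key', alg: -257 } ]
console.log(algWasRequested(-7, rs256Only.pubKeyCredParams)); // false
```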