Adding a Passkey implicitly enables 2FA which effectively disables password-based login and unexpectedly makes account recovery impossible

Steffen

Well-known member
Affected version: 2.3.3
After adding a Passkey, users can log in using the Passkey just fine. But when they attempt to log in using their password again (*), they unexpectedly see a 2FA prompt which asks them to provide their Passkey as a second factor. This seems to hit users by surprise because they just clicked "Add Passkey". They did not click, and were not told either, that 1) they would no longer be able to log in via password, 2) 2FA would be enabled, 3) they absolutely have to save their 2FA backup codes now, and 4) the account recovery method "Forgot your password?" would become useless for them (because it only recovers passwords, not 2FA).

I don't think that adding a Passkey and enabling 2FA should be intermingled as they are right now because it makes it easy for users to lock themselves out of their account. At the very least users need to be able to make an informed decision, i.e. be told about numbers 1–4 above.

Please don't turn this into a feature suggestion. This is a bug.

(*) One user told us that their Passkey was gone after they replaced their mainboard. Another user told us that Passkey setup using their YubiKey was seemingly successful from XenForo's perspective, but they got an "unknown security key" error when they tried to log in.
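The lockout path the report describes, as an added simulation that is not part of the post and not XenForo code: it models the two policies for "Add Passkey" (the implicit 2FA enablement reported above versus an explicit opt-in that requires backup codes to be acknowledged first), a password-recovery step that resets the password but leaves 2FA untouched, and a user who loses the passkey. All names, the account structure and the scenario are hypothetical; the point is that under the implicit policy the only remaining way in is a saved backup code.

```python
"""Toy model of the lockout path described in the post.

Added, hypothetical simulation: not XenForo code, and none of these function
names are XenForo APIs. Two policies for what "Add Passkey" does:
  implicit - adding a passkey also switches on 2FA for password logins
             (the behaviour the post reports);
  explicit - the passkey is just an extra primary credential; 2FA is a
             separate opt-in that refuses to turn on until the user has
             acknowledged saving the backup codes.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    """Server-side view of the account."""
    password: str
    passkeys: set = field(default_factory=set)      # registered credential IDs
    tfa_enabled: bool = False
    backup_codes: set = field(default_factory=set)  # unused one-time codes


@dataclass
class UserDevices:
    """What the user can actually present: passkeys on hardware, codes written down."""
    passkeys: set = field(default_factory=set)
    saved_codes: set = field(default_factory=set)


def mint_backup_codes():
    return {secrets.token_hex(4) for _ in range(8)}


def add_passkey(acct, devices, cred_id, policy):
    """Register a passkey. Under the implicit policy this also enables 2FA and
    mints backup codes that are shown once; the user may or may not save them."""
    acct.passkeys.add(cred_id)
    devices.passkeys.add(cred_id)
    if policy == "implicit":
        acct.tfa_enabled = True
        acct.backup_codes = mint_backup_codes()
        return set(acct.backup_codes)
    return set()


def enable_tfa(acct, acknowledged_backup_codes):
    """Explicit 2FA opt-in: refuse unless the user confirmed saving the codes."""
    if not acknowledged_backup_codes:
        raise ValueError("2FA not enabled: backup codes must be saved first")
    acct.tfa_enabled = True
    acct.backup_codes = mint_backup_codes()
    return set(acct.backup_codes)


def login_with_passkey(acct, devices):
    """Passkey login succeeds if the user still holds a registered credential."""
    return bool(acct.passkeys & devices.passkeys)


def login_with_password(acct, devices, password):
    """Password login. With 2FA on, a second factor is required; the only
    factors this model accepts are a registered passkey or a backup code."""
    if password != acct.password:
        return False
    if not acct.tfa_enabled:
        return True
    if acct.passkeys & devices.passkeys:
        return True
    usable = acct.backup_codes & devices.saved_codes
    if usable:
        acct.backup_codes.discard(usable.pop())  # backup codes are one-time
        return True
    return False


def forgot_password(acct, new_password):
    """Password recovery resets the password only; 2FA state is untouched.
    Returns the (unchanged) 2FA flag so callers can see it survived."""
    acct.password = new_password
    return acct.tfa_enabled


def simulate(policy, user_saves_codes, passkey_lost):
    """Run the scenario from the post; True means the user is locked out."""
    acct = Account(password="hunter2")            # constructed sample account
    devices = UserDevices()
    codes = add_passkey(acct, devices, "cred-A", policy)
    if user_saves_codes:
        devices.saved_codes |= codes
    if passkey_lost:
        devices.passkeys.clear()                  # e.g. mainboard replaced
    forgot_password(acct, "new-pass")             # "Forgot your password?" works
    return not (login_with_passkey(acct, devices)
                or login_with_password(acct, devices, "new-pass"))


if __name__ == "__main__":
    for policy in ("implicit", "explicit"):
        for saved in (False, True):
            print(policy, "codes saved" if saved else "codes not saved",
                  "-> locked out" if simulate(policy, saved, True) else "-> ok")
```

Running the block prints one line per combination; the only combination that ends in a lockout is the implicit policy with the backup codes not saved, which is exactly the path the report says users stumble into without warning.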