Adding a Passkey implicitly enables 2FA which effectively disables password-based login and unexpectedly makes account recovery impossible

Steffen (Well-known member)

Affected version: 2.3.3
After adding a Passkey, users can login using the Passkey just fine. But when they attempt to login using their password again (*) they unexpectedly see a 2FA prompt which asks them to provide their Passkey as a second factor. This seems to hit users by surprise because they just clicked "Add Passkey". They did not click and were not told either that 1) they would no longer be able to login via password anymore and 2) 2FA would be enabled and 3) they absolutely have to save their 2FA backup codes now and 4) the account recovery method "Forgot your password?" would become useless for them (because it only recovers passwords but not 2FA).

I don't think that adding a Passkey and enabling 2FA should be intermingled as they are right now because it makes it easy for users to lock themselves out of their account. At the very least users need to be able to make an informed decision, i.e. be told about numbers 1–4 above.

Please don't turn this into a feature suggestion. This is a bug.

(*) One user told us that their Passkey was gone after they replaced their mainboard. Another user told us that Passkey setup using their Yubikey was seemingly successful from XenForo's perspective but they got an "unknown security key" error when they tried to login.
Passkeys are strong authentication and they are also marketed as such, I therefore don't think it would be a good idea to kinda weaken their added security by still allowing the use of password-based logins without 2FA after a Passkey has been added.

However, I absolutely agree that users should be better informed about the consequences of adding a passkey, e.g. there should be some kind of information that adding a passkey enforces 2FA and that they won't be able to login with just username and password afterwards.

Adding a passkey should also require password verification, just like changing other 2FA methods to avoid unauthorized "account takeover", but that is another issue.

Another user told us that Passkey setup using their Yubikey was seemingly successful from XenForo's perspective but they got an "unknown security key" error when they tried to login.
Yep. The number of Passkeys (= Resident FIDO2 Keys) on a YubiKey 5 is pretty limited, it can only store up to 100 identities (with firmware 5.7, older versions can only store 25).
Somewhat depending on the OS and browser, XenForo doesn't set all flags correctly so the Key might not be created discoverable.

Such keys will still work for 2FA, but not as a passkey; it's even possible to "create a passkey" on a YubiKey 4 which doesn't support FIDO2 at all (only U2F).

See https://xenforo.com/community/threads/login-via-passkey-created-on-yubikey-5-does-not-work.220467/
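One way to catch the non-discoverable case described above is to request a resident key explicitly and read back the `credProps` extension. This is an added JavaScript example, not XenForo's code; the relying party id, the display names and the sample extension results are constructed, and in a browser the options object would go to `navigator.credentials.create({ publicKey })` with the classification applied to `credential.getClientExtensionResults()`.

```javascript
// Added example (not XenForo's code): request a discoverable credential and
// detect, from the client extension results, whether the authenticator honoured it.
const RP_ID = "forum.example"; // assumed relying party id

function buildPasskeyCreationOptions(challenge, user) {
  return {
    challenge,
    rp: { id: RP_ID, name: "Example Forum" },
    user: { id: user.id, name: user.name, displayName: user.name },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }  // RS256
    ],
    authenticatorSelection: {
      residentKey: "required",      // WebAuthn L2: credential must be discoverable
      requireResidentKey: true,     // WebAuthn L1 form, for older clients
      userVerification: "required"  // a passkey must verify the user, not only presence
    },
    extensions: { credProps: true } // ask the client to report whether rk was honoured
  };
}

// Classify what was actually created, given credential.getClientExtensionResults().
// "unknown" means the client did not report credProps at all.
function classifyCredential(extensionResults) {
  const props = extensionResults && extensionResults.credProps;
  if (!props || typeof props.rk !== "boolean") return "unknown";
  return props.rk ? "passkey" : "second-factor-only";
}

// Decide how the site should label the new credential. Only a confirmed
// discoverable credential is advertised for passwordless login; anything else
// is kept as a second factor and the user is told why.
function registrationOutcome(extensionResults) {
  const kind = classifyCredential(extensionResults);
  if (kind === "passkey") return { loginByPasskey: true, warn: null };
  if (kind === "second-factor-only") {
    return { loginByPasskey: false,
      warn: "Authenticator created a non-discoverable credential: usable as a second factor, not for passkey login." };
  }
  return { loginByPasskey: false,
    warn: "Client did not report credProps: do not advertise this credential as a passkey until a passkey login succeeds." };
}

// Constructed sample extension results (no real authenticator involved)
const sampleResidentKey = { credProps: { rk: true } };
const sampleNonResident = { credProps: { rk: false } };
const sampleNoExtension = {};
```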
Passkeys are strong authentication and they are also marketed as such, I therefore don't think it would be a good idea to kinda weaken their added security by still allowing the use of password-based logins without 2FA after a Passkey has been added.
XenForo doesn't actually expose any UI to make an account no longer have a password. XF's passkey support simply isn't a password replacement as they have been implemented.

This just exposes more foot-guns and makes account recovery unreasonably harder
 
I’m new to this topic, but I think I understand the concern being raised here. Passkeys are clearly a strong authentication mechanism, but the way adding one currently enforces 2FA without clear warning does seem like it could lead to lockouts or confusion for regular users.

I agree it would help a lot if the system made the implications really explicit when adding a passkey, e.g. that you can’t just log in with only your password anymore, that recovery codes become essential, etc. That way users can make an informed choice instead of feeling caught off guard.

From what Kirby and Xon said, it sounds like the issue isn’t so much about weakening security but about giving users better transparency and safer recovery options. That feels like a reasonable balance to me.
 
I tried using the passkey option mostly out of curiosity, through my phone. Over time I changed phones, and while I was on vacation without access to a PC, I urgently needed to log into the forum. There was simply no way to log in or recover my password. To me, that seemed like such an unreasonable limitation.

Of course, after a few days, once I was back at my work PC, I managed to log in through phpMyAdmin and disable it on my account. But it made me wonder what an average user would do in the same situation.

That’s why I think there should be an option to completely disable the Passkey login button from the interface at least for those who, like me, don’t want to use it on their forum.