- Affected version: 2.3.7
Adding, editing or removing a passkey does not require password confirmation.
This allows kinda easy "account lockouts" by unauthorized actors if they are able to access an active session.
Suggested Fix
Adding, editing or removing a passkey should require re-authentication of the user:
- password if no 2FA is available
- password + 2FA if no passkey is available
- or also a passkey without password if at least one passkey is available
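One way to implement the re-authentication gate described in the suggested fix, as an added example that is not part of this report or of the affected software; the Account and Session fields, the method names and the 300-second re-auth window are assumptions:

```python
from dataclasses import dataclass, field
from typing import Optional

REAUTH_WINDOW = 300  # seconds a successful re-auth stays valid for sensitive actions (assumed)


@dataclass
class Account:
    has_2fa: bool                                  # TOTP or similar second factor enrolled
    passkeys: list = field(default_factory=list)   # enrolled passkey credential ids


@dataclass
class Session:
    last_reauth_at: Optional[float] = None     # time of the last fresh re-auth, None if never
    last_reauth_method: Optional[str] = None   # "password", "password+2fa" or "passkey"


def acceptable_reauth_methods(account: Account) -> set:
    """Methods that count as re-authentication for passkey management, following the
    suggested fix: password alone only when no 2FA exists, password + 2FA otherwise,
    and a passkey on its own as soon as at least one passkey is enrolled."""
    methods = {"password+2fa"} if account.has_2fa else {"password"}
    if account.passkeys:
        methods.add("passkey")
    return methods


def has_fresh_reauth(session: Session, account: Account, now: float) -> bool:
    """True only if the session re-authenticated recently and with an acceptable method.
    A session that merely holds a valid login cookie does not qualify."""
    if session.last_reauth_at is None or now - session.last_reauth_at > REAUTH_WINDOW:
        return False
    return session.last_reauth_method in acceptable_reauth_methods(account)


def add_passkey(session: Session, account: Account, credential_id: str, now: float) -> int:
    """Gated passkey enrolment; returns the resulting passkey count."""
    if not has_fresh_reauth(session, account, now):
        raise PermissionError("re-authentication required before changing passkeys")
    account.passkeys.append(credential_id)
    return len(account.passkeys)


def remove_passkey(session: Session, account: Account, credential_id: str, now: float) -> int:
    """Gated passkey removal. A session that never re-authenticated is refused instead of
    being able to strip the account of its passkeys; returns the remaining count."""
    if not has_fresh_reauth(session, account, now):
        raise PermissionError("re-authentication required before changing passkeys")
    account.passkeys.remove(credential_id)
    return len(account.passkeys)
```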