Fixed Adding, editing or removing passkey does not require user re-authentication

Kirby

Affected version: 2.3.7
Adding, editing or removing a passkey does not require password confirmation.

This allows kinda easy "account lockouts" by unauthorized actors if they are able to access an active session.

Suggested Fix
Adding, editing or removing a passkey should require re-authentication of the user (password if no 2FA is available; password + 2FA if no passkey is available; or also passkey without password if at least one passkey is available).
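The re-authentication policy proposed in the report above, as an added example; this is not XenForo's code, and the `Account`, `Session` and `PasskeyStore` types, the method names (`password`, `password+2fa`, `passkey`) and the five-minute freshness window are assumptions made for the example. The gate refuses any passkey change unless the session holds a recent re-authentication using a method the policy accepts for that account.

```python
"""Step-up re-authentication gate for passkey management (example, not project code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

# Assumption: a re-authentication older than this no longer counts as "fresh".
REAUTH_MAX_AGE = timedelta(minutes=5)


@dataclass
class Account:
    has_totp: bool          # a second factor (TOTP or similar) is enrolled
    passkey_count: int      # number of registered passkeys


@dataclass
class Session:
    # Method and time of the most recent re-authentication in this session;
    # both stay None until the user actually re-authenticates.
    reauth_method: Optional[str] = None
    reauth_at: Optional[datetime] = None


def acceptable_reauth_methods(account: Account) -> Set[str]:
    """Methods that satisfy the suggested policy for this account:
    - no 2FA enrolled:               password alone
    - 2FA enrolled, no passkey yet:  password + 2FA
    - at least one passkey:          passkey alone is also acceptable
    """
    methods: Set[str] = set()
    methods.add("password+2fa" if account.has_totp else "password")
    if account.passkey_count > 0:
        methods.add("passkey")
    return methods


def record_reauth(session: Session, method: str, now: datetime) -> None:
    """Called after a successful re-authentication prompt has been completed."""
    session.reauth_method = method
    session.reauth_at = now


def passkey_change_allowed(session: Session, account: Account, now: datetime) -> bool:
    """True only if the session carries a fresh re-auth of an acceptable kind."""
    if session.reauth_method is None or session.reauth_at is None:
        return False
    if session.reauth_method not in acceptable_reauth_methods(account):
        return False
    return now - session.reauth_at <= REAUTH_MAX_AGE


@dataclass
class PasskeyStore:
    """Minimal credential store whose mutations all pass through the gate."""
    credentials: Dict[str, str] = field(default_factory=dict)  # cred_id -> label

    def _guard(self, session: Session, account: Account, now: datetime) -> None:
        if not passkey_change_allowed(session, account, now):
            raise PermissionError("re-authentication required before changing passkeys")

    def add(self, session, account, now, cred_id: str, label: str) -> None:
        self._guard(session, account, now)
        self.credentials[cred_id] = label
        account.passkey_count = len(self.credentials)

    def remove(self, session, account, now, cred_id: str) -> None:
        self._guard(session, account, now)
        del self.credentials[cred_id]
        account.passkey_count = len(self.credentials)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    acct = Account(has_totp=True, passkey_count=1)
    store = PasskeyStore({"cred-1": "laptop"})  # constructed credential id
    hijacked = Session()  # an active session with no recent re-auth
    try:
        store.remove(hijacked, acct, t0, "cred-1")
    except PermissionError as exc:
        print("blocked:", exc)
    record_reauth(hijacked, "passkey", t0)
    store.remove(hijacked, acct, t0 + timedelta(minutes=1), "cred-1")
    print("after re-auth, passkeys left:", acct.passkey_count)
```

The freshness check matters as much as the method check: a session that re-authenticated hours ago should not be able to silently strip the account's passkeys later, so the timestamp is compared on every mutation rather than once at login.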
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.3.8).

Change log:
Require re-authentication before allowing passkey additions or modifications
There may be a delay before changes are rolled out to the XenForo Community.