Passkey Auth won't remember me on multiple devices

stromb0li

Well-known member
Affected version
XF 2.3 B5
If using the new passkey auth with a Yubi Key and you check to remember the device, when authenticating on another device it'll remove access to the other device. In this case, if you want to access XenForo on your PC and Phone, you'll constantly have to reauth.

Maybe this is intended behavior, but my assumption is the device would be remembered if checked.

Reproducible on XenForo.com.
 
Not reproducible for me.

Steps I've taken
  1. Logged out of xenforo.com in desktop chrome
  2. Cleared all cookies for xenforo.com in desktop chrome
  3. Logged in with my YubiKey 5 in desktop chrome
  4. Unplugged YubiKey from USB but kept desktop chrome session open
  5. Plugged YubiKey into USB on my notebook
  6. Logged into xenforo.com with the YubiKey in notebook chrome
  7. Checked status of desktop chrome session
Result
I was still logged into xenforo.com in desktop chrome

But there is an issue regarding Passkey login:
When logging into an account with Stay logged in ticked, using a passkey on a fresh browser, XenForo does not set the cookie xf_tfa_trust.
So when the session expires or otherwise becomes invalid, TFA will be required.

This is not technically "wrong" (passkey login does not ask whether to trust the device), but kinda unexpected.
Passkey login therefore should probably set that cookie if Stay logged in is ticked.
 
Add step 4.5 and close the browser. Then step 8, open the browser and you'll be logged out.
Tried that and I can't reproduce what you are describing.

Screenshot after closing and reopening the browser after step 4:

As you can see, I am remembered but TFA re-verification is required (due to the missing cookie xf_tfa_trust).

If I complete TFA (using a Passkey or another method) once while having Trust this device for 30 days ticked I can use the Yubikey to log into any other device without affecting this device at all.

So "you'll constantly have to reauth" just isn't the case.
 
After more testing, you are right; I was mistaking the two-step verification required screen after initial auth for a constant login prompt, but it just happened to be prompting each time I logged in on each device. The issue is that remember me is not honored, but once you are prompted for the passkey and check Trust this device for 30 days, it is.

IMO, either the remember me box should be honored, or ideally during/after auth, it asks if you want the device to be trusted/remembered.
 