Affected version: 2.3.0 Beta 4
Steps to reproduce
A passkey acts like a password replacement - if an authenticator is lost / compromised and thus removed from an account, I would expect all sessions that used it to get invalidated immediately to prevent account abuse - just like they are when the password is changed.
1. Create a new account
2. Add a Passkey in browser context A
3. Log into the account with the passkey in another browser context (B)
4. Log into the account with username and password in a third browser context (C) using a backup code as TFA
5. Remove the Passkey from browser context A
6. Check session status in browser context B and C
7. Add another passkey in browser context A
8. Log into the account with the Passkey in browser context B
9. Change the password in browser context A
10. Check session status in browser context B and C
Expected result
- The session in browser context B is invalidated in step 6) while the session in browser context C is unaffected (preferred), or the sessions in browser context B and C are invalidated in step 6)
- Sessions in browser context B and C are invalidated in step 10)
Actual result
- Sessions in browser context B and C are unaffected in step 6)
- Sessions in browser context B and C are invalidated in step 10)
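The binding the report asks for, as an added example that is not XenForo's code: each session records the credential that authenticated it, so removing a passkey revokes the sessions created with that passkey (the report's preferred outcome) while a password change revokes all of the user's sessions; reproduce() replays the ten steps. The class names, user name and credential ids are assumptions made for illustration.

```python
# Added example (not XenForo's own code): a session store that records which
# credential authenticated each session, so removing a passkey revokes only the
# sessions it created, while a password change revokes all of a user's sessions.
import secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    credential: str   # "pw" for a password login, else the passkey credential id
    active: bool = True

@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)   # session id -> Session

    def login(self, user: str, credential: str) -> str:
        # Bind the new session to the credential that authenticated it.
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user, credential)
        return sid

    def is_active(self, sid: str) -> bool:
        return self.sessions[sid].active

    def remove_passkey(self, user: str, credential_id: str) -> int:
        # Preferred behaviour from the report: revoke only sessions that used this passkey.
        return self._revoke(lambda s: s.user == user and s.credential == credential_id)

    def change_password(self, user: str) -> int:
        # A password change revokes every session of the user, however it was authenticated.
        return self._revoke(lambda s: s.user == user)

    def _revoke(self, match) -> int:
        hit = [s for s in self.sessions.values() if s.active and match(s)]
        for s in hit:
            s.active = False
        return len(hit)

def reproduce() -> dict:
    store = SessionStore()
    b = store.login("alice", "passkey-1")        # step 3: context B logs in with the passkey
    c = store.login("alice", "pw")               # step 4: context C, password + backup code
    store.remove_passkey("alice", "passkey-1")   # step 5: passkey removed from context A
    step6 = {"B": store.is_active(b), "C": store.is_active(c)}
    b = store.login("alice", "passkey-2")        # steps 7-8: new passkey, B logs in again
    store.change_password("alice")               # step 9: password changed in context A
    step10 = {"B": store.is_active(b), "C": store.is_active(c)}
    return {"step6": step6, "step10": step10}
```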