Expected behavior:
I was recently setting up a new passwordless user. I created a user with a single passkey. I was able to delete the user's one passkey.
Current behavior:
If a user only has one passkey, we shouldn't let them delete it, until they have a new passkey added.
Bug details:
Teleport version
Recreation steps
Debug logs
I think this might be an unintended consequence of "second_factor:optional" in the cluster settings. Still a bug, but you shouldn't be able to do this with "second_factor:on" or "second_factor:webauthn" (arguably better settings for a passwordless cluster).
A difficulty in fixing this is that we don't mark users as "passwordless", so the backend interprets this as deleting a regular MFA method, not as locking the user out. A simple solution is to just not delete the last resident credential they have, assuming there are no other MFA methods registered. It's a bit weird in some corner cases, but should solve potential lockouts.
@bl-nero, I can take this one if that's alright with you.
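The guard proposed in the comment above, sketched as an added example (this is not Teleport's code and not part of the original thread). The `Device` type, the `CheckDelete` function and the error values are hypothetical, and treating `second_factor` values `on` and `webauthn` as "the last device can never be removed" is an assumption based on the comment.

```go
package main

import (
	"errors"
	"fmt"
)

// Device is a simplified, hypothetical MFA device record (not Teleport's type).
type Device struct {
	Name     string
	Resident bool // true for a passkey (resident credential) usable for passwordless login
}

var (
	ErrNotFound    = errors.New("device not found")
	ErrLastDevice  = errors.New("second factor is required: cannot delete the last MFA device")
	ErrLastPasskey = errors.New("cannot delete the last passkey with no other MFA method registered")
)

// CheckDelete reports whether the named device may be deleted.
// secondFactor is the cluster setting quoted in the thread.
func CheckDelete(devices []Device, name, secondFactor string) error {
	var target *Device
	remaining := 0 // devices the user would still have after the deletion
	for i := range devices {
		if devices[i].Name == name && target == nil {
			target = &devices[i]
			continue
		}
		remaining++
	}
	if target == nil {
		return ErrNotFound
	}
	// Assumed behaviour for "on"/"webauthn": the last device can never be removed.
	if remaining == 0 && (secondFactor == "on" || secondFactor == "webauthn") {
		return ErrLastDevice
	}
	// Proposed rule: keep the last resident credential when nothing else is registered.
	if remaining == 0 && target.Resident {
		return ErrLastPasskey
	}
	return nil
}

func main() {
	solo := []Device{{Name: "passkey-1", Resident: true}} // constructed sample
	fmt.Println(CheckDelete(solo, "passkey-1", "optional"))
}
```

A user who holds a passkey plus any other device can still delete the passkey under this rule, which is the corner case the comment calls "a bit weird".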