If a user has one Passkey, don't let the user delete it. #32690
Comments
|
Can we lump this in with #19314? |
|
I think this might be an unintended consequence of "second_factor:optional" in the cluster settings. Still a bug, but you shouldn't be able to do this with "second_factor:on" or "second_factor:webauthn" (arguably better settings for a passwordless cluster). |
|
A difficulty in fixing this is that we don't mark users as "passwordless", so the backend interprets this as deleting a regular MFA method, not as locking the user out. A simple solution is to just not delete the last resident credential they have, assuming there are not other MFA methods registered. It's a bit weird in some corner-cases, but should solve potential lockouts. @bl-nero, I can this one if that's alright to you. |
|
I don't mind, as long as it's backend-only (I'm gonna rewrite a lot of stuff in the UI in upcoming days) |
Expected behavior:
I was recently setting up a new passwordless user, I created a user with a single passkey. I was able to delete the users one passkey
Current behavior:
If a user only has one passkey, we shouldn't let them delete it, until they have a new passkey added.
Bug details:
The text was updated successfully, but these errors were encountered: