wordpress-mobile/WordPressAuthenticator-iOS

The Security Key option is displayed for an account that does not have a Security Key set up

kean opened this issue · 3 comments

kean commented

Setup:

  • Account A has a security key set up
  • Account B has two-factor authentication enabled, but no security key

Steps:

  • Log in with account A (using password autofill)
  • Tap "Back" on the second factor screen
  • Log in with account B

Expected Result

The second factor screen does not show "Use a security key" option.

Actual Result

  • The second factor screen shows a "Use a security key" option.
  • The nonce value and other parameters are the same as after the login with account A.
kean commented

Here's another scenario I tested which I believe has the same root cause.

Setup:

  • Account A has a security key set up
  • Account B has a security key set up

Steps:

  • Log in with account A (using password autofill)
  • Use passkey for account B as a second factor (incorrect passkey)
  • See an error message and tap "OK" to navigate back to the login screen
  • Login with account B
  • Use passkeys for account B again (this time it's correct)

Expected Result

The login went through.

Actual Result

  • The login fails because nonce is invalid (the nonce from the initial login was used)
  • The app shows a non-user friendly error
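Added example, not code from WordPressAuthenticator-iOS or from the reporter: a small Python model of the login flow in both scenarios above. The server, the account table, and every class and method name here are constructed for illustration, and the server is assumed to issue one nonce per password login and to consume it on any verification attempt. The model reproduces both reported outcomes when the second-factor challenge (nonce plus the "security key available" flag) survives a Back navigation and is not replaced by the next login, and shows both going away when the challenge is dropped on Back and replaced on every login.

```python
# Added example, not code from WordPressAuthenticator-iOS: a model of the
# login flow in the two scenarios above. Server, accounts and names are
# constructed for illustration.
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed accounts (hypothetical; not real WordPress.com users).
ACCOUNTS = {
    "account_a": {"security_key": True},   # both scenarios: has a security key
    "account_b": {"security_key": False},  # scenario 1: 2FA only, no security key
    "account_c": {"security_key": True},   # scenario 2's "account B": has a security key
}


@dataclass
class SecondFactorChallenge:
    user: str
    nonce: str
    security_key_available: bool


class FakeAuthServer:
    """Stands in for the remote endpoint: one nonce per password login, single use (assumed)."""

    def __init__(self) -> None:
        self._live: dict[str, str] = {}  # nonce -> user it was issued to

    def password_login(self, user: str) -> SecondFactorChallenge:
        nonce = secrets.token_hex(16)
        self._live[nonce] = user
        return SecondFactorChallenge(user, nonce, ACCOUNTS[user]["security_key"])

    def verify_security_key(self, user: str, nonce: str, assertion_ok: bool) -> str:
        # The nonce is consumed by any attempt, successful or not, so a retry
        # with the same value is rejected before the assertion is even looked at.
        owner = self._live.pop(nonce, None)
        if owner is None:
            return "invalid_nonce"
        # assertion_ok stands in for the real signature/credential check.
        if owner != user or not assertion_ok:
            return "invalid_security_key"
        return "ok"


class Client:
    """Models the app's second-factor screen state. fixed=False reproduces the reported behaviour."""

    def __init__(self, server: FakeAuthServer, fixed: bool) -> None:
        self.server = server
        self.fixed = fixed
        self.challenge: Optional[SecondFactorChallenge] = None

    def login(self, user: str) -> SecondFactorChallenge:
        fresh = self.server.password_login(user)
        if self.fixed or self.challenge is None:
            self.challenge = fresh
        # Buggy path: a challenge left over from the earlier attempt is kept, so the
        # nonce and the security-key flag still belong to the first account.
        return self.challenge

    def back(self) -> None:
        if self.fixed:
            self.challenge = None  # leaving the screen discards the challenge

    def shows_security_key_option(self) -> bool:
        assert self.challenge is not None
        return self.challenge.security_key_available

    def use_security_key(self, user: str, assertion_ok: bool) -> str:
        assert self.challenge is not None
        return self.server.verify_security_key(user, self.challenge.nonce, assertion_ok)


def scenario_1(fixed: bool) -> bool:
    """Log in as A, go back, log in as B (no key). Returns whether the key option is shown."""
    client = Client(FakeAuthServer(), fixed)
    client.login("account_a")
    client.back()
    client.login("account_b")
    return client.shows_security_key_option()


def scenario_2(fixed: bool) -> tuple[str, str]:
    """Log in as A, present C's key (wrong), go back, log in as C, present C's key."""
    client = Client(FakeAuthServer(), fixed)
    client.login("account_a")
    first = client.use_security_key("account_c", assertion_ok=False)
    client.back()
    client.login("account_c")
    second = client.use_security_key("account_c", assertion_ok=True)
    return first, second


if __name__ == "__main__":
    print("scenario 1 (buggy, fixed):", scenario_1(False), scenario_1(True))
    print("scenario 2 (buggy, fixed):", scenario_2(False), scenario_2(True))
```

With the stale challenge kept, scenario 1 shows the security key option for the account without a key, and scenario 2 ends in `invalid_nonce` because the first login's nonce is sent again after it has already been consumed; with the challenge cleared on Back and replaced on each login, the option disappears in scenario 1 and scenario 2 succeeds.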

Hey @kean, I tested the steps for your second scenario

Steps:

  • Log in with account A (using password autofill)

  • Use passkey for account B as a second factor (incorrect passkey)
  • See an error message and tap "OK" to navigate back to the login screen
  • Login with account B
  • Use passkeys for account B again (this time it's correct)

And it worked for me with the latest trunk version.

RPReplay_Final1703735752.MP4

Steps

  • Autofilled credentials for ecarrionc
  • Used security key for carrion.silver
  • Got the invalid security key error
  • Autofilled credentials for carrion.silver
  • Used security key for carrion.silver
  • Successful login

Were these the same steps you followed?

kean commented

I also couldn't reproduce it by following these steps using the WP-iOS build from trunk. Maybe it requires some additional steps. I suggest focusing on the original issue as there is likely the same root cause.