The Security Key option is displayed for an account that does not have a Security Key setup
kean opened this issue · 3 comments
kean commented
Setup:
- Account A has a security key set up
- Account B has two-factor authentication enabled, but no security key
Steps:
- Log in with account A (using password autofill)
- Tap "Back" on the second factor screen
- Log in with account B
Expected Result
The second factor screen does not show "Use a security key" option.
Actual Result
- The second factor screen shows a "Use a security key" option.
- The `nonce` value and other parameters are the same as after the login with account A
kean commented
Here's another scenario I tested which I believe has the same root cause.
Setup:
- Account A has a security key set up
- Account B has a security key set up
Steps:
- Log in with account A (using password autofill)
- Use passkey for account B as a second factor (incorrect passkey)
- See an error message and tap "OK" to navigate back to the login screen
- Log in with account B
- Use passkeys for account B again (this time it's correct)
Expected Result
The login went through.
Actual Result
- The login fails because nonce is invalid (the nonce from the initial login was used)
- The app shows a non-user friendly error
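Both reports above describe the same defect: the second-factor challenge (nonce, "security key available" flag) obtained for the first login survives "Back" and the error dismissal, so the next login reuses it. The following Python model is an added illustration, not WordPress-iOS code; the server, client, account names and the `reset_on_new_login` switch are constructed to show the reported behaviour beside the corrected one, where a new password login always fetches a fresh challenge and any return to the login screen discards the old one.

```python
"""Model of the two-factor screen state described in this issue (constructed)."""
from dataclasses import dataclass
import secrets


@dataclass
class Challenge:
    account: str                   # account the challenge was issued for
    nonce: str                     # single-use value returned by the server
    security_key_available: bool   # whether this account has a key registered


class FakeServer:
    """Hands out one single-use challenge per password login (constructed)."""

    def __init__(self, accounts):
        # accounts: name -> True if a security key is registered
        self.accounts = accounts
        self.live_nonces = {}  # nonce -> account it was issued for

    def password_login(self, account):
        nonce = secrets.token_hex(8)
        self.live_nonces[nonce] = account
        return Challenge(account, nonce, self.accounts[account])

    def verify_security_key(self, account, nonce, key_belongs_to):
        # Every attempt consumes the nonce; it must be live and issued for this
        # account, and the presented key must belong to the same account.
        owner = self.live_nonces.pop(nonce, None)
        if owner is None or owner != account:
            return "invalid nonce"
        if key_belongs_to != account:
            return "invalid security key"
        return "ok"


class Client:
    """Login screen + second-factor screen. reset_on_new_login=False reproduces the report."""

    def __init__(self, server, reset_on_new_login):
        self.server = server
        self.reset_on_new_login = reset_on_new_login
        self.challenge = None

    def login(self, account):
        # Corrected variant: a password login always starts a fresh challenge.
        # Reported variant: whatever challenge is already held is shown again.
        if self.challenge is None or self.reset_on_new_login:
            self.challenge = self.server.password_login(account)
        return self.challenge

    def back(self):
        # Leaving the second-factor screen must drop its state.
        if self.reset_on_new_login:
            self.challenge = None

    def use_security_key(self, key_belongs_to):
        result = self.server.verify_security_key(
            self.challenge.account, self.challenge.nonce, key_belongs_to)
        if result != "ok":
            self.back()  # tapping "OK" on the error returns to the login screen
        return result


def scenario_option_shown(reset_on_new_login):
    """First report: A has a key, B does not. Returns (option shown for B, nonce reused)."""
    server = FakeServer({"A": True, "B": False})
    client = Client(server, reset_on_new_login)
    first = client.login("A")
    client.back()
    second = client.login("B")
    return second.security_key_available, second.nonce == first.nonce


def scenario_stale_nonce(reset_on_new_login):
    """Second report: both have keys; B's key is presented while logged in as A."""
    server = FakeServer({"A": True, "B": True})
    client = Client(server, reset_on_new_login)
    client.login("A")
    client.use_security_key(key_belongs_to="B")  # wrong key -> error -> back to login
    client.login("B")
    return client.use_security_key(key_belongs_to="B")


if __name__ == "__main__":
    for reset in (False, True):
        print("reset_on_new_login =", reset,
              "| option shown / nonce reused:", scenario_option_shown(reset),
              "| retry result:", scenario_stale_nonce(reset))
```

With `reset_on_new_login=False` the model shows the security-key option for account B with A's nonce and the retry fails with "invalid nonce", matching both reports; with `True` the option is hidden for B and the retry succeeds. The point to check in the app is the same: the second-factor screen's state must be bound to the login that produced it and cleared on every path back to the login screen, including the error alert's "OK".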
Ecarrion commented
Hey @kean, I tested the steps for your second scenario
Steps:
- Log in with account A (using password autofill)
- Use passkey for account B as a second factor (incorrect passkey)
- See an error message and tap "OK" to navigate back to the login screen
- Log in with account B
- Use passkeys for account B again (this time it's correct)
And it worked for me with the latest trunk version.
RPReplay_Final1703735752.MP4
Steps
- Autofilled credentials for `ecarrionc`
- Used security key for `carrion.silver`
- Got the invalid security key error
- Autofilled credentials for `carrion.silver`
- Used security key for `carrion.silver`
- Successful login
Were these the same steps you followed?
kean commented
I also couldn't reproduce it by following these steps using the WP-iOS build from trunk. Maybe it requires some additional steps. I suggest focusing on the original issue as there is likely the same root cause.