canonical / identity-platform-login-ui

Login UI for the Canonical identity broker and identity provider solution
Apache License 2.0

Removing TOTP and trying to sign in shows a security key as an MFA option but doesn't actually work #339

Open lukasSerelis opened 1 month ago

lukasSerelis commented 1 month ago

If you remove the TOTP method from an account that has backup codes set up, it'll show the option to enter a backup code after correctly inputting email + password, but will also show "Sign in with security key" as an option. Clicking that, you get taken to the initial login state.

Flow (pre-reqs: account registered, TOTP unlinked, passwordless sign in set up, backup codes set up):

1) Enter email and password, hit Sign in.

2) See the screen with backup recovery code entry and the sign in with security key option. Click sign in with security key.

3) Taken to the initial login page.

The sign in with security key option should not be in that screen to begin with.

syncronize-issues-to-jira[bot] commented 1 month ago

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/IAM-1163.

This message was autogenerated

natalian98 commented 1 month ago

@edlerd could you hide the "Sign in with security key" button on the 2fa screen?

edlerd commented 1 month ago

I cannot reproduce this with the current main branch locally.

I created an account with backup codes, mfa, and passkeys. Then removed mfa. Then started a login with username/password. The backup code screen has no notion of the passkeys for me.


Also after setting up mfa again, the 2fa screen has no notion of the passkeys.
