Closed shentschel closed 4 months ago
Also, a flag or indication that a credential can only be used as an MFA credential is missing. Currently you can use a credential that was created as MFA for a passkey login.
I updated all findings + openapi spec and added the missed mfa flag
When calling `/mfa/registration/initialize` the options are missing the attachment. When trying to use a security key at `/mfa/login/finalize` I always get an error `{"title":"failed to get user handle","details":"user not found","status":401}`. When using a credential that was created through the passkey endpoints I don't get this error.
I fixed all findings but was unable to reproduce your 401 error. I do not own a security key so I tried to reproduce it with an iPhone which worked fine.
You can use the Chrome Virtual Authenticator to test it. Create a new virtual authenticator with protocol: `ctap2`, transport: `usb`, supportsResidentKeys: `true` and supportsUserVerification: `true`. Then create a new MFA credential and try to log in with that new credential and you will get the error.
I don't know if my attachment changes fixed them, but it works on my side:
https://github.com/teamhanko/passkeys/assets/2470308/17fad974-7cb8-4b09-9929-b27fdb9a63c1
Edit: I think I found a bug I have to fix and then test again. I tried the new MFA optional mechanism at the same time. And while looking into the code I think I made a copy-paste error when creating the default MFA config (using all webauthn parameters from passkey config instead of defaults when mfa config is missing in dto)
Closes: #45, #50
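The three findings discussed in this thread (the attachment missing from the MFA registration options, an MFA credential being accepted by the passkey login, and MFA defaults copied from the passkey config when the MFA section is absent) can be shown together in a small model. The Python below is an added example written for this page, not code from the hanko/passkeys project; every type, function name and default value in it (WebauthnConfig, MFA_DEFAULTS, finalize_passkey_login, the "example.test" RP id) is a constructed assumption, and the credential store is an in-memory dict rather than the project's database.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical models written for this thread; they are not the hanko/passkeys
# project's real types or endpoints.


@dataclass(frozen=True)
class WebauthnConfig:
    rp_id: str
    user_verification: str = "required"   # WebAuthn UserVerificationRequirement
    attachment: Optional[str] = None      # "platform", "cross-platform" or None


# Separate defaults for the two flows. The passkey flow wants user verification
# on a discoverable credential; the MFA flow is a second factor, so the defaults
# constructed here ask for a roaming (cross-platform) authenticator.
PASSKEY_DEFAULTS = WebauthnConfig(rp_id="example.test", user_verification="required")
MFA_DEFAULTS = WebauthnConfig(rp_id="example.test", user_verification="preferred",
                              attachment="cross-platform")


def resolve_mfa_config(dto: Dict[str, dict]) -> WebauthnConfig:
    """Build the MFA config from a tenant DTO.

    When the DTO has no "mfa" section the result is MFA_DEFAULTS, never the
    "passkey" section: reusing the passkey parameters is the copy-paste mistake
    described in the thread.
    """
    mfa = dto.get("mfa")
    if mfa is None:
        return MFA_DEFAULTS
    return WebauthnConfig(
        rp_id=mfa.get("rp_id", MFA_DEFAULTS.rp_id),
        user_verification=mfa.get("user_verification", MFA_DEFAULTS.user_verification),
        attachment=mfa.get("attachment", MFA_DEFAULTS.attachment),
    )


def build_mfa_registration_options(cfg: WebauthnConfig, user_id: str, user_name: str) -> dict:
    """Return a PublicKeyCredentialCreationOptions-shaped dict.

    authenticatorSelection carries authenticatorAttachment whenever the config
    has one; that is the option the reviewer found missing from the MFA
    registration response.
    """
    selection = {"userVerification": cfg.user_verification}
    if cfg.attachment is not None:
        selection["authenticatorAttachment"] = cfg.attachment
    return {
        "rp": {"id": cfg.rp_id, "name": cfg.rp_id},
        "user": {"id": user_id, "name": user_name, "displayName": user_name},
        "pubKeyCredParams": [{"type": "public-key", "alg": -7}],
        "authenticatorSelection": selection,
    }


@dataclass
class Credential:
    credential_id: bytes
    user_id: str
    mfa_only: bool = False   # the flag the review asked for


CredentialStore = Dict[bytes, Credential]


class LoginError(Exception):
    pass


def finalize_passkey_login(store: CredentialStore, credential_id: bytes,
                           user_handle: Optional[str]) -> str:
    """Passkey flow: the user is identified by the assertion's userHandle."""
    cred = store.get(credential_id)
    if cred is None:
        raise LoginError("unknown credential")
    if cred.mfa_only:
        # An MFA-only credential must not satisfy a passwordless login on its own.
        raise LoginError("credential is restricted to MFA")
    if user_handle is None or user_handle != cred.user_id:
        raise LoginError("failed to get user handle")
    return cred.user_id


def finalize_mfa_login(store: CredentialStore, credential_id: bytes,
                       session_user_id: str) -> str:
    """MFA flow: the user is already known from the first factor, so the
    credential is matched against the session instead of a userHandle, which
    WebAuthn allows to be null for non-discoverable credentials."""
    cred = store.get(credential_id)
    if cred is None or cred.user_id != session_user_id:
        raise LoginError("credential does not belong to this user")
    return cred.user_id
```

The two finalize functions differ deliberately: the passkey path has to trust the user handle because nothing else identifies the user, while the MFA path already has an authenticated session and only needs to confirm that the presented credential belongs to it.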