teamhanko / passkeys

FIDO2-certified passkey server and SDKs for adding passkey support to any auth system
https://hanko.io/passkey-api
GNU Affero General Public License v3.0
115 stars 8 forks

feat(webauthn): make webauthn params configurable #48

Closed shentschel closed 4 months ago

shentschel commented 6 months ago

Closes: #45, #50

FreddyDevelop commented 6 months ago

Also a flag or indication that a credential can only be used as a MFA credential is missing. Currently you can use a credential that was created as MFA for a passkey login.

shentschel commented 5 months ago

I updated all findings + OpenAPI spec and added the missed MFA flag

shentschel commented 5 months ago

> When calling /mfa/registration/initialize the options are missing the attachment.

> When trying to use a security key at /mfa/login/finalize I always get an error {"title":"failed to get user handle","details":"user not found","status":401}. When using a credential that was created through the passkey endpoints I don't get this error.

I fixed all findings but was unable to reproduce your 401 error. I do not own a security key so I tried to reproduce it with an iPhone which worked fine.
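The two findings in this thread (a credential registered as MFA must not be accepted by the passkey login, and /mfa/login/finalize returning "failed to get user handle" / "user not found" for a security key but not for a passkey) both come down to how the server resolves the user from the assertion. The sketch below is an added example, not code from this PR or from the Hanko passkey server; the `MFAOnly` field, the in-memory `Store` and the fixture data are all assumptions made for illustration. It also assumes the usual explanation for the 401: a non-discoverable credential, which is what a security key typically creates for a second-factor registration, returns no `userHandle` in the assertion, so a finalize step that insists on the handle fails even though the user is already known from the first factor.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Credential is the minimal stored record the lookup needs. MFAOnly is the
// "second factor only" marker asked for in the thread (assumed name).
type Credential struct {
	ID      []byte
	MFAOnly bool
}

// User carries the WebAuthn user handle (user.id sent at registration)
// and the credentials registered to it.
type User struct {
	ID          string
	UserHandle  []byte
	Credentials []Credential
}

// Assertion is the part of the authenticator's get() response needed here.
// UserHandle is nil when the authenticator omits it (non-discoverable keys).
type Assertion struct {
	CredentialID []byte
	UserHandle   []byte
}

var (
	ErrUserNotFound      = errors.New("user not found")
	ErrUnknownCredential = errors.New("credential not registered to this user")
	ErrMFAOnly           = errors.New("credential is restricted to MFA use")
	ErrHandleMismatch    = errors.New("user handle does not match credential owner")
)

// Store is a constructed in-memory user store, indexed by user handle for
// the passkey flow and by user ID for the MFA flow.
type Store struct {
	byHandle map[string]*User
	byUserID map[string]*User
}

func NewStore(users ...*User) *Store {
	s := &Store{byHandle: map[string]*User{}, byUserID: map[string]*User{}}
	for _, u := range users {
		s.byHandle[string(u.UserHandle)] = u
		s.byUserID[u.ID] = u
	}
	return s
}

func findCredential(u *User, id []byte) *Credential {
	for i := range u.Credentials {
		if bytes.Equal(u.Credentials[i].ID, id) {
			return &u.Credentials[i]
		}
	}
	return nil
}

// ResolvePasskeyLogin is the first-factor flow. No user is known yet, so the
// user handle is mandatory (WebAuthn 7.2 step for an unidentified user), and
// an MFA-only credential must be rejected here.
func (s *Store) ResolvePasskeyLogin(a Assertion) (string, error) {
	if len(a.UserHandle) == 0 {
		return "", ErrUserNotFound
	}
	u, ok := s.byHandle[string(a.UserHandle)]
	if !ok {
		return "", ErrUserNotFound
	}
	c := findCredential(u, a.CredentialID)
	if c == nil {
		return "", ErrUnknownCredential
	}
	if c.MFAOnly {
		return "", ErrMFAOnly
	}
	return u.ID, nil
}

// ResolveMFALogin is the second-factor flow. The user is already identified
// by the first factor (sessionUserID), so the credential is looked up by ID
// under that user and the handle is only compared when the authenticator
// sent one. Requiring the handle here is what turns a security key into a
// spurious "user not found".
func (s *Store) ResolveMFALogin(sessionUserID string, a Assertion) (string, error) {
	u, ok := s.byUserID[sessionUserID]
	if !ok {
		return "", ErrUserNotFound
	}
	c := findCredential(u, a.CredentialID)
	if c == nil {
		return "", ErrUnknownCredential
	}
	if len(a.UserHandle) > 0 && !bytes.Equal(a.UserHandle, u.UserHandle) {
		return "", ErrHandleMismatch
	}
	return u.ID, nil
}

// DemoStore is the constructed fixture: one user with a passkey and one
// MFA-only credential.
func DemoStore() *Store {
	return NewStore(&User{
		ID:         "user-1",
		UserHandle: []byte("handle-1"),
		Credentials: []Credential{
			{ID: []byte("cred-passkey")},
			{ID: []byte("cred-mfa"), MFAOnly: true},
		},
	})
}

func main() {
	s := DemoStore()
	// Security key, no user handle, MFA flow: accepted.
	fmt.Println(s.ResolveMFALogin("user-1", Assertion{CredentialID: []byte("cred-mfa")}))
	// Same credential presented to the passkey flow: rejected as MFA-only.
	fmt.Println(s.ResolvePasskeyLogin(Assertion{CredentialID: []byte("cred-mfa"), UserHandle: []byte("handle-1")}))
}
```

The split into two resolvers is the point: the passkey path may key on the user handle because it has nothing else, while the MFA path already has the user and only needs to confirm that the presented credential belongs to them. Keeping the MFA-only check on the passkey path, rather than on the shared credential lookup, is what stops a second-factor key from being promoted to a single-factor login.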

FreddyDevelop commented 5 months ago

> I fixed all findings but was unable to reproduce your 401 error. I do not own a security key so I tried to reproduce it with an iPhone which worked fine.

You can use the Chrome Virtual Authenticator to test it. Create a new virtual authenticator with protocol: ctap2, transport: usb, supportsResidentKeys: true and supportsUserVerification: true. Then create a new MFA credential and try to login with that new credential and you will get the error.

shentschel commented 5 months ago

I don't know if my attachment changes fixed them, but it works on my side:

https://github.com/teamhanko/passkeys/assets/2470308/17fad974-7cb8-4b09-9929-b27fdb9a63c1

Edit: I think I found a bug I have to fix and then test again. I tried the new MFA optional mechanism at the same time. And while looking into the code I think I made a copy-paste error when creating the default MFA config (using all WebAuthn parameters from the passkey config instead of defaults when the MFA config is missing in the DTO).