When the Passkey flow fails, it's no longer possible to try fetching a new key due to how the WebAuthn nonce works. But since any Passkey failure keeps the user in the 2FA screen, it may mislead them into thinking they can hit the Use security key button to try again.
To address this scenario, this PR implements any Passkey error scenario and moves the user back to the Password screen, where it's actually possible to restart the authentication flow and try once again.
Open the Woo app configured with this PR and start the login flow with the same WordPress.com account you used to create the Security Key.
Once you hit the 2FA screen, make sure the Use security key button appears and click on it.
Make sure the Credential Manager opens up with a selectable Passkey. Instead of selecting a Passkey, HIT THE BACK BUTTON TO LEAVE THE CREDENTIAL MANAGER WITHOUT A PASSKEY SELECTION.
This should trigger a Passkey failure scenario. Make sure the login flow moves back to the Password selection view, with the Password pre-filled.
Update release notes:
[x] I have considered if this change warrants user-facing release notes and have added them to RELEASE-NOTES.txt if necessary.
Screen capture
https://github.com/wordpress-mobile/WordPress-Login-Flow-Android/assets/5920403/3c8e1322-718d-43c5-9b98-3b5107bef91e
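The failure handling described in this PR, as an added sketch that is not part of the PR or of the library's code. It assumes the 2FA nonce issued after the password step is single-use and is spent when the WebAuthn challenge is requested; `FakeAuthServer`, `LoginState` and `onPasskeyResult` are hypothetical names.

```kotlin
// Added illustration: a simplified model, not code from WordPress-Login-Flow-Android.
// FakeAuthServer, LoginState and onPasskeyResult are hypothetical names.
import java.util.UUID

class FakeAuthServer {
    private val liveNonces = mutableSetOf<String>()

    // Password step: a correct password yields a fresh single-use 2FA nonce (assumption).
    fun passwordLogin(password: String): String? =
        if (password == "correct-password") UUID.randomUUID().toString().also { liveNonces.add(it) } else null

    // Challenge step: the nonce is consumed here, whether or not the ceremony later succeeds.
    fun requestWebauthnChallenge(nonce: String): String? =
        if (liveNonces.remove(nonce)) UUID.randomUUID().toString() else null
}

sealed class LoginState {
    data class Password(val prefilled: String = "") : LoginState()
    data class TwoFactor(val password: String, val nonce: String) : LoginState()
    object Authenticated : LoginState()
}

// Any passkey failure (picker dismissed, no credential, signing error) leaves the
// nonce spent, so the only state from which the flow can restart is the password screen.
fun onPasskeyResult(state: LoginState.TwoFactor, success: Boolean): LoginState =
    if (success) LoginState.Authenticated else LoginState.Password(prefilled = state.password)

fun main() {
    val server = FakeAuthServer()
    val password = "correct-password" // constructed sample value
    val nonce = checkNotNull(server.passwordLogin(password))
    val twoFactor = LoginState.TwoFactor(password, nonce)

    // First tap on "Use security key": a challenge is issued, then the user backs out.
    check(server.requestWebauthnChallenge(nonce) != null)
    val next = onPasskeyResult(twoFactor, success = false)
    println("after failure: $next")

    // Retrying with the old nonce, as a user left on the 2FA screen would, is rejected.
    println("retry with spent nonce: ${server.requestWebauthnChallenge(nonce)}")

    // Restarting from the pre-filled password screen obtains a fresh nonce and challenge.
    val fresh = checkNotNull(server.passwordLogin((next as LoginState.Password).prefilled))
    println("retry after restart issued: ${server.requestWebauthnChallenge(fresh) != null}")
}
```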