Bug #22201
open
Using a passkey shouldn't also require a password
Added by Raffi Khatchadourian about 2 months ago.
Updated about 1 month ago.
Category name:
Authentication
Description
I noticed that GitHub doesn't require a password if I have setup a passkey; it just uses the passkey. However, I also have a passkey setup on CAC, but it asks me for the passkey only after I enter my password. Should not the passkey suffice?
Hi Raffi,
The plugin we rely on for WebAuthn passkeys is tied to the core 2FA plugin. So at a glance, it looks like the WebAuthn plugin only supplements the core 2FA plugin by adding WebAuthn as a provider and does not do any core changes like bypassing the initial username/password authentication.
I also checked the WebAuthn wp.org support forum and their Github issues list and no one has raised this issue before. That being said, I'll ask the WebAuthn author on their Github issues page to see if this could be addressed in their WebAuthn plugin.
By "replace," I mean, I personally would replace the 2FA plug-in with just the passkey. But, if there are other users that want to keep using password/2FA combination, then they can continue to use the 2FA plug-in.
Also available in: Atom
PDF