Bug #22201
open
Using a passkey shouldn't also require a password
Added by Raffi Khatchadourian about 1 year ago.
Updated about 1 month ago.
Category: Authentication
Description
I noticed that GitHub doesn't require a password if I have set up a passkey; it just uses the passkey. However, I also have a passkey set up on CAC, but it asks me for the passkey only after I enter my password. Should not the passkey suffice?
Hi Raffi,
The plugin we rely on for WebAuthn passkeys is tied to the core 2FA plugin. So at a glance, it looks like the WebAuthn plugin only supplements the core 2FA plugin by adding WebAuthn as a provider and does not do any core changes like bypassing the initial username/password authentication.
I also checked the WebAuthn wp.org support forum and their GitHub issues list and no one has raised this issue before. That being said, I'll ask the WebAuthn author on their GitHub issues page to see if this could be addressed in their WebAuthn plugin.
By "replace," I mean, I personally would replace the 2FA plug-in with just the passkey. But, if there are other users that want to keep using password/2FA combination, then they can continue to use the 2FA plug-in.
- Target version set to 2.8.0
I think we should continue to research this as email-based passkeys become more common (or, by contrast, become less common). I don't want to jump into one of the authentication models only to find that it's on the way out. We on the Commons team will have a discussion over the summer about the status of these alternative authentication methods.