jmatsushita
changed the title
Passkey only recovery flow asks to "change password"m doesn't display hardware key and can lead to account lock out
Passkey only recovery flow asks to "change password" doesn't display hardware key and can lead to account lock out
Jul 22, 2023
jmatsushita
changed the title
Passkey only recovery flow asks to "change password" doesn't display hardware key and can lead to account lock out
Passkey only recovery flow asks to "change password" doesn't display hardware key
Jul 22, 2023
Preflight checklist
Describe the bug
The language after successful recovery via email is confusing since there isn't a password or social sign-in set up. In addition, no hardware token is displayed in the list.
In addition, when pressing "Add security key" and registering the same device with a different key name (using the id after-recovery in the below example), only then is the key identifier used during sign-up displayed (in the below example j-zero).
Worse, if I click Remove security key "after-recovery", both keys are removed in the UI.
Reproducing the bug
When, as a project admin, I configure an Ory Network developer project to passkey only (enabling passkeys and disabling password auth),
Then, as a user, I sign up with an email, use the account recovery option using the Ory Account Experience UI, after entering the OTP the Account Recovery page says:
You successfully recovered your account. Please change your password or set up an alternative login method (e.g. social sign in) within the next 15.00 minutes.
Pressing "Add security key" and registering the same device with a different key name now shows 2 keys.
Removing only one of the keys leads to none being displayed.
Relevant log output
No response
Relevant configuration
No response
Version
https://console.ory.sh/
On which operating system are you observing this issue?
Ory Network
In which environment are you deploying?
Ory Network
Additional Context
No response