Affects Version/s: Master
Component/s: Application Security > Multi-Factor Authentication
Backported to Branch: Committed
Sprint:Iteration 45, Iteration 46, Iteration 47, Iteration 48, Iteration 49, Iteration 50, AppSec Iteration 51, AppSec Iteration 52, AppSec Iteration 53, AppSec Iteration 54, AppSec Iteration 55, AppSec Iteration 56
Git Pull Request:
When I enabled multiple MFA verifiers (EOTP, TOTP and FIDO2) and the user fails at login with the FIDO2 verifier, then even if I enter the other verifier's data correctly, I cannot enter the site.
- Enable the MFA verifiers Email OTP, Time-based OTP and FIDO2
- Set FIDO2's allowed origin to a value that does not match the portal, e.g. "HTTP://not.existing.com"
- Go to the Portal and press Sign in
- Enter your email and password
- Authenticate yourself with FIDO2. Note that FIDO2 will fail due to the mismatched origin.
- Switch to a different verifier on the Login page, e.g. the email-based one
- Send out the email
- Enter the valid code from the email and submit the form
Video of the repro
Expected result: the user should be able to log in by falling back to another verifier (assumed to be the intended behavior).
Actual result: the user cannot log in using fallback verifiers within a single login flow.
Updated on: Tue Nov 17 13:37:30 2020 -0800