Details
- Impedibug
- Status: Closed
- Minor
- Resolution: Completed
- Master
- 7.3.x
- Committed
- 3
- Iteration 45, Iteration 46, Iteration 47, Iteration 48, Iteration 49, Iteration 50, AppSec Iteration 51, AppSec Iteration 52, AppSec Iteration 53, AppSec Iteration 54, AppSec Iteration 55, AppSec Iteration 56
Description
Summary
When I enabled multiple MFA verifiers (EOTP, TOTP and FIDO2) and the user fails at login with the FIDO2 verifier, then even if I enter the other verifier's data correctly, I cannot enter the site.
Repro
- Enable the MFA verifiers EmailOTP, Time-based OTP and FIDO2
- Set FIDO2's allowed origin to something special, e.g. "HTTP://not.existing.com"
- Go to the Portal and press Sign in
- Enter your email and password
- Authenticate yourself with FIDO2. Note that FIDO2 will fail due to the different origin.
- Switch to a different verifier on the Login page, e.g. the email-based one
- Send out the email
- Enter the valid code from the email and submit the form
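As an added illustration (not the project's code; the report does not state the actual cause), the repro steps replayed against a small Python model of the second-factor step: a buggy flow that keeps one sticky failure flag after the FIDO2 origin mismatch, beside a flow that tracks outcomes per verifier so the e-mail OTP fallback succeeds. The verifier names, expected codes, attempt limit and browser origin are constructed.

```python
from dataclasses import dataclass, field

# Constructed values for the model (not taken from the report).
ALLOWED_ORIGIN = "HTTP://not.existing.com"   # the deliberately wrong origin from the repro
EXPECTED_EMAIL_CODE = "482913"
EXPECTED_TOTP_CODE = "117734"
MAX_FAILURES = 5                             # per-verifier attempt limit in the fixed flow

# Each verifier returns True when the submitted proof is valid. FIDO2 also checks the
# relying-party origin, which is what the repro breaks on purpose.
VERIFIERS = {
    "fido2": lambda p: p["origin"] == ALLOWED_ORIGIN and p["assertion_ok"],
    "email_otp": lambda p: p["code"] == EXPECTED_EMAIL_CODE,
    "totp": lambda p: p["code"] == EXPECTED_TOTP_CODE,
}

@dataclass
class Session:
    """State carried from the password step into the second-factor step."""
    step_failed: bool = False                     # used only by the buggy flow
    failures: dict = field(default_factory=dict)  # per-verifier failure counts (fixed flow)

def second_factor_buggy(session, verifier, proof):
    # Hypothetical cause: any verifier failure flips one sticky flag for the whole step,
    # so a later valid e-mail OTP is rejected before it is even checked.
    if session.step_failed:
        return False
    ok = VERIFIERS[verifier](proof)
    if not ok:
        session.step_failed = True
    return ok

def second_factor_fixed(session, verifier, proof):
    # Outcomes are tracked per verifier: a FIDO2 failure only counts against FIDO2,
    # and success with any enabled verifier still completes the step.
    if session.failures.get(verifier, 0) >= MAX_FAILURES:
        return False
    ok = VERIFIERS[verifier](proof)
    if not ok:
        session.failures[verifier] = session.failures.get(verifier, 0) + 1
    return ok

def run_repro(step):
    """Replay the report's steps against one flow; returns (fido2_result, email_result)."""
    s = Session()
    # Browser origin differs from the configured allowed origin, so FIDO2 fails.
    fido2 = step(s, "fido2", {"origin": "https://portal.example.test", "assertion_ok": True})
    # The user switches to e-mail OTP and submits the correct code.
    email = step(s, "email_otp", {"code": EXPECTED_EMAIL_CODE})
    return fido2, email

if __name__ == "__main__":
    print("buggy:", run_repro(second_factor_buggy))   # (False, False)
    print("fixed:", run_repro(second_factor_fixed))   # (False, True)
```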
Video of the repro
Expectation
User might be able to log in by falling back to the other verifiers?
Actual result
User cannot log in using the fallback verifiers in a single flow.
Reproduced on
master
SHA: a13ddd1546319ec52ea5228accd463f4c407694c
Updated on: Tue Nov 17 13:37:30 2020 -0800