• Resolved My1

    (@my1xt)


    Would that mean people could just forge a user agent that cannot use WebAuthn, like Internet Explorer, and then go ham on the password login despite the password login having been disabled? Or how exactly does this go?

    Also, if password login is disabled, maybe instead of the password form, show something to the user that tells them to get a decent browser, as password login is turned off.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Axton

    (@axton)

    No, this feature is intended to allow password login (even when password login is disabled) if the site is configured incorrectly (missing required extensions or running under HTTP instead of HTTPS; in these cases WebAuthn couldn’t work). A user agent that doesn’t support WebAuthn cannot bypass “WebAuthn only”.

    When a user is using a browser that doesn’t support WebAuthn and tries to log in to a site that has disabled password login, this will lead to a login form that doesn’t work. I’ll improve the UX in the next version.

    Hope that could help. Sorry for the delay.

    • This reply was modified 4 years ago by Axton.
    Thread Starter My1

    (@my1xt)

    Okay, thanks, that helps (as long as the server can correctly see the state of HTTPS and stuff). With required extensions I guess you mean PHP extensions, right?

    Also, “Sorry for the delay.”, lol, it was Sunday, no problem. It’s not like I am expecting 24/7 support with a 2 hour response time.

    Plugin Author Axton

    (@axton)

    Yes, “extensions” refers to PHP extensions.

    Cool, I think I can mark this thread as resolved now.
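
The behaviour discussed in this thread, as an added example that is not part of the original posts and not the plugin's own code: the password fallback is decided only from server-side facts (HTTPS state, loaded PHP extensions), so a forged User-Agent has no effect. All function names, the extension list, the proxy address and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration, not the plugin's code; all names here are hypothetical.

// HTTPS state from server-controlled facts only. X-Forwarded-Proto counts
// only when the direct peer is a reverse proxy the operator has listed.
function request_is_https(array $server, array $trustedProxies): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    if (in_array((string) ($server['REMOTE_ADDR'] ?? ''), $trustedProxies, true)) {
        return strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https';
    }
    return false;
}

// Password login stays available when "WebAuthn only" is off, or when the
// site itself cannot run WebAuthn. HTTP_USER_AGENT is never consulted.
function password_login_allowed(bool $webauthnOnly, array $server,
    array $trustedProxies, array $requiredExts, array $loadedExts): bool
{
    if (!$webauthnOnly) {
        return true;
    }
    $missing = array_diff($requiredExts, $loadedExts);
    return !(request_is_https($server, $trustedProxies) && count($missing) === 0);
}

// Constructed sample data; the extension list is assumed for illustration.
$required = ['gmp', 'mbstring'];
$proxies  = ['10.0.0.5'];
$cases = [
    'healthy site, forged old-browser UA' => [
        ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.7',
         'HTTP_USER_AGENT' => 'Mozilla/4.0 (compatible; MSIE 8.0)'],
        ['gmp', 'mbstring']],
    'TLS terminated at listed proxy' => [
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'],
        ['gmp', 'mbstring']],
    'proxy not listed, server sees plain HTTP' => [
        ['REMOTE_ADDR' => '10.0.0.9', 'HTTP_X_FORWARDED_PROTO' => 'https'],
        ['gmp', 'mbstring']],
    'required extension missing' => [
        ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.7'], ['mbstring']],
];
foreach ($cases as $label => [$server, $loaded]) {
    $ok = password_login_allowed(true, $server, $proxies, $required, $loaded);
    printf("%-42s password login: %s\n", $label, $ok ? 'allowed' : 'refused');
}
```

The third case is the caveat raised in the thread: if the server cannot correctly see that the site is on HTTPS, the fallback treats WebAuthn as unavailable. A site that also answers on plain HTTP should redirect to HTTPS before a check like this runs.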

  • The topic ‘how does “Avoid locking users out if WebAuthn is not available” work?’ is closed to new replies.