josevirtual

Worked for me too

The same is happening to me

Thanks for your answer. I think that the warning is a good idea.

Android users should use their password, U2F never should be the only security factor. The username is not a secure factor at all, in many WordPress websites it is very easy to find it, and people reuse usernames, hackers may easily guess them. You probably should allow password access for every user that does not use FIDO2.

Summarizing, the FIDO standards are designed to be used in this way:

Username + Password + FIDO U2F
Only FIDO2, o just with the username

Many companies even ask for password + FIDO2

I hope this helps

That’s right. However, as I have mentioned in my edited review, FIDO U2F should never allow to access without password. Only WebAuthn (FIDO2) is secure enough to allow Passwordless Authentication. It is a basic rule regarding secure authentication.

Everything else looks fine for me in the plugin.