Deleting all WebAuthn devices doesn't reset the recovery codes
If there is only one WebAuthn device registered, deleting it should destroy the recovery codes. On a subsequent authenticator registration, new recovery codes should be displayed.
When there is only one WebAuthn device registered, these two actions should have the same results:
Steps to reproduce
- Delete all registered authenticators
- Enable the following feature flag:
Feature.enable(:webauthn_without_totp)
- Register a WebAuthn device
- User is redirected to see the recovery codes
- Delete the registered device
- Register a new authenticator (TOTP or WebAuthn)
- The user is not redirected to see the recovery codes, hence I assume the previous recovery codes are still valid. (Confirmed, see video: Screen_Recording_2023-03-02_at_21.50.11)
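The expected invariant from the report, written out as an added Ruby model (hypothetical `TwoFactorAccount` class, not GitLab's own code): recovery codes live and die with the set of registered second-factor devices, so deleting the last device invalidates them and the next registration issues a fresh set.

```ruby
require 'securerandom'

# Hypothetical model of the intended behaviour described in the issue:
# recovery codes are bound to the set of registered second-factor devices.
class TwoFactorAccount
  attr_reader :devices, :recovery_codes

  def initialize
    @devices = []          # constructed names, e.g. "webauthn:key-1", "totp"
    @recovery_codes = []
  end

  # Registers a device. Returns freshly generated recovery codes when the
  # account had none (first device, or re-registration after a full reset),
  # otherwise nil so the UI does not re-display codes already issued.
  def register_device(name)
    @devices << name
    return nil unless @recovery_codes.empty?

    @recovery_codes = Array.new(10) { SecureRandom.hex(8) }
  end

  # Removes a device. When it was the last one, the account no longer has a
  # second factor, so the recovery codes are invalidated as well.
  # Returns true when the codes were reset by this deletion.
  def delete_device(name)
    @devices.delete(name)
    @recovery_codes = [] if @devices.empty?
    @recovery_codes.empty?
  end

  def valid_recovery_code?(code)
    @recovery_codes.include?(code)
  end
end

# Replays the report's steps on a constructed account: register a WebAuthn
# device, delete it, register a TOTP authenticator. Returns true if the bug
# is present (old codes still usable, or no new codes shown).
def stale_codes_after_reset?
  account = TwoFactorAccount.new
  first_codes = account.register_device('webauthn:key-1')
  account.delete_device('webauthn:key-1')
  second_codes = account.register_device('totp')
  first_codes.any? { |c| account.valid_recovery_code?(c) } || second_codes.nil?
end
```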
Edited by Eduardo Sanz García