RSS Feed/News Adding, editing or removing passkey does not require user re-authentication

ENXF NET

Adding, editing or removing a passkey does not require password confirmation.

This allows kinda easy "account lockouts" by unauthorized actors if they are able to access an active session.

Suggested Fix
Adding, editing or removing a passkey should require re-authentication of the user (password if no 2FA is available, Password + 2FA if no Passkey is available or also Passkey without password if at least one Passkey is available).
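A sketch of the step-up policy the suggested fix describes, added here as an illustration rather than XenForo's own code: a live session is not enough to touch passkeys, a recent confirmation with an acceptable factor set is required, and the acceptable sets depend on what the account has enrolled. The freshness window, the `Account`/`Session` shapes and the factor names are assumptions; actual verification of the factors is out of scope.

```python
import time
from dataclasses import dataclass
from typing import Optional

REAUTH_MAX_AGE = 300  # seconds a confirmation stays fresh (assumed value, not XenForo's)


@dataclass
class Account:
    has_2fa: bool        # a second factor (e.g. TOTP) is enrolled
    passkey_count: int   # number of passkeys currently enrolled


@dataclass
class Session:
    logged_in: bool
    last_reauth_at: Optional[float] = None  # epoch seconds of the last step-up confirmation


def acceptable_factor_sets(account: Account) -> list:
    """Factor combinations that may confirm a passkey change, per the suggested fix."""
    options = []
    if account.passkey_count > 0:
        options.append({"passkey"})          # passkey alone, no password needed
    if account.has_2fa:
        options.append({"password", "2fa"})  # password plus second factor
    else:
        options.append({"password"})         # password only when no 2FA exists
    return options


def confirm_reauth(session: Session, account: Account, presented: set, now: float) -> bool:
    """Record a fresh step-up confirmation if `presented` matches an acceptable set.
    The factors themselves are assumed to have been verified before this call."""
    if presented in acceptable_factor_sets(account):
        session.last_reauth_at = now
        return True
    return False


def change_passkey(session: Session, account: Account, action: str, now: float) -> dict:
    """Guard for add/edit/remove: an active session alone is rejected unless the
    step-up confirmation is recent; otherwise the caller is told what to present."""
    if not session.logged_in:
        return {"status": "denied"}
    fresh = session.last_reauth_at is not None and now - session.last_reauth_at <= REAUTH_MAX_AGE
    if not fresh:
        return {"status": "reauth_required", "options": acceptable_factor_sets(account)}
    # the actual add/edit/remove of the passkey would run here
    return {"status": "ok", "action": action}
```

Without the freshness check, anyone holding a hijacked session could remove every passkey and lock the owner out, which is the lockout the report describes.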
