Page MenuHomePhabricator
Create Task
Maniphest T393259

Unable to remove webauthn key using another key
Closed, InvalidPublic
Actions

Description

Enrolled 2 yubikeys, and then tried to remove them. I had to have the same key plugged in to be able to remove it

This causes problems if you've lost a key, and want to remove it because you no longer trust it

Event Timeline

Reedy created this task.May 3 2025, 11:45 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 3 2025, 11:46 AM
Reedy changed the task status from Open to Stalled.May 3 2025, 11:54 AM

Or maybe not...

TheDJ subscribed.Jul 10 2025, 7:40 PM

@Reedy can this be closed then ?

Tgr subscribed.Aug 1 2025, 12:50 AM

I didn't test this but looked through the code (while looking at {T268384}), and I don't think this is the case - the disable form eventually calls WebAuthn::verify() which doesn't privilege any key.

You need to use the same module to remove a key (e.g. you can't use TOTP to remove a WebAuthn key), which is not ideal, but not that big a deal.

Tgr moved this task from Backlog to Bugs on the MediaWiki-extensions-OATHAuth board.Aug 1 2025, 3:50 PM
Catrope closed this task as Invalid.Aug 16 2025, 7:47 PM
Catrope subscribed.

Boldly closing this as invalid since I also could not reproduce. I added a Yubikey and a passkey, and I could use either to remove either.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits