Hi all,
For an event in my master's studies we used Keycloak as the Identity Provider. The goal was to realize completely passwordless authentication. In the course of this, on the one hand a way to reset a lost token was created, and on the other hand an unusual behavior was noticed, which, in our opinion, we have fixed. As soon as a user cancelled the registration process for his passwordless account while registering the token (or accidentally deleted his last token), a third party was able to "take over" the account via the login page and the possibly known username.
We would like to contribute these changes to the Keycloak project ;)
Thanks and kind regards!