Forcing another session to log out does not support WebAuthn
cendyne opened this issue · comments
Steps to reproduce
Where are you starting? What can you see?
User Settings -> Security -> My Sessions -> Tap on a session -> Tap on "Sign out this session"
Then, by coincidence, it requires me to re-authenticate with my social identity provider, in this case GitHub.
GitHub then requires me to use my security key, because I use 2FA with GitHub.
I tap the use security key button in the web page.
It says "authentication failed", despite using it earlier to sign into this device.
Other notes:
I have experienced this with the Cisco AnyConnect app. We had to change our configuration so the iOS app uses a slightly different web view technology.
Something about how SFSafariWebView
Apple Documentation: ASWebAuthenticationSession
Yubico: No reaction when using WebAuthn on macOS, iOS and iPadOS
Apple: Meet Face ID and Touch ID for the Web
Element has no control on what or how the scripts run on a social login provider. This issue likely will only be resolved by switching the web view technology that comes up when tapping "Sign out this session".
Outcome
What did you expect?
I expect to be able to use my security key to authenticate with GitHub and then return to Element's UI to remove the session.
What happened instead?
I was blocked
Your phone model
iPhone 13 Pro Max
Operating system version
17.0.3
Application version
No response
Homeserver
No response
Will you send logs?
Yes
Rage shaking was not recognized during this flow. I am unable to submit logs with that method. Here's a screenshot at least.
Again, the issue is: The way Element iOS is creating this webview prevents successful use of WebAuthn security keys. This is not a case where my security key failed. I was never prompted to bring my security key to the device.