Prevent security flaw using passwordless authentication

If you register without a password or delete your last token, your account can be hijacked. This can be done by simply trying to log in at that moment while the account is without a token. You get the "normal" registration dialog and can capture the complete account.
Florian Ritterhoff 2021-06-12 18:30:27 +02:00 committed by Bruno Oliveira da Silva
parent b4536a394a
commit 65480cb5a1


@ -53,4 +53,10 @@ public class WebAuthnPasswordlessAuthenticatorFactory extends WebAuthnAuthentica
public String getId() { public String getId() {
return PROVIDER_ID; return PROVIDER_ID;
} }
@Override
public boolean isUserSetupAllowed() {
return false;
}
} }
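Review bot: The new isUserSetupAllowed() override has no comment saying why it returns false; add a short Javadoc tying it to the scenario in the commit message (a user whose account has no passwordless token must not be shown the registration dialog at login), so a later reader does not "correct" it back to the parent's default. Since the hunk header shows this factory inheriting from the parent WebAuthn factory, it is also worth checking whether the parent's default value is still the right one for that flow, and adding a regression test that attempts login for a user with no token and asserts that no credential-setup step is offered.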