bugfix/17445 2fa, passkeys and `maxInvalidLogins`

Open i-just opened this issue 8 months ago • 0 comments

Description

Passkey and 2fa login attempts should be factored into the maxInvalidLogins.

When a user tries to login with a passkey that's deemed invalid, or provided a valid password but invalid verification code (e.g. totp or recovery code) update the account locking parameters and lock the account if maxInvalidLogins is reached, just like we do when logging in with a password.

Related issues

#17445

Jun 16 '25 15:06 i-just