Note: this is a desirable behaviour from a security point of view, but we can enhance the UX if this happens to a user.
If a user has registered a U2F token it won’t work if the hostname of the site has changed since it was registered.
However, there’s no feedback to the user that this might be because the hostname changed since we don’t store that information in Discourse. And if the user isn’t savvy as to why this might be the case, they’ll get confused.
An enhancement for this case might be on this screen:
- disabling “Authenticate with Security Key”
- saying something like “we have a security key on file for this account, but it’s not for the hostname to which you’re making the request (www.example.com)”
- if we do the above, we have to ensure that we don’t remap the old hostname to the new hostname in the UserSecurityKey table
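One way the check behind the proposed screen could look, as an added example that is not Discourse's own code: it assumes a hypothetical `rp_id` field storing the hostname each key was registered under (which Discourse does not store today) and applies the WebAuthn rule that a credential is usable when the request host equals its RP ID or is a subdomain of it.

```ruby
# Added example, not Discourse code. Assumes each stored security key carries
# a hypothetical :rp_id (the hostname it was registered under).

# WebAuthn lets a credential be used when the RP ID equals the request host
# or is a parent domain of it (rp_id "example.com" works for
# "www.example.com"). Any other host is a different relying party.
def rp_id_usable_for?(rp_id, request_host)
  rp   = rp_id.to_s.downcase.chomp(".")
  host = request_host.to_s.downcase.chomp(".")
  return false if rp.empty? || host.empty?
  host == rp || host.end_with?(".#{rp}")
end

# Decide whether "Authenticate with Security Key" should be offered on the
# login screen and, if not, what message to show. `keys` is the user's stored
# security keys; `request_host` is the hostname of the current request.
def security_key_status(keys, request_host)
  return { enabled: false, message: nil } if keys.empty?

  usable, stale = keys.partition { |k| rp_id_usable_for?(k[:rp_id], request_host) }
  return { enabled: true, message: nil } if usable.any?

  # Report only; never rewrite the stored rp_id to the new host. The key
  # itself is bound to the original RP ID and would still fail.
  hosts = stale.map { |k| k[:rp_id] }.uniq.join(", ")
  {
    enabled: false,
    message: "We have a security key on file for this account, but it is " \
             "for #{hosts}, not for the hostname you are requesting " \
             "(#{request_host})."
  }
end

# Constructed sample data for a stand-alone run.
SAMPLE_KEYS = [
  { name: "YubiKey", rp_id: "forum.old-example.org" },
].freeze

if __FILE__ == $0
  p security_key_status(SAMPLE_KEYS, "forum.old-example.org")
  p security_key_status(SAMPLE_KEYS, "www.example.com")
end
```

The suffix rule does not consult the public suffix list, so a stored `rp_id` of a bare TLD would match too broadly; registration should already reject such values.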