Harden Components/Account/Pages/Manage/Passkeys.razor

[cincuranet]

We should disable adding new passkey until the user has fully reauthenticated. Fair to say the security stamp validation by itself will prevent very stale cookies from working, but new cookies will not be invalidated, because the Identity system does not want to hit the DB every request.

[github-actions]

Triage Summary

Area: area-identity — The issue is about hardening the Identity UI passkeys management page (Components/Account/Pages/Manage/Passkeys.razor), specifically around requiring reauthentication before adding new passkeys, which falls squarely in ASP.NET Core Identity.

Type: Feature — This is a security hardening request (not a bug): the author proposes disabling passkey registration until the user has fully reauthenticated, which is an enhancement to the existing Identity UI behavior.

Potential Duplicates

• None found

Notes

The issue is filed by a contributor and describes an intentional design improvement — requiring a fresh reauthentication gate before adding new passkeys (similar to how password change flows require reauthentication). This is a reasonable security hardening feature request for the Identity UI passkeys management page.

Generated by Issue Triage Agent for dotnet/aspnetcore for issue #66865 · sonnet46 594.8K · ◷