When MFA_PASSKEY_LOGIN_ENABLED is True, users can authenticate with passkeys regardless of the individual credential's passwordless field setting. The passwordless checkbox on the WebAuthn credential creation form appears to have no effect on authentication behavior.
Expected Behavior
When a WebAuthn credential is created with passwordless=False (checkbox unchecked), that specific credential should not be usable for passwordless authentication
Only credentials with passwordless=True should be allowed for passwordless login
The global MFA_PASSKEY_LOGIN_ENABLED setting should enable the feature, but individual credentials should be filtered based on their passwordless field
Actual Behavior
Users can authenticate with any WebAuthn credential using the "Sign in with a passkey" button, regardless of the credential's passwordless setting
The passwordless checkbox setting is stored but not enforced during authentication
Steps to Reproduce
Set MFA_PASSKEY_LOGIN_ENABLED = True in settings
Create a WebAuthn credential with the passwordless checkbox unchecked (passwordless=False)
Navigate to login page
Click "Sign in with a passkey" button
Use the credential that was created with passwordless=False
Result: Authentication succeeds when it should fail
Environment
django-allauth[mfa] version: 65.11.2
Django version: 4.2.16
Python version: 3.10
Additional Context
The authentication flow should check both:
Global setting: MFA_PASSKEY_LOGIN_ENABLED = True
Individual credential setting: credential.passwordless = True
Currently, only the global setting appears to be enforced, making the per-credential passwordless field ineffective.