Draft: Render email verification view as fallback for webauthn authentication
What does this MR do and why?
Render email verification view as fallback for webauthn authentication. This is part one of https://gitlab.com/gitlab-org/gitlab/-/issues/570174+
References
Re: https://gitlab.com/gitlab-org/gitlab/-/issues/570174+
Screenshots or screen recordings
use case | Before | After | notes |
---|---|---|---|
WebAuthn verification succeeds | unchanged | Screen_Recording_2025-10-20_at_10.34.42_AM | login succeeds as before |
WebAuthn verification failed twice AND user chooses to verify with 2fa | unchanged | Screen_Recording_2025-10-20_at_10.37.32_AM | login succeeds with 2fa |
WebAuthn verification failed BUT user.email_otp_permitted_after is tomorrow | unchanged | Screen_Recording_2025-10-20_at_10.40.55_AM | user is not presented with the email otp fallback method because email_otp_permitted_after is in the future |
WebAuthn verification failed AND user.email_otp_permitted_after is yesterday | | Screen_Recording_2025-10-20_at_10.31.25_AM | user can fall back to email otp |
user clicks on Enter recovery code | link not available before | Screen_Recording_2025-10-20_at_10.36.01_AM | It links to https://docs.gitlab.com/user/profile/account/two_factor_authentication/#recovery-codes |
How to set up and validate locally
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Jennifer Li