PM-29652: Increase the limit of passkeys to 25

[abergs]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-29652

📔 Objective

This PR bumps our passkey limit from 5 -> 25 for users. There was no specific reason 5 was picked, and with the upcoming Login in passkey features a higher number is more reasonable to avoid users running into the limit.

Related to UI change: bitwarden/clients#17931

📸 Screenshots

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[claude]

Claude finished @abergs's task —— View job

---

Code Review Complete ✅

Todo List

• Read the changed file to understand the context
• View the PR diff to see exact changes
• Run bitwarden-code-reviewer agent to analyze changes
• Post inline comments if needed
• Provide review summary

---

Review Summary

This is a clean, well-contained change that increases the passkey limit from 5 to 25. The change is safe to merge.

✅ Approved - No Blocking Issues

Strengths:

• Simple, focused one-line change
• Existing tests automatically validate the new limit (they reference the constant)
• No security concerns identified
• Negligible performance impact (indexed queries)
• Proper use of constants throughout codebase

Business Justification:

• Original limit of 5 was arbitrary
• 25 aligns better with upcoming "Login with passkey" features
• Prevents users from hitting artificial limits
• Industry standard typically allows 10-50 passkeys per user

---

Security Assessment ✅

No security risks identified:

• ✅ Authentication required on endpoint
• ✅ User verification with password/secret required
• ✅ Time-limited tokens prevent replay attacks
• ✅ Per-user limit (not global) prevents abuse
• ✅ All credentials properly encrypted
• ✅ Database queries filter by authenticated userId

---

Performance Assessment ✅

Minimal performance impact:

• ✅ Database has index on UserId column (IX_WebAuthnCredential_UserId)
• ✅ Query fetches max 25 small records (~12.5 KB total)
• ✅ No N+1 query issues
• ✅ Only fetched during credential creation/listing

---

Testing Assessment ✅

Existing tests are sufficient:

• Test file: test/Core.Test/Auth/UserFeatures/WebAuthnLogin/CreateWebAuthnLoginCredentialCommandTests.cs
• Tests already use the MaxCredentialsPerUser constant
• Automatically test new limit of 25
• Edge cases already covered (at limit, below limit)

---

📝 Minor Suggestions for Follow-up

These are not blockers - consider for future improvements:

1. More Descriptive Error Messages (src/Api/Auth/Controllers/WebAuthnController.cs:122)

   • Currently returns generic "Unable to complete WebAuthn registration"
   • Could specify when user has hit the 25 passkey limit
   • Would require distinguishing limit errors from other failures

2. Add Logging for Analytics

   • No logger currently injected in CreateWebAuthnLoginCredentialCommand
   • Consider logging when users hit the limit (for product analytics)
   • Ensure no sensitive data (keys, credentials) is logged

3. Technical Debt (CreateWebAuthnLoginCredentialCommand.cs:2)

   • File has #nullable disable with FIXME comment
   • This is existing technical debt, not introduced by this PR

4. Separate System Note

   • Found WebAuthnTokenProvider.cs with hardcoded limit of 5 for two-factor authentication
   • This is a different system (2FA vs passwordless login) and not related to this PR
   • Consider reviewing 2FA limits separately if needed

---

Overall Verdict

✅ LGTM - Approved

This PR is ready to merge. The change is simple, safe, well-tested, and properly implements the business requirement. No code changes required.

---

[github-actions]

Checkmarx One – Scan Summary & Details – 2f31caa2-d88a-4461-a27d-af58d9bdc56d

Great job! No new security vulnerabilities introduced in this pull request

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.83%. Comparing base (e3d5406) to head (75c4b55).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #6725   +/-   ##
=======================================
  Coverage   53.83%   53.83%           
=======================================
  Files        1917     1917           
  Lines       85101    85101           
  Branches     7613     7613           
=======================================
+ Hits        45813    45814    +1     
+ Misses      37527    37526    -1     
  Partials     1761     1761           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.