Steps to reproduce the issue

• Install Joomla 4.1.0

• Create a secondary user, let's call it joomlalala

• Log into the site with joomlalala

• Edit your user profile and set up WebAuthn

• Log out of the site

• Log into the backend of the site with your primary Super User account

• Update to Joomla 4.1.1

• Go to the frontend of the site

• Log into the site with joomlalala using Webauthn

• Log out of the site

• Try to log back into the site with user joomlalala using a password

Expected result

You are logged into the site

Actual result

You are NOT logged into the site

System information (as much as possible)

Completely irrelevant.

Additional comments

You are blindly setting the user's authProvider field to whatever the login method's type is, without checking if it corresponds to an existing plugin in the authentication group or it's a placeholder, like what's CORRECTLY used by WebAuthn to differentiate passwordless from password logins.

You are then using that to lock the user to that non-existent authentication plugin which means that the user can no longer log in. They can only log in with WebAuthn. If the site operator edits the database and disables the WebAuthn plugin (or simply deletes the plugins/system/webauthn folder in a desperate attempt to figure out what the hell is going on) they are LOCKED. OUT. OF. THEIR. SITE.

The same thing happens if the user is first logged into the site after the upgrade with the Remember Me (cookie authentication) plugin. In this case it's even worse because you are now completely locked out of the site. If you are the sole Super User, congratulations, you are completely dead in the water.

I will open a separate issue for Joomla 3.