ceford
18 Aug 2022

Steps to reproduce the issue

Front end Login.
Set up WebAuthn for a Fido2 Hardware Dongle from the list of methods.
Log out.
Log in using the Web Authentication button.
It prompts to press the button on the key, then ...

Expected result

Login

Actual result

A red System Error message says:
InvalidStateError: An attempt was made to use an object that is not, or is no longer, usable

And there is no login. But if I click the Login button I get the Multi-factor Authentication screen with the prompt to Validate with your Authenticator - which works! I am logged in.

System information (as much as possible)

Firefox / Mac OSx / PHP 8.0.xxx / Apache / Mysql

Additional comments

Why does the My Profile screen have a block entitled:
W3C Web Authentication (WebAuthn) Login
before the Multi-factor Authentication block - this is very confusing.

I was thinking of writing some documentation for this stuff, perhaps a Tutorial; and the Help screens need updating.

HLeithner - comment - 19 Aug 2022

Can you activate the debug log and show whether you get more information?

Maybe @nikosdion has an idea where it fails?

nikosdion - comment - 19 Aug 2022

This is a JavaScript error. @ceford Is this something you can reproduce on a fresh installation and a browser without any browser extensions enabled? Or does it only happen on one site?

For what it's worth, I have already upgraded my business site to 4.2 and migrated several thousand MFA records from LoginGuard to Joomla MFA. While only a few hundred are WebAuthn, I am using it myself and I've already logged into that site's front- and backend more than 50 times since Tuesday evening. I didn't have any such problem. That makes me think that something third party is trying to do something with JavaScript but it's missing some error checking somewhere. The captive page only disables modules, not plugins. It's still possible for a plugin to inject JavaScript code on that page.

nikosdion - comment - 19 Aug 2022

You know, speaking of which, have you tried clearing your browser's cache? Let's try that first and avoid potentially chasing windmills.

ceford - comment - 19 Aug 2022

My test was on a new install of J4.2.0. I have just done a new install of J.4.2.1RC1 with a new database. Then:

Add new User in Registered group.
Add menu item for Edit User Profile.
Login to Site as that user.
Select My Profile menu item.
Go down to Web Authentication below Multi-factor Authentication.
Add my dongle authenticator - first screenshot is after that stage.
Logout.
Login - select the Web Authentication button. That is when the error occurs - second screenshot.
I cleared all localhost cookies before this but not the cache. Should be almost nothing cached at this stage.

Cleared the browser cache - no change.

nikosdion - comment - 19 Aug 2022

I just tried that but I cannot reproduce it.

Which browser and Operating System are you using?

Have you tried with a different browser which has no browser extensions?

Are you visiting your site over HTTPS?

ceford - comment - 19 Aug 2022

I am using Mac OSx Catalina 10.15.7. I have tried with Firefox, Google Chrome and Safari and they all give the same result, albeit with different system prompts to press the button on the dongle. They all fail to login with the Web Authentication button in the Login module. But if I click the Login button I go to a page where I am prompted to use my dongle. I do and it works.

Ah... I just filled out the first part of the front end form - the part entitled **W3C Web Authentication (WebAuthn) Login** and now login works directly. So I was confused by having two separate places to register my dongle. I did not even realise the back end Profile page has separate tabs for Web Authentication and Multi-factor Authentication.

There is nothing about this in the Help screens - something I was proposing to fix - and I don't really understand why there are two places one can add a hardware device. I guess we can close this. Unless - can we clarify this in the front end Profile form wording?

nikosdion - comment - 20 Aug 2022

> I am using Mac OSx Catalina 10.15.7

I am a Mac user as well. macOS Catalina was the very first version of macOS to offer official WebAuthn support, i.e. WebAuthn would work without having to turn on a hidden development switch in Safari. However, it was still very rough around the edges. That said, Chrome and Safari — especially any version released 2020 and later — do work just fine with WebAuthn.

You are right that every browser uses its own prompt for WebAuthn. The design of user prompts is not part of the WebAuthn specification.

I'm using macOS Monterey and tested with fully updated Safari (15.6.1), Chrome and Edge. I could not reproduce your issue using the blog sample content and a blank installation, using the login module and the com_users' login page to log in. Unfortunately I don't have any machines which can run Catalina so I'm not sure if it's something specific to your OS version (I have a MacBook Pro M2 and a Mac mini M1, the latter I'll probably sell).

The “W3C Web Authentication (WebAuthn) Login” has nothing to do with MFA. Joomla supports two different uses of WebAuthn:

  1. Instead of a password. This is what you set up in “W3C Web Authentication (WebAuthn) Login”.
  2. In conjunction with a password. This is what you set up in MFA.

The WebAuthn authenticators you set up in each feature are separate from each other.

I know that the Help is horrendous. I had written documentation for WebAuthn login which went nowhere. See #28094 in the PR description under “Documentation Changes Required”. If someone would please transfer this information to the Joomla help screens and documentation I would be grateful. It's only two and a half years after I wrote it but better late than never.

For the MFA feature we need to convert the documentation of LoginGuard into Joomla core documentation. The options are mostly the same and the way it works very similar, with the major differences a. you do not have the system and user plugins (they are built into the core) and b. the plugin group is multifactorauth instead of loginguard. Unfortunately I am up to my eyeballs with other core contributions to do that too :/

ceford - close - 20 Aug 2022
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2022-08-20 13:28:22
Closed_By: ceford

ceford - comment - 20 Aug 2022

The article on WebAuthn was revised back in March/May: https://docs.joomla.org/WebAuthn_Passwordless_Login

This morning I added some content to the Help screen which has now fed through. Still thinking about an MFA tutorial. It was my misunderstanding of the feature introduced in 4.2 that led to this issue! Thank you for your patience!

nikosdion - comment - 20 Aug 2022

Whenever you want any help understanding or documenting a feature I've contributed you can open an issue and at-mention me. I'm here to help.

ceford - comment - 20 Aug 2022

@nikosdion I have written an article using the information from Loginguard that you suggested. You might like to take a look when you have a moment: https://docs.joomla.org/J4.x:Multi-factor_Authentication

nikosdion - comment - 21 Aug 2022

@ceford Please replace Two Step Verification with Multi-factor Authentication (note the capitalisation) or, where appropriate, the acronym MFA. We decided to use that terminology as it seems to be fairly standard in the industry. Other than that I think it's good :)

ceford - comment - 21 Aug 2022

@nikosdion Thank you - cleaned up using your suggestions and some small issues I noticed myself.
