WebAuthn devices beyond previous max do not work as 2FA

[jolness1]

Steps To Reproduce

1. Register 6 or more WebAuthn devices at vault.bitwarden.com
2. Log out
3. Attempt to login
4. When prompted, attempt to use 6th or later device registered as 2FA security key

Expected Result

Website accepts the key and user successfully logs in.

Actual Result

Get an error "Try a different security key. You're using a security key that's not registered with this website".

Screenshots or Videos

No response

Additional Context

All previously registered security keys (up to the previous limit of 5) work as expected still.
Behavior is identical across Brave and firefox on macOS, Debian 13 and Windows 11.
Keys register and save successfully but all keys past the former 5 key limit do not work as a second factor
Not sure about passkey login, my hunch is the behavior is the same.
Happy to test that hypothesis and work this issue if needed. Would love a chance to work on some FIDO2/WebAuthn stuff/contribute to one of my favorite OSS projects.

Build Version

latest

Environment

Cloud (bitwarden.com)

Environment Details

N/A

EDIT: Clarity/Accuracy

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[bitwarden-bot]

Thank you for reporting this issue! We've added this to our internal tracking system.
ID: PM-31212
Link (for internal use): https://bitwarden.atlassian.net/browse/PM-31212

[pamperer562580892423]

Is your BW cloud account a free account?

[SergeantConfused]

Hello @jolness1,

Thank you for your report. I have flagged this report to the Engineering department; please feel free to post additional information, such as screenshots or a screen video recordings, if you wish.

By the way, does that individual Bitwarden account have an individual Premium subscription?

Thank you again,

[jolness1]

@SergeantConfused I have it fixed. Looks like someone enabled checking premium accounts for adding more WebAuthn keys but not for login. Super minor change but wanted to run tests/do manual QA.

PR is here: #6894

Thanks for responding late on a Friday night by the way!

——— Videos demonstrating behavior ———

Possible to add more than 5 keys on premium account(pre and post-fix):

premium-account-add-key.mov

6th+ key does not work as 2nd factor:

bug-behavior-of-keys-over-5.mov

Key under the old 5 key limit:

key-under-5-behavior.mov

Behavior after fix:

fixed-behavior-of-keys-over-5.mov

Free account still limited to 5 key maximum:

free-acct-test.mov