[immibis]

"Your WebAuthn key enrollment period has expired. Please log in to re-enroll a new key."

Something similar to this was in the recent npmjs thing.

[tialaramex]

I can't find any trace of such a thing, do you have links?

What would it even mean to "log in" if they reject my authenticator ? Logging in is what it's for.

[immibis]

You have to log in with your password, of course. And then re-enroll your authenticator.

[tialaramex]

So, firstly, this won't actually help them which is why they won't try it. GitHub is aware that passwords are crap and since I have a Security Key it will ask to see my Security Key, "But I know tialaramex's password" doesn't help you.

But also you presented no evidence they can somehow detect their problem and try to ask for the password even if it would help them.