From 5c2d502edfd41cb167beb8fa10eba2e0726f3c69 Mon Sep 17 00:00:00 2001
From: enmande <3836813+enmande@users.noreply.github.com>
Date: Fri, 30 Jan 2026 15:54:29 -0500
Subject: [PATCH] refactor(2fa-webauthn) [PM-29890]: Add comment around last-credential deletion.

---
 .../DeleteTwoFactorWebAuthnCredentialCommand.cs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/Core/Auth/UserFeatures/TwoFactorAuth/Implementations/DeleteTwoFactorWebAuthnCredentialCommand.cs b/src/Core/Auth/UserFeatures/TwoFactorAuth/Implementations/DeleteTwoFactorWebAuthnCredentialCommand.cs
index caefef3d9e..426ebc0a31 100644
--- a/src/Core/Auth/UserFeatures/TwoFactorAuth/Implementations/DeleteTwoFactorWebAuthnCredentialCommand.cs
+++ b/src/Core/Auth/UserFeatures/TwoFactorAuth/Implementations/DeleteTwoFactorWebAuthnCredentialCommand.cs
@@ -27,6 +27,9 @@ public class DeleteTwoFactorWebAuthnCredentialCommand : IDeleteTwoFactorWebAuthn
 return false;
 }
 
+ // Do not delete the last registered key credential.
+ // This prevents accidental account lockout (factor enabled, no credentials registered).
+ // To remove the last (or single) registered credential, disable the WebAuthn 2fa provider.
 if (provider.MetaData.Count(k => k.Key.StartsWith("Key")) < 2)
 {
 return false;
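Review bot: The guard that the new comments document, `provider.MetaData.Count(k => k.Key.StartsWith("Key")) < 2`, uses the culture-sensitive `StartsWith(string)` overload, so the count that prevents lockout depends on the server's current culture. Changing it to `k.Key.StartsWith("Key", StringComparison.Ordinal)` makes the prefix match exact. The comment could also note that this branch returns `false` just like the earlier `return false;` above it, so a caller cannot tell a refused last-credential deletion from the earlier failure. The method starts and ends outside the hunk, so how the return value is consumed is not visible here.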