Cannot login after remove security keys and all other 2FA settings #2180

Closed · 6 tasks done
sawadashota opened this issue Jan 31, 2022 · 1 comment
Labels
bug Something is not working.

Comments

sawadashota (Contributor) commented Jan 31, 2022

Preflight checklist

Describe the bug

Users cannot log in when they have configured security keys for 2FA once and then removed all 2FA settings.
On the next login they are shown an empty 2FA form like the following.

[image: screenshot of the empty 2FA form]

Reproducing the bug

  1. Change the host from 127.0.0.1 to localhost in the docker-compose files to enable WebAuthn
  2. Run docker-compose -f quickstart.yml -f quickstart-postgres.yml -f quickstart-oathkeeper.yml up
  3. Open http://localhost:4455/welcome and register an account
  4. Configure security keys for 2FA on the settings page
  5. Remove all 2FA settings on the settings page
  6. Log out
  7. Log in with ID/password
  8. Expected to finish the login flow, but 2FA is required with an empty form. The user cannot do anything.

Relevant log output

No response

Relevant configuration

version: v0.7.1-alpha.1

dsn: memory

serve:
  public:
    base_url: http://localhost:4433/
    cors:
      enabled: true
  admin:
    base_url: http://kratos:4434/

selfservice:
  default_browser_return_url: http://localhost:4455/
  whitelisted_return_urls:
    - http://localhost:4455

  methods:
    password:
      enabled: true
    lookup_secret:
      enabled: true
    totp:
      enabled: true
    webauthn:
      config:
        rp:
          id: localhost
          origin: http://localhost:4455
          display_name: Ory
      enabled: true

  flows:
    error:
      ui_url: http://localhost:4455/error

    settings:
      ui_url: http://localhost:4455/settings
      privileged_session_max_age: 15m

    recovery:
      enabled: true
      ui_url: http://localhost:4455/recovery

    verification:
      enabled: true
      ui_url: http://localhost:4455/verification
      after:
        default_browser_return_url: http://localhost:4455/

    logout:
      after:
        default_browser_return_url: http://localhost:4455/login

    login:
      ui_url: http://localhost:4455/login
      lifespan: 10m

    registration:
      lifespan: 10m
      ui_url: http://localhost:4455/registration
      after:
        password:
          hooks:
            -
              hook: session

log:
  level: debug
  format: text
  leak_sensitive_values: true

secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

ciphers:
  algorithm: xchacha20-poly1305

hashers:
  algorithm: bcrypt
  bcrypt:
    cost: 8

identity:
  default_schema_url: file:///etc/config/kratos/identity.schema.json

courier:
  smtp:
    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true

Version

v0.8.2-alpha.1

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker Compose

Additional Context

The database still holds a webauthn credential row, but with an empty credentials list:

                 id                  |       config        |     identity_credential_type_id      |             identity_id              |        created_at         |         updated_at         |                 nid
--------------------------------------+---------------------+--------------------------------------+--------------------------------------+---------------------------+----------------------------+--------------------------------------
 270150c2-ba38-469e-aed4-a303b391567b | {"credentials": []} | 6b213fa0-e6ad-46cb-8878-b088d2ce2e3c | 8b1836d2-4da3-4b09-8d50-2d3f642679cd | 2022-01-31 04:38:30.77556 | 2022-01-31 04:38:50.371614 | 2ba76065-ada8-40e9-aa87-b15bb5fd1736
sawadashota added the "bug" label on Jan 31, 2022
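The check a fix for this report needs, as an added example that is not Kratos' own code: derive the authenticator assurance level a login must reach from the identity's stored credential rows, and count a webauthn row whose credentials list is empty, exactly the state in the database dump above, as no second factor at all. The `Credential` type, the function names and the JSON field names assumed for totp and lookup_secret rows are assumptions; only the webauthn shape comes from the issue.

```go
package main

import "encoding/json"

// Credential is a simplified identity_credentials row (hypothetical type).
type Credential struct {
	Type   string // "password", "webauthn", "totp", "lookup_secret", ...
	Config string // the JSON "config" column
}

// hasUsableSecondFactor reports whether one credential row can actually
// answer a second-factor challenge. The JSON field names are assumptions;
// the webauthn shape is the one in the issue's database dump.
func hasUsableSecondFactor(c Credential) (bool, error) {
	if c.Config == "" {
		return false, nil // no config at all: nothing to challenge with
	}
	var cfg struct {
		Credentials []json.RawMessage `json:"credentials"`    // webauthn
		TOTPURL     string            `json:"totp_url"`       // totp
		Codes       []json.RawMessage `json:"recovery_codes"` // lookup_secret
	}
	if err := json.Unmarshal([]byte(c.Config), &cfg); err != nil {
		return false, err // malformed row: surface it rather than guess
	}
	switch c.Type {
	case "webauthn":
		return len(cfg.Credentials) > 0, nil // {"credentials": []} => false
	case "totp":
		return cfg.TOTPURL != "", nil
	case "lookup_secret":
		return len(cfg.Codes) > 0, nil
	default:
		return false, nil // password and other first factors never raise the AAL
	}
}

// RequiredAAL returns "aal2" only when at least one usable second factor
// exists, otherwise "aal1": an emptied webauthn row no longer blocks login.
func RequiredAAL(creds []Credential) (string, error) {
	for _, c := range creds {
		if ok, err := hasUsableSecondFactor(c); err != nil {
			return "", err
		} else if ok {
			return "aal2", nil
		}
	}
	return "aal1", nil
}
```

Running `RequiredAAL` over the two rows of the affected identity (password plus the emptied webauthn row) yields "aal1", so the login flow completes with the password alone instead of demanding a second factor the user can no longer provide.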
aeneasr (Member) commented Jan 31, 2022

Oh, that looks like a serious bug, thank you for finding it! Contributions towards fixing it are highly appreciated!

aeneasr pushed a commit that referenced this issue Jan 31, 2022
peturgeorgievv pushed a commit to senteca/kratos-fork that referenced this issue Jun 30, 2023