From Section 4:
> Note: We do not recommend allowing users to register user-verifying platform authenticators as second factors for account bootstrapping. If you want to give your users the convenience of biometric sign-in, follow the steps above to register a user-verifying platform authenticator as a password replacement for reauthentication, not as a second factor for account bootstrapping.
It will be helpful to clarify why. Is it because a user-verifying platform authenticator would not be useful for bootstrapping an account on a different device? It'll be helpful to say so explicitly because the current language gives the impression that there may be some security difference between a UVPA and a UVRA.
Then later in Section 6, there is stronger language:
> If a user's only registered authenticator is a platform authenticator that is used only for FIDO-based reauthentication, then the user presumably has some other means to perform bootstrap sign-ins. Thus, the user does not necessarily need to register a second authenticator, because the user will not be "locked out" of their account if they lose access to their platform authenticator. By definition, this "re-authentication-only" authenticator is used to simply bypass a different, more onerous login challenge (such as a password) during reauthentication - it must not be used for account bootstrap. Thus, the user will have other means to perform account bootstrap, and if needed, register a new platform authenticator for FIDO-based reauthentication.
Again "must not" seems to suggest some security deficiency. If it's because UVPA is not portable, I think "it should not have been used for account bootstrap" would be more consistent with the recommendation from Section 4.
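Added illustration, not part of the issue above or of the document it discusses: a small relying-party policy model showing what the quoted Section 6 rule means operationally. A platform authenticator is accepted only as a reauthentication-only password replacement, it never counts toward account bootstrap (the first sign-in on a device), and losing it does not lock the user out because the password bootstrap path is untouched. The class and field names (`RelyingParty`, `Credential`, `Purpose`, `Kind`) and the in-memory stores are assumptions of this example, not an API from any specification or library.

```python
# Constructed example of relying-party policy for reauthentication-only
# platform authenticators. Names and stores are assumptions of this example.
import secrets
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    PLATFORM = "platform"   # bound to one device (e.g. Touch ID, Windows Hello)
    ROAMING = "roaming"     # portable, e.g. a security key


class Purpose(Enum):
    BOOTSTRAP = "bootstrap"       # usable for the first sign-in on a new device
    REAUTH_ONLY = "reauth_only"   # only bypasses the password on a signed-in device


@dataclass
class Credential:
    cred_id: str
    kind: Kind
    purpose: Purpose
    user_verifying: bool


@dataclass
class Account:
    username: str
    password: str          # constructed placeholder; a real RP stores a hash
    credentials: dict = field(default_factory=dict)


class PolicyError(Exception):
    pass


class RelyingParty:
    def __init__(self):
        self.accounts = {}
        self.sessions = {}   # session_id -> username, one per signed-in device

    def create_account(self, username, password):
        self.accounts[username] = Account(username, password)

    def register(self, username, cred):
        """Platform authenticators are accepted only as reauth-only password replacements."""
        if cred.kind is Kind.PLATFORM and cred.purpose is not Purpose.REAUTH_ONLY:
            raise PolicyError("platform authenticator must be reauth-only, not a bootstrap factor")
        if cred.purpose is Purpose.REAUTH_ONLY and not cred.user_verifying:
            raise PolicyError("a reauth-only credential replaces the password; it must verify the user")
        self.accounts[username].credentials[cred.cred_id] = cred

    def bootstrap_factors(self, username):
        """Credentials that count toward account bootstrap; reauth-only ones never do."""
        return [c for c in self.accounts[username].credentials.values()
                if c.purpose is Purpose.BOOTSTRAP]

    def bootstrap_sign_in(self, username, password, cred_id=None):
        """First sign-in on a device: password, plus a bootstrap credential if one is registered."""
        acct = self.accounts[username]
        if not secrets.compare_digest(password, acct.password):
            raise PolicyError("bad password")
        if self.bootstrap_factors(username):
            cred = acct.credentials.get(cred_id)
            if cred is None or cred.purpose is not Purpose.BOOTSTRAP:
                raise PolicyError("a registered bootstrap factor is required; reauth-only credentials are rejected")
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = username
        return session_id

    def reauthenticate(self, session_id, cred_id):
        """On an already bootstrapped device any registered credential, reauth-only included, replaces the password."""
        username = self.sessions.get(session_id)
        if username is None:
            raise PolicyError("no existing session: this would be a bootstrap, not a reauthentication")
        if cred_id not in self.accounts[username].credentials:
            raise PolicyError("credential is not registered to this account")
        return True

    def locked_out_after_losing(self, username, cred_id):
        """Losing a reauth-only credential never locks the user out; losing the only bootstrap factor does."""
        acct = self.accounts[username]
        lost = acct.credentials[cred_id]
        remaining = [c for cid, c in acct.credentials.items()
                     if cid != cred_id and c.purpose is Purpose.BOOTSTRAP]
        return lost.purpose is Purpose.BOOTSTRAP and not remaining


def rejects(fn, *args):
    """Helper: True if the policy call raises PolicyError."""
    try:
        fn(*args)
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    rp = RelyingParty()
    rp.create_account("alice", "correct horse")
    rp.register("alice", Credential("uvpa-1", Kind.PLATFORM, Purpose.REAUTH_ONLY, True))
    sid = rp.bootstrap_sign_in("alice", "correct horse")   # password alone bootstraps
    print("reauth with platform authenticator:", rp.reauthenticate(sid, "uvpa-1"))
    print("locked out if uvpa-1 is lost:", rp.locked_out_after_losing("alice", "uvpa-1"))
```

The walkthrough in `__main__` registers only a reauth-only platform authenticator: bootstrap still succeeds with the password, reauthentication succeeds with the platform authenticator, and losing it does not lock the user out. Registering the same platform authenticator with `Purpose.BOOTSTRAP`, or presenting it as a bootstrap factor once a roaming key is registered, is rejected by policy rather than by any property of the authenticator itself.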