Reason why UVPA not recommended as second factors for account bootstrapping ? #5
Comments
|
I think the main reason for
is to prevent potential account recovery problem. Users may have no other way but to login using the UVPA if users use user-verifying platform authenticators as second factor ; this model creates potential for account recovery problem if the user loses the UVPA. We should explain this reason clearly in the text. Additionally, some readers will think; So the current recommendation sounds confusing. ======= I know it is difficult in many consumer use cases to expect every consumers owning roaming authenticators and you end up with this recommendation. But the reasoning to come up with this recommendation should be communicated to the readers. |
|
Created a PR, #24 |
Note: We do not recommend allowing users to register user-verifying platform authenticators as second factors for account bootstrapping. If you want to give your users the convenience of biometric sign-in, follow the steps above to register a user-verifying platform authenticator as a password replacement for reauthentication, not as a second factor for account bootstrapping.Why "We do not recommend allowing users to register user-verifying platform authenticators as second factors for account bootstrapping"? We should explain the reason why we make this recommendation, so that implementers can understand the recommendation.
The text was updated successfully, but these errors were encountered: