Open StevenDufresne opened 12 months ago
What if the default wasn't a specific provider, but rather, the last-used provider?
Sometimes I need to use TOTP because I'm on a device that doesn't have my security key. When I return to my preferred device, I wouldn't want to be back to using TOTP.
> Sometimes I need to use TOTP because I'm on a device that doesn't have my security key.
That's fair; I wonder if we could remember the last provider used per client then, long-lived session-agnostic cookie?
Additional factor I'd like to add to this conversation; at present, only 30% of users have both TOTP and Security Keys enabled.
If that's the case, it's probably fine to assume security keys as the primary and do nothing here?
With the 30% number, yeah, I think it can be skipped for now, or at least left on a Low-priority maybe list.
If it was higher, over 50% (as a random number..) then I think it'd make sense that maybe we'd want to offer further options here.
If a user has registered (and enabled) 2FA security keys, they will be used as the primary provider. Let's consider adding the ability to change that default.