Context
I believe this requirement originated from the initial ADA specifications and was approved during our early lab meetings. However, after a more critical review of our requirements, this particular one seems potentially irrelevant for the majority of applications that will use the web profile. I believe it's also an ASVS L2 requirement, which indicates it may not be entirely suitable for the baseline profile.
Recommendation
Consider removing the following requirements:
1.3 Lookup secrets shall be random and not reused
1.3.1 Lookup secrets shall be used only once
1.3.2 Lookup secrets shall have sufficient randomness
Next Steps
I'd like to request feedback from our Lab partners on how frequently lookup secrets are being used in apps they're testing. If my assumption is correct and the usage of lookup secrets is relatively low, then I recommend we consider removing these requirements.
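For readers weighing the requirements listed above, the following is an added illustration (not code from the issue or from any project it references) of what a lookup-secret implementation that satisfies 1.3, 1.3.1 and 1.3.2 looks like: codes are drawn from a CSPRNG, only digests are stored, and each code is discarded the moment it is redeemed. The 80-bit code length and the `LookupSecretStore` class are my own assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: 10 random bytes (80 bits) per recovery code.
CODE_BYTES = 10


def format_code(raw: str) -> str:
    """Group a hex code into 4-character chunks so users can transcribe it."""
    return "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def normalize(code: str) -> str:
    """Accept user input with or without separators or capitalisation."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str) -> str:
    """Store a digest rather than the code, so a leaked table yields no usable codes."""
    return hashlib.sha256(normalize(code).encode()).hexdigest()


class LookupSecretStore:
    """Hypothetical store: maps a user to the digests of their still-unused codes."""

    def __init__(self) -> None:
        self._unused: dict[str, set[str]] = {}

    def issue(self, user: str, count: int = 10) -> list[str]:
        # 1.3.2: sufficient randomness comes from the OS CSPRNG via `secrets`.
        codes = [format_code(secrets.token_hex(CODE_BYTES)) for _ in range(count)]
        # Issuing a new batch invalidates any previous batch for this user.
        self._unused[user] = {hash_code(c) for c in codes}
        return codes  # displayed to the user exactly once

    def redeem(self, user: str, code: str) -> bool:
        digest = hash_code(code)
        remaining = self._unused.get(user, set())
        for stored in remaining:
            # Constant-time comparison of digests.
            if hmac.compare_digest(stored, digest):
                # 1.3.1: a code is consumed on first successful use and never reused.
                remaining.discard(stored)
                return True
        return False


if __name__ == "__main__":
    store = LookupSecretStore()
    issued = store.issue("alice")
    print("issued:", issued)
    print("first use:", store.redeem("alice", issued[0]))   # True
    print("second use:", store.redeem("alice", issued[0]))  # False
```

Redemption of a code must also be rate-limited in a real deployment; the example only shows the single-use and randomness properties the requirements describe.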
+1 on removing this from the requirements. I concur that these lookup secrets (pre-generated random values representing recovery codes) are not suitable for a baseline profile as they are not used in the majority of web apps.