fido-alliance / how-to-fido

How To FIDO
https://fido-alliance.github.io/how-to-fido/HowToFIDO.html

Reason why UVPA not recommended as second factors for account bootstrapping ? #5

Open maxhata opened 4 years ago

maxhata commented 4 years ago

Note: We do not recommend allowing users to register user-verifying platform authenticators as second factors for account bootstrapping. If you want to give your users the convenience of biometric sign-in, follow the steps above to register a user-verifying platform authenticator as a password replacement for reauthentication, not as a second factor for account bootstrapping.

Why "We do not recommend allowing users to register user-verifying platform authenticators as second factors for account bootstrapping"? We should explain the reason why we make this recommendation, so that implementers can understand the recommendation.

maxhata commented 3 years ago

I think the main reason for

not to recommend allowing users to register user-verifying platform authenticators as second factor for bootstrapping.

is to prevent a potential account recovery problem. Users may have no other way to log in but the UVPA if they use user-verifying platform authenticators as a second factor; this model creates the potential for an account recovery problem if the user loses the UVPA. We should explain this reason clearly in the text.

Additionally, some readers will think: if the user has already registered a roaming authenticator as a second factor, the user can be allowed to register a UVPA as a second factor, since the roaming authenticator can solve the account recovery problem even if the user loses the UVPA.

So the current recommendation sounds confusing.

I think we should first explain the lock-out issue with UVPAs, including additional roaming authenticators to be registered as a solution to break the lock-out. Then all these recommendations will become easier to understand, using the lock-out issue as the reason.

I know it is difficult in many consumer use cases to expect every consumer to own a roaming authenticator, and you end up with this recommendation. But the reasoning behind this recommendation should be communicated to the readers.
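A small model of the lock-out reasoning in the comment above, added here as an illustration (it is not code from the how-to-fido guide or from the issue author); the Credential fields, the constructed device labels and the policy function names are assumptions:

```python
from dataclasses import dataclass

# Constructed model of an RP's record of a user's registered WebAuthn credentials.
# 'attachment' mirrors the WebAuthn authenticatorAttachment values.
@dataclass(frozen=True)
class Credential:
    cred_id: str
    attachment: str        # "platform" or "cross-platform"
    user_verifying: bool   # the authenticator performs user verification (UV)
    device: str            # constructed label for the physical device it lives on
    purpose: str           # "second-factor" (bootstrapping) or "reauth" (password replacement)

def bootstrap_second_factors(creds):
    """Credentials usable as the second factor when bootstrapping a new device."""
    return [c for c in creds if c.purpose == "second-factor"]

def can_bootstrap_without(creds, lost_device):
    """True if the user can still bootstrap after losing every credential on lost_device.
    Assumes the first factor (a password) does not live on the lost device."""
    return any(c.device != lost_device for c in bootstrap_second_factors(creds))

def lockout_risks(creds):
    """Devices whose loss would leave the user with no bootstrap second factor at all."""
    devices = {c.device for c in creds}
    return sorted(d for d in devices if not can_bootstrap_without(creds, d))

def may_register_as_second_factor(creds, new_cred):
    """Policy sketched in the issue: a platform authenticator (such as a UVPA) may be a
    bootstrap second factor only if losing its device still leaves a bootstrap path,
    i.e. a roaming authenticator on another device is already registered for that purpose.
    Registering the same UVPA for reauthentication only is always fine."""
    if new_cred.purpose != "second-factor" or new_cred.attachment != "platform":
        return True
    return can_bootstrap_without(creds + [new_cred], new_cred.device)

# Constructed sample credentials: a phone's UVPA and a roaming security key.
PHONE_UVPA = Credential("c1", "platform", True, "phone", "second-factor")
PHONE_REAUTH = Credential("c2", "platform", True, "phone", "reauth")
ROAMING_KEY = Credential("c3", "cross-platform", False, "security-key", "second-factor")

if __name__ == "__main__":
    print(lockout_risks([PHONE_UVPA]))                          # ['phone']
    print(may_register_as_second_factor([], PHONE_UVPA))        # False: sole bootstrap path
    print(may_register_as_second_factor([ROAMING_KEY], PHONE_UVPA))  # True
    print(may_register_as_second_factor([], PHONE_REAUTH))      # True: reauth only
```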

maxhata commented 3 years ago

Created a PR, https://github.com/fido-alliance/how-to-fido/pull/24