Reason why it is not recommended requiring a second factor during reauthentication? #9
Comments
I find that the current text self-explains why the recommendation is made. When a user-verifying platform authenticator is employed for reauthentication, the user experience is user-friendly without sacrificing security. If you have a suggested re-word, could you please submit a PR? If after re-reading the above explanation you think that a re-word is not necessary, perhaps close the issue?
It is still not clear to me what "We do not recommend that relying parties require a second factor during reauthentication." wants to say. Does it want to say "We do not recommend that relying parties require a second factor during reauthentication using the roaming authenticator"? So does it want to recommend using UVPA instead of the UVRA if UVPA is available for better usability?
It's more generic than that: We mean to say - relying parties shouldn't ask for a fingerprint during reauthentication, and then also go on to ask for other types of second factors (like SMS OTP 2-FA, etc). A FIDO authentication should be enough to satisfy both the physical possession and user verification factors.
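
The point in the reply above, as an added example that is not part of this thread or the project's own code: a relying party can read the User Present (UP) and User Verified (UV) flags from the WebAuthn authenticator data and, when both are set, accept the reauthentication without asking for a further factor such as SMS OTP. The function names, the decision strings and the sample bytes are assumptions made for this illustration, and the code assumes the assertion signature, challenge, origin and RP ID hash were already verified.

```javascript
// Authenticator data layout (WebAuthn): 32-byte rpIdHash, 1 flags byte,
// 4-byte big-endian signCount, then optional data.
const FLAG_UP = 0x01; // bit 0: User Present (physical interaction / possession)
const FLAG_UV = 0x04; // bit 2: User Verified (biometric or PIN on the authenticator)

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical reauthentication policy for this example.
function reauthDecision(authDataBytes) {
  const ad = parseAuthenticatorData(authDataBytes);
  if (!ad.userPresent) return "reject";
  // UP + UV: possession and user verification are both covered by the
  // FIDO assertion, so no additional second factor is requested.
  if (ad.userVerified) return "accept";
  // UP only: possession was shown but the user was not verified. Repeat the
  // WebAuthn request with userVerification: "required".
  return "repeat_with_user_verification";
}

// Constructed sample input: dummy rpIdHash, chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes.fill(0xaa, 0, 32);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

console.log(reauthDecision(sampleAuthData(FLAG_UP | FLAG_UV, 7))); // fingerprint/PIN used
console.log(reauthDecision(sampleAuthData(FLAG_UP, 7)));           // touch only
```
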
Why "We do not recommend that relying parties require a second factor during reauthentication"?
I think you should explain the reason why you make this recommendation.