When a service deploys FIDO Authentication, it must have a secure account recovery process to address lost, damaged or stolen FIDO authenticators. A previous FIDO Alliance white paper, Recommended Account Recovery Practices for FIDO Relying Parties, recommends two strategies:

  1. Require the user to register multiple authenticators, to reduce the need for account recovery; 

if #1 is not feasible:

  1. Re-run the initial identity proofing or user onboarding process to recover the account.

The first strategy, to require multiple authenticators, plays a very important role for FIDO-enabled consumer-facing accounts where the number of account recovery options can be limited. This includes scenarios where the password has been disabled after FIDO credentials are registered, or where passwords and FIDO credentials are registered for two-step authentication. 

This paper focuses on the first strategy and provides guidance on how to deploy FIDO Authentication with multiple authenticators. It discusses how to register new authenticators bound to an already-registered authenticator, security considerations, coverage/authenticator options, usability, and policy, based on FIDO-enabled browsers and platforms. It provides recommendations for registration methods and policy examples for deploying the solution.


More

White Paper: Replacing Password-Only Authentication with Passkeys in the Enterprise

Editors Khaled Zaky, Amazon Web Services Abstract This white paper describes the need for a…

Read More →

White Paper: FIDO Deploying Passkeys in the Enterprise – Introduction

Editors Dean H. Saxe, Amazon Web Services, Co-Chair FIDO Enterprise Deployment Working Group 1. Introduction…

Read More →

White Paper: FIDO Attestation: Enhancing Trust, Privacy, and Interoperability in Passwordless Authentication

Editors Khaled Zaky, Amazon Web ServicesMonty Wiseman, Beyond IdentitySean Miller, RSA Security Eric Le Saint, Visa…

Read More →