Hi Jason.
Thanks for your reply.
I appreciate your perception that this does not qualify as a bug, as it intersects with a feature request.
I think the more fundamental question we need to ask ourselves is: what is our definition of a bug?
I personally like Rubin J. and Dana Chisnell's take on the user perspective to validate software functionally, which could help us understand that a bug can be literally any aspect the user believes to not be working as intended or according to expectations.
Objectively, people use Biometric/U2F/FIDO for many reasons, including, but not limited to: reduced MITM, SIM swapping, phishing, or even mobile theft + takeover risks.
Many people feel safer using only this method for 2FA.
If I factually need to add a secondary authentication method, e.g. OTP, I’m usually adding a point of vulnerability to my data platform authentication mechanism. This means that if my OTP provider or setup code is compromised, “Mallory” can win control over my - and my client’s - data.
I prefer to use a physical authentication mechanism because I trust it better. Products like Google, Twitter, Apple, Okta, 1Password and GitHub, &c. support FIDO authentication and the addition of multiple security keys - they understand this need.
While some people might trust SMS/Email/OTP better, and that’s OK, it’s their preference, I believe there is a bug in the way that the security keys authentication method offered in Cloud’s IAM is incomplete as it does not yet meet industry standards for the actual use-case described above.
Back to the original question, is this a bug (or not)?
As the user who has my intent frustrated - yes.
As the feature that is incomplete / does not meet quality standards - yes.
Can this be a feature request instead of a bug? Also yes.
I personally don’t see a difference in priority between a bug and a feature by the very taxonomy - but rather on the impact it provides by either addressing or not addressing it.
Have a nice day!