[bug] [security] Add more than 1 Biometric Key as 2FA method

Context
I want to only use biometric keys as 2FA method.

Issue
I can only enroll 1 biometric key at Atlas.

Pain
When using Security Keys, it’s very common to be able to enroll more than 1 key, so if I lose one (damage or theft), I can use the back up one in my safety vault.

Definition of Ready
You already support adding 1 key; I'd assume all it takes is displaying the option to add it again.

Hi @Angelo_Reale1,

Thanks for those details. I note that you've included [bug] in the title, but I do not believe this to be the case. This appears to be more of a feature request, in which case I would recommend posting this type of feedback on the MongoDB feedback engine, where you and others can vote for it.

Regards,
Jason

Hi Jason.

Thanks for your reply.

I appreciate your perception that this does not qualify as a bug, as it intersects with a feature request.

I think the more fundamental question we need to ask ourselves is: what is our definition of bug?

I personally like Rubin J. and Dana Chisnell's take on using the user perspective to validate software functionality, which could help us understand that a bug can be literally any aspect the user believes is not working as intended or according to expectations.

Objectively, people use Biometric/U2F/FIDO for many reasons, including, but not limited to: reduced MITM, SIM swapping, phishing, or even mobile theft + takeover risks.

Many people feel safer using only this method for 2FA.

If I factually need to add a secondary authentication method, e.g. OTP, I'm usually adding a point of vulnerability to my data platform authentication mechanism. This means that if my OTP provider or setup code is compromised, "Mallory" can win control over my data - and my client's.

I prefer to use a physical authentication mechanism because I trust it better. Products like Google, Twitter, Apple, Okta, 1password and Github, &c. support FIDO authentication and the addition of multiple security keys - they understand this need.

While some people might trust SMS/Email/OTP better, and that's OK, it's their preference, I believe it is a bug that the security-key authentication method offered in Cloud's IAM is incomplete, as it does not yet meet industry standards for the actual use case described above.

Back to the original question, is this a bug (or not)?

As the user whose intent is frustrated - yes.
As a feature that is incomplete / does not meet quality standards - yes.

Can this be a feature request instead of a bug? Also yes.

I personally don't see a difference in priority between a bug and a feature based on the taxonomy alone - but rather on the impact of either addressing or not addressing it.

Have a nice day!