[bug] [security] Add more than 1 Biometric Key as 2FA method

I want to only use biometric keys as 2FA method.

I can only enroll 1 biometric key at Atlas.

When using Security Keys, it’s very common to be able to enroll more than 1 key, so if I lose one (damage or theft), I can use the back up one in my safety vault.

Definition of Ready
You already support adding 1 key, I’d assume all it takes is either display the option to add it again.

Hi @Angelo_Reale1,

Thanks for those details. I note that you’ve put the title to include [bug] but I do not believe this to be the case. This appears to be more of a feature request in which case I would recommend posting this type of feedback on the MongoDB feedback engine in which yourself and others can vote for.


Hi Jason.

Thanks for your reply.

I appreciate your perception that this does not qualify as a bug, as it intersects with a feature request.

I think the more fundamental question we need to ask ourselves is: what is our definition of bug?

I personally like that of Rubin J. and Dana Chisnell take on the user perspective to validate software functionally, which could help us understand that a bug can be literally any aspect the user believes to not be working as intended or according to expectations.

Objectively, people use Biometric/U2F/FIDO for many reasons, including, but not limited to: reduced MITM, SIM swapping, phishing, or even mobile theft + takeover risks.

Many people feel safer using only this method for 2FA.

If I factually need to add a secondary authentication method, e.g. OTP, I’m usually adding a point of vulnerability to my data platform authentication mechanism. This means that if my OTP provider or setup code are compromised, “Mallory” can win control over mine - and my client’s data.

I prefer to use a physical authentication mechanism because I trust it better. Products like Google, Twitter, Apple, Okta, 1password and Github, &c. support FIDO authentication and the addition of multiple security keys - they understand this need.

While some people might trust SMS/Email/OTP better, and that’s OK, it’s their preference, I believe there is a bug in the way that the security keys authentication method offered in Cloud’s IAM is incomplete as it does not yet meet industry standards for the actual use-case described above.

Back to the original question, is this a bug (or not)?

As the user who have my intent frustrated - yes.
As the feature that is incomplete / does not meet quality standards - yes.

Can this be a feature request instead of a bug? Also yes.

I personally don’t see a difference in priority between a bug and a feature by the very taxonomy - but rather on the impact it provides by either addressing or not addressing it.

Have a nice day!