MFA - allow add multiple security keys

Currently you can only add a single security key for MFA. Best practice is to allow users to add multiple keys to prevent account lockout if the device is lost, destroyed, stolen or unavailable.

I’d suggest allowing up to five. These security keys could be a YubiKey, Android passkey, Windows Hello, Apple FaceID etc. - some might be cross-platform and others might be platform authenticators.

A common scenario is you are at a different computer and left your security key behind and now you can’t log in (but you could've just used your phone if you had been able to set it up too) - same with overseas travel.

This should be pretty straightforward to implement but you’ll need to allow the user to input a nickname for the key so they can delete it specifically. Have a look at GitHub’s implementation.

This should also reduce the number of tickets I’m sure you get for account lockout due to these scenarios.
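As an added illustration (not code from this product or from the poster), one way a service could model the per-user registry the post asks for: a cap of five keys, a required nickname so a specific key can be removed, and the list of registered credential IDs handed to the browser at login so any of the keys can satisfy the challenge. Class and field names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MAX_SECURITY_KEYS = 5  # cap suggested in the post


@dataclass(frozen=True)
class SecurityKey:
    credential_id: bytes  # WebAuthn credential ID returned at registration
    public_key: bytes     # COSE public key used to verify assertions
    nickname: str         # user-chosen label so this key can be deleted specifically
    attachment: str       # "cross-platform" (e.g. YubiKey) or "platform" (e.g. Windows Hello)


class SecurityKeyStore:
    """Hypothetical per-user registry of MFA security keys."""

    def __init__(self) -> None:
        self._keys: list[SecurityKey] = []

    def register(self, key: SecurityKey) -> None:
        # Enforce the cap and reject ambiguous or duplicate registrations.
        if len(self._keys) >= MAX_SECURITY_KEYS:
            raise ValueError(f"limit of {MAX_SECURITY_KEYS} security keys reached")
        if not key.nickname.strip():
            raise ValueError("a nickname is required so the key can be removed later")
        if any(k.nickname == key.nickname for k in self._keys):
            raise ValueError(f"nickname {key.nickname!r} already in use")
        if any(k.credential_id == key.credential_id for k in self._keys):
            raise ValueError("this credential is already registered")
        self._keys.append(key)

    def remove(self, nickname: str) -> bool:
        # Delete exactly one key by its nickname; returns False if no such key.
        before = len(self._keys)
        self._keys = [k for k in self._keys if k.nickname != nickname]
        return len(self._keys) < before

    def allow_credentials(self) -> list[bytes]:
        # Credential IDs passed to the browser at login: any registered key may answer.
        return [k.credential_id for k in self._keys]

    def lookup(self, credential_id: bytes) -> Optional[SecurityKey]:
        # Resolve the key that signed an assertion so its public key can be checked.
        return next((k for k in self._keys if k.credential_id == credential_id), None)

    def count(self) -> int:
        return len(self._keys)
```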