Account Recovery

Per commonly accepted security practice, the overall strength of any authentication is only as strong as its weakest step. Provisioning of phishing-resistant credentials, and of any other credential stronger than a shared secret, should therefore be accomplished using methods at least as strong as the credential being provisioned. As a counter-example, allowing people to recover a phishing-resistant credential using only a phishable shared secret negates much of the value provided by the phishing-resistant credential itself. Similarly, using a phishing-resistant method only some of the time, while a phishable method continues to be accepted, still leaves the authentication open to phishing attacks.

Note that encouraging the user to register more than one WebAuthn credential is an effective account recovery option that does not degrade the overall security strength. Make sure to populate the excludeCredentials parameter with the user's existing credential IDs when creating a new credential: an authenticator that already holds one of the listed credentials refuses to register again, so the new credential is created on a different authenticator.