Verify user identity for additional authenticator registration
Your users can register multiple authenticators. When a user attempts to register an additional authenticator, you must verify the identity of that user first; otherwise the registration flow can be abused.
If you do not verify the user's identity when an additional authenticator is registered, an attacker who has gained access to a weakly authenticated session might be able to register their own authenticator on behalf of the existing user and thereby take over the account.
Recommended solution
To prevent this, ensure that the user is strongly authenticated at the moment they attempt to register a new authenticator. Either of the following solutions ensures that the requester and the user are the same person:
- Only allow users to register additional authenticators if their session was initiated by multi-factor authentication with Authentication Cloud as the second factor.
- Require a transaction approval for the registration of an additional authenticator.
With transaction approval, the requester proves that they are the user by approving the registration with an already registered authenticator; only then is the registration of the new authenticator allowed.
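The following is an added example (not Authentication Cloud's own code or API) of how a backend might enforce the two rules above before it issues a registration for a new authenticator. The session, request and approval structures, the `"authentication-cloud"` factor label in an OIDC-style `amr` list, and the five-minute freshness window for approvals are all assumptions made for the illustration.

```python
"""Gate registration of an additional authenticator on strong authentication.

Illustrative code written for this page; not Authentication Cloud's own API.
Rule 1: allow if the session was created by MFA with Authentication Cloud as
        the second factor.
Rule 2: otherwise allow only with a fresh transaction approval, bound to this
        exact registration request, made with an authenticator the user already
        has registered.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple

# Assumed label for a second factor completed via Authentication Cloud.
SECOND_FACTOR = "authentication-cloud"
# Assumed freshness window: approvals older than this no longer count.
APPROVAL_MAX_AGE = timedelta(minutes=5)


@dataclass(frozen=True)
class Session:
    user_id: str
    amr: Tuple[str, ...]  # authentication methods that created the session


@dataclass(frozen=True)
class RegistrationRequest:
    request_id: str
    user_id: str


@dataclass(frozen=True)
class TransactionApproval:
    user_id: str
    request_id: str        # the registration request this approval is bound to
    authenticator_id: str  # the already registered authenticator that approved
    approved_at: datetime


def session_is_mfa_with_cloud(session: Session) -> bool:
    """Rule 1: at least two factors, one of them the Authentication Cloud factor."""
    factors = set(session.amr)
    return len(factors) >= 2 and SECOND_FACTOR in factors


def approval_is_valid(approval: TransactionApproval, request: RegistrationRequest,
                      registered: FrozenSet[str], now: datetime) -> bool:
    """Rule 2: approval belongs to this user, this request, a known authenticator,
    and is neither stale nor from the future."""
    if approval.user_id != request.user_id:
        return False
    if approval.request_id != request.request_id:
        return False  # an approval for some other action must not be replayed here
    if approval.authenticator_id not in registered:
        return False  # only an authenticator the user already owns may vouch
    age = now - approval.approved_at
    return timedelta(0) <= age <= APPROVAL_MAX_AGE


def may_register_additional_authenticator(session: Session, request: RegistrationRequest,
                                          registered: FrozenSet[str],
                                          approval: Optional[TransactionApproval],
                                          now: Optional[datetime] = None) -> bool:
    """Decide whether the requester may register a new authenticator."""
    now = now or datetime.now(timezone.utc)
    if session.user_id != request.user_id:
        return False  # the requester is not the account owner at all
    if session_is_mfa_with_cloud(session):
        return True
    return approval is not None and approval_is_valid(approval, request, registered, now)


# Constructed sample data for a stand-alone run.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
REGISTERED = frozenset({"auth-1"})
REQUEST = RegistrationRequest("req-42", "alice")


def demo() -> Dict[str, bool]:
    """Run the decision over representative scenarios; returns name -> allowed."""
    pwd_only = Session("alice", ("pwd",))
    mfa = Session("alice", ("pwd", SECOND_FACTOR))
    good = TransactionApproval("alice", "req-42", "auth-1", NOW - timedelta(minutes=1))
    other_request = TransactionApproval("alice", "req-99", "auth-1", NOW)
    unknown_device = TransactionApproval("alice", "req-42", "auth-X", NOW)
    stale = TransactionApproval("alice", "req-42", "auth-1", NOW - timedelta(minutes=10))
    return {
        "password_only_no_approval": may_register_additional_authenticator(pwd_only, REQUEST, REGISTERED, None, NOW),
        "mfa_session": may_register_additional_authenticator(mfa, REQUEST, REGISTERED, None, NOW),
        "password_plus_valid_approval": may_register_additional_authenticator(pwd_only, REQUEST, REGISTERED, good, NOW),
        "approval_for_other_request": may_register_additional_authenticator(pwd_only, REQUEST, REGISTERED, other_request, NOW),
        "approval_from_unknown_authenticator": may_register_additional_authenticator(pwd_only, REQUEST, REGISTERED, unknown_device, NOW),
        "stale_approval": may_register_additional_authenticator(pwd_only, REQUEST, REGISTERED, stale, NOW),
        "mfa_but_wrong_user": may_register_additional_authenticator(Session("bob", ("pwd", SECOND_FACTOR)), REQUEST, REGISTERED, None, NOW),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Binding the approval to the specific registration request and to an authenticator already in the user's registered set is what makes the second path equivalent to the first: a password-only session, or an approval captured for some other transaction, is not enough on its own.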