Mandate the use of FIDO2 security key
Let us mandate a specific login method, e.g. login only possible via security key.
As it is now, security keys are only optional and an add-on to the existing methods. To configure a security key in the first place, one needs to set up MFA with SMS/phone first.
But what good is a security key if a malicious somebody can just choose "sign in with another method" and then choose SMS, when SMS-based MFA is discouraged everywhere because of security concerns?
I would like to see something like Google's Advanced Protection Program. True, this is not passwordless, but then again they mandate the use of a security key as a second factor. Nothing else is allowed.
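As an added illustration of the point made in this request (this is example code written for this page, not Microsoft's or Google's implementation, and the `Account`, `enroll` and `second_factor_allowed` names are hypothetical), the following model contrasts the current "security key as optional add-on" behaviour with a per-account policy that mandates the key. With the add-on model the weakest enrolled method decides the account's real strength, because the "sign in with another method" list lets a caller fall back to SMS; with a mandated method, that fallback is refused.

```python
# Added example for this feedback thread; not Microsoft's code.
# Models two behaviours: (a) any enrolled second factor is accepted, so SMS
# remains a fallback even when a security key exists, and (b) a mandated
# security-key policy that refuses every other method.
from dataclasses import dataclass, field
from typing import Optional, Set

SECURITY_KEY = "fido2_security_key"
SMS = "sms"
PHONE_CALL = "phone_call"


@dataclass
class Account:
    enrolled_methods: Set[str] = field(default_factory=set)
    # Hypothetical per-account policy: None means "any enrolled method is fine",
    # otherwise only this method may complete the second-factor step.
    required_method: Optional[str] = None


def enroll(account: Account, method: str, bootstrap_requires_phone: bool = True) -> None:
    """Add a second factor.

    bootstrap_requires_phone=True reproduces the behaviour described in the
    post: a security key can only be added once SMS/phone MFA exists.
    bootstrap_requires_phone=False lets the key be the first and only factor.
    """
    if (method == SECURITY_KEY and bootstrap_requires_phone
            and not (account.enrolled_methods & {SMS, PHONE_CALL})):
        raise ValueError("security key can only be added after SMS/phone MFA is set up")
    account.enrolled_methods.add(method)


def second_factor_allowed(account: Account, method: str) -> bool:
    """Return True if `method` may complete the second-factor step."""
    if method not in account.enrolled_methods:
        return False
    if account.required_method is not None:
        # "Sign in with another method" is refused: only the mandated method counts.
        return method == account.required_method
    return True


def sim_swap_attacker_succeeds(account: Account) -> bool:
    """Attacker knows the password and controls the victim's phone number, so
    they pick SMS from the 'sign in with another method' list."""
    return second_factor_allowed(account, SMS)


def demo() -> dict:
    """Constructed scenario: one account, SMS enrolled first, then a key."""
    acct = Account()
    enroll(acct, SMS)
    enroll(acct, SECURITY_KEY)            # allowed because SMS already exists
    addon_model = sim_swap_attacker_succeeds(acct)

    acct.required_method = SECURITY_KEY    # the requested "mandate" setting
    mandated_model = sim_swap_attacker_succeeds(acct)
    key_still_works = second_factor_allowed(acct, SECURITY_KEY)

    # Bootstrapping a key without any phone method, as the post asks for.
    fresh = Account()
    enroll(fresh, SECURITY_KEY, bootstrap_requires_phone=False)
    fresh.required_method = SECURITY_KEY

    return {
        "addon_model_attacker_wins": addon_model,
        "mandated_model_attacker_wins": mandated_model,
        "mandated_model_key_works": key_still_works,
        "key_only_account_accepts_sms": second_factor_allowed(fresh, SMS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes is that enrolling a stronger factor changes nothing until the weaker ones are excluded; the `required_method` field is the single setting that turns the key from an optional add-on into the only accepted second factor.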
This is something we are looking to add.
I agree with this request; not sure why security keys are not considered a "second factor", considering they are more secure than phone/SMS, which should simply be removed.