IZUKA Masahiro

Results 7 comments of IZUKA Masahiro

I posted the same message to #570 today, but removed and re-posted here because it has already been closed.

[NIST](https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret) says:

> In order to assist the claimant in successfully entering a memorized secret, the verifier SHOULD offer an option to display the secret — rather than a series...

I closed it by mistake. Should I move this to #570?

The masking mitigates the risk of password leaks to people behind the user who look at the screen or take a photo. It is true that attackers may obtain it by tracking move...

Thanks for clarifying, and sorry for the confusion. For the last one, for example, I often see the password displayed on the confirmation page or the finished page with other field...

Suggestion about 1.1.6.

> Verify implementation of centralized, simple (economy of design), vetted, secure, and reusable security controls to avoid duplicate, missing, ineffective, or insecure controls. (C10)

It is included...

FYI, CISA published a fact sheet about push bombing threats in MFA: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf According to this, for push notifications, an additional step called number matching is effective against push bombing.