Authenticators that require the manual entry of an authenticator output, such as out-of-band and OTP authenticators, SHALL NOT be considered verifier impersonation-resistant since the manual entry would not bind the authenticator output to the particular session getting authenticated.This document assumes that the subscriber isn't colluding using a… Read More