I am designing a system that uses two-factor authentication, where the user is granted access only if both authentication factors pass verification.
Let us assume that the first factor is simply password-based authentication and the second factor is a fingerprint biometric.
Now, if the user wants to reset his password, there is no big issue. The user hits a password reset button and the system emails the user a password reset link, or maybe the system can be more aggressive and ask the user to verify his identity using the fingerprint before emailing him the password reset link. To me, this sounds OK.
But the other way around is what I do not like. Let us say that the user wants to reset his fingerprint. Of course, someone can ask why the fingerprint does not change (despite the fact that this is not entirely correct), but let us say that the user will use another finger, like the thumb instead of the index finger. Here I can see a problem: the security level of the system falls to the password-based security level.
A hacker who has managed to obtain the user's password for our system can claim that he wants to reset his fingerprint because his finger is injured. If we allow him to reset his fingerprint, then why do we have a second authentication factor?
I can send the user a link to his email where he can only reset his fingerprint through this link. But again, the email box is only password protected. In fact, it could be worse if our system and the user's email box use single sign-on or Active Directory.
I do not see a technical solution for this problem. I believe only a security policy can help in this case. But I am not sure what the policy is exactly.
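As an added illustration (not part of the original question), the following Python model encodes the downgrade concern above as a policy check: re-enrolling the fingerprint is authorised only by a session that has already passed both factors, or by the password plus a one-time recovery code that was issued at enrolment time. The `Session`, `Account` and `can_reset_fingerprint` names are hypothetical; the email-link path is deliberately not accepted because, as the question notes, the mailbox is itself only password protected.

```python
"""Model of a second-factor reset policy that avoids falling back to password-only."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Which factors the current session has already passed."""
    password_ok: bool = False
    fingerprint_ok: bool = False


@dataclass
class Account:
    """Server-side record: only hashes of unused recovery codes are stored."""
    recovery_code_hashes: set = field(default_factory=set)


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def issue_recovery_codes(acct: Account, count: int = 3) -> list:
    """Generate one-time codes at fingerprint enrolment; return plaintext once to the user."""
    codes = [secrets.token_hex(8) for _ in range(count)]
    acct.recovery_code_hashes.update(_digest(c) for c in codes)
    return codes


def can_reset_fingerprint(session: Session, acct: Account, recovery_code: str = None) -> bool:
    """Authorise re-enrolment of the biometric without downgrading to the password alone."""
    # Case 1: user still controls the old finger -> both factors verified in this session.
    if session.password_ok and session.fingerprint_ok:
        return True
    # Case 2: finger unusable -> password plus a pre-issued, unused recovery code.
    if session.password_ok and recovery_code is not None:
        presented = _digest(recovery_code)
        for stored in acct.recovery_code_hashes:
            if hmac.compare_digest(stored, presented):
                acct.recovery_code_hashes.discard(stored)  # single use: consume it
                return True
    # Password alone (including a password-protected mailbox link) is not enough.
    return False
```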