@dylanh724, that’s my situation. I don’t merely utilise RFC 5233 sub-addresses, but different local parts (albeit, with the same subdomain) per service:
Others utilise different local parts and a generic domain that doesn’t relate to them, for which this cannot even theoretically be supported any other way.
Consequently, I want to explain that the undermentioned is nonsensical:
I’ve 2FA enabled. Currently, via TOTP, but shall be via CTAP1, when the undermentioned has been resolved:
This is solely for username-plus-password entry. Instead, I’ve also CTAP2 1FA active for the account. It’s also active for all possible OAuth alternatives, thereby rendering the stated rationale for preventing connecting alternative SSO options quite outdated.
It’s also quite confusing for someone who isn’t aware of the restriction:
Consequently, I advise that this not be the default, especially whilst the undermentioned remains:
That, plus the general dissuasion toward 2FA, means that it’s a net security negative.