Alena Dubeshko

I'm glad to see this requirement being discussed and refined. I want to share some ideas about it. 1. The part "Such controls include blocking the most common breached passwords"...

> We need to watch it separately - 2.1.7 and 2.1.14 blocks users to use it, which makes it even more suspicious, when someone start to use those "can not...

> Is this wording more clear? > > _Verify that the architecture treats client-side secrets--such as symmetric keys, passwords, or API tokens--as insecure and never uses them to protect or...