...

Approved alternative means will be added to the website and will be considered normative.

The AD Silver Issue and 1.2

The issue with 1.2 and Active Directory is the technology AD uses to store password secrets: the NT hash, an unsalted MD4 digest of the password. There are doubts that AD could pass the "approved algorithm" bar set in version 1.2, although the alternative means option must be explored to determine this. While AD makes it possible to enable two-factor authentication, it is not possible to turn off password authentication, so the stored hash stays in use. Microsoft has not indicated any plan to change the way passwords are stored in AD.
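As an added example (not code from the original page, from Microsoft, or from the assurance profile), here is what the stored value actually is: AD's NT hash is an unsalted MD4 digest of the UTF-16LE-encoded password. The block re-implements MD4 from RFC 1320 so it runs without OpenSSL's legacy provider, computes the NT hash, and sets it beside a salted, iterated PBKDF2-HMAC-SHA256 derivation to show the kind of construction an approved-algorithm list would normally accept. The choice of PBKDF2 and its iteration count are assumptions made for illustration, not requirements drawn from version 1.2.

```python
"""Added example: what Active Directory stores for a password, and why it is
unlike a salted, iterated KDF.  Not code from the original page or from Microsoft.

AD verifies passwords against the NT hash: MD4 over the UTF-16LE encoding of the
password, with no salt and no work factor.  MD4 is re-implemented here (RFC 1320)
so the example runs on a Python whose OpenSSL has MD4 disabled.  The PBKDF2
parameters below are illustrative assumptions, not a profile requirement.
"""
import hashlib
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """32-bit left rotate."""
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


# (boolean function, additive constant, message-word order, per-step shifts)
# for the three MD4 rounds, as specified in RFC 1320.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     list(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); returns the 16-byte digest."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)   # pad to 56 mod 64
    msg += struct.pack("<Q", bit_len)              # bit length, little-endian

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        saved = list(state)
        for func, const, order, shifts in _ROUNDS:
            for i in range(16):
                r = (-i) % 4                        # register updated: a, d, c, b, a, ...
                x, y, z = (state[(r + k) % 4] for k in (1, 2, 3))
                total = state[r] + func(x, y, z) + words[order[i]] + const
                state[r] = _rotl(total & MASK32, shifts[i % 4])
        state = [(s + v) & MASK32 for s, v in zip(state, saved)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """The value AD stores: MD4 of the UTF-16LE password, no salt, hex-encoded.
    Identical passwords on different accounts yield identical hashes."""
    return md4(password.encode("utf-16-le")).hex()


def salted_kdf(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Illustrative salted, iterated alternative (PBKDF2-HMAC-SHA256), hex-encoded.
    Per-user salts make equal passwords produce different stored values."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


if __name__ == "__main__":
    # Constructed sample input; "password" is the classic NT-hash test value.
    print("NT hash of 'password':", nt_hash("password"))
    print("NT hash of '' (empty):", nt_hash(""))
    print("salted KDF, user A:   ", salted_kdf("password", os.urandom(16)))
    print("salted KDF, user B:   ", salted_kdf("password", os.urandom(16)))
```

Running it shows the two properties that matter for the "approved algorithm" question: every account that shares a password shares an NT hash, and a single MD4 over a short input is cheap enough to test at very high rates, whereas the salted, iterated derivation gives each account a distinct stored value and a tunable cost per guess.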

...

Benn Oshrin notes that version 1.2 could lead to some confusion around what is needed for password reset under Bronze assurance. The issue is that v1.2 makes section §4.2.4.3 part of Bronze, which says:

"After expiration of the current Credential, if none of these methods are successful then the Subject must re-establish her or his identity
with the IdPO per Section 4.2.2 before the Credential may be renewed or re-issued."

However, almost none of §4.2.2 applies to Bronze, since Bronze has no registration record requirements. So what does this imply for a Subject with an expired credential, an Address of Record that is no longer valid, and no (or forgotten) pre-registered questions?

...