The memo does not include any requirements for authenticators to be phishing-resistant, even though DoD is required to retire phishable authenticators by 2027.