eu-digital-identity-wallet / eudi-doc-architecture-and-reference-framework

The European Digital Identity Wallet
https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/

Security considerations, threat model, account protection, account recovery? #273

Open dickhardt opened 3 months ago

dickhardt commented 3 months ago

The ARF 2.1 states that it provides "high-security authentication" -- but there are no details on what that is, or how it is accomplished. Account protection is hard. Large providers today (Amazon, Apple, Facebook, Google) have teams of 100s of security engineers looking at 100s of signals with sophisticated ML models built on trillions of transactions to do anomaly detection to protect their users' accounts from takeover.

There is no life cycle on what happens when someone loses their phone, when their phone is stolen and someone has access. How do they recover? What happens when they get a new phone? Are all of these factors an exercise for the wallet providers?

It appears that enrollment and identification are left to each state to perform, which is reasonable as they already have processes in place to do that.

dickhardt commented 3 months ago

I had hoped that Chapter 7 would provide some details, but it looks to only cover certification. A regulated authentication process for users will not have the nimbleness required to thwart ever-evolving threats.