openid / OpenID4VP


adding user_pin_required feature in OpenID4VP? #13

Closed. OIDF-automation closed this 7 months ago

OIDF-automation commented 1 year ago

Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/1744

Original Reporter: KristinaYasuda

In VCI, we have the user_pin_required feature. Given that a PIN is a useful feature to secure cross-device flows in OpenID4VP and SIOPv2, I suggest we discuss adding it in 4VP too.

OIDF-automation commented 1 year ago

Imported from AB/Connect bitbucket - Original Commenter: dwc8

The PIN is there to authenticate the client in OpenID4VCI. What purpose do you think it will serve in OpenID4VP?

Sakurann commented 7 months ago

A PIN can prevent a cross-device replay attack when the verifier knows that where it is sending the PIN belongs to an authenticated user. But in other cases, where the verifier might be sending a PIN to an attacker, the mitigation is not effective, since the attacker can spoof both the PIN and the QR code/request. So closing this issue.