Status: Open. ianbjacobs opened 3 weeks ago.
I think this is a very interesting idea, thanks Ian! Whether through WebAuthn alone or through SPC, relying on a physical card to do the crypto verification has some appealing security and usability properties. It would also be possible to enrol the local device (WebAuthn/SPC/DBSC/etc.) after a card-based confirmation if desired by the issuer & user.
Or, it might be interesting in the "new device" flow:
Issue #12 is about support in SPC for roaming authenticators. I have wondered whether cards could act as roaming authenticators, which means that a person could use a card for in-person payments, and also as a possession factor in a strong authentication flow.