Comment by idontwantthis
13 days ago
Is this not easily patched by the provider encrypting and signing the whole payload? I would have thought that would be table stakes for an identity provider.
The identity provider is on-device and has to run on phones which don't do hardware attestation.
That’s only for selfies. If they use an ID, I’m pretty sure it is getting sent to a k-id server.