Could cards be authenticators for SPC (or WebAuthn)?

[ianbjacobs]

Issue #12 is about support in SPC for roaming authenticators. I have wondered whether cards could act as roaming authenticators, which means that a person could use a card for in-person payments, and also as a possession factor in a strong authentication flow.

[RByers]

I think this is a very interesting idea, thanks Ian! Whether through WebAuthn alone or through SPC, relying on a physical card to do the crypto verification has some appealing security and usability properties. It would also be possible to enrol the local device (WebAuthn/SPC/DBSC/etc.) after a card-based confirmation if desired by the issuer & user.

[ianbjacobs]

Or, it might be interesting in the "new device" flow:

• User has already registered an SPC credential.
• User authenticates for the first time on an unrecognized device where the passkey is available but there is not yet a browser-bound key.
• User uses card somehow during ID&V flow, and new browser-bound key is recognized on subsequent transactions.