Re: FIDO2 ?
Date: 2022-05-18 08:49 pm (UTC)

The cryptographic identity tied to the token can live anywhere, yeah - the question is how to make good use of it. You don't want to have to re-auth on every API call, so presumably if you want to use a proof-of-presence crypto exchange you'd exchange the bearer token for a session cookie that's tied to the IP address (to prevent exfil) and then force re-validation whenever the IP address changes?

Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
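The flow the comment sketches (a verified bearer token swapped for a session cookie bound to the client IP, with a fresh proof-of-presence forced when the address changes), as an added Python example that is not part of the post. The HMAC key, the in-memory session store and the `presence_proof_ok` flag standing in for the real FIDO2 re-authentication are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side key and store (assumptions for this example, not from the post).
SERVER_KEY = secrets.token_bytes(32)
SESSION_TTL = 3600          # seconds a bound session stays valid without re-issue
SESSIONS = {}               # session_id -> {"ip", "issued", "needs_revalidation"}


def _sign(sid):
    """Cookie = session id plus HMAC so a forged id fails before any store lookup."""
    mac = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def _verify_cookie(cookie):
    """Return the session id if the cookie's HMAC checks out, else None."""
    sid, _, mac = cookie.rpartition(".")
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return sid if sid and hmac.compare_digest(mac, expected) else None


def exchange_token_for_session(bearer_token, client_ip, now=None):
    """Trade an already-verified bearer token for a cookie bound to client_ip.
    Token verification itself is out of scope here; the argument is accepted as-is."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"ip": client_ip, "issued": now, "needs_revalidation": False}
    return _sign(sid)


def check_request(cookie, client_ip, now=None):
    """Per-request check: 'ok', 'revalidate' (IP changed, need fresh proof) or 'reject'."""
    now = time.time() if now is None else now
    sid = _verify_cookie(cookie)
    rec = SESSIONS.get(sid) if sid else None
    if rec is None or now - rec["issued"] > SESSION_TTL:
        SESSIONS.pop(sid, None)
        return "reject"
    if rec["ip"] != client_ip:
        rec["needs_revalidation"] = True   # stays set until the proof-of-presence succeeds
    return "revalidate" if rec["needs_revalidation"] else "ok"


def complete_revalidation(cookie, client_ip, presence_proof_ok):
    """After the client redoes the proof-of-presence exchange, rebind the session to the new IP."""
    sid = _verify_cookie(cookie)
    rec = SESSIONS.get(sid) if sid else None
    if rec is None or not presence_proof_ok:
        return False
    rec["ip"], rec["needs_revalidation"] = client_ip, False
    return True
```

A failed proof leaves the session flagged, so the original IP cannot keep using it either until a successful re-validation rebinds it; IP binding is coarse (NAT, mobile roaming), so expect the revalidate path to fire routinely for some clients.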