Any time you use a security technology, you have to have an
understanding of the threats you're protecting from. The decisions you
make on the threats you choose to protect from, and how you protect
yourself, becomes the "policy" that guides your usage of the security
One of the problems with FIDO is that most web-developers think of it as
just another "library" to make their applications "cool". This is,
clearly, the wrong approach.
To effectively understand how to leverage FIDO, you need to not only
understand the various options and constraints that are available in the
protocol/API, but how to formulate a "policy" using those options and
constraints. Unfortunately, the moving target of the WebAuthn
specifications makes this challenging.
Take a look at this Policy Module we've implemented in our open-source
and this demonstration site of how policies can be formulated to
accomplish your security goals:
This will give you a better understanding of how to approach this problem.
Hope that helps.
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to fido-dev+u...@fidoalliance.org