I'd be interested in this API for Chromium if it was also applicable to payments anti-fraud use cases around device-binding. Which, if any, of the various options and hints that WebAuthn provides for key storage might make sense here as well?
E.g., is the design of the API such that one might be able to build a PSD2 SCA-compliant "devicebinding" solution with it, or is that explicitly a non-goal (such as by requiring that keys always be syncable #111).
RByers changed the title from "[Remote CryptoKeys]" to "[Remote CryptoKeys] Applicability to payments / anti-fraud use cases" on Apr 5, 2024.
@RByers that's an interesting use case I'm not familiar with.
You're correct, the intent of this proposal covers use cases where keys should be syncable across devices. For example, I can create an encryption key pair on my phone, which I use with a native app. But I can also sync those keys to my laptop, where I use them in the browser.
With that said, I don't think there's any way for the spec to require/enforce that the keys are syncable. It may be worth further discussion on a use case where a key is generated/stored in a non-syncable manner, but is still usable via this WebCrypto API.