Summary
As a normal user, I would be punished by receiving an attacker's export request and confusing it with mine, which can leak my credentials.
But when I transfer credentials, it's normally acceptable to require both devices to be online (or physically connected).
Details
Add an extension for key that requires "both devices online" or "physically connected / Bluetooth / NFC", so the user may have an extra layer of protection.
Proposed Feature Type
Protocol
Proposed Feature Name
real-time-exchange
Related Content
No response
There are many reasons why we allow "offline" exchanges to happen. Mostly because we want this to work for credential providers that may not have a syncing capability, or if a provider goes under, we want the users of that provider to still be able to migrate to a new provider. Guaranteeing online access in these cases is hard.
That being said, for direct exchanges, we're currently focused on "same device" flows. So both providers need to be installed at the same time for an exchange to work.
If you wish to do cross device flows, the current way to do so would be with indirect requests. A platform aided mechanism may be added in the future, but it is not in the plans for now.
So regardless, for a cross-device flow, it would be very hard to force connectivity for consumers.
For enterprise we do have the Authorizing party, which forces connection to a network, not necessarily the internet. This 3rd party would provide some key material to both providers and enforce policy on exchanges. This is a flow that is possible in the enterprise case, but harder to employ in the consumer use cases.