Auth21 Perspective

A signing device ≠ a logged-in user

Cryptographic possession is a different layer from identity. Conflating the two creates a false sense of security for critical operations.

Possession protocols — like POAP — exist to answer: which device is operating now, with a registered key, after identity is already established. That complements OAuth; it does not replace it.

Further reading