The authoritative credential my users have is a smart card. I have an X509 flow set up to allow them to authenticate successfully.
I would like to enable my users to be able to enrol webauthn factors for increased convenience, but not without proof of possession of their smart card; they should not be able to use a webauthn factor to enrol more webauthn factors, but they should be allowed to enrol webauthn factors if they have authenticated via X509.
If you’re familiar with the concept of PIV derived credentials in the U.S. federal government space, I’m trying to achieve effectively the same thing.
The easiest way to achieve this seems to be by allowing access to account-console only for users with an ACR/LoA that reflects they authenticated via X509, but that doesn’t seem possible at the moment. Are there any other ways to achieve what I’m attempting here?
(I originally hijacked another thread with this issue, but it probably deserves its own discussion.)