by euroclydon
1877 days ago
Nice overview of the crypto.subtle APIs, but I'm not sure about some of the use cases.

> Multi-factor Authentication
>
> Sometimes, hackers can steal users’ passwords. So, even if these passwords are hashed or encrypted in the database, it can’t stop them from accessing a user’s account. To make sure that someone who’s accessing an account is the true owner, applications allow multi-factor authentication.
>
> Rather than using transport-layer authentication, such as TLS client certificates, application can use suitable client keys which may have been previously generated via the user agent like multifactor tokens.

I could not follow this part. With FIDO, you should have a Trusted Platform Module or Hardware Security Key to store the secret key, but I'm not sure what is being suggested here.

In the section on "How to deal with man in the middle attacks", there is no mention of TLS 1.3, which would be the #1 thing on my list.

I agree with others here that JS crypto is shaky because you still need to trust the server not to give you compromised JavaScript. TLS and the Same Origin Policy are designed to sort of bridge the security boundary of the server up into your browser page. In this scenario, just offload the crypto to the server.