Webauthn allows for software authenticators and there is nothing to stop you from transferring it complete with keys to someone else.
Also, what if the bank signs your ip-address and user-agent-header as part of their payload back to the RP?
That's like mission-impossible / hack into Langely level of effort to get into pornhub, no?
Also, what if the bank signs your ip-address and user-agent-header as part of their payload back to the RP?
That's like mission-impossible / hack into Langely level of effort to get into pornhub, no?