by fmarier 4659 days ago
Yes, your best protection is a short-lived signature on the user's public key. That's up to the identity provider to decide.

On our internal Persona IdP (for mozilla.com and mozillafoundation.org email addresses), the signature is short-lived (a few minutes I think). The browser will therefore need to request a new signature very often. This can happen transparently as long as you still have a session with the IdP and that session can be invalidated server-side in case of a compromise (or a password change).
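A minimal model of the short-lived-signature scheme described in the comment above, as an added example (not Persona's or Mozilla's code): a toy IdP signs the user's public key with a short expiry, a relying party rejects expired or tampered certificates, and renewal only succeeds while the server-side session is still live. HMAC stands in for the asymmetric signature a real IdP uses; CERT_TTL, the email address and the key strings are constructed values.

```python
import hashlib, hmac, json, secrets

CERT_TTL = 300  # seconds; "a few minutes", constructed value for this example


class IdP:
    def __init__(self):
        # Stand-in for the IdP's private key. A real IdP signs asymmetrically so
        # relying parties verify with the public half; HMAC keeps this offline.
        self.signing_key = secrets.token_bytes(32)
        self.sessions = {}  # session_id -> email (server-side session table)

    def login(self, email):
        sid = secrets.token_hex(16)
        self.sessions[sid] = email
        return sid

    def invalidate_session(self, sid):
        # Server-side revocation after a password change or a compromise.
        self.sessions.pop(sid, None)

    def _sign(self, payload):
        msg = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self.signing_key, msg, hashlib.sha256).hexdigest()

    def issue_cert(self, sid, user_pubkey, now):
        """Sign the user's public key only while the session is still live."""
        email = self.sessions.get(sid)
        if email is None:
            return None  # session revoked or unknown: user must log in again
        payload = {"email": email, "pubkey": user_pubkey, "iat": now, "exp": now + CERT_TTL}
        return {"payload": payload, "sig": self._sign(payload)}

    def verify_cert(self, cert, now):
        """Relying-party check: signature intact and certificate unexpired."""
        if not hmac.compare_digest(self._sign(cert["payload"]), cert["sig"]):
            return False
        return cert["payload"]["iat"] <= now < cert["payload"]["exp"]


def demo():
    # Fresh cert accepted, expired cert rejected, revoked session cannot renew.
    idp = IdP()
    sid = idp.login("alice@example.com")  # constructed user
    cert = idp.issue_cert(sid, "user-public-key-placeholder", now=1000)
    fresh = idp.verify_cert(cert, now=1060)
    stale = idp.verify_cert(cert, now=1000 + CERT_TTL)
    idp.invalidate_session(sid)  # e.g. after a password change
    renewed = idp.issue_cert(sid, "user-public-key-placeholder", now=1100) is not None
    return fresh, stale, renewed  # -> (True, False, False)
```

Once the session is invalidated, the attacker's window is bounded by CERT_TTL: the stale certificate stops verifying and no new one can be obtained without re-authenticating.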