Is this not easily patched by the provider encrypting and signing the whole payload? I would have thought that would be table stakes for an identity provider.

▲

arcologies1985 7 hours ago | parent [-]

The identity provider is on-device and has to run on phones which don't do hardware attestation.

	▲	idontwantthis 6 hours ago \| parent [-]
		That’s only for selfies. If they use and id I’m pretty sure it is getting sent to a k-id server.