Security Summary
The public reference content emphasizes a few security properties.
Key Points
- BST values are backend-issued and signed
- BRT values are verified on the backend
- replay protection prevents reuse
- enrolled-user binding should be handled server-side
- the browser should never become the source of truth for result validity
Operational Rule
Use the browser to collect the result, not to authorize the action.
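
The backend-side decision described above, as an added example that is not the product's own code. The page does not specify the BST/BRT formats, so the token layout (JSON payload plus HMAC-SHA256 tag), the field names, the key and the in-memory replay set are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: backend-only secret, never sent to the browser
_seen_nonces = set()                  # assumption: stands in for a shared store with expiry


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_token(user_id, nonce, ttl=60, now=None):
    """Backend issues a signed token bound to one enrolled user (hypothetical layout)."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user_id, "nonce": nonce, "exp": now + ttl},
                         sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def authorize(token, session_user, now=None):
    """Decide on the backend; the browser only relays the token it collected."""
    now = time.time() if now is None else now
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:  # wrong part count or invalid base64
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"      # payload was altered or not issued by the backend
    claims = json.loads(payload)
    if claims["exp"] < now:
        return False, "expired"
    if claims["sub"] != session_user:
        return False, "user mismatch"      # enrolled-user binding, checked server-side
    if claims["nonce"] in _seen_nonces:
        return False, "replayed"           # single use: a second presentation is rejected
    _seen_nonces.add(claims["nonce"])
    return True, "ok"
```

The `session_user` argument must come from the server-side session, not from a field the browser submits alongside the token.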