eudi-doc-architecture-and-reference-framework
Only Holder binding shall be considered
§ 6.6.3.7 & 6.6.3.8: We believe that device binding is not an adequate tool, as it is not realistic to get a high level of certification for devices such as smartphones. As mentioned in the text, it is necessary that the WSCD authenticates the user, so user binding is key to ensure that the obtained signature is done by the right user with the right WSCD. We do recognize that user binding can use a possession factor from the device.
However, the device binding term is probably used inadequately in the ARF as the description of it points to a form of a user/holder binding. Furthermore, the term user binding points to additional checks that can be performed by the RP to further assess the identity of the user.
We recommend removing the term device binding from the ARF and re-architecting it under the concept of holder binding.