@TechBrandon@SeanWrightSec FIDO implements channel binding to try and try and protect session creds (so cookies etc) - the session cookie *should* be bound back the key so subsequent challenges can be sent. Not sure that all browsers support it though.