
Devices

A device is a first-class hardware principal, on par with a user — the holder of a TPM/Secure-Enclave key.

  • DeviceIdentity — one row per physical authenticator, keyed by a globally unique CredentialId (the base64 credential id, 1:1 with UserCredential). This is the key-holder. Rows are never deleted; a device leaves service only through Status transitions, so the audit trail survives.
  • DeviceBinding — per-org trust. The same DeviceIdentity can be trusted by several orgs, one binding each, and every org-scoped operation keys on the binding rather than on the identity.
  • ConnectedId — the person's membership (Connected ID) that the device is acting for.

OwnerType = User (BYOD) or Organization (ASSET):

  • BYOD (OwnerUserId set) — the user controls the key. An org can only withdraw its own trust by revoking its DeviceBinding; it cannot revoke the key or change the DeviceIdentity status.
  • ASSET (OwnerOrgId set) — the owning org controls the key, can transition the DeviceIdentity status itself, and can bulk-revoke its fleet.

Assurance axes (measured at enrollment, not policy)


IsHardwareBacked (TPM/SE), UserVerified (biometric/PIN), BackupEligible (key is syncable; false means device-bound), plus Aaguid and SecurityLevel. These are facts observed at enrollment, not policy that can be edited later. They are tamper-protected via IContentHashable: ContentHash is computed over the fields returned by GetHashableFields, so a later change to any of them no longer matches the stored hash.

The current device is identified by the session's device_id claim, which equals the credentialId. Status changes and deletes enforce anti-lockout so an operator cannot cut off the device they are signed in with; see the Devices reference for the exact rules.
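The following is an added illustrative model of the concepts on this page, not the project's own code. It shows a DeviceIdentity whose enrollment-measured assurance fields are covered by a content hash (so editing IsHardwareBacked after enrollment is detectable while Status stays mutable), a DeviceBinding for per-org trust, and an org revoke that honours the BYOD/ASSET split. The hash algorithm (SHA-256 over canonical JSON), the string type of SecurityLevel, and the shape of the anti-lockout rule (refuse to revoke the session's own device_id) are assumptions; the page only names the concepts.

```python
# Added example (not the project's code). Hash algorithm, field encoding and
# the exact anti-lockout rule are assumptions; the page only names the concepts.
import hashlib
import hmac
import json
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class OwnerType(Enum):
    USER = "User"                  # BYOD: the user controls the key
    ORGANIZATION = "Organization"  # ASSET: the org controls the key


class DeviceStatus(Enum):
    ACTIVE = "Active"
    REVOKED = "Revoked"            # rows are never deleted, only transitioned


@dataclass
class DeviceIdentity:
    credential_id: str             # base64 credential id, 1:1 with the credential
    owner_type: OwnerType
    owner_user_id: Optional[str] = None
    owner_org_id: Optional[str] = None
    # Assurance axes, measured once at enrollment
    is_hardware_backed: bool = False
    user_verified: bool = False
    backup_eligible: bool = False  # False = device-bound key
    aaguid: str = ""
    security_level: str = ""       # assumed to be a string label
    status: DeviceStatus = DeviceStatus.ACTIVE
    content_hash: str = ""

    def get_hashable_fields(self) -> dict:
        # Only the enrollment-time assurance fields are covered. Status is
        # mutable by design and is deliberately left out of the hash.
        return {
            "CredentialId": self.credential_id,
            "IsHardwareBacked": self.is_hardware_backed,
            "UserVerified": self.user_verified,
            "BackupEligible": self.backup_eligible,
            "Aaguid": self.aaguid,
            "SecurityLevel": self.security_level,
        }

    def compute_content_hash(self) -> str:
        # Canonical JSON so key order and whitespace cannot change the digest.
        canonical = json.dumps(self.get_hashable_fields(), sort_keys=True,
                               separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def seal(self) -> None:
        self.content_hash = self.compute_content_hash()

    def verify(self) -> bool:
        # Constant-time compare; False if any covered field was altered.
        return hmac.compare_digest(self.content_hash, self.compute_content_hash())


@dataclass
class DeviceBinding:
    credential_id: str
    org_id: str
    trusted: bool = True


def org_revoke(identity: DeviceIdentity, binding: DeviceBinding,
               acting_org_id: str, session_device_id: str) -> str:
    """Org-scoped revoke. Returns what was actually revoked."""
    if binding.org_id != acting_org_id or binding.credential_id != identity.credential_id:
        raise PermissionError("binding does not belong to this org and device")
    # Assumed anti-lockout rule: the device behind the session's device_id
    # claim (== credentialId) cannot revoke itself.
    if identity.credential_id == session_device_id:
        raise ValueError("anti-lockout: cannot revoke the current device")
    binding.trusted = False
    if identity.owner_type is OwnerType.ORGANIZATION and identity.owner_org_id == acting_org_id:
        identity.status = DeviceStatus.REVOKED   # ASSET: org owns the key
        return "key revoked"
    return "binding revoked"                      # BYOD: trust withdrawn, key lives on


def org_bulk_revoke(identities: list, org_id: str) -> int:
    """ASSET-only bulk revoke: touches just the identities this org owns."""
    count = 0
    for ident in identities:
        if ident.owner_type is OwnerType.ORGANIZATION and ident.owner_org_id == org_id:
            if ident.status is not DeviceStatus.REVOKED:
                ident.status = DeviceStatus.REVOKED
                count += 1
    return count
```

A practitioner caveat: an unkeyed ContentHash stored in the same row only detects modifications made without recomputing the hash. Against an attacker who can write the row, it must be keyed (an HMAC under a key the database cannot read) or stored where that attacker cannot also update it.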