7

While going through the FIDO specifications, I came across this:

"the server (providing web app/services) needs to trust the user agent for local FIDO authentication and, if needed, can enforce certain policies"

I am not sure what that translates into.

How is the trust established? Aren't there any side effects now that authentication is performed locally at the user rather than, as traditionally, on the server side?

Philipp
tech_geek

1 Answer

2

FIDO servers connect to the authenticator metadata service, which has a "score" for each authenticator. The policy can be the type of the authenticator and the features the authenticator allows to be performed. To make things simple, a server can decide that transactions up to $100 will be permitted with a 4-digit PIN authenticator, and that for bigger transactions a fingerprint sensor is required. The server still verifies the client, but instead of verifying its password it verifies a cryptographic signature which the client generates after the device verifies the user's identity.

YuvalJ
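The answer above describes the server checking a signature that the authenticator produces after verifying the user locally, and a per-transaction policy on top of it. What follows is an added example of my own, not code from the answer, from the FIDO specifications or from any FIDO server product. It walks the WebAuthn assertion format in Go: the authenticator signs SHA-256(authenticatorData || SHA-256(clientDataJSON)), and the server checks the challenge and origin binding, the RP ID hash, the user-presence (UP) and user-verification (UV) flags, the signature and the signature counter before applying a policy like the one in the answer. The relying party `bank.example`, the fixed challenge string, the $100 threshold and the `RunTransaction` and `newCredential` helpers are constructed for this example; the metadata-service lookup is not modelled, and the server is assumed to have already accepted this authenticator type at registration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// WebAuthn authenticator-data flag bits.
const (
	FlagUP byte = 0x01 // user present: the device was touched/activated
	FlagUV byte = 0x04 // user verified on the device: PIN, fingerprint, ...
)

// Credential is what the server kept from registration.
type Credential struct {
	PubKey    *ecdsa.PublicKey
	SignCount uint32 // last signature counter accepted
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// newCredential stands in for registration: a P-256 key pair generated on the authenticator (constructed helper).
func newCredential() (*ecdsa.PrivateKey, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, &Credential{PubKey: &priv.PublicKey}, nil
}

// authenticatorData is rpIdHash || flags || signCount (37 bytes).
func authenticatorData(rpID string, flags byte, count uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	buf := make([]byte, 4)
	binary.BigEndian.PutUint32(buf, count)
	return append(append(h[:], flags), buf...)
}

// assertionDigest is what the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func assertionDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// VerifyAssertion is the server side. It never sees the PIN or fingerprint, only the
// signature and the flags the authenticator asserts; amounts above uvThreshold need UV.
func VerifyAssertion(cred *Credential, rpID, origin, challenge string,
	clientDataJSON, authData, sig []byte, amount, uvThreshold int) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return fmt.Errorf("bad clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != origin {
		return errors.New("clientData type/challenge/origin mismatch")
	}
	if h := sha256.Sum256([]byte(rpID)); len(authData) < 37 || string(authData[:32]) != string(h[:]) {
		return errors.New("authenticator data malformed or rpIdHash mismatch")
	}
	flags := authData[32]
	if flags&FlagUP == 0 {
		return errors.New("user presence flag not set")
	}
	if !ecdsa.VerifyASN1(cred.PubKey, assertionDigest(authData, clientDataJSON), sig) {
		return errors.New("signature invalid")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if count != 0 && count <= cred.SignCount { // counter must increase (clone detection)
		return errors.New("signature counter did not increase")
	}
	if amount > uvThreshold && flags&FlagUV == 0 {
		return fmt.Errorf("amount %d exceeds %d: user verification required", amount, uvThreshold)
	}
	cred.SignCount = count
	return nil
}

// RunTransaction plays one round trip (constructed helper): the local user check is
// represented only by the flags the authenticator sets; the $100 UV threshold is made up.
func RunTransaction(priv *ecdsa.PrivateKey, cred *Credential, flags byte, count uint32, amount int) error {
	const rpID, origin, challenge = "bank.example", "https://bank.example", "Y29uc3RydWN0ZWQ" // constructed
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	authData := authenticatorData(rpID, flags, count)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, assertionDigest(authData, cdJSON)) // authenticator signs
	return VerifyAssertion(cred, rpID, origin, challenge, cdJSON, authData, sig, amount, 100)
}

func main() {
	priv, cred, _ := newCredential()
	fmt.Println("$50, touch only   :", RunTransaction(priv, cred, FlagUP, 1, 50))
	fmt.Println("$500, touch only  :", RunTransaction(priv, cred, FlagUP, 2, 500))
	fmt.Println("$500, fingerprint :", RunTransaction(priv, cred, FlagUP|FlagUV, 3, 500))
	fmt.Println("counter replayed  :", RunTransaction(priv, cred, FlagUP|FlagUV, 3, 10))
}
```

Running it shows the same assertion format accepted for a small amount from a touch-only authenticator, rejected for a large amount until the UV flag is present, and rejected again when the counter does not increase. The side effect the question asks about is visible here: the server never learns whether the PIN or fingerprint was correct, only that an authenticator holding the private key asserts UV, which is why the server has to decide which authenticators it trusts to set that bit.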