Most browsers support client certificates for mutual TLS authentication. But what is really being authenticated here: the end user, their device, or both? One way to find out is to check where browsers look for client certificates. While Firefox manages its own certificate store, Chrome, Edge and Internet Explorer defer certificate management to Windows. Windows has two types of certificate stores that are relevant in this context, the local machine store and the current user store: The curr...