We use Anchor desktop/mobile and ESR with the Hypha dapp (and others). We have a current process that enables the user to authenticate to additional resources (e.g. off-chain profile data store) after signing/submitting an action. The backend checks the chain and triangulates the session to grant access. The Anchor identity request that occurs does not submit an action.
Can we also use this identity request to authenticate the user to the additional resource? Is this part of UAL or ESR? Is it secure, meaning the client can fully trust that the identity request was signed via the user’s private key, or is it a non-cryptographic acknowledgement that “this is the account I want to use” (which would not be secure)?