As @infu rightly pointed out, generating the identity fully in the browser, using the signatures as seed, is a security risk. A malicious app B could replay the same message to get the same identity to the access canister A and do foul stuff. Most Ethereum wallets provide some protection against this as signing a SIWE message from a domain other than the on you are currently visiting will produce a big red warning. But, relying on the wallets to provide 100% protection does not feel right.
Instead, for the ic-siwe library I will borrow some code from Internet Identity and allow canisters instead to create full signature delegations instead. More info 