- From: Nick Mooney via GitHub <sysbot+gh@w3.org>
- Date: Fri, 12 Jul 2019 20:51:33 +0000
- To: public-webauthn@w3.org
I'm definitely curious to hear if folks feel that proximity _is_ a factor that provides phishing resistance properties. I've heard that reasoning more than once, but I'm not sure I understand the claim. The architecture @emlun describes above is definitely vulnerable to phishing. I would assume that, in the case of a network-based transport, the WebAuthn client would still be required to do the domain checking that it does with the other transports. In my mind the browser would still act as the client in such a case, rather than push notifications being triggered by the RP. Concerns about phishing can be mitigated by some sort of channel binding between the browser and the authenticator, or by placing trust in the cloud service that manages the push notifications. Both approaches have their own advantages and drawbacks.

--
GitHub Notification of comment by nickmooney
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1257#issuecomment-511029323 using your GitHub account
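The "domain checking" the comment refers to is the WebAuthn client's RP ID check plus the origin the client records in clientDataJSON, which the relying party verifies regardless of which transport carried the request. The following Python model is an added example, not code from the thread, from the WebAuthn specification or from any browser; the RP ID `example.com`, the origins, the look-alike host `example.com.evil.test` and the HMAC key standing in for the credential's asymmetric key pair are all constructed for illustration. It shows both layers: the client refusing an RP ID that is not valid for the page origin, and the RP rejecting an assertion whose clientDataJSON names a foreign origin even when a client skips its own check.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# All values below are constructed for this example; none come from the thread.
RP_ID = "example.com"
RP_ORIGINS = {"https://example.com", "https://login.example.com"}
# Stand-in for the credential key pair: a per-credential HMAC key known to the
# toy authenticator and the RP. A real credential uses an asymmetric signature;
# the structure of the checks is the same.
CREDENTIAL_KEY = secrets.token_bytes(32)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """Client-side check: the RP ID must equal the origin's effective domain or
    be a registrable domain suffix of it. Simplified: a real client consults the
    Public Suffix List; here single-label RP IDs such as 'com' are refused."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or "." not in rp_id:
        return False
    host = (parts.hostname or "").lower()
    return host == rp_id or host.endswith("." + rp_id)


def authenticator_sign(rp_id: str, client_data: bytes) -> dict:
    """Toy authenticator: authenticatorData starts with SHA-256(rpId) followed
    by a flags byte (UP set) and a sign counter; the signature covers
    authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = sha256(rp_id.encode()) + bytes([0x01]) + (0).to_bytes(4, "big")
    signature = hmac.new(CREDENTIAL_KEY, auth_data + sha256(client_data), "sha256").digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def client_collect_assertion(origin: str, challenge: str, rp_id: str,
                             check_rp_id: bool = True) -> Optional[dict]:
    """The WebAuthn client (browser): validates the RP ID against the calling
    origin, records that origin in clientDataJSON, then forwards the request to
    the authenticator over whatever transport is in use (USB, NFC, network...)."""
    if check_rp_id and not rp_id_valid_for_origin(rp_id, origin):
        return None
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    return authenticator_sign(rp_id, client_data)


def rp_verify(assertion: dict, expected_challenge: str) -> Tuple[bool, str]:
    """Relying-party verification of an assertion; transport-independent."""
    try:
        cd = json.loads(assertion["client_data"])
    except (KeyError, ValueError):
        return False, "clientDataJSON unparseable"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") not in RP_ORIGINS:
        return False, "origin %r not allowed" % cd.get("origin")
    auth_data = assertion["auth_data"]
    if auth_data[:32] != sha256(RP_ID.encode()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(CREDENTIAL_KEY, auth_data + sha256(assertion["client_data"]), "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def simulate_login(origin: str, check_rp_id: bool = True) -> Tuple[bool, str]:
    """One authentication ceremony started from a page at the given origin."""
    challenge = secrets.token_urlsafe(32)
    assertion = client_collect_assertion(origin, challenge, RP_ID, check_rp_id)
    if assertion is None:
        return False, "client refused: RP ID %r is not valid for origin %r" % (RP_ID, origin)
    return rp_verify(assertion, challenge)


if __name__ == "__main__":
    print(simulate_login("https://login.example.com"))
    print(simulate_login("https://example.com.evil.test"))
    print(simulate_login("https://example.com.evil.test", check_rp_id=False))
```

The first call succeeds; the second is stopped by the client because `example.com` is not a registrable suffix of the look-alike host; the third models a client that does no RP ID check at all, and the RP still rejects it because the origin it recorded in clientDataJSON is not one the RP accepts. Neither check depends on the authenticator being physically near the client, which is the point the comment makes about network-based transports.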
Received on Friday, 12 July 2019 20:51:35 UTC