Re: [webauthn] Add support for SRP (or some other PAKE) in WebAuthn (#1960)

> such a scheme would make phishing more difficult, since the password entry would need to happen via the browser's UI, which shouldn't be possible to impersonate by a malicious site.

This would only be true on the honest site, though. There would be nothing stopping an imposter site from showing a plain password entry form on the page instead of invoking the WebAuthn API. This would likely be enough to trick most people, since the difference is rather subtle - especially if the website tries hard to mimic the browser UI the victim is used to. Then the imposter can perform the client side of the OPAQUE protocol, for example, to authenticate as the victim to the real server.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1960#issuecomment-1713622989 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 11 September 2023 10:39:11 UTC
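The attack path described in the comment above, as an added example that is not part of the original thread or of the WebAuthn specification: a toy SRP-6a exchange (SRP rather than OPAQUE, since that is what the issue title asks for) in which the honest server stores only a salt and verifier, the honest client runs the protocol with the password the browser collected, and an impostor site, having collected the same password through an ordinary HTML form instead of the browser's UI, runs the identical client code against the real server. Everything here is constructed for illustration: the `Server`, `client_login` and `demo` names are my own, the group is a 73-bit safe prime found at import time instead of a real RFC 5054 group, and the proof messages are shortened to H(A, B, K) and H(A, M1, K); nothing below is code from the WebAuthn project or from anyone in the thread.

```python
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_prime(n):
    """Deterministic Miller-Rabin: these 12 bases are exact for every n < 3e23."""
    if n < 2 or any(n % p == 0 for p in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime_above(lo):
    q = lo // 2 + 1  # smallest safe prime 2q+1 with q > lo//2; deterministic, so N is fixed
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1

# Toy group (assumption for this demo): a 73-bit safe prime. Real SRP uses the
# 2048-bit and larger RFC 5054 groups; the small one only keeps this demo fast.
N, g = _safe_prime_above(1 << 72), 2

def H(*parts):
    """Hash ints, bytes or str into one integer: a toy stand-in for SRP's H()."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g) % N  # SRP-6a multiplier
def private_key(username, password, salt):
    return H(salt, H(f"{username}:{password}"))  # x, computed only on the client side

class Server:
    """Honest relying party: stores (salt, verifier), never the password, and
    cannot tell which software is running the client side of the exchange."""
    def __init__(self):
        self.users, self.sessions = {}, {}

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, pow(g, private_key(username, password, salt), N))

    def start(self, username, A):
        if A % N == 0:  # SRP aborts on a degenerate client value
            raise ValueError("bad A")
        salt, v = self.users[username]
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        u = H(A, B)
        S = pow(A * pow(v, u, N), b, N)
        self.sessions[username] = (A, B, H(S))
        return salt, B

    def finish(self, username, M1):
        A, B, K = self.sessions.pop(username)  # answer with M2 only if the client's proof is right
        return H(A, M1, K) if M1 == H(A, B, K) else None

def client_login(server, username, password):
    """Client side of SRP-6a (proofs simplified to H(A,B,K) and H(A,M1,K))."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    salt, B = server.start(username, A)
    if B == 0:
        raise ValueError("bad B")
    u = H(A, B)
    x = private_key(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = H(S)
    M1 = H(A, B, K)
    M2 = server.finish(username, M1)
    return M2 is not None and M2 == H(A, M1, K)

def demo():
    """Honest browser UI versus an impostor that harvested the password from a plain form."""
    server = Server()
    server.register("alice", "correct horse battery staple")  # constructed sample account
    # Honest site: the browser's own UI collected the password and ran the client.
    honest = client_login(server, "alice", "correct horse battery staple")
    # Impostor site: it showed an ordinary password form instead of invoking the API,
    # then runs the very same client code with the harvested string; the server sees nothing unusual.
    harvested = "correct horse battery staple"  # what the victim typed into the fake form
    impostor = client_login(server, "alice", harvested)
    wrong = client_login(server, "alice", "wrong password")  # the protocol itself is sound
    return {"honest": honest, "impostor": impostor, "wrong_password": wrong}
```

`demo()` returns `honest` and `impostor` both true and `wrong_password` false: the server's check depends only on knowledge of the password, so nothing in the exchange tells it whether the client side was driven by the browser's trusted UI or by the impostor's page, which is the gap the comment points out. The safe-prime search is deterministic, so `N` is the same on every run; it exists only to avoid a fabricated constant and has no bearing on the argument.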