Re: [webauthn] Proposal for password-only authentication using ES256 (#2091) from Fredrik Tolf via GitHub on 2024-07-02 (public-webauthn@w3.org from July 2024)

From: Fredrik Tolf via GitHub <sysbot+gh@w3.org>
Date: Tue, 02 Jul 2024 19:56:57 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-2204275469-1719950215-sysbot+gh@w3.org>

>If a bad actor can present a phishing site with a dialog into which a user supplies their password
In my experience, most current WebAuthn user-agent implementations use a dialog that a site can't really spoof since it's partly outside the page viewport.

Sure, I guess a naïve user could be fooled into entering their password into a non-standard dialog, but having that distinction I would think makes a big difference, at least.

-- 
GitHub Notification of comment by dolda2000
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2091#issuecomment-2204275469 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 2 July 2024 19:56:58 UTC