[Ajedi32]

Huh? What are you even talking about? This comment makes no sense to me in the context of what jon-wood said.

> the URL is not included in the hash

What hash? Nobody even mentioned a hash. The crypto keys used for U2F are indeed domain-specific, if that's what you're trying to ask.

> It could be by having those two talk to each other.

Who's "those two"? And what's "it"? I'm very confused.

[wopwopwop]

> What hash? Nobody even mentioned a hash.

I mentioned a hash. The secret is hashed together with the time. _That_ hash.

> The crypto keys used for U2F are indeed domain-specific, if that's what you're trying to ask.

I know the secret is domain-specific. What I was describing is taking the secret, and the time AND THE DOMAIN and use them to produce the hash. This would break MITM. One of the comments above me mentioned this and I run with it. But you're talking to me like you didn't read anything above....

> Who's "those two"?

Those two are the yubikey and the browser.

[Ajedi32]

> I mentioned a hash.

I think you're confused. You have not mentioned the word "hash" even once in this thread prior to the previous comment I replied to.

Anyway, I think you're confusing U2F with TOTP. U2F does not rely on the time at all AFAIK; it uses public key cryptography, and authenticates by signing a data structure containing the domain name of the site and a server-provided nonce (among other things).

> What I was describing is taking the secret, and the time AND THE DOMAIN and use them to produce the hash.

I think there's still some sort of disconnect here, because up until this this comment you've described nothing of the sort in this thread. Could you link the comment you're referring to where you explained all this?

> One of the comments above me mentioned this and I run with it.

If you're referring to acdha's comment about U2F, as acdha and others in this thread have explained, U2F (aka Universal 2nd Factor) is an entirely different protocol from TOTP (aka Time-based One Time Password). U2F does not use hashing or the system time in the way you seem to be envisioning, but it is also not vulnerable to phishing like TOTP is.

U2F interfaces with your browser, and uses a set of public and private keys (that is stored on the U2F device, not in your browser) to authenticate to sites in a way which can't be phished. It's not theoretical; it exists and can be used today with many popular sites, including Google, GitHub, Dropbox, and more. You just need a USB device which supports U2F (YubiKey is one, but there are many others).

[acdha]

I think most of us are having trouble understanding exactly the question which you're trying to ask – could you try to state it clearly and precisely?