by valkum 3031 days ago
Hmm. I assumed U2F does not protect you from phishing. It just adds a second layer of protection to your account, protecting you from credential theft. The U2F anti-phishing stuff implemented by Chrome is just a neat little extra. Is this behaviour of checking the origin in the spec?
2 comments

Yes, preventing phishing by only sending credentials to the appropriate origins is a very important part of the spec: https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fid...
The supposed ability to tap the YubiKey button even on phishing sites and not actually give up working credentials was like the selling point.
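The origin binding discussed in this thread, seen from the relying party's side, as an added example that is not part of the original comments or of any project's code: the browser writes the page's origin into the client data, the token signs a hash of that client data, and the server rejects assertions whose origin it does not recognise. The appId, origins, challenge and function names are constructed for illustration, and ECDSA signature verification is left to a crypto library.

```python
import base64
import hashlib
import json
import struct

APP_ID = "https://login.example"             # constructed relying-party appId
ALLOWED_ORIGINS = {"https://login.example"}  # origins this RP accepts (assumed)

def websafe_b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """Client data as the browser writes it; the page cannot choose `origin`."""
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": websafe_b64(challenge),
                       "origin": origin}).encode()

def signature_base(client_data: bytes, user_presence: int, counter: int) -> bytes:
    """Bytes covered by the token's signature in a U2F authentication response."""
    app_param = hashlib.sha256(APP_ID.encode()).digest()
    challenge_param = hashlib.sha256(client_data).digest()
    return app_param + struct.pack(">BI", user_presence, counter) + challenge_param

def accept_assertion(client_data: bytes, issued_challenge: bytes,
                     user_presence: int, counter: int):
    """Return (True, signature_base) or (False, reason)."""
    cd = json.loads(client_data)
    if cd.get("typ") != "navigator.id.getAssertion":
        return False, "wrong typ"
    if cd.get("challenge") != websafe_b64(issued_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: %s" % cd.get("origin")
    if not user_presence & 0x01:
        return False, "user presence bit not set"
    # Remaining step (needs an ECDSA P-256 library): verify the token's
    # signature over these bytes with the public key stored at registration.
    return True, signature_base(client_data, user_presence, counter)

CHALLENGE = bytes(range(32))  # constructed; a real RP issues a fresh random one

if __name__ == "__main__":
    for origin in ("https://login.example", "https://login.example.evil.test"):
        ok, detail = accept_assertion(browser_client_data(origin, CHALLENGE),
                                      CHALLENGE, 0x01, 42)
        print(origin, "->", "accepted" if ok else "rejected: " + detail)
```

Because the client data is hashed into the signed bytes, rewriting the origin after the token has signed would invalidate the signature.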