by danjoc
2886 days ago
>But we're implementing the W3C Web Authentication (webauthn) spec and you can already use it in Chrome in place of U2F. How are users going to differentiate between a webauthn permission request and a webusb permission request? The latter can be used for phishing attacks, which appears to defeat the entire purpose of having a U2F key. https://www.wired.com/story/chrome-yubikey-phishing-webusb/
However, it remains the case that if the user downloads and runs exes, or otherwise grants the attacker direct access to the Security Key, then they can ask it to sign an authentication request for a given website. Such an attacker could also compromise the browser and wait for the user to log in themselves, etc.