by juliusmusseau
2499 days ago
Suppose the key allows mysite.com to let you see your emails, send more emails, and send money to people, etc. Basically mysite.com lets you see and do interesting things after you've authed. Even if evil.com gets you to register and present your key, they cannot forward it to mysite.com. Even if they go to all the trouble to completely mitm you and the site looks identical to mysite.com, they cannot get the emails or get it to send money. This is because evil.com cannot pretend to be you when they interact with mysite.com no matter what you've given them. It's going to be hard to trick me into thinking I've logged into my gmail if none of my emails are there! Unless they somehow convince you to put your yubikey in the mail and physically send it to them...
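The origin binding the comment above relies on, as an added toy model (not the poster's code): the browser scopes each credential to the site's rpId and records the page origin in the signed client data, so mysite.com can reject an assertion that evil.com relays. HMAC with a per-site secret stands in for the real per-site key pair and signature; the site names are the ones from the comment.

```python
import hashlib
import hmac
import json
import secrets

# Added illustration: toy model of origin-bound, FIDO/WebAuthn-style keys (HMAC stands in for the key pair).
RP_ID, RP_ORIGIN = "mysite.com", "https://mysite.com"

class SecurityKey:
    """One credential per relying-party id: a key enrolled at evil.com never signs for mysite.com."""
    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # the site stores this (stand-in for the public key)

    def sign(self, rp_id, client_data):
        # authenticatorData begins with sha256(rpId); the browser, not the site, supplies rpId
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"
        msg = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self._creds[rp_id], msg, hashlib.sha256).digest()

def client_data(challenge, origin):
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()

def verify(expected_challenge, stored_cred, cd_bytes, auth_data, sig):
    """mysite.com checks the challenge, the origin, the rpIdHash and finally the signature."""
    cd = json.loads(cd_bytes)
    if cd.get("challenge") != expected_challenge:
        return "bad challenge"
    if cd.get("origin") != RP_ORIGIN:
        return "bad origin"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "bad rpIdHash"
    msg = auth_data + hashlib.sha256(cd_bytes).digest()
    expected = hmac.new(stored_cred, msg, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, sig) else "bad signature"

def scenario():
    key = SecurityKey()
    mysite_cred = key.register(RP_ID)   # user enrolled the key at mysite.com
    key.register("evil.com")            # ...and was also tricked into enrolling it at evil.com
    challenge = secrets.token_hex(16)   # issued by mysite.com
    cd_good = client_data(challenge, RP_ORIGIN)
    good = verify(challenge, mysite_cred, cd_good, *key.sign(RP_ID, cd_good))
    cd_evil = client_data(challenge, "https://evil.com")   # evil.com relays the challenge
    relayed = verify(challenge, mysite_cred, cd_evil, *key.sign("evil.com", cd_evil))
    forged = verify(challenge, mysite_cred, cd_good, *key.sign("evil.com", cd_good))
    return good, relayed, forged   # ("ok", "bad origin", "bad rpIdHash")
```

The third case shows that rewriting the origin string in the client data does not help the relay either, because the rpIdHash the authenticator signed still names evil.com.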
I'd just be careful about overly relying on this property or calling it anything like mutual authentication:
If an attacker can make an educated guess about a user's account contents, they could still convince them to provide additional personal information once they let their guard down after authenticating.