[hn_throwaway_99]

> Given that there's no namespacing of the signed messages, users can be easily phished into providing a response to a challenge posed by a different web site

This is key. The whole benefit of hardware token-based authentication is that it is resistant against phishing (because SMS 2-factor and TOTP, e.g. Google Authenticator, are NOT phishing resistant).

So this approach is more complicated than those other 2 2FA approaches but with no additional security benefit.

[md_]

As the other commenter said, this has nothing to do with hardware tokens. This has to do with the user agent (the browser) passing the (browser-verified) origin to the authenticator (which can be hardware or software). But, critically, the signatures are also origin-scoped—the message that your user-agent correctly passes to google.com cannot be used by google to sign into microsoft.com.

What’s broken here is not that user agents are or aren’t validating the origin (or relying party)—it’s that the same key+challenge is used for every origin. (As a result, there’s nothing for the user agent to validate, because the same signature is used for all origins!)

It’s like using the same password for every website you log into. As severe understatement, this is a very, very bad protocol design, and nobody should use it.

[gruez]

>The whole benefit of hardware token-based authentication [...]

Technically it's not something limited to hardware tokens. You can conceivably do something similar with username/password authentication, as long as the credentials are sent to the browser and not the site.