[dinosaurdynasty]

I wonder if having the user copy-paste the token could work?

[Thorrez]

Copy and paste means a user can be phished. The user can copy and paste it to an attacker.

[dinosaurdynasty]

The token could be made only usable by the cli process that asked for it (should be really).

[Thorrez]

Yes, but that doesn't stop this attack.

1. Attacker runs the cli process to generate the URL

2. Attacker sends the URL to the victim saying "as a second factor verification, you need to copy this code into this form"

3. Victim does it

4. Attacker enters the code into the original cli process

[seanhunter]

As long as noone compromised their clipboard using malware etc. Which is a vector that seems quite common in spearphishing at least anecdotally.

[dinosaurdynasty]

Wouldn't they already be pwned in that case?

[seanhunter]

Their machine would be pwned, but their 2nd factor would not be compromised if they used something like a yubikey, so the attacker couldn't use the compromised host to SSO to other systems and enlarge their compromise. That's why yubikey requires that you touch it - an attacker can't just remotely trigger it even if they totally own the host the yubikey is plugged into.

That's the point of TFA - unphishable second factors and ways to make them phishable. I'm saying that using the clipboard would be a bad idea in this case.

[dinosaurdynasty]

If the machine is pwned, it seems like it wouldn't be super hard to get the user to touch the yubikey.