Hacker News new | ask | show | jobs
by RaisingSpear 808 days ago
> That's why I qualified it with "certificate-based". The private key never leaves the device

Except that phishing doesn't require the private key - it just needs to echo back the generated token. And even if that isn't possible, what stops it obtaining the session token that's sent back?
2 comments
smw 808 days ago
Doesn't work for FIDO-based tokens, they auth the site as well, so won't send anything to phishing site.
link
RaisingSpear 807 days ago
From my understanding, FIDO isn't MFA though (the authenticator may present its own local challenge, but I don't think the remote party can mandate it).

There's also the issue of how many sites actually use it, as well as how it handles the loss of or inability to access private keys etc. I generally see stuff like 'recovery keys' being a solution, but now you're just back to a password, just with extra steps.

link
mr_mitm 808 days ago
The phisher will not receive a valid token, though, because you sign something that contains the domain you are authenticating to.
link
RaisingSpear 808 days ago
The phisher can just pass on whatever you sign, and capture the token the server sends back.

Sure, you can probably come up with some non-HTTPS scheme that can address this, but I don't see any site actually doing this, so you're back to the unrealistic scenario.

link
mr_mitm 808 days ago
No, because the phisher will get a token that is designated for, say, mircos0ft.com which microsoft.com will not accept. It is signed with the user's private key and the attacker cannot forge a signature without it.
link
account42 803 days ago
A password manager is also not going to fill in the password on mircos0ft.com so is perfectly safe in this scenario. You need a MitM-style attack or a full on client compromise in both cases, which are vulnerable to session cookie exfiltration or just remote control of your session no matter the authentication method.
link
RaisingSpear 807 days ago
I think we're talking past each other a bit here.

If I were trying to phish someone, I wouldn't attack the public key crypto part, so how domains come into play during authentication doesn't matter. I'd just grab the "unencrypted" session token at the end of the exchange.

Even if you somehow protected the session token (sounds dubious), there's still plenty a phisher could do, since it has full MITM capability.

link