08-08-2024 08:08 AM
Hi!
I use a FIDO2 token to secure my accounts (NitroKey), and on some sites it'll prompt for the device PIN. Unfortunately, this dialog appears to be really generic, in the sense that it might be easily faked by some JavaScript code or something of the sort. This feels like it could be a bit of a security vulnerability, or at least make it easier for attackers to trick people into handing over their token PINs.
My suggestion is to add some sort of icon that can't be triggered using JavaScript - maybe a key icon or something?
I've attached an image of what the dialog looks like for me - maybe it's a bit different on different platforms but this is what I get on all of my Linux computers.
08-23-2024 11:25 AM
On Ubuntu 23.04 the appearance looks same, this is definitely easy to spoof. Chrome has a nice UI to prompt for PIN, it doesn't have to look good, just needs to look distinguishable. Practically I don't find it okay to use keys on firefox for now.
08-23-2024 11:40 AM - edited 08-23-2024 11:43 AM
11-11-2024 09:00 AM
On Windows it could use the Windows Security window.