
That would be useless, as the key could just be passed through.



What do you mean "passed through"? You can't just steal a key and replay it whenever you want. (Unless you physically steal the key)


But you can trick Bob into entering his credentials + using his security key on corp.bank.co.m and then use those credentials + security key interaction to log into corp.bank.com IF the security key interaction is domain agnostic (like you can do with the 2FA codes you get on your phone - if you can trick Bob into entering his password you can trick corp.bank.com into sending Bob a 2FA code which he will also give you).


U2F key interaction is not domain agnostic. That's why it's so good against phishing--it can't be collected by a fake domain to pass through to the real one.


The key requires physical feedback: the user needs to push the button when prompted by the software, and that button push will only authorize a single authentication.
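The origin binding and one-press-per-assertion behaviour described in the two comments above, as an added example that is not from the thread or any U2F implementation. It models a U2F-style key with the stdlib only: HMAC under a per-app secret stands in for the real device's per-registration ECDSA P-256 key, the browser (not the page) fills in the origin, and the relying party at corp.bank.com checks origin, signature and counter. The origins and challenge strings are constructed.

```python
import hashlib
import hmac
import json
import secrets

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class SecurityKey:
    # Toy U2F-style token: HMAC under a per-app secret stands in for the
    # per-registration ECDSA P-256 key a real device would use.
    def __init__(self):
        self._seed = secrets.token_bytes(32)
        self.counter = 0  # bumped on every button press; the RP rejects stale values
    def register(self, app_id: str) -> bytes:
        # Per-app key; giving it to the RP models giving the RP the public key.
        return hmac.new(self._seed, app_id.encode(), hashlib.sha256).digest()
    def sign(self, app_id: str, client_data: bytes) -> tuple:
        # One press -> one assertion over hash(app_id) || counter || hash(client_data).
        self.counter += 1
        msg = sha256(app_id.encode()) + self.counter.to_bytes(4, "big") + sha256(client_data)
        return self.counter, hmac.new(self.register(app_id), msg, hashlib.sha256).digest()

class RelyingParty:
    def __init__(self, origin: str, pubkey: bytes):
        self.origin, self.pubkey, self.last_counter = origin, pubkey, 0
    def verify(self, client_data: bytes, counter: int, sig: bytes) -> bool:
        if json.loads(client_data).get("origin") != self.origin:
            return False  # assertion was produced for some other site
        msg = sha256(self.origin.encode()) + counter.to_bytes(4, "big") + sha256(client_data)
        if not hmac.compare_digest(hmac.new(self.pubkey, msg, hashlib.sha256).digest(), sig):
            return False  # signature covers a different app_id or client_data
        if counter <= self.last_counter:
            return False  # the same button press presented a second time
        self.last_counter = counter
        return True

def browser_sign(key: SecurityKey, page_origin: str, challenge: str) -> tuple:
    # The browser, not the page, fills in origin and app_id from the real page origin.
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
    return (client_data,) + key.sign(page_origin, client_data)

def run_scenarios() -> dict:
    key = SecurityKey()
    bank = RelyingParty("https://corp.bank.com", key.register("https://corp.bank.com"))
    legit = browser_sign(key, "https://corp.bank.com", "chal-1")
    phished = browser_sign(key, "https://corp.bank.co.m", "chal-2")  # relayed bank challenge
    # Forwarder rewrites the origin field but cannot re-sign the changed client_data.
    edited = (json.dumps({"challenge": "chal-2", "origin": "https://corp.bank.com"}).encode(),) + phished[1:]
    return {"legit": bank.verify(*legit), "replay": bank.verify(*legit),
            "relayed": bank.verify(*phished), "origin_edited": bank.verify(*edited)}
```

Only the assertion made on the genuine origin verifies; the relayed one fails the origin check, the origin-edited copy fails the signature check, and presenting the genuine one twice fails the counter check.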





