
It would have to contain some piece of user information, like say your user account name and photo, that the app itself is never granted access to.

A security seal, defined by the user (a one-time operation). Yahoo used to have this, and so does my bank on its login page. It may be some text, a doodle or a picture.

Curiously, Wikipedia only seems to know about physical seals. Searching for "security seal login" yields some info.




RSA's implementation (used by BofA, among others) is called SiteKey: http://en.wikipedia.org/wiki/SiteKey

These never seemed very secure to me for the reason mentioned in that article:

The obvious flaw in the design is that a phishing site can get the correct SiteKey info from the genuine site, then serve it to the user, "proving" its legitimacy[1]. SiteKey is thus susceptible to a man-in-the-middle attack.

But at least it requires the attacker to connect to the website, which gives them the opportunity to block hosts that are known or suspected to be phishing users.
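A toy simulation of the point made above, added here as an example and not code from the thread or from RSA's product: a genuine site that hands back a user-chosen seal for a username, a phishing page that relays the username to the genuine site and shows the victim whatever comes back, and the one defence the comment mentions, the genuine site refusing seal lookups from a blocked relay host. The host addresses, usernames, seals and the "one host asks for many users' seals" detection heuristic are all constructed for the simulation.

```python
from dataclasses import dataclass, field

# Constructed sample data for the simulation (no real accounts or hosts).
SEALS = {"alice": "golden retriever", "bob": "red sailboat", "carol": "blue teapot"}
VICTIM_HOST = "198.51.100.9"   # RFC 5737 documentation addresses, not real hosts
PHISHER_HOST = "203.0.113.7"


@dataclass
class GenuineSite:
    """The real login page: username in, user-chosen seal out, then password."""
    seals: dict
    blocked_hosts: set = field(default_factory=set)
    seal_requests: list = field(default_factory=list)   # (client_host, username) audit log
    passwords: list = field(default_factory=list)

    def site_key(self, username, client_host):
        self.seal_requests.append((client_host, username))
        if client_host in self.blocked_hosts:
            return None          # refuse to reveal the seal to a known relay host
        return self.seals.get(username)

    def submit_password(self, username, password, client_host):
        self.passwords.append((username, password))


@dataclass
class PhishingProxy:
    """Look-alike page that relays the seal lookup to the genuine site."""
    upstream: GenuineSite
    captured: list = field(default_factory=list)

    def site_key(self, username, client_host):
        # The victim's username is forwarded to the real site from the phisher's
        # host; whatever seal comes back is shown to the victim as "proof".
        return self.upstream.site_key(username, PHISHER_HOST)

    def submit_password(self, username, password, client_host):
        self.captured.append((username, password))


def user_logs_in(site, username, expected_seal, password):
    """Model of the user: type the username, proceed only if the seal matches."""
    shown = site.site_key(username, client_host=VICTIM_HOST)
    if shown != expected_seal:
        return False                  # wrong or missing seal: the user stops here
    site.submit_password(username, password, client_host=VICTIM_HOST)
    return True


def relay_hosts(site, min_distinct_users=2):
    """Hosts that fetched seals for several different usernames, a relay signature.
    This threshold heuristic is an assumption of the toy, not a product feature."""
    users_per_host = {}
    for host, user in site.seal_requests:
        users_per_host.setdefault(host, set()).add(user)
    return {h for h, users in users_per_host.items() if len(users) >= min_distinct_users}


def run_scenario(block_relay):
    """Return True if the phisher ends up with the victim's password."""
    bank = GenuineSite(seals=dict(SEALS))
    phish = PhishingProxy(upstream=bank)
    if block_relay:
        bank.blocked_hosts.add(PHISHER_HOST)
    user_logs_in(phish, "alice", SEALS["alice"], "hunter2")
    return ("alice", "hunter2") in phish.captured


def detection_demo():
    """Two victims go through the proxy and one user logs in directly; the genuine
    site's audit log then shows one host asking for several users' seals."""
    bank = GenuineSite(seals=dict(SEALS))
    phish = PhishingProxy(upstream=bank)
    for user in ("alice", "bob"):
        user_logs_in(phish, user, SEALS[user], "pw-" + user)
    user_logs_in(bank, "carol", SEALS["carol"], "pw-carol")
    return relay_hosts(bank)


if __name__ == "__main__":
    print("seal relayed, password captured:", run_scenario(block_relay=False))
    print("relay host blocked, password captured:", run_scenario(block_relay=True))
    print("hosts flagged as relays:", detection_demo())
```

The seal check passes for the victim in the unblocked case because the phisher is just a pass-through for the one request the seal depends on; only the genuine site's own view of who asked for which seal, which the user never sees, distinguishes the relay from a real visitor.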


And of course that vulnerability would not exist here, in that the information would not be web accessible, but rather only accessible to the local operating system.





