topic Re: FIDO2 Pin Entry dialog looks too generic. in Discussions

FIDO2 Pin Entry dialog looks too generic.

fwfy — Thu, 08 Aug 2024 15:08:48 GMT

Hi!

I use a FIDO2 token to secure my accounts (NitroKey), and on some sites it'll prompt for the device PIN. Unfortunately, this dialog appears to be really generic, in the sense that it might be easily faked by some JavaScript code or something of the sort. This feels like it could be a bit of a security vulnerability, or at least make it easier for attackers to trick people into handing over their token PINs.

My suggestion is to add some sort of icon that can't be triggered using JavaScript - maybe a key icon or something?

I've attached an image of what the dialog looks like for me - maybe it's a bit different on different platforms but this is what I get on all of my Linux computers.

Re: FIDO2 Pin Entry dialog looks too generic.

selimrecep — Fri, 23 Aug 2024 18:25:04 GMT

On Ubuntu 23.04 the appearance looks same, this is definitely easy to spoof. Chrome has a nice UI to prompt for PIN, it doesn't have to look good, just needs to look distinguishable. Practically I don't find it okay to use keys on firefox for now.

Re: FIDO2 Pin Entry dialog looks too generic.

selimrecep — Fri, 23 Aug 2024 18:43:06 GMT

Just easy as a simple

val = prompt("Please enter the PIN for your device.")

Edit: You could say the one in attachment is narrower etc. but all those properties could be changed by an update, so not significant enough to rely on.

Re: FIDO2 Pin Entry dialog looks too generic.

rogue-agent — Mon, 11 Nov 2024 17:00:35 GMT

On Windows it could use the Windows Security window.

Re: FIDO2 Pin Entry dialog looks too generic.

selimrecep — Tue, 24 Dec 2024 10:54:19 GMT

Yeah, good idea

Though not sure what alternative should be used for linux based OSes.