This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Support
Support
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

FIDO2 Pin Entry dialog looks too generic.

fwfy
Making moves

‎08-08-2024 08:08 AM

Hi!

I use a FIDO2 token to secure my accounts (NitroKey), and on some sites it'll prompt for the device PIN. Unfortunately, this dialog appears to be really generic, in the sense that it might be easily faked by some JavaScript code or something of the sort. This feels like it could be a bit of a security vulnerability, or at least make it easier for attackers to trick people into handing over their token PINs.

My suggestion is to add some sort of icon that can't be triggered using JavaScript - maybe a key icon or something?

I've attached an image of what the dialog looks like for me - maybe it's a bit different on different platforms but this is what I get on all of my Linux computers.

Preview file
13 KB
2 REPLIES 2

selimrecep
Making moves

‎08-23-2024 11:25 AM

On Ubuntu 23.04 the appearance looks same, this is definitely easy to spoof. Chrome has a nice UI to prompt for PIN, it doesn't have to look good, just needs to look distinguishable. Practically I don't find it okay to use keys on firefox for now.

0 Kudos

selimrecep
Making moves

‎08-23-2024 11:40 AM - edited ‎08-23-2024 11:43 AM

Just easy as a simple

 

val = prompt("Please enter the PIN for your device.")

Edit: You could say the one in attachment is narrower etc. but all those properties could be changed by an update, so not significant enough to rely on.

 

Preview file
36 KB
0 Kudos
Copyright © 2024 Khoros, LLC