cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

FIDO2 Pin Entry dialog looks too generic.

fwfy
Making moves

Hi!

I use a FIDO2 token to secure my accounts (NitroKey), and on some sites it'll prompt for the device PIN. Unfortunately, this dialog appears to be really generic, in the sense that it might be easily faked by some JavaScript code or something of the sort. This feels like it could be a bit of a security vulnerability, or at least make it easier for attackers to trick people into handing over their token PINs.

My suggestion is to add some sort of icon that can't be triggered using JavaScript - maybe a key icon or something?

I've attached an image of what the dialog looks like for me - maybe it's a bit different on different platforms but this is what I get on all of my Linux computers.

4 REPLIES 4

selimrecep
Making moves

On Ubuntu 23.04 the appearance looks same, this is definitely easy to spoof. Chrome has a nice UI to prompt for PIN, it doesn't have to look good, just needs to look distinguishable. Practically I don't find it okay to use keys on firefox for now.

selimrecep
Making moves

Just easy as a simple

 

val = prompt("Please enter the PIN for your device.")

Edit: You could say the one in attachment is narrower etc. but all those properties could be changed by an update, so not significant enough to rely on.

 

rogue-agent
Making moves

On Windows it could use the Windows Security window.

Yeah, good idea

Though not sure what alternative should be used for linux based OSes.