[Openid-specs-fapi] Phishing protection in CIBA?

Anders Rundgren anders.rundgren.net at gmail.com
Mon Aug 13 10:20:31 UTC 2018

Bear with me, I'm not [at all] versed in CIBA.

Anyway, here is the rub. There are hordes of third-party mobile authentication solutions out there.
That these applications are vulnerable to phishing when used in the quite popular OOB mode is proved beyond doubt.

Unfortunately it seems that even in "Mobile Only" mode, the phishing problem may be for real since there is (except when using FIDO2/WebAuthentication) no secured binding between the page in the mobile browser and the authentication application.


Related: https://github.com/cyberphone/qr-replacement#a-better-qr
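The binding point above, as an added simulation that is not part of the post: an authenticator that signs over the origin the browser reports (WebAuthn-style) versus one that only confirms a pending challenge (OOB/push-style). All origins and the device key are constructed stand-ins.

```python
import hmac
import hashlib
import secrets

# Constructed values for the simulation (not from the post).
RP_ORIGIN = "https://bank.example"           # the genuine relying party
PHISH_ORIGIN = "https://bank-example.login"  # a look-alike page the user was lured to
DEVICE_KEY = b"\x01" * 32                    # stand-in for the authenticator's credential key


def device_sign_bound(challenge: bytes, browser_origin: str) -> dict:
    """Origin-bound assertion: the signature covers the origin the browser
    itself reports, so a login started from another page signs a different value."""
    client_data = f"{browser_origin}|{challenge.hex()}".encode()
    sig = hmac.new(DEVICE_KEY, client_data, hashlib.sha256).digest()
    return {"origin": browser_origin, "challenge": challenge, "sig": sig}


def device_sign_unbound(challenge: bytes) -> dict:
    """OOB/push-style approval: only the pending challenge is confirmed;
    nothing ties the approval to the page that started the login."""
    return {"challenge": challenge,
            "sig": hmac.new(DEVICE_KEY, challenge, hashlib.sha256).digest()}


def rp_verify_bound(issued: bytes, assertion: dict) -> bool:
    """RP checks the claimed origin and that the signature covers that claim."""
    if assertion["origin"] != RP_ORIGIN or assertion["challenge"] != issued:
        return False
    client_data = f"{assertion['origin']}|{issued.hex()}".encode()
    expected = hmac.new(DEVICE_KEY, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def rp_verify_unbound(issued: bytes, assertion: dict) -> bool:
    expected = hmac.new(DEVICE_KEY, issued, hashlib.sha256).digest()
    return assertion["challenge"] == issued and hmac.compare_digest(expected, assertion["sig"])


def relayed_login_accepted(bound: bool) -> bool:
    """Login started from the look-alike page and forwarded to the RP; True if accepted."""
    issued = secrets.token_bytes(32)  # RP challenge goes to whoever started the login
    if bound:
        assertion = device_sign_bound(issued, PHISH_ORIGIN)  # browser is on the look-alike page
        rewritten = dict(assertion, origin=RP_ORIGIN)        # relay claims the real origin instead
        return rp_verify_bound(issued, assertion) or rp_verify_bound(issued, rewritten)
    return rp_verify_unbound(issued, device_sign_unbound(issued))


def legitimate_login_accepted() -> bool:
    issued = secrets.token_bytes(32)
    return rp_verify_bound(issued, device_sign_bound(issued, RP_ORIGIN))
```

With the unbound approval the RP cannot tell which page the user was on, so the relayed login goes through; with the origin-bound assertion it is rejected whether or not the relay rewrites the origin claim.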
