[Openid-specs-fapi] Phishing protection in CIBA?
Anders Rundgren
anders.rundgren.net at gmail.com
Mon Aug 13 10:20:31 UTC 2018
Bear with me, I'm not [at all] versed in CIBA.
Anyway, here is the rub. There are hordes of third-party mobile authentication solutions out there.
That these applications are vulnerable to phishing when used in the quite popular OOB mode is proved beyond doubt.
Unfortunately, it seems that even in "Mobile Only" mode, the phishing problem may be for real, since there is (except when using FIDO2/WebAuthentication) no secured binding between the page in the mobile browser and the authentication application.
Anders
Related: https://github.com/cyberphone/qr-replacement#a-better-qr