FIDO2 Support txAuthSimple extension #334
Labels
fido
Two-factor authentication using Trezor
Comments
|
Unfortunately this feature has been removed from WebAuthn, because allegedly none of the browsers implemented it. What a shame :-(. This could have been used to securely confirm withdrawals from cryptocurrency exchanges. |
|
The extension was removed via w3c/webauthn#1386 |
|
Help us get it back, @prusnak! w3c/webauthn#2020 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The txAuthSimple extension allows for a simple form of transaction authorization. A Relying Party can specify a prompt string, which will be displayed on the Trezor. If the user confirms, then the prompt string will be signed using the credential private key.
Currently I am not aware of any site that would use this, so this is low priority.
We have to be careful about displaying arbitrary prompts on the screen. Since the display is considered trusted by the user, an attacker could misuse this to persuade the user into taking some dangerous action. So we should say something like "Do you wish to authorize the following transaction from ?". The prompt should have a different color or some other visual distinction. The user will be able to swipe up and down until they reach the end of the prompt and then confirm or decline, similar to the way the recovery seed is displayed.
The text was updated successfully, but these errors were encountered: