I saw some claims online that a password manager I was considering using doesn't correctly enforce the RPID domain check and therefore would allow phishing attacks. Not mentioning the password manager in question because I haven't confirmed the rumor.
But wouldn't it be nice if we had a way of testing this? e.g. have webauthn.io use a passkey for a different rpid and see if the password manager accepts it?
And extending on the concept, maybe we could add other checks testing for conformance with other parts of the standard?
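A sketch of the RP ID check such a test would exercise, as an added example that is not part of the original issue or of webauthn.io's code. `PUBLIC_SUFFIXES`, `naiveSuffixCheck` and the test matrix are constructed for illustration; a real client consults the full Public Suffix List.

```javascript
// Constructed stand-in for the real Public Suffix List (assumption).
const PUBLIC_SUFFIXES = new Set(["com", "io", "test", "co.uk"]);

// The rule a conforming client applies before using a credential: rpId must
// equal the origin's host or be a registrable domain suffix of it.
function rpIdAllowedForOrigin(rpId, origin) {
  const url = new URL(origin);
  const host = url.hostname.toLowerCase();
  const id = String(rpId).toLowerCase();
  // WebAuthn is only exposed in secure contexts.
  const secure = url.protocol === "https:" ||
    (url.protocol === "http:" && host === "localhost");
  if (!secure || id === "") return false;
  // Only domain hosts qualify, not IPv4 or IPv6 literals.
  if (/^\d+(\.\d+){3}$/.test(host) || host.startsWith("[")) return false;
  if (id === host) return true;
  if (PUBLIC_SUFFIXES.has(id)) return false;
  return host.endsWith("." + id);
}

// Hypothetical flawed client: suffix match with no label boundary,
// no public-suffix check and no scheme or host-type check.
function naiveSuffixCheck(rpId, origin) {
  return new URL(origin).hostname.endsWith(rpId);
}

// Constructed test matrix: [origin, rpId requested by the page, should be accepted].
const CASES = [
  ["https://login.example.com", "example.com", true],
  ["https://login.example.com", "login.example.com", true],
  ["https://example.com", "login.example.com", false],
  ["https://notexample.com", "example.com", false],
  ["https://example.com.lookalike.test", "example.com", false],
  ["https://app.example.com", "com", false],
  ["http://login.example.com", "example.com", false],
  ["https://192.0.2.10", "192.0.2.10", false],
];

// Returns the cases where the client under test disagrees with the expected
// outcome; accepting a `false` row is the phishing-relevant failure.
function findViolations(clientCheck) {
  return CASES.filter(([origin, rpId, ok]) => clientCheck(rpId, origin) !== ok)
    .map(([origin, rpId]) => `${origin} -> ${rpId}`);
}

console.log("conforming:", findViolations(rpIdAllowedForOrigin));
console.log("naive:", findViolations(naiveSuffixCheck));
```

The conforming check produces no violations, while the naive suffix match accepts four of the rows that must be rejected.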