Password managers built into the browser also help here - the remote browser won’t have the passwords saved, which hopefully will raise an alarm or stop the attack (if the saved password was too complex to remember).
And the local browser won’t be able to fill the login screen anyway, since the form will be rasterized. As far as the browser is concerned, it’s a static image or something.
This is still ridiculously devious, though, and probably very effective. Most people still don’t even use password managers.
At $WORK, they’ve been pushing to eliminate passwords so much that it now seems incredibly retro when I see one and on any work system it’s a big red flag if something wants me to enter a password: it should happen only once, when I first use a device. The authorisation flow looks something like this:
1. I get presented with a list of known accounts.
2. I select the one that I want.
3. The server sends a random number to my browser.
4. My browser requests TPM access to encrypt it with a public key.
5. The system requires biometric ID to authorise the signing.
6. My browser encrypts it and sends the encrypted version to the server.
7. The server decrypts it with the public keys it has on file for me and either accepts it or decides that this is a resource needing MFA. In the second case:
8. I get a notification on my phone and the browser provides me a two-digit number.
9. I enter the number in my phone, tap the fingerprint reader, and hit approve.
This kind of attack would first fail in step 1: I wouldn’t see my accounts listed. If I entered my username, then at step 3, the remote browser wouldn’t have the keys and so it would fall back to password auth. This is now something sufficiently unusual that I’d start to get really nervous. Step 7 doesn’t really help with this kind of attack except by giving me a bit more thinking time.