Well, usually phishing generally works by having a site with a similar enough name that looks convincing enough to let the user "login" to it, but instead it just steals the credentials, which can include standard TOTP codes. When a site uses FIDO, no matter whether just as a second factor or full passwordless and all, that trick won't work, because the actual domain name of the site is used as part of the process for working with the keys. So on a general phishing campaign with no malware distribution and all, your Solo (or in fact any FIDO device) will just say "I have no credentials to present" and that's it. To get around FIDO you need an evil browser telling your FIDO device the domain name it needs to hear rather than the truth. Also, on a good browser FIDO generally only works on sites with HTTPS, so while nowadays that is almost no concern anyway, it is a very helpful addition. This basically means that short of actually being able to perform an active HTTPS MITM to steal the session and all, or giving the user an evil browser, you can't just phish around FIDO.
In short: To log in with the device, the website sends a random challenge. The browser adds the website's domain (e.g. google.com or facebook.com; protected by DNS/TLS). The device signs over both the random challenge and the website domain, which the browser sends back to the website. Phishing means that someone man-in-the-middles the communication (e.g. when entering a password or TOTP code on an evil website, or when giving the password or TOTP to someone on the phone), and then logs in on your behalf / behind your back with the password or password+TOTP. With FIDO, if you land on an evil website (e.g. faceboook.com instead of facebook.com), even if you touch the device, the evil website will get a signature for its own, incorrect domain. If it tries to relay that to the real website, that website will notice the signature is not for its own domain, and refuse the login. Also, you can't really share the signature over the phone, as it's not directly accessible to you easily.
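The challenge-plus-domain mechanism the two replies above describe, as an added simulation that is not part of this thread: a per-site secret stands in for the authenticator's private key and HMAC-SHA256 for its ECDSA signature, while the signed message layout (authenticatorData || SHA-256(clientData)) and the relying-party checks follow WebAuthn; the domains are constructed.

```python
import hashlib, hmac, json, secrets

# Constructed stand-in: a per-site secret plays the private key and HMAC-SHA256
# plays the ECDSA signature. What is signed (authenticatorData || SHA-256(clientData))
# and what the relying party checks follow WebAuthn.
class Authenticator:
    def __init__(self):
        self._creds = {}          # rpId -> secret; never leaves the device

    def register(self, rp_id):
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # stands in for the public key the site stores

    def get_assertion(self, rp_id, client_data_hash):
        key = self._creds.get(rp_id)
        if key is None:
            return None           # "I have no credentials to present"
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x00"
        return auth_data, hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()

def browser_get(authn, origin, challenge):
    """The browser, not the page, writes the real origin into clientData."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}).encode()
    res = authn.get_assertion(origin.split("://", 1)[1], hashlib.sha256(client_data).digest())
    return None if res is None else {"clientData": client_data, "authData": res[0], "sig": res[1]}

def rp_verify(origin, stored_key, challenge, assertion):
    """Relying-party side: reject before checking the signature if the domain is wrong."""
    cd = json.loads(assertion["clientData"])
    if cd["origin"] != origin or cd["challenge"] != challenge.hex():
        return False              # signed for another domain, or not our challenge
    if assertion["authData"][:32] != hashlib.sha256(origin.split("://", 1)[1].encode()).digest():
        return False              # rpIdHash inside authenticatorData must match too
    msg = assertion["authData"] + hashlib.sha256(assertion["clientData"]).digest()
    return hmac.compare_digest(hmac.new(stored_key, msg, hashlib.sha256).digest(), assertion["sig"])

def run_scenarios():
    real, evil = "https://facebook.com", "https://faceboook.com"   # constructed domains
    device = Authenticator()
    real_key = device.register("facebook.com")
    challenge = secrets.token_bytes(32)           # issued by the real site
    ok = rp_verify(real, real_key, challenge, browser_get(device, real, challenge))
    # Phishing page relays the real challenge; the device has nothing for faceboook.com.
    no_cred = browser_get(device, evil, challenge) is None
    # Even if the device held a credential for the look-alike domain, the relayed
    # assertion names the wrong origin and wrong rpIdHash, so the real site refuses.
    device.register("faceboook.com")
    relayed = rp_verify(real, real_key, challenge, browser_get(device, evil, challenge))
    return ok, no_cred, relayed                   # (True, True, False)
```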
I haven't backed the product yet so I'm not able to comment directly on Kickstarter. If this doesn't belong here please let me know.
Phishing is defined as:
How does a hardware device help prevent me from being phished? Are you using the wrong wording in your advertisements? Is that in reference to phishing attacks that are only interested in your passwords as opposed to other types of PII?
Overall it feels like the Kickstarter video is made to make things sound as bad as possible, when a lot of the statements are true only a fraction of the time or in very specific situations, and to make it sound like the product does a significant amount more than being passwordless provides.