Open cyberphone opened 9 months ago
Thank you very much for your submission. These problems are known in the respective standardization committees and are actively being discussed. A promising initiative is the introduction of the "Browser API" (https://wicg.github.io/digital-credentials/) in the W3C. We will follow these discussions and ensure that the Wallet keeps up to date with the latest version of the standards.
The so-called "Deep Links" that are used by most current authentication solutions, like BankID in Sweden, are, in spite of secure key storage and PKI, susceptible to traditional phishing attacks for the simple reason that deep links do not provide the security context (certificate path) of the invoking Web page. This contrasts with FIDO/WebAuthn, which does not suffer from this problem.
QR codes for cross-device use have the same problem.
These issues have been known for ages.
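The origin binding the post credits FIDO/WebAuthn with, shown as the relying-party checks that make it work; this is an added example in Python, not code from the issue or the project, and the RP ID, origin, challenge and the stand-in browser/authenticator data are constructed.

```python
import base64
import hashlib
import json

# Constructed RP identity. In WebAuthn the browser (not the page) writes the
# origin into clientDataJSON, and the authenticator prefixes authenticatorData
# with SHA-256(rpId), so a look-alike site cannot mint an acceptable response.
# A deep link carries neither value, which is the gap the post describes.
RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"
CHALLENGE = b"constructed-challenge-0123456789"  # constructed, per-session

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def check_origin_binding(client_data_b64: str, auth_data: bytes,
                         expected_challenge: bytes) -> tuple[bool, str]:
    """Origin-related steps of WebAuthn assertion verification.
    Signature verification is deliberately out of scope here."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"

def make_client_data(origin: str, challenge: bytes) -> str:
    # Constructed stand-in for what a browser emits at the given origin.
    return b64url_encode(json.dumps({"type": "webauthn.get",
                                     "challenge": b64url_encode(challenge),
                                     "origin": origin}).encode())

def make_auth_data(rp_id: str) -> bytes:
    # rpIdHash (32 bytes) + flags byte with UP set + 4-byte signature counter
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"

def demo_legit() -> tuple[bool, str]:
    return check_origin_binding(make_client_data(EXPECTED_ORIGIN, CHALLENGE),
                                make_auth_data(RP_ID), CHALLENGE)

def demo_lookalike() -> tuple[bool, str]:
    # The browser records the look-alike origin; the RP rejects it outright.
    return check_origin_binding(make_client_data("https://bank-example.test", CHALLENGE),
                                make_auth_data("bank-example.test"), CHALLENGE)
```

Run `demo_legit()` and `demo_lookalike()` to see the accepted and rejected cases; the rejection happens before any signature is examined.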