undefined | Better HN

0 pointscryptonector3y ago0 comments

Yes, but the idea is that you'd enroll the device (and its TPM), and thence wouldn't be phishable like this. Granted, there might still be a problem at device enrollment time.

0 comments

remram3y ago

See sibling thread, we're being duplicated; the point of this OAuth flow is to sign in on a different device, using the trusted one. That different device might be a legitimate TV with a TPM and cryptographic attestations that it truly belong to John Doe, there is still no way for your iPhone and Apple to check whether you meant to sign in to John Doe's TV or if they are a scammer and sent you the (legitimate) sign-up link over email.

cryptonectorOP3y ago

It's essentially an enrollment workflow using an existing enrolled device, yes?

remram3y ago

This submission's title mentions "2FA". The first post in this thread is about OAuth. Nothing in here is about anything but the "enrollment".

j / k navigate · click thread line to collapse

0 pointscryptonector3y ago0 comments

Yes, but the idea is that you'd enroll the device (and its TPM), and thence wouldn't be phishable like this. Granted, there might still be a problem at device enrollment time.

0 comments

remram3y ago

cryptonectorOP3y ago

It's essentially an enrollment workflow using an existing enrolled device, yes?

remram3y ago

This submission's title mentions "2FA". The first post in this thread is about OAuth. Nothing in here is about anything but the "enrollment".

j / k navigate · click thread line to collapse